305ec95c469f250ddf3213b4804ea4e384e17928a4cd99e486c18769129b24de

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
Size

198KB
MD5

2f8b2e08cd10884f0607604c4ece2f20
SHA1

423eeee56bd4e1da9878e66449a9280f1cfa2bda
SHA256

305ec95c469f250ddf3213b4804ea4e384e17928a4cd99e486c18769129b24de
SHA512

9cbd1b74ad89f22d81fcea2da016405fc853135b7001bf2bc45ddf5ef0f4338d1562c96e35c2c4b281b7ab7e554b01faa4e7a1fbb82603616d8e427fd41f8641
SSDEEP

3072:Nheh6phA+a22yDR98H2N2Ov7sCH37vbX0MU8s/9CNIKpNGhP28e:N4h44Ct2OT7X7DY8sFKpAhu8e

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (78) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

TiIksEkg.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation TiIksEkg.exe
Executes dropped EXE 2 IoCs

Processes:

TiIksEkg.exeIKEQAoMo.exe

pid process

3652 TiIksEkg.exe
2952 IKEQAoMo.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	TiIksEkg.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exeTiIksEkg.exeIKEQAoMo.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IKEQAoMo.exe = "C:\\ProgramData\\pkUYgosA\\IKEQAoMo.exe"	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TiIksEkg.exe = "C:\\Users\\Admin\\mQUUAUgI\\TiIksEkg.exe"	TiIksEkg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IKEQAoMo.exe = "C:\\ProgramData\\pkUYgosA\\IKEQAoMo.exe"	IKEQAoMo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TiIksEkg.exe = "C:\\Users\\Admin\\mQUUAUgI\\TiIksEkg.exe"	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe

Drops file in System32 directory 2 IoCs

Processes:

TiIksEkg.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	TiIksEkg.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	TiIksEkg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
4816	reg.exe
2608
3468	reg.exe
2892	reg.exe
1756	reg.exe
4876	reg.exe
2552	reg.exe
1092	reg.exe
1700	reg.exe
772	reg.exe
3020	reg.exe
4436	reg.exe
4848	reg.exe
2388	reg.exe
4340	reg.exe
872	reg.exe
4324	reg.exe
412	reg.exe
1904	reg.exe
4680	reg.exe
5036	reg.exe
2512
5032	reg.exe
2492	reg.exe
1444	reg.exe
2556	reg.exe
1780
1016	reg.exe
3796	reg.exe
4956	reg.exe
3948	reg.exe
2840	reg.exe
1148	reg.exe
3480	reg.exe
4872	reg.exe
1716	reg.exe
1840	reg.exe
400	reg.exe
436	reg.exe
1596	reg.exe
1176	reg.exe
4328	reg.exe
3696
2476	reg.exe
3216	reg.exe
3664	reg.exe
2804	reg.exe
2528	reg.exe
1368	reg.exe
2428	reg.exe
4244	reg.exe
1452	reg.exe
736	reg.exe
3512	reg.exe
912	reg.exe
4604	reg.exe
4024	reg.exe
1156	reg.exe
4408	reg.exe
3556	reg.exe
400	reg.exe
3596	reg.exe
4484	reg.exe
4608

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe

pid	process
860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
920	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
920	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
920	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
920	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
5072	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
5072	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
5072	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
5072	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
3296	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
3296	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
3296	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
3296	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
4436	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
4436	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
4436	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
4436	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
4240	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
4240	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
4240	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
4240	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
3896	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
3896	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
3896	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
3896	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
1516	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
1516	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
1516	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
1516	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
4908	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
4908	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
4908	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
4908	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
4868	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
4868	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
4868	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
4868	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
4888	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
4888	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
4888	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
4888	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
3016	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
3016	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
3016	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
3016	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
1516	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
1516	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
1516	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
1516	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
3308	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
3308	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
3308	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
3308	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
4240	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
4240	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
4240	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
4240	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
3572	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
3572	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
3572	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
3572	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

TiIksEkg.exe

pid process

3652 TiIksEkg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

TiIksEkg.exe

pid	process
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe
3652	TiIksEkg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.execmd.execmd.exe2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.execmd.execmd.exe2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 860 wrote to memory of 3652	860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	TiIksEkg.exe
PID 860 wrote to memory of 3652	860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	TiIksEkg.exe
PID 860 wrote to memory of 3652	860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	TiIksEkg.exe
PID 860 wrote to memory of 2952	860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	IKEQAoMo.exe
PID 860 wrote to memory of 2952	860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	IKEQAoMo.exe
PID 860 wrote to memory of 2952	860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	IKEQAoMo.exe
PID 860 wrote to memory of 4468	860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	cmd.exe
PID 860 wrote to memory of 4468	860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	cmd.exe
PID 860 wrote to memory of 4468	860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	cmd.exe
PID 4468 wrote to memory of 920	4468	cmd.exe	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
PID 4468 wrote to memory of 920	4468	cmd.exe	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
PID 4468 wrote to memory of 920	4468	cmd.exe	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
PID 860 wrote to memory of 804	860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 860 wrote to memory of 804	860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 860 wrote to memory of 804	860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 860 wrote to memory of 1924	860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 860 wrote to memory of 1924	860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 860 wrote to memory of 1924	860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 860 wrote to memory of 404	860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 860 wrote to memory of 404	860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 860 wrote to memory of 404	860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 860 wrote to memory of 2512	860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	cmd.exe
PID 860 wrote to memory of 2512	860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	cmd.exe
PID 860 wrote to memory of 2512	860	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	cmd.exe
PID 2512 wrote to memory of 4880	2512	cmd.exe	cscript.exe
PID 2512 wrote to memory of 4880	2512	cmd.exe	cscript.exe
PID 2512 wrote to memory of 4880	2512	cmd.exe	cscript.exe
PID 920 wrote to memory of 464	920	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	cmd.exe
PID 920 wrote to memory of 464	920	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	cmd.exe
PID 920 wrote to memory of 464	920	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	cmd.exe
PID 464 wrote to memory of 5072	464	cmd.exe	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
PID 464 wrote to memory of 5072	464	cmd.exe	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
PID 464 wrote to memory of 5072	464	cmd.exe	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
PID 920 wrote to memory of 5084	920	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 920 wrote to memory of 5084	920	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 920 wrote to memory of 5084	920	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 920 wrote to memory of 3600	920	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 920 wrote to memory of 3600	920	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 920 wrote to memory of 3600	920	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 920 wrote to memory of 2364	920	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 920 wrote to memory of 2364	920	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 920 wrote to memory of 2364	920	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 920 wrote to memory of 5104	920	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	cmd.exe
PID 920 wrote to memory of 5104	920	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	cmd.exe
PID 920 wrote to memory of 5104	920	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	cmd.exe
PID 5104 wrote to memory of 3976	5104	cmd.exe	cscript.exe
PID 5104 wrote to memory of 3976	5104	cmd.exe	cscript.exe
PID 5104 wrote to memory of 3976	5104	cmd.exe	cscript.exe
PID 5072 wrote to memory of 2264	5072	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	cmd.exe
PID 5072 wrote to memory of 2264	5072	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	cmd.exe
PID 5072 wrote to memory of 2264	5072	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	cmd.exe
PID 2264 wrote to memory of 3296	2264	cmd.exe	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
PID 2264 wrote to memory of 3296	2264	cmd.exe	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
PID 2264 wrote to memory of 3296	2264	cmd.exe	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
PID 5072 wrote to memory of 2428	5072	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 5072 wrote to memory of 2428	5072	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 5072 wrote to memory of 2428	5072	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 5072 wrote to memory of 3340	5072	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 5072 wrote to memory of 3340	5072	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 5072 wrote to memory of 3340	5072	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 5072 wrote to memory of 4024	5072	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 5072 wrote to memory of 4024	5072	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 5072 wrote to memory of 4024	5072	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	reg.exe
PID 5072 wrote to memory of 4276	5072	2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:860

C:\Users\Admin\mQUUAUgI\TiIksEkg.exe
"C:\Users\Admin\mQUUAUgI\TiIksEkg.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3652

C:\ProgramData\pkUYgosA\IKEQAoMo.exe
"C:\ProgramData\pkUYgosA\IKEQAoMo.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
2⤵
- Suspicious use of WriteProcessMemory
PID:4468

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
4⤵
- Suspicious use of WriteProcessMemory
PID:464

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
6⤵
- Suspicious use of WriteProcessMemory
PID:2264

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:3296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
8⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
10⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
12⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:3896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
14⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
16⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
18⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
20⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
22⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:3016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
24⤵
PID:724

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
26⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:3308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
28⤵
PID:2732

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
30⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:3572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
32⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
33⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
34⤵
PID:2840

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
35⤵
PID:1236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
36⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
37⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
38⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
39⤵
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
40⤵
PID:3616

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
41⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
42⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
43⤵
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
44⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
45⤵
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
46⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
47⤵
PID:2024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
48⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
49⤵
PID:4312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
50⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
51⤵
PID:2856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
52⤵
PID:3224

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
53⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
54⤵
PID:804

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
55⤵
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
56⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
57⤵
PID:3308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
58⤵
PID:3456

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
59⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
60⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
61⤵
PID:3572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
62⤵
PID:264

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
63⤵
PID:2916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
64⤵
PID:2852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:804

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
65⤵
PID:4288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
66⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
67⤵
PID:4872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
68⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
69⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
70⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
71⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
72⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
73⤵
PID:3376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
74⤵
PID:3400

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
75⤵
PID:756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
76⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
77⤵
PID:1740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
78⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
79⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
80⤵
PID:3308

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
81⤵
PID:3220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
82⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
83⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
84⤵
PID:3224

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
85⤵
PID:2812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
86⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
87⤵
PID:1268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
88⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
89⤵
PID:3412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
90⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
91⤵
PID:2856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
92⤵
PID:732

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
93⤵
PID:2988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
94⤵
PID:4652

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
95⤵
PID:1904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
96⤵
PID:2920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
97⤵
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
98⤵
PID:3456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
99⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
99⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
100⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
101⤵
PID:3676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
102⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
103⤵
PID:3224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
104⤵
PID:4668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
105⤵
PID:3664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
106⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
107⤵
PID:4000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
108⤵
PID:4592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
109⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
110⤵
PID:4144

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
111⤵
PID:212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
112⤵
PID:3376

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
113⤵
PID:1532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
114⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
115⤵
PID:2384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
116⤵
PID:2476

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
117⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
118⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
119⤵
PID:3400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
120⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
121⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
122⤵
PID:1044

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
123⤵
PID:2608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
124⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
125⤵
PID:1712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
126⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
127⤵
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
128⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
129⤵
PID:3828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
130⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
131⤵
PID:2956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
132⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
133⤵
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
134⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
135⤵
PID:3412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
136⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
137⤵
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
138⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
139⤵
PID:1968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
140⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
141⤵
PID:828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
142⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
143⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
144⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
145⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
146⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
147⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
148⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
149⤵
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
150⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
151⤵
PID:692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
152⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
153⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
154⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
155⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
156⤵
PID:940

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
157⤵
PID:756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
158⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
159⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
160⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
161⤵
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
162⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
163⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
164⤵
PID:3408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
165⤵
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
166⤵
PID:2732

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
167⤵
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
168⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
169⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
170⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
171⤵
PID:1636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
172⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
173⤵
PID:4212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
174⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
175⤵
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
176⤵
PID:3216

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
177⤵
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
178⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
179⤵
PID:3604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
180⤵
PID:2856

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
181⤵
PID:3872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
182⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
183⤵
PID:4736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
184⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
185⤵
PID:1556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
186⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
187⤵
PID:1536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
188⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
189⤵
PID:3340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
190⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
191⤵
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
192⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
193⤵
PID:2528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
194⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
195⤵
PID:4216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
196⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
197⤵
PID:4632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
198⤵
PID:2928

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
199⤵
PID:1676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
200⤵
PID:4224

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
201⤵
PID:2420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
202⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
203⤵
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
204⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
205⤵
PID:4680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
206⤵
PID:1840

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
207⤵
PID:2384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
208⤵
PID:5056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
209⤵
PID:2512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
210⤵
PID:4148

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
211⤵
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
212⤵
PID:732

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
213⤵
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
214⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
215⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
216⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
217⤵
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
218⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
219⤵
PID:3564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
220⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
221⤵
PID:3520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
222⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
223⤵
PID:2776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
224⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
225⤵
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
226⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
227⤵
PID:1368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
228⤵
PID:772

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
229⤵
PID:3100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
230⤵
PID:3396

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
231⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
232⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
233⤵
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
234⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
235⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
236⤵
PID:2096

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
237⤵
PID:1044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
238⤵
PID:2928

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
239⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
240⤵
PID:400

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
241⤵
PID:428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
242⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
243⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
244⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
245⤵
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
246⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
247⤵
PID:3220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
248⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
249⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
250⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
251⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
252⤵
PID:1848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
253⤵
PID:3316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
254⤵
PID:4468

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
255⤵
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
256⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
257⤵
PID:3472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
258⤵
PID:2608

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
259⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
259⤵
PID:4416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
260⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
261⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
262⤵
PID:3316

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
263⤵
PID:2528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
264⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
265⤵
PID:428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
266⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
267⤵
PID:3596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
268⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
269⤵
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
270⤵
PID:1716

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
271⤵
PID:3524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
272⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
273⤵
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
274⤵
PID:3852

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
275⤵
PID:1216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
276⤵
PID:2144

C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
277⤵
PID:4160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics"
278⤵
PID:3804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
278⤵
- Modifies visibility of file extensions in Explorer
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
276⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
276⤵
- Modifies registry key
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
276⤵
- Modifies registry key
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqsMsMoo.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
276⤵
PID:4752

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
277⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
274⤵
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
274⤵
PID:2920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
275⤵
PID:3248

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
274⤵
- UAC bypass
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGcgcoQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
274⤵
PID:1584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
275⤵
PID:4772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
272⤵
- Modifies visibility of file extensions in Explorer
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
272⤵
PID:4244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
273⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
272⤵
PID:3496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEsgkMIg.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
272⤵
PID:3868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
273⤵
PID:4568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
273⤵
PID:3096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
270⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
270⤵
PID:828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
270⤵
PID:1520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
271⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WyksUYMw.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
270⤵
PID:4068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
271⤵
PID:3796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
268⤵
- Modifies visibility of file extensions in Explorer
PID:772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
268⤵
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
268⤵
- UAC bypass
- Modifies registry key
PID:4680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
269⤵
PID:1700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PyQsAIEo.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
268⤵
PID:1516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
269⤵
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
266⤵
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
266⤵
PID:1712

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
267⤵
PID:4748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
266⤵
PID:4924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
267⤵
PID:2988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\buQYsccc.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
266⤵
PID:732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
267⤵
PID:4864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
264⤵
- Modifies visibility of file extensions in Explorer
PID:4732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
264⤵
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
264⤵
- UAC bypass
PID:3400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
265⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZmQYIUks.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
264⤵
PID:1732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
265⤵
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
262⤵
- Modifies registry key
PID:736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
262⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
262⤵
- Modifies registry key
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkUgIUwE.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
262⤵
PID:2956

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
263⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
260⤵
PID:1452

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
261⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
260⤵
- Modifies registry key
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
260⤵
- UAC bypass
PID:1868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\weMsgckc.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
260⤵
PID:2392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
261⤵
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
258⤵
PID:4240

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
258⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
258⤵
- UAC bypass
- Modifies registry key
PID:3596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MYQIUYAQ.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
258⤵
PID:3248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
259⤵
PID:4744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
259⤵
PID:404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
256⤵
- Modifies registry key
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
256⤵
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
256⤵
- Modifies registry key
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rgcckosc.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
256⤵
PID:1156

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
257⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
254⤵
PID:2856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
254⤵
PID:4000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
254⤵
- UAC bypass
- Modifies registry key
PID:1368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
255⤵
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tioQYgIw.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
254⤵
PID:2840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
255⤵
PID:3412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:1468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
- UAC bypass
PID:724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JuEsYckY.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
252⤵
PID:2912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:4948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
- Modifies visibility of file extensions in Explorer
PID:4748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:4744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
PID:2292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RcEoQoYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
250⤵
PID:3872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:4212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
- Modifies registry key
PID:412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
PID:2732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iuEIsckI.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
248⤵
PID:3852

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:3400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:2336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
- Modifies visibility of file extensions in Explorer
PID:2820

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:4836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
- Modifies registry key
PID:2840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
- UAC bypass
- Modifies registry key
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UowQIYkk.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
246⤵
PID:3412

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
PID:724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
- Modifies registry key
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
- UAC bypass
PID:536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akoYgQgM.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
244⤵
PID:4220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
PID:3596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
PID:4120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
- UAC bypass
- Modifies registry key
PID:4244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIgUoYog.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
242⤵
PID:548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:3124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
- Modifies visibility of file extensions in Explorer
PID:2460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:3584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:1520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
- UAC bypass
PID:3060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCkoAsMw.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
240⤵
PID:3400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:4340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:4400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
PID:3296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:1552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
- UAC bypass
PID:2028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\piEoYsgc.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
238⤵
PID:2508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
PID:3876

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:3596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
- UAC bypass
- Modifies registry key
PID:3556

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xkEkEcUo.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
236⤵
PID:5104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:2460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
- UAC bypass
PID:2072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQwAEkkY.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
234⤵
PID:912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:3860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
- Modifies visibility of file extensions in Explorer
PID:4748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:456

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
PID:4228

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KSUIYwQM.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
232⤵
PID:1760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:4220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
- Modifies visibility of file extensions in Explorer
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:4764

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
PID:4592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGQYkIYw.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
230⤵
PID:2260

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:4652

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
- Modifies registry key
PID:1756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:4792

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
- UAC bypass
- Modifies registry key
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aCUwgAQw.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
228⤵
PID:2804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:1608

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:3584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
227⤵
PID:3520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
PID:3400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\niEIcgUk.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
226⤵
PID:1468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
- Modifies visibility of file extensions in Explorer
PID:4324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:4984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
- UAC bypass
PID:1880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkoYcAks.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
224⤵
PID:4836

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:3564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
- Modifies visibility of file extensions in Explorer
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
- UAC bypass
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VkoEAgoM.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
222⤵
PID:664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:3124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
- UAC bypass
- Modifies registry key
PID:3020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqsQIEUs.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
220⤵
PID:2428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:2976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:3596

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
- UAC bypass
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GooAkAEE.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
218⤵
PID:536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
PID:4160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:1128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
PID:1172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sqwYAwcU.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
216⤵
PID:4476

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
PID:3316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
- Modifies registry key
PID:4324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CMkQskcY.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
214⤵
PID:2096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
- Modifies visibility of file extensions in Explorer
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
- Modifies registry key
PID:872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
PID:1780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PqckAIso.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
212⤵
PID:2016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
- Modifies visibility of file extensions in Explorer
PID:4160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:4652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
211⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkQIYAks.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
210⤵
PID:3200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:4640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ROAYgYIc.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
208⤵
PID:3092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
PID:2176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
PID:2776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yWUUksko.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
206⤵
PID:4748

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:1528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:4880

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
- UAC bypass
PID:3604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oyUAMwEM.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
204⤵
PID:2556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:3804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
- Modifies visibility of file extensions in Explorer
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
- UAC bypass
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kkMwoocY.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
202⤵
PID:3868

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:4740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:1128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:3296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZiEYIsYI.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
200⤵
PID:2776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
- Modifies visibility of file extensions in Explorer
PID:3216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:2124

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
PID:756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lkwUMwIQ.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
198⤵
PID:4240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies visibility of file extensions in Explorer
PID:1556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
- Modifies registry key
PID:1840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RYwoQMIE.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
196⤵
PID:3584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies registry key
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:3100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- UAC bypass
PID:3556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ICgwEUoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
194⤵
PID:2892

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:2428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
PID:4240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oCUwsUYA.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
192⤵
PID:920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:2292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- UAC bypass
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqQAIAMs.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
190⤵
PID:368

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies visibility of file extensions in Explorer
PID:1552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:2480

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kUcYEIgY.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
188⤵
PID:4220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:4160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:1716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- Modifies registry key
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dOYMsUQI.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
186⤵
PID:2668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:3964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
PID:1780

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
- Modifies registry key
PID:1156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
PID:3940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZKwYEoMc.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
184⤵
PID:2144

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
PID:3316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
PID:1980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\daEMoYUM.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
182⤵
PID:1740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:3456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:4820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- UAC bypass
PID:464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GWQcEEMU.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
180⤵
PID:4240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:3964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
PID:4436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
PID:4220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgsccEMk.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
178⤵
PID:4448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:4732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:1700

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
PID:1236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WaQYAEEg.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
176⤵
PID:3848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies registry key
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:4672

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EQkMMwIM.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
174⤵
PID:4888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:3676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
PID:368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:4148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
- UAC bypass
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYosIoYs.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
172⤵
PID:4304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
PID:2376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:3252

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xIYUoYcM.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
170⤵
PID:3828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:3092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- UAC bypass
PID:2956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIYUQcUY.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
168⤵
PID:4340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
- Modifies visibility of file extensions in Explorer
PID:2508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aIYgEoUc.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
166⤵
PID:1092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
PID:2668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
- Modifies registry key
PID:3796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- UAC bypass
PID:3456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EekQsMMY.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
164⤵
PID:4304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:3376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AWoAUYwE.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
162⤵
PID:1524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:2912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
- Modifies visibility of file extensions in Explorer
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
- UAC bypass
PID:1732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YEUIIMsg.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
160⤵
PID:2264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
- Modifies registry key
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bmAYsEEI.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
158⤵
PID:1760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:4560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
- Modifies visibility of file extensions in Explorer
PID:1108

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:4732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psEssYUk.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
156⤵
PID:2384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:3316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
PID:1144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
- Modifies registry key
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
PID:1172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAMsscYM.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
154⤵
PID:4264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:1712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
PID:3316

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIIMMIsc.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
152⤵
PID:5036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:4868

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies registry key
PID:1176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAAgMsEs.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
150⤵
PID:1880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:4668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:3340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
- Modifies registry key
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:4640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQYMswMY.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
148⤵
PID:3200

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:4888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
- Modifies registry key
PID:3512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
- Modifies registry key
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAUIAooc.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
146⤵
PID:1268

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:4212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:3828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:3664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JAgkUAAI.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
144⤵
PID:2016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:2552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:4792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:2020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsQgUYIw.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
142⤵
PID:3604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
- Modifies registry key
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCcgYMYY.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
140⤵
PID:400

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:2164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
PID:736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:1144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NUgcMUAc.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
138⤵
PID:2384

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:3496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:3316

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:3224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aUUIAYwA.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
136⤵
PID:4984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:3828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
PID:3604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:3220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
PID:1128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEooYMYY.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
134⤵
PID:724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
PID:2176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAAUMgMY.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
132⤵
PID:3024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:3912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
PID:2528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jYYAkwEg.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
130⤵
PID:4328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies visibility of file extensions in Explorer
PID:3600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:4224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VeoEQowI.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
128⤵
PID:2812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
PID:4216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:3796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JmogsooM.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
126⤵
PID:2732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:4244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lswwgkQs.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
124⤵
PID:4024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:3496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- Modifies registry key
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KSoskoME.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
122⤵
PID:3020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:3828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
PID:1404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OUYwEkkg.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
120⤵
PID:1596

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:1444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:3224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:3412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KyYgIIEM.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
118⤵
PID:2340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:3480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:2976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
PID:3632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOsUckoQ.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
116⤵
PID:2176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
- Modifies registry key
PID:1444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RgEQggMI.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
114⤵
PID:4100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:3084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
PID:4408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lWYYUIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
112⤵
PID:4744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:4668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
PID:1904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:4264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
- Modifies registry key
PID:1092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XiowUkwA.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
110⤵
PID:4672

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:3796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:5080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:1172

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:1756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:2476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAoQAskA.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
108⤵
PID:404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:2072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:1516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QwMAEcIo.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
106⤵
PID:2552

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
PID:1044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
- Modifies registry key
PID:3468

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:1176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEkkwEwo.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
104⤵
PID:3828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:3912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JucYYkMw.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
102⤵
PID:948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:4652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies registry key
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NyMIAAEY.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
100⤵
PID:2420

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:1268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
PID:3124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:1404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BMAAckMY.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
98⤵
PID:4676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:4036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:3664

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:3412

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:2756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UqkokYYo.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
96⤵
PID:2044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:2972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:2024

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:1880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\umwMsooo.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
94⤵
PID:4936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:4732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:2668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:3964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MccoggoU.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
92⤵
PID:3912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:3224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:1584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:2652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msEgQQkQ.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
90⤵
PID:2772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VmEkIUQc.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
88⤵
PID:3220

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:4036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:2916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PEQokQcw.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
86⤵
PID:4264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
PID:4216

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
- Modifies registry key
PID:2892

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:2976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XaAIwgYI.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
84⤵
PID:1676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:3420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:2784

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
PID:2368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heEUAAYU.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
82⤵
PID:2772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:3896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:2820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uWIQgMAE.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
80⤵
PID:1216

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:4668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:2956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
- Modifies registry key
PID:912

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SCEUUwAo.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
78⤵
PID:2668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies registry key
PID:3216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:1392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:3084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyIoMoMc.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
76⤵
PID:4676

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies registry key
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vsoAwMQQ.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
74⤵
PID:2784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:4004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:3516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:1444

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
PID:4432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAYsMwUs.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
72⤵
PID:1880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:4592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:3804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
PID:2336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vsAkgYws.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
70⤵
PID:3204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:2476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
PID:3456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:1156

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rwcksAAU.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
68⤵
PID:3084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:4640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
PID:1216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:2528

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:3848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UsIkcwAY.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
66⤵
PID:4004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:4400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:4752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywcgkAQA.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
64⤵
PID:3240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:3804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\msMIEEYQ.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
62⤵
PID:5072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:3368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:2320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
- Modifies registry key
PID:4876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:4744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VwQoMgAk.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
60⤵
PID:1732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:4640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:3796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:3596

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\feQYkUgY.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
58⤵
PID:3496

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:3612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGMsUgAI.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
56⤵
PID:3616

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:1176

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:2732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- Modifies registry key
PID:2388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YSswYYgM.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
54⤵
PID:4992

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:1676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:2608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\swMAEokg.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
52⤵
PID:436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:4304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
- Modifies registry key
PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:1236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eggsIMwQ.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
50⤵
PID:756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:4908

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:4936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bAsYkYQg.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
48⤵
PID:212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
PID:4660

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:2320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:3340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HGwcwMQU.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
46⤵
PID:3368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:264

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:2652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:3084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:3256

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- Modifies registry key
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmMcQsQE.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
44⤵
PID:2732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:3480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:1848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:1452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\boscggos.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
42⤵
PID:2668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:2800

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:4224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:4120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmIEkUII.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
40⤵
PID:3568

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:3416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:3340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- Modifies registry key
PID:2552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yMgYUUkU.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
38⤵
PID:4876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:3600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\giMcMcYs.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
36⤵
PID:3224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:2772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwgMkMIE.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
34⤵
PID:3060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:2920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:3616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:4224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hAMgEAYg.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
32⤵
PID:732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:2340

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:2968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- Modifies registry key
PID:1716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWIAEsMc.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
30⤵
PID:4780

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:2912

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:4952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:2380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:4872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmQMcYAY.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
28⤵
PID:3584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
29⤵
PID:4348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:3948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:4748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zcMMYQQc.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
26⤵
PID:380

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:3200

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
PID:3296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:2788

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OysYcAAE.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
24⤵
PID:4120

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:3384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
PID:804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:2912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEccEgMY.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
22⤵
PID:4124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:1636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:4340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiQogUcs.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
20⤵
PID:2512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:2840

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
- Modifies registry key
PID:3480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqsoEIkc.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
18⤵
PID:1236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
PID:4276

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:4732

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- UAC bypass
- Modifies registry key
PID:772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rEQQswQo.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
16⤵
PID:3692

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:4560

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:2772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:4672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYIgUQcA.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
14⤵
PID:2820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:1148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:1524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:2668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\piUIccgo.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
12⤵
PID:2176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:4160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
PID:2016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:2812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GYUUQssA.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
10⤵
PID:5036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies registry key
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:1116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
PID:3928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QuQoIgIg.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
8⤵
PID:4736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:3340

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:4024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iAgUkokk.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
6⤵
PID:4276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:5084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:3600

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WEYoAIEo.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:5104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NoQEYEAc.bat" "C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:4880

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe
Filesize
314KB

MD5
2d8ffbde782b6b4f57848ff6298021fc

SHA1
f1860dbd47bc80512d8bf29265f3fd319bcfb146

SHA256
f5ec9da5672e4665ba179a92e69679f2e90fb87f8284148892102e3bee4bec9a

SHA512
fea8b47d6a42930c31daf28d30e592b597726cd22e671960636f6948eb246e6d2f943848b149dda839f0ead0b407c126e1874c757ab47ef3533a391bdb796953

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
Filesize
225KB

MD5
e2c16695901df575a13946435e465e2c

SHA1
59784262d262617ab017648a7717614b9b190d42

SHA256
187353e09aaa9a56870e476640d0d191563a9aa5095c749d91bcd7bcc2618aec

SHA512
127c49783a82e6c0c68a6733f2704e9264a032423227a434bc70dd0e5a04d8d53ab1f7ad4310588b8ff5d60bc1b060e5c9f45ade077f96c2a884b62f9976840f

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
Filesize
229KB

MD5
83eed48efa15e0da69ab2d5a7bc14551

SHA1
66c64e933a3f7b5cb5f2615ea33b8e839027b3b1

SHA256
541b6394d164b7b0b1f38410359e219f7b201012bb551becd5d1ef4f9e2b3c81

SHA512
4b29d318bcdb4c883537db565c7994c4792cf2583070d9d9378dc1ceafe6e3126646eca1b1a4ca9a664445bd219c31e03b29083a466894f63329c5f421b7e10e

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe
Filesize
775KB

MD5
3132eb0bc4fbd9da080382f2c8830b5f

SHA1
732c60d74aa34c8917f6f9ab638298998700c884

SHA256
e7df1d0e30da48e42fdc3f758bde9de327c97c79affce720877e099ca850ec22

SHA512
624796ab8476e381d9aa8b294eea27dad4c78c747958b0ea820fb5cbb821ecb5ffb52c8bca1263504002bd2821eb6627747dd27b78fcfc9849ec83e945f03b0c

Download Submit
C:\ProgramData\pkUYgosA\IKEQAoMo.exe
Filesize
194KB

MD5
70f35b8029c7db93c8b8d9e3c7be878d

SHA1
2dca4a81f8d9125e1f96baad404eb817f76634d9

SHA256
b76a0d61003e12dfddb18660bbe43d03cf66ecd267e5e1dcfd5980b1d9c62f6b

SHA512
eb4ae20e34ffe26d1d7ddf5ffb3a680e12bb12b740927ac557b9a87bebeaffda90f7176d990022c8a69a4d3295669d059e35a4e59d0686d4995ffa71a89ee521

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe
Filesize
204KB

MD5
a21327249b6cc83438cb5af431717aea

SHA1
761a35c6d88013851c867c32905e055451acad5a

SHA256
0acf521a8b2ae902645fc944ace34ddbecd1c6f86f5f6ff9565d655f25cead58

SHA512
0f5702a8d067d66e259a5afba13e04297b4c0109f66cf2502fd6499ce3506aad9f9943b5eb35d8fea7cd076df33b6f314d0d519f3cac94c3b10a2b138bc459f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe
Filesize
198KB

MD5
f4d5239c2e69c329cb5169b2e300a057

SHA1
e1c569b3a0dc05b39d405d73018a131616e34c2d

SHA256
00342a917f1d255d8f98069f9122e138ce4402bee07afa380efdedc3abacb680

SHA512
ca551735f0aa744ffebc9245ceb82904b77fd57fef5ad49da97ec2bb3db2d67d8a53affdbed2cbf74c1a778687ad61c02b8c74b36c36c032a8cd065ae44c7394

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png.exe
Filesize
209KB

MD5
ba9911054b3ce7309c21d7feb1382633

SHA1
6a82706bf1ee90335f8c94bc233243c70a8bf7f9

SHA256
8e6a7307f14675716edead67e6e39fcfd3f4f83c553131673f073c04cdee302b

SHA512
b2a6b750cc03519360ea85a85ee9b41a3f6a4ec1adfc39a386a119429c8ac5b488a0fe81db0274e4dbfcddcf7d72bb37d74155cd90a17357a8579897c57e0bb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe
Filesize
196KB

MD5
36eae6b0d8108b95288c583a532e04b5

SHA1
3841f37a715d90d333dd5d4eda0e978b38e26aa5

SHA256
38bf36e3a91c48245d62c341417f6e3c52feee85cb7e0a1c768373b6c9492be1

SHA512
5aacce44d2a31d25b494cada25b6002b07541533bf32b94a2d3327721523bbe037f109b9b5bd6521c4575f32e41bae85e1a1dba7d9e19a3fdb4c7760ae0a1937

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe
Filesize
186KB

MD5
2a86efe85a55966175d1db86a0c93665

SHA1
40da6eade2796358559a1752779f72fbb3459d7b

SHA256
1bfbd8cc39ba479743a5a7133066271a04d1ad4e38a20224eb866780625d52c1

SHA512
1e3f7eb33ad3e846dae8c9e1a45f9dafe777083b1bceb193dbd23ac77d555a5b69f0589d401d03847eb7b253882cf2960e0926738c443739a4469b95531cff94

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe
Filesize
203KB

MD5
962895e437154ce37aac91dd5a9ea3a1

SHA1
9028919cc852e1e25d17316ac76d0321ee81a476

SHA256
8041df8ac4ba154a5c3c23e01489a75616eb45bb38e04381d7f114fb3938172a

SHA512
9b114cc78bf760fcc8b14b43a6552c7b23c746f2889abc11fbfe53733d5d6d25fbb33a4e0eeb53957ef38019d5c15992c5cd9f6cf5e8f3bba977655125ab208e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f8b2e08cd10884f0607604c4ece2f20_NeikiAnalytics
Filesize
2KB

MD5
ff04b357b7ab0a8b573c10c6da945d6a

SHA1
bcb73d8af2628463a1b955581999c77f09f805b8

SHA256
72f6b34d3c8f424ff0a290a793fcfbf34fd5630a916cd02e0a5dda0144b5957f

SHA512
10dfe631c5fc24cf239d817eefa14329946e26ed6bcfc1b517e2f9af81807977428ba2539aaa653a89a372257d494e8136fd6abbc4f727e6b199400de05accd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAYM.exe
Filesize
196KB

MD5
7466da70cca00f2336550a4716464a0c

SHA1
36de93052155a7912f9c1cbac9058ae72cb3a3e4

SHA256
2f4d6e7163f632ad529d6e112a585b1395451cc19d04fc5f10b3ca82a567334a

SHA512
b410ec2ebd98820779ce3afb006362c0b81e091d147a7e0bc6bd2a00a9a961118bca70769bbcbdb82e7601bae0a13d4d059b310b574d2cab6ba61f1c660fa55c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQIE.exe
Filesize
201KB

MD5
0a4a91c696d25c61956742576e4e95f5

SHA1
ea71bd6a8507d71c328ddcae1bdbff391c6f2826

SHA256
ebb100b86167a5a28ab4ff3a5f18d0d6d61a38924f99dcb8040ed1d6c1cc1d13

SHA512
de346e4ea442b4c8f8156b91765c64b7d81e91769dc399143f6b0689a510453b3cea5be2c9aea4a63398465c1a8d74fbc7b93f838c2319b9dcc6702f2bd2f223

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIcc.exe
Filesize
210KB

MD5
7b604b74adac36ce218b666e5416baac

SHA1
969d3eba4464ada6d1bf8bf58662320e2d7e93be

SHA256
d30441c77e066c2c2fab9063b28c0cb4a3cc2419952ba346e71229e96f21c24b

SHA512
4136e748a12b891a3d6849701762821f241628c3e940600fa54f7377527b58be7ba9c6715637ffd8f1b620f7460d1a6d03d995521f28a20f723a61ded0935a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIsy.ico
Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQsk.exe
Filesize
188KB

MD5
0c76461c3056259a8dadf6658f545bf4

SHA1
6c91ff3432db50e9a873fa5addd19cee04ebdb9e

SHA256
c1d01780627adbb2e51623b9202d4edc2a0c17194329a330554b0e50f42b107f

SHA512
8308cd8b56b96aed9c9d5f7365473cb1b40211bb48262a07eb3ac51a5c704956d320f6858388e30b8f1e0889cbdc97cee71aaf1eb734d12da09acf241a0a9404

Download Submit
C:\Users\Admin\AppData\Local\Temp\CkgA.exe
Filesize
191KB

MD5
f7ed4d09607fb2bc5a3c79eee3501fbb

SHA1
1cf12cfbba5dd3316744ff4532293407e145a1a4

SHA256
3f83b05a93f0d42eae42a520e954d57ee8f1003f0b334034c48853edeacb0252

SHA512
fa8a4b63d577ef64c6d7fe3eddf567986bd84aa0cba550cc651db7dc7417df8338a0a293d3b18e4ba3be4faceab51629ec3b0d6313289f39c3c40593799e131a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CoYY.exe
Filesize
791KB

MD5
b0bda536efaa4bafab0e583825cda1c5

SHA1
f2977e69542b9f02415a8f37d75c381c78232c2f

SHA256
04919a21d833d8bf92bb26292fe98ae9dfd969a512dd2fbbf22e619c257a9d34

SHA512
1f7c0521f2b9a27f317a21ad905be465380b950cd7614c21a320fc20b6cfcb29709269b18bb1d471e43807a2fa08c35491a8bc2e516eb7fd92c4a96f5ef36049

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEMm.exe
Filesize
262KB

MD5
dcefd2a4923ad57bb7be39d397b00c92

SHA1
c3b69b5e3ec6831858afbb1c460955ad8f2d9848

SHA256
c70eab236d1188882f7589b786263039d07b0d4dd59d558b831635445b88203e

SHA512
6d85ca3fb7618e5e68ecd5084f81bbc72d26ac7ca6c30a4b72ef3618f655630511f45536c9cc4b7925bbeecf90ffd737418c042e2d90ec7c4f47ac5037204cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMYW.exe
Filesize
834KB

MD5
669b47c0c9e445178a0810316f588f3e

SHA1
077d24ecb3c0adc0c2feb76f78cf3ce852326225

SHA256
3798f1ab14ee7456604e3452e4f3963e51f279641c005eb565833543f1491695

SHA512
847d82e5b09df9b88daeba08da9f4f59a86a83057550c3fbf37b1224e0f5199ddd6d33263048c707140ef78bd389ce75a863e9390d784b18a7f1fcf65cbd137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYAk.exe
Filesize
189KB

MD5
40857382f11a3d7e4120131b5630af40

SHA1
3606f5c5799e35437124b8ed34d5fb4d90557a1a

SHA256
908910e00e11987399f2e12e830d1addbb31b7afb04f421c849ec5368c27563d

SHA512
377d8fd06a84c49fdcfac28bb1a737b0f9e162994f91d98d005bea1aec1a346e0d1d7def0ebdf26291b23e830b1200fa7e7cd9469eb313ed1235e306c819cd55

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYEw.exe
Filesize
222KB

MD5
0dd445fea23f412e4fb241ca1555676a

SHA1
66fa2c1777d258515e971b1277e94e060973ad11

SHA256
82ec98738c6516be529867353958b5314cae3070fd03ba470f3d429cbc927e00

SHA512
10a1fcf9ebc839a6794a6f47913f6e0a4254daec119146f003fda56124b1d81fd3762ebed95908143435bde40d3f7e81ef1828078a433a94420504af3d0a53b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EcQQ.exe
Filesize
642KB

MD5
d750e3a00444419da3e8422fd25ab51c

SHA1
5da347f0af78545d700966c67bcbc1609099d4aa

SHA256
738311d7500b79f22512680d6fc75301ad20f16dbb86a01c818ecaf4b908a74a

SHA512
32679616b5ac7b9a074c5601d710f0dc0cafc063b9919d4c17201f672f0d475f6c24a99bc6685c75f231fb3f48bf99e89a1c6a15dcf5c83d03e6d09844918100

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkcS.exe
Filesize
206KB

MD5
5c39a51674a1db8765f1c3af90494961

SHA1
3d026764a73f85db3aa2f7fe658c992f46d0956b

SHA256
879f0b193f6afad15ea1042376d5aa5d71078ef00caadd1aee657553aeef4900

SHA512
9ceed54ec27290bd5482c5e60b0c84a293d86fc75b6558ad1f4953866bf6bad9de6a646f29d7bd0c8d5f63a8a32bf7b6cb0fdf3add6f6a769f696eb311ef1b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYEQ.exe
Filesize
192KB

MD5
7afe219442fd8aa788f0edda4cf11ec1

SHA1
d6b08853cad12c99269f8b05967f857f91523499

SHA256
4dbd48d70b0e38428f87c4b3eb5d77d26824c2e635d1c98498cdf6193a998d51

SHA512
317c62dff25314f19c4e1c232c2327a8b9c100621dfa69ff1cccc68cf8b5b5584a96307c992ed080576634e0e8613f4baec1c380508a2dd8163804882c23d360

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gwcw.exe
Filesize
770KB

MD5
4489e79ca61d8f6728b13fcd4aada6df

SHA1
0abaa1bb5765c2d2252018ee9acac978ec677c2c

SHA256
6dc81d4f7f4ef8f25eb2ed7d8637e70824a9821d05bd61809f1bb9f85b9cd62d

SHA512
deba90439a7e3cc81a58327cba03bb513e63fa4e7a5a82b2811b15237ed447a257cefad1481f962e1bc39a33620b5875ef4dd058031bac6d1d0967f6cfb16757

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAsY.exe
Filesize
202KB

MD5
e86947ea4152a6ee689d39da4dacca93

SHA1
c61dd17c5ad80ad835a916be5289f78c06d66a32

SHA256
602ecbdac600764a316acf434ecf22bd7015e4144c17e4ef3796be1e64b3af06

SHA512
4b0cf344adbf6e97013add85d8aa4a9a56a069165dcadd1e1c7dc25ff4f9fa74b4212790facba426162c7f01524e84e048cb0f0b3aba6cd8fb773f340fbeded2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIkQ.exe
Filesize
1.2MB

MD5
6d1b27a75798ca79205fb59ba40703d9

SHA1
78a5edf5ea3fe287d7450c12f7919f27c338cc70

SHA256
4731089246178c84ddb8c9fe67b4f856ccc64e273a0c6d3a75daed994b507b98

SHA512
55dc8262779518fb075a74a06542f2e18a3d2cde9c75a0567edcc793c7dbea29c7251ede28cca513a28fbf08e04e31e45e7367fd669abe9d73714ebb70fe84f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcQU.exe
Filesize
696KB

MD5
17cade04155b67d3ff40b594b4bf3b92

SHA1
265dc1c2b0f44a059c16f1a87689cd5298a27552

SHA256
be22efe7aee2f6c73e19fc1e8044d5adbb96b580d329e257044c7d646f35e226

SHA512
f0c8f7115f907127177cb23b067be047a9d96addc3b97ee80fd4c37f0e86b907e299554c5a3ffe6dee5ad64d5b85a105224d3b3c45fb091f58e1b222eb6320f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgIe.exe
Filesize
193KB

MD5
d909b811a00d7ef67afcec0a4c310b87

SHA1
b4593f9c53f3b10bb84e4e4df78108f6fac97459

SHA256
fdb4c907c549b8d82b188f8114c815c2caed9d130a0f675d6d183c3ce6155556

SHA512
92b8c10488dbe693cc06da1643f2f6284ca3adb14bb3fd4aee00ca5f96551ca2cb6f04a6eac4a00b9e1e2b51d0a636da6228a66df3f914bf9175c3c6062e7e57

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwgQ.exe
Filesize
209KB

MD5
0becca631dd1364abbec933c60567209

SHA1
94fa3d1f5b6e1e0bbb1a22ccdc9121b123d274ac

SHA256
05db9a3ce01b3a80e39e858d9bfdc65308310c07141dec629b771033476fc567

SHA512
52798dc69fe402e26c27403dafcae6679cfe5593bffd8169cce54e9f737d71c6dfae718f994138e65052cccf97ea8f2e25976b0e3e94dd47dd7c39dcb205a3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAco.exe
Filesize
227KB

MD5
ebe0e1909decb1eae3145fa7f397c991

SHA1
1181ffe2bc3893a3514fe528129fb29411c963b5

SHA256
41b4be255a720543df85e981140c0c0cbfe1c2e10983bc8b93d1eac1daa4767e

SHA512
889dc857602f7a0c77983d3146218e00c4c6899fc0ffdf679ee479c94445d3d2143cb94c940ec37b2ceb3c090726ebd16648e2e46c4e4f6e085c6ad4d01dacef

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEgm.exe
Filesize
958KB

MD5
cf7dc65e67448c0180c925f8afb0e7e0

SHA1
ce08a1feb5e966480420f5bba0de8e9a96494f67

SHA256
a23df5990704aeb39b557f5ba75fff451ad2fc41db89728658d1c58984762c2a

SHA512
2810cda7dfe4997af9e9ce556b530571a93879b4cea7fc6c5aa60992a4ec58d13e1b7bbc0f22e2b2683bdbca751dca6c8507d76a72a6a7594ffc96b031e7aade

Download Submit
C:\Users\Admin\AppData\Local\Temp\KUoo.exe
Filesize
198KB

MD5
af67e98a7541a087988e57d857d24c10

SHA1
9a2f9152f7df3b8137e6ee0f843e535ecc42aacc

SHA256
b97f860262fa4656692d556fd39cd290f915b7c18a620050156483fa98795706

SHA512
9438db0e18e416a80977f167a8a3eb748c2e67392c63212c14b3767e50a45096d1236698e383a03dd45c822c28d2b26b9d5a0a8f49e54199067d55c3bfd252a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwUg.exe
Filesize
186KB

MD5
c431f1513b0812a1dd2ee7c2c2dd271e

SHA1
6f02e3de247d2dd1e0746848e39f0364e5d1eb56

SHA256
e5b7aadf28ec07066b516db7ea493ea3a5a2c0139d4596beb2d88bd01a278624

SHA512
c73c7532391191c53993454bfd27fa8455e4d97b23ecf71369261b4eda02d9ff259c6bb6ea7852911ea02ad71c5af0e6030e57415cbb3191396853906b3c453f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAII.exe
Filesize
322KB

MD5
df14d65e4cc4ae9b05bf310c55350d30

SHA1
67f874e39ab71de28020460692ccc862caf5b3b3

SHA256
1e5bb30c24af2efcaf0bc893089d42e583972664002932851141684274d7b448

SHA512
1638be1f9962ff68a68ed11be3857fd21471650022f0aa3c7abe951513847b71ec63fc937b0306887c00f4046e4a6d3cbc6c3ac23717bfc174705f73030db663

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIYa.exe
Filesize
641KB

MD5
4199bfe2944f3823908328fbfcc71be9

SHA1
6a4f74fa5485239a9367bd31be0fd7685dcc8d70

SHA256
60987f4d0a65c67e3b514e59bd502606abe7c1e899ddc6a1fb232781a876600b

SHA512
a7fea5eb95ad19489aaeea8194b98f8aecc06d1c9be43c1d2692669f0d5cc917d568065c217cd88a5c9c306c83737e2ee9365ec245cf6f1d8ef32ecf4523e984

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQoG.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUEY.exe
Filesize
201KB

MD5
2deceb8b09215c3af9fabb2a6f85d349

SHA1
440a71c2a22d051d16b2106ece4211cfa3be561a

SHA256
665fcddc4b4d3b50fe9fd5396d1fc3bd46340611669037d6a728780edc292440

SHA512
9753cb07f0391abfd7ccd464c229a258ca9cab2a5939014141c8cc029c9c55b2f584e286d76772ec3e8e079415b70b181e1c8f4e27c422203c7ce27fe12666b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkMg.exe
Filesize
558KB

MD5
19efb5c5715c6e1b65aa8e216b462bf7

SHA1
faf0635d0d2f15c04a420f131f35b3dc6d766123

SHA256
31e008eba59abec3ef65c4fb026c844e6be29fbdb912479e28a08d9e1a0eee56

SHA512
c448a002a1e216514a09340e36dca16efe8a548a779c94948cda9308bebd7f7aebc84904cb5c67994bcdd3ee113fc985be45ca1a6933934f213f39e16a42a808

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsMm.exe
Filesize
425KB

MD5
ab5b674c2d16d7dbe29e170abda853b0

SHA1
7b5601d776780341c5b089532381a34f939e17aa

SHA256
7940daa4f00ab2c6053bea7e35177644247c4ba31bd2aaad178a20269eeb85b8

SHA512
ba98d686cc894c48c3fb100a77f35d015bfce28fecf1487ab86d29fb822640e54d734bc2c6bc6cc6d59c6d29a6fdd4c4a1f42a60c4b1079822104c8ddcff7313

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsQm.exe
Filesize
657KB

MD5
8e126fc5bc66c1414e6fbed4f66407b0

SHA1
2bf3beffded618b3705b9dad7dc27fc8b70296ae

SHA256
b140a7d35046ec39e0781178c40e9b3f101b5dace74070d3f02fd99ea97a676e

SHA512
536c63e4b40b1e95ecfed5a4166364f17dfbb28b7f5fd885f02ff5c811dd1b17e7e7db1828dcd9e29c3d1ae53580cf5943818ca2c22bace179c4ffbe97a41e65

Download Submit
C:\Users\Admin\AppData\Local\Temp\NoQEYEAc.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMMq.exe
Filesize
192KB

MD5
5d461ebffbec5ec3ab1db1bdfd3892fb

SHA1
9eee739567081e89a503df9083c1f421bbe60abb

SHA256
483c2c7292b80af6463c6631e0e6234be9b186e1209963687d1d6f20571afaff

SHA512
334aa4542aab6d879d1580b9598d751f4d36ec8bd5b777abdc35983a91b63119e238b72b66f131171f0bfaf568aaec6c349ca87e6bd55bcc34857d38906dc730

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYEC.exe
Filesize
199KB

MD5
5cf07c2e944b32adeb4eb4dcdd3febb5

SHA1
88e014b2564afea2647abbb22f8e0e3e3d3a490a

SHA256
55ab6521ce4b5daeb1d584a4a191dea8936efcd314ddb733722620d0585a832f

SHA512
e059de3325f7340f0934b49c9fa82e355b18b35cac9bb0ce67fdcb63d09a56be5d0a10954d61bcf4e0777419365b7364006b7a93dedbf3e4917a9ed5c441fe72

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScUO.exe
Filesize
5.9MB

MD5
c34227cd87e726780769b61f50797982

SHA1
6e9a0bd07d0a1b749ea7b184b3798693161d8339

SHA256
43dc7ede8047e71ad1e683af0a5827c428b44403447a9b43a77f36dec53f172d

SHA512
8adb8f96e71e0c88258a48599709fe5c24e2bcedf3f34a0981c127d2c9ec5356b08a519f85f44f0fbb88de34a7b5121224c050eedb497b0996afcfa8abdb5497

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sckk.exe
Filesize
201KB

MD5
a62d917d3d73f500a1db8e38465b47ab

SHA1
1236147aba84c0917f09296636feeb9fce716546

SHA256
46c6e906ef75f90a1a2fea6289687e347adceaf5936e62612ff4a6e193d4ab72

SHA512
fe0ce6de46883c9606769eb795411534c24b881b0715bc821df724889a948982bbd92dfadd9b0a9fee2e9eadcb57d28236507823493ead30d09f5fd89375dedf

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgYK.exe
Filesize
198KB

MD5
417ab4d10218b4fbe054b5e9a8fbd137

SHA1
ef9632f1d130a21c0caae8684b872cc91ae7a7b6

SHA256
146161143f5798f2b84c0678d3696e5d1ad0cbfc564675ede5073cd3ff54c9da

SHA512
2fff63ca6996dfcecfc1a4739859c48dbef5fe2844abe63f11744d7e950e1243a4a93a46d0f545bb4e8d0cc43c8f6b2de30496ec30629dbf074804f507d3b8d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sogu.exe
Filesize
202KB

MD5
cd411147d9cf0195e80ff44c47161003

SHA1
ee6e2ff510636add7b6a8cdaa40d1617d23d0dce

SHA256
d83bb641313f5bfa7725d5e115418538121eb1ff4984a33b490da15f76f2bf99

SHA512
64277b9f802891ddff672b50fbef189d38339c045cdd37a5402da6dbb2c1c156cb6377378e17cd11f29d3acdad02a448b019180a8cfc089346f7a251ff22ba8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwIg.exe
Filesize
201KB

MD5
eec830ff2b53ba0d62926d54a000a8e4

SHA1
0467565c0013de710eea55d380caa195011f7318

SHA256
f0735e33e7d8b0bf7651d1193fe96ce27a105332bf22d89af5212045dcbff4c9

SHA512
b40e3ebfae26ecbd9843774863327c04608a14303a2fa4afb1b1c99ca9debbaf0009c7d383a81a022e0a7058d48e14d49e11a6c43bfd0e09de02e284d0d7995f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAUw.exe
Filesize
187KB

MD5
64cfe79964dd1446d79eced254f73b4c

SHA1
597bc1b24632517ef1447e4b60b0a90282db255c

SHA256
61475c2da568e6a8d1366195e6866305cd446c1075e0379f15feafd6eb3203b6

SHA512
820ab1ec762fc5594cc8d181d10666d964c4cf177d935e629d1571f61d2a3d6530b9cf9f706e0a9ecb1bd3f8814b3e927f1cc71322b1249e162eaabf87f88c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\UIMW.exe
Filesize
202KB

MD5
690d9ea84774e600820b3617cdb47cde

SHA1
a58eb72790e60a3bf60ff8c7561d959b541f3b81

SHA256
d772831332bbd319df7dac17067fc93f4835cce68acc40686cd033a23e86ae78

SHA512
9f3ab6680a552f07f297d04175ac29875c49871a53a3aa02beb1fe73c26f6d738e7ee464392f4de363e689d8bf88de1e5d5ddf1ce4a2a1d0a6a30bd0ff72713b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQMs.exe
Filesize
1.1MB

MD5
f8fde0240462b5fb8a56d84e1c956920

SHA1
87c7a2b829f03b118aa7c4e6c6c86fd71d47e7c7

SHA256
0e788c993a24f5fcf14e158bb935cb1654c77699e0741d9874f16feb976fb362

SHA512
375c27fc0cbe8572cfc8fc0a965c4e98d5cf617978e2dcf71400c9435a535888d2022792439ab546a1e59bfaab0945e06d6ddcb3046529dce5b17ffd6102a18b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UogI.exe
Filesize
799KB

MD5
c527ec492651746cc69ef22a667db0bc

SHA1
4a1412861fcd9e4156010da4d7ae144a9facabbb

SHA256
3ea691b28dbcef3905101da1eda990b6fcfa698780768c265b428a04eb211a5c

SHA512
2e97730f849e0fbaca5f6cf523c6247ec556db4500598f5f5af52f61e2060f175b34c808bd05b621cb30b0de2f02954ce4e36cc1e8dae1844bed238c9c1a4bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAEa.exe
Filesize
1.9MB

MD5
740faeb868a23a59734748a8491c1cc0

SHA1
e88e057be9e9d37cbd8835206d96b3fca72bbcef

SHA256
5c0e3260f10b9c522ddbad4152511420dfec78745fe1f4457d4dc47a8cd8f13c

SHA512
7e658ac16db45afc26608b99da2bdc3a97912a746b92cafd1559a0c40bfb097cd69d96049d1ec10a2d8ab3944dfa8e747773fc37323317f2a5dd267edf2e2411

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAYk.exe
Filesize
838KB

MD5
129c086e97bd0533c4c67268cc2af061

SHA1
b46cfd207470ddaf239f424f92991f3d94af6b20

SHA256
3b567d04171adb888fcf6aae7dde787c7fa8b89c2ad3c5de4fb5f68e1a5d31fc

SHA512
fc489c03c0cc1322a7f86f0cd763c8281daaa3d251b19fecd6fdc22f380480837dfd9b229dc44561185f5071556a4d5b8dacc5343d58d9e8e39f99991733c296

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQwE.exe
Filesize
206KB

MD5
0cd37d00e4de448b2c13d47fd552e4c5

SHA1
b73b83154d2020b1c0511924731e9f9b8f5edc49

SHA256
7fe51b8b889fc5c0a886d467bdc623c42c0623fb8db35203b8a4c2e7359f86f3

SHA512
1807c3fa8ac320efdda7e433601e92ea2cb9ad937e6acac64b3335596b9ff0752c7c677cb3ee1d0e7b6f5625fbac391d37848d2479fae55e1d19484e2a0e0f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUoa.ico
Filesize
4KB

MD5
915b89b32206268168c5789d7c55f7f0

SHA1
37aa8ac4a21bfd3756457063f300caf5150d9cbe

SHA256
1aa540b0acfa68f313963ae32ca68a5b3cefb49217cbf3b9e0b9eb98b9b94b6a

SHA512
35ed5562ec9fcefca9bc1644dd8fd7c28ead223eea2100eee38c51224332cc071cb7a122f750144d1d2b38b3580dfd8025cc59e0942a97f729ac39bf3fbfb9ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsME.exe
Filesize
200KB

MD5
c665bd8b0e89b4a8c24dc859752b4022

SHA1
c3683dd2255f84863aee79da3f6dc25c2d7589a8

SHA256
76cadca67ffc9f5690518ce19074cc30509766e99c25558d1bc0ce815fa17ba0

SHA512
dc66f932dc84d960f85249edf0e4e2683863379c6bf42b903ccff28666dc947e24627e2aa2137477fc5634b4e26a065440555b6c3ced699ea2a3e7aa37f73908

Download Submit
C:\Users\Admin\AppData\Local\Temp\WsgC.exe
Filesize
196KB

MD5
3f27548a8915dea36fe884aebf779f6d

SHA1
3aaebf74eaff59e157589494a11ef11ee9abe1d5

SHA256
ff93f8c14332db027e386db95b43bb90168913611efa0a9e3b5830ab4cc76872

SHA512
27950e99d8b581482b086035025cb0e1e07a855ac71bfd323f895110c882332d6b299a10d716038cb58a08bfca9f4edc2dd2f0a67432e874d59f5316c0a9270f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQYC.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\YocM.exe
Filesize
209KB

MD5
dc274719bcf883a8f1db499647bc99a6

SHA1
2ee323aa5ff71ecc524788fb87dae7a9b9439e4e

SHA256
ef459e14a07215f8af02f5be9912616a238aaea968532afe160e7df6372db4e9

SHA512
ab76cbc51b7a99ae0408d4fc5d03d2b54b107b0bafaf8140307125cd64643b0b87ab0ba049f00fa2397b75261e1f86038b2feda507853325568da326ba669fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwQw.exe
Filesize
213KB

MD5
546cf4f9f74ade8e0cea6f8d4ae9a799

SHA1
1976000297cb7f9aefbdfc06584d881979a31838

SHA256
84e6ce8e344a4e6f5c03824a11f5cfb306f71d9643c396542effaa5cb67df682

SHA512
c8741282a3bf6730b102fa2c45e5414d9c556850bf1595956d4baf5227c4514e6ec3a815677f6ae3225a35baa47ca279630efbbae1aabec14db580222f475c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAEw.exe
Filesize
629KB

MD5
f5744373c852b73730fc6d1ba9c6276a

SHA1
2d95e0eb3592207a17f444f19b983ca9bf07dc56

SHA256
5b566c09c4424aa1f31fbd165489bd909d39b6ee6ccb6e840d90a853b0844484

SHA512
af85e3f43386b76c050a8420fb0239feb1dee7a9596b5560e76ca63bd3a7dd5fa50736a26a1877350ff1afad2243379db322ea31b73804c102340cf234334691

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMow.exe
Filesize
194KB

MD5
f5c9ba6be44f493211cc1c4a6c0b60af

SHA1
c2bfb51e3f342f01e648232570f2eebf3932f68f

SHA256
61a3720fb6372bc81d78789080ad739bb1245a546517383593be53090fa82eb0

SHA512
b56101439cd6e0a6aa92dc645f99b75b726f87e91eb73a685eb15d1f84acf12215684067b24a176921de1d2cb4d8a973d91b10eb810fb71612572c3c710bb89e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEIy.exe
Filesize
201KB

MD5
ff5fb65a38f31074d26179765da0d723

SHA1
d65e8a02215aad19535750bb763cd7a22807b335

SHA256
34850cb874999ec754ddc8a77fa0629067e3d64bae04a4a260778872ba706b8e

SHA512
1c3e7ddd7cb7e6acc449830f77f810fdd655207ea7bf9ef8cb8cb2c3c52eff1460c009bc45bc3c37447ce27120852370c0efadc69c9d04b765a2b9acea20b9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cQok.exe
Filesize
819KB

MD5
cb43071a8330cd61f0f22f95c498e3f1

SHA1
d8382ee892c382604cdd2a188d695be31fd70748

SHA256
db0be4de126a3d95a171967f2112d09cc1b4027b1095fa7bfee59080d8b39803

SHA512
5a147ad42fadb8e678cdc7eb9b4de02688152d10965c14f7d63fbebc83df9013cd42b3298dbca0a3256757ad86f1c754aee2db2965e42237b06697948e3060f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYUE.exe
Filesize
200KB

MD5
94df7e5214124e63c5ea1628b8c93fb2

SHA1
d46df9eba82bbd083adf94f2ababea9d990b364f

SHA256
a0672262ccb2199ba8cf089531c0a1c2fa351f3bbe24860b743efc26a516f8cb

SHA512
7d739d31125a2f378bd7edeac9772f2d08359c11850a0640e9702aa8eefda3d368e8c0cd0c3cc2b1e75c4de36f86573cb621046f3ad05e9babe35cb19ab1e0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cgkG.exe
Filesize
1023KB

MD5
08aff6590994c4a2efa195e8f4b5b3b1

SHA1
698012c022a1459c26df167074e1f986e11e619e

SHA256
5282a92ab7d8725c55201c81cf1291fe87f8600b8115e6b9b8cec339dc8308b2

SHA512
ba343ce15465e7c285b8feef8c606af230b6673ca20b9c693a5b82a2b37a1069c58bdd05a5ea7fa0627fd0bc8f4fb9ec974499f1430426c742388cb58495ad70

Download Submit
C:\Users\Admin\AppData\Local\Temp\cksO.exe
Filesize
199KB

MD5
3c489b404f3c980d1d1cfd2dd052b463

SHA1
5b194bf85da5e540b5c469ca99f042669a1554dd

SHA256
0851096560947f9e0af38090f66009bbde5a0a5571b811d06ac5aa8e5accfa7e

SHA512
9610f07251a251c9e22c2186f8cbe10a256c759f06c0be0e3de58174f81926840a1ca1fe8673a6b34c3a2b01ec92d5f08cd59538f9cecd16f3db55106a8fe152

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckse.exe
Filesize
222KB

MD5
57f3d4c67571e68ff1829fb77f1260f4

SHA1
10a2776b0524b200d1d116ad8a8df9704a86340c

SHA256
3862fbdf6433e77559b433aafc8e9e62aad959c00e5cec4fe02793cb28838802

SHA512
fd613fcdb685b5860b0507007a3eb238b98e3f7c2fb312a4138f340f392fd837871d086add824fc61039e14d2743c8745b109199353508070e718060b614bd42

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwge.exe
Filesize
206KB

MD5
22a57b59eee53d2bd97393d0e2b49034

SHA1
4371418207b3551640a66d1eea67c09501946d60

SHA256
f10c55ea49115a9bbd11b73c3ee2b9682f12de194392224a5e9f84021099adc6

SHA512
d382d18fadccfd0e2196f765d06266961f8a4e7ba85bb524c2c81a00132efe3b9d7537efe1b2a4c82c0fb555cbcc0ddecafb69a38c599871c53cba4be405506e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQIQ.exe
Filesize
858KB

MD5
7d0625dd098baffa558d83417907313a

SHA1
b224473ae2898dafae98ade83c8842d75900e689

SHA256
bdfa30c117bea3f1fd82c352a5e26ac1168308542e22262d7da2ef370e386d95

SHA512
99df7718afbef3e81467eaadd119d3b09229c65789413e87e94c383a6c6fb16c8abd2809855e6b04dafc1d63d9d9eb0a77daa52c4e89077b78925adedb8284c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYcm.exe
Filesize
191KB

MD5
eab5279150a286b501f69f0d045ad9b2

SHA1
b893fc99441f7c7cf977ed9a59812056cf163873

SHA256
8f879b9e30d726977c4f3674effd0b8b8f1827cecc56a503e69f219ac2caeb17

SHA512
241567b9eb51d14fd3ad864458acbc3ba1f402fc2f2f08278bfbdcfab5b4099502cdb1f656d9bf13953016d3fa71cb4f99d5c8ec9de65aea3bd7ac78a02ac280

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoAC.exe
Filesize
1.1MB

MD5
da16ac473fca36293de0576161e5e49d

SHA1
00c8525e6595daa36f787fe4b0203b7198a09439

SHA256
d5051582a51c02492071f944678d05b42c5d4705ebad784c5d1abdc7d07b81b9

SHA512
8b7c1c2790c5b203a24c28252f5b3210810fc6305f779c5d6633e4d9ec72021054550e8dd9a3f4ccda08b780dfc93e7712af1546886d0c0c3a2a37cf029576b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gEQm.exe
Filesize
225KB

MD5
695baadfa1147aae70f8bd68671c81fc

SHA1
facb425f8f80e06907b06b26ac3e67425be44dc7

SHA256
48cb3767f2036a0039c7a7578b7b59093ef51a3fb06d608a778eecad1ec29f33

SHA512
8334ffaa5f13c381d856d158b1243bbbbaa35fe52da4b19545f0a93bfe1b357ede9c46d948addfee57b77b4b2bef1d904a7112e5cc7052e4db25838b900b4a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIgQ.exe
Filesize
802KB

MD5
69a0951118bf45c306b8d8deedf996dd

SHA1
da8f1db5504ab381426f9b4a4f4879d0faf2c7c4

SHA256
6b8b77a54aa43e9ab899c5af1d3ee69e5e6aeeb5eced274c3f55bbe2f57ab2cf

SHA512
0e2eec56d17b81581b96b6704ef446583f11a4c696976cb16c95bc24b35d66863684922c87150ba625ab2a76a5fd56cf626594b962f306667f79e1a8c0926ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gMcI.exe
Filesize
196KB

MD5
5125c31bfbcec247d4f958bfc02f8abe

SHA1
bf89c76ae3ba5a9681031cb26d0abb5daa3612f5

SHA256
90d3939ccffa945ed417d4403e994550f43a7fa7a9bf2ca2739f4e6c95368173

SHA512
3e3e183f40c5d8a9c05f477c2f70ce81422880704b56621bc9580320fdedf3260957e1c0b437a21d4b13d8b545f5c1a90e685da83b7c207b8ed52246a57cdccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIoS.exe
Filesize
640KB

MD5
87afbd9d2fe2a05a4b20abe2beb01da7

SHA1
c00c2bc3c6ce2d09dfc583189eb5315143524620

SHA256
55c519d5eaeeeff154a7e763b7ad6f982f8f4a297fc01a37c55f39bca7b3abe4

SHA512
d489cb63a749297730cd8942247dac34481b25d0f49f272762788c485bf547f2a248d038dd73b76275cdb9e1ddfca1fcad66b98b066bc1cecb042870a4e07369

Download Submit
C:\Users\Admin\AppData\Local\Temp\icIW.exe
Filesize
185KB

MD5
d5e6268fd557542d10580879b78326de

SHA1
00c5d227eaa963143be4732f6fbb8704c89e9885

SHA256
1f4630ec77ee5b64bafdb883ae4bece63df5ee2a7ae85c01dfeac9088699e123

SHA512
143d027b95e3c03aa2666be95b9a674d281d0197ba76f1282bbe1ddc41db650470f4e5e958b76c379b66522a6e6f5e13f991efdc0b7dab8802d50e7130889277

Download Submit
C:\Users\Admin\AppData\Local\Temp\ickG.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikku.exe
Filesize
663KB

MD5
cf81cfc151ea8d9996a7eb166075cad0

SHA1
488a75ce769460193e07833d8eb41f93d545f389

SHA256
e64a745cf33de054c457d4d95a8f5ec819410d715ac0e72490eff3c1411156e4

SHA512
92edc5dc50755edbdfe0ed05fcdf276af56bc9998fca63a7d517586ee6f6a99b771cefc239f37fd756546d499279600bb918053f1825620e8d72f6b92f277b6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikos.exe
Filesize
195KB

MD5
1ea0dfcfb56579b9b7d3fb3ca40a56c5

SHA1
2a1682e29a87d4c845d5c942ee4fcf6f98d923a1

SHA256
4bb7a921de19ab078e66183c535a445893db61709ab70ec519f7d83cae329e9e

SHA512
c60ea27e6279fbbd826eba975c77d79a7a4b914eea9389a8a0ef02b1e7847fccde9c3e5d9c3a93a758b47ca2c0b8617b71bb5175325e8fd3faea3ad408965fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioYS.exe
Filesize
188KB

MD5
f7e1f6a43b9463309b139c1c074f4ef7

SHA1
dd6d4e54f1d6d5ca72220d8cb93073bb7608de05

SHA256
1c333bc946303ffdefecdbdd1fccf797207f60940bbec2d2397f15113be5e441

SHA512
16dc5bbd0d7ed1cb63f3aee95a800d88c37f2f7c00b037ca311ef6c6eed08f0fa17cf97c7ee859b0c7e3723c93b9886ba84b1b9dddf350233766714d18a79a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAIu.exe
Filesize
212KB

MD5
57eedce7969d0bbcf8a1c641bbc579c8

SHA1
109b13956aa21acafa1b92e776cc5e3888f2c66b

SHA256
d2afb4196d67f72c22ad5aa6107df0b1b770b1bfad27a97cbf1de4b7ff49783c

SHA512
a7f54bbb03adbc0ef9a8eb1ab2b8c6c5842e01cf45c107309e555e929df5b681ea72bbf1adfc3fde44fc0ca75e7a18d978de9bf8e4407eea4b86f87dd712d7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMQI.exe
Filesize
324KB

MD5
9037e1eba41f71fe53a5aa0e49892c78

SHA1
5fd597cfa1b3d4900cf2ab56f147e803c81f57b2

SHA256
c713e768ff62ab5d973aa01a6d2185e80651a7255a179003a7747836bf58fe33

SHA512
ceef69178772cc090f1c35a77c0654d387be935d3278298a77ab596be50f696d395afd4ff3865007242b58764a3f2e3a334176637a1a830ee03064fa0bda40da

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQcK.exe
Filesize
866KB

MD5
b8ee1228d53d58803f20507ae7e58df8

SHA1
fe0f8519f271753fcb0bd2f4510476ddca149747

SHA256
e109439c2887208426c8068dfd604cb90e54c6a2da67b9e1210ef321b06e85cc

SHA512
32c8fc25309839781dd4daa6f7e464ee5b8b702625c36b664460687a45e0cbd026db2bb73bd5dd17588d2ae85864c06178cf9b73ca8fdef8abf41f4757951475

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcIm.exe
Filesize
806KB

MD5
c180e11d4963d9bb04f7550613521d5d

SHA1
453b040e21ac109b6ec7a98f10a2d52b04800fb0

SHA256
dcfac279a31808a3d251e2f3b075251dbe0637b76416f9158b81f7be8a6b22e8

SHA512
8be12cc964d0fd7ebda8e952c369d3501acac82beb22f0cc198fc9d1fd6dddeb4c08995198c62124a90b486c58bd32707c94a648c20664911d2896be1c63b1d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUgu.exe
Filesize
508KB

MD5
95a27b0cd62dcaa9aacba2b8b6d99751

SHA1
7be10339327de1543d1b5e78461c9bc3c83008e1

SHA256
a82ce8df3e5c0fc2c7097b0e96b368d4d1ec7f0f19c18c7fb596840b9231c233

SHA512
9faea541ed76558799c4c033de20a6c43c2d2e3055def0c3d662b8a128b323a77d80ae28ec28959c987034b354d7a027733e6b9cf759d8aa0515b34fc7876cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgMO.exe
Filesize
228KB

MD5
d722680e06819b6eceba4eee8e9bdf40

SHA1
da8c01e347a648932c11814f7f739bd4af4f8bae

SHA256
4ffabe8129de4df2c3c313ca5b901c10b15696c1e78c344847b850d94d24d59e

SHA512
8f5ad8a94316004d5e1f4233279c5a4a8ed78ca61596f2afa11cde641934bdae82895d16d536d06bfe4f50033090208db419d40197a7106d5ab0b18bc396cbd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgsi.exe
Filesize
1.8MB

MD5
e27e65ef2d67abd130069ac7299231fd

SHA1
a0d936152aa2de1df34459db638ced26e12a065d

SHA256
0649ae28ab1cba694fa9e9de43428a3dd34d106854d72b477b3aca899054bf60

SHA512
70ec1f2e8f9504a65809f54c22dcb0487c6289e8dc7edcdc7a2caaa0830e144b8583ad6c5b7cd21eb7a470130b71f44da96e6206c8a2c00ab6af7716ca05b976

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAwm.exe
Filesize
189KB

MD5
f8435f70008aa266a801f55549e48e0c

SHA1
f4eaf9be644fa3f3b7decbd0ffc6fc41f71fd208

SHA256
94fd6a4c74bd847672d6d3f94df8069a683736f4a99881d27e056f155ec3515b

SHA512
55bb18de9d401f673d1a731bb3fd14c8c0a7eb41b9a512edb0cc8d5a9ec53acfb31880c398934528a1753075388a9a907b7d995ef4b09851de7422b5596f3f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooEy.exe
Filesize
205KB

MD5
59f25e3e70cc4351b363c66e16349eeb

SHA1
9de34fda4b97fbefc342422d995b093e56e10a32

SHA256
eca36549e6f9457c941b0e4211ba7d2b8860da27609dea755b57df55c6ecf3f5

SHA512
71864adeb05d87c32c3f5ce3ef1bd713bd9974e25e9d052d0a2c74d2dd30ea1c909c3be7f1f8439953dc672a9f19eb816769e67f081103e1578335c01e5bd8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ooMa.exe
Filesize
193KB

MD5
c84cc2ad835a053d6f450da28f8180ec

SHA1
f8d1213664f14471254a24914809e72292cdb3c9

SHA256
a9669b6378d7a85b7d68660769bd8bc179deeb818726ba9a3dfb36ff484e6998

SHA512
f9c4d3d9897805951a74a158aea8e7341b08a65cebfc030b58838b5a267d1c6e4fd6ff09380da6a2bcfcf89f26f6f765b47373a362f581baf4f4ec5be059c7bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAgm.exe
Filesize
195KB

MD5
18726c76e9214049fa171b333a6c7882

SHA1
55d5e5158766ceac1aa1a47dc443619886b8a5ee

SHA256
367c6d38372d458f74619a9afaeb51cb5a420087376da19cd4f147b185701cd9

SHA512
709a7e0b1a129cfdc97a1e662d8c1d00a0fb4b42c1842f4015cae2f29d24c015344a178b77a40579163dde1405ae572c3810db351878cb6efa3664c0c8d34f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUAE.exe
Filesize
197KB

MD5
78cc332981783302a20ec748bb7b0e87

SHA1
0e53e19674df87a7082786dfa8a101501df11c2f

SHA256
b52b24d27318506cb9f33306094b5ec1482e8d48b321b77f4f9520041b703d37

SHA512
1af66c9948c71c3b8a813ce7a36f1dada22ab4c7cf34aa4fc97bc83b0c5677be1eb5f7e38a12bd9223b667255765e5205bd9221662bed94c234b1969402b7864

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYss.exe
Filesize
196KB

MD5
b9693024776007569517f2735aa1da28

SHA1
0c32429584381ddfdc4c17be5aeb310f8f11fdbe

SHA256
f8215ccd2b5dc0466846b614f3ec8c340ed105d5d66642b93f9f3e48a6642881

SHA512
56cb0a861178123adef1ae2e03cee874706425fb41ca18d026c3979450c2cc3b4a3e8091c04672fbdc0270c59c2b504b02f637be308dd4a5e171fd567284cfda

Download Submit
C:\Users\Admin\AppData\Local\Temp\qokq.exe
Filesize
186KB

MD5
5a7ddb057c3e5e71849f2efd80aee908

SHA1
975a1c4f52429a5a86e7616b84f06101d55fdde5

SHA256
8101d765ccbe9461afff09463cec047ded9fd0ff0807ccff0e9f8bbf1cb4415e

SHA512
965daf3f488d128de77c025a8cb376d0f7914e86491dac596a67527e502af01a4ba0bd9d07db69cc1df0408f5f10dc1781c5110ebf2c37499f6fc268739fa7b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwAa.exe
Filesize
232KB

MD5
61625c17b77d1ae653acaaf297439d44

SHA1
1e9c8a500f510108510756571c1ef118a4642ca3

SHA256
6b890ba54401cbfe9e460db9e5102f445b947538b2ead47c1067324afd5645a0

SHA512
086580b90eb49d5a9012fcadea556f2dac68f92e87bf06eaa940c841ac59a9939b609c1064240c1047b9623a7bbcf479680b20e33a3051d001bef20fa1bc0e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQcq.exe
Filesize
205KB

MD5
049d651886e52a1d3807cd772603d487

SHA1
9ae6b7a3475da41f633a8efd746aa43951ac38ca

SHA256
6e1db9b05771b5c2deb46478d9af11f3afbfe2189d4fa2363043a1b4820e1f1c

SHA512
f50aab50543549d78cbaf45f5ef4ac0a30b457fbfbe4d840f8428e000a946856ad44721480040ecaf3c269b97a7afc8479e7d513dc3f73626db998ce62881cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgAG.exe
Filesize
194KB

MD5
52dd0e304f0f12751d0ec3480301be4f

SHA1
d011529348708d59892120ee3c4015f31d593ba7

SHA256
1e36b834ede33e9b25342c26360ffce9b1b382322052409ca6f7631e8fc9c60b

SHA512
cec8dcdf5a5dedd7ee8682e30660837dae2164ca9ef8e505178b71d27b6eae6ee6b9d44fb36ad1f0bde84fdfcfaf86ccb9e86dc22af47844b10dc90f60e59e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\swce.exe
Filesize
186KB

MD5
db32c233731bbdde9978780a93aeb982

SHA1
32e56e7f806c9c2d330c1da64bef56ae105b90ca

SHA256
27f967d681de5107a2da9c5f30039dc2e8e5075dfb165bff4d2c7fcda440205a

SHA512
41d1a6dc77f9f143bfb6ca107668dff49fc07d7d271effc89d986dab93e06189b235476d0f1a8b5bfaf82d70749161365c5796a790bcef89c17745f5db3481a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukAC.exe
Filesize
206KB

MD5
45f54d4a7bf0056cf06927c6a1f667e9

SHA1
0eedd23833d4f73bb90918e47cf874ec166798df

SHA256
bbf74f15c7dc459bc42ca648f9a8e718c37f5ad486a70a607394c648822921ad

SHA512
769f935b845c6640ae8a5bacac98be5923c4610043d0ee75884746e4f1222302fd7a49645bb78974ff1d07fb774944aa5a72936727bad9a469d4428492925c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoEC.exe
Filesize
5.9MB

MD5
ada1e5cd29ef21872b0ef741ac989709

SHA1
0555f7c3c8e8bfcf7c5df2d0e244ccb891e2a095

SHA256
3b3c894b98c731fd1dc63e584c05c727f7288e14d99fad425f18ea690acd634e

SHA512
b37dabf5a21b8b1239a8902c464c7db4afe511cd0d1beb7e9e1652892c2b6a3cfe5ad5f8b528c73a2d49beec44d4921050e4a7a1e2df164cfb14bd35364a216e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEAO.exe
Filesize
189KB

MD5
c5e58d15befa1a80537b94565c9a9293

SHA1
92ebead8d18492d26bacc3e5545984f50199475b

SHA256
5662c65309b5e80fec20abb09e9717dc8a8e5c047648b399392bef2597339762

SHA512
712f6a9f5362a8b7bb0771e762a32d357e310398ed5fa14bd27895d5b9c5c99185bfea97cddaca9a15b2a2051938ce484b11a457151725d409530f4f7908a050

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYQQ.exe
Filesize
181KB

MD5
f1e6b6b719f6df6624b1e635a0bed486

SHA1
26523d65f878ef026aa1245097c97a89cdd0d02e

SHA256
04d3faede59bab9295d1317bc780f3f30d6e712f9d5f472630a8ce17f9844bc4

SHA512
cdada8ab5c27de2e1ec555ffa13513dee1938307b89427a37e9a58216d0439cbcd0733b669c7d0549ca43d22e77aeaf6d98c7e51ef6340a27741b399181fdd73

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwMY.exe
Filesize
196KB

MD5
7f4d6d38f65ac98535f85b57f755da63

SHA1
8bbe7e7288b5b40b618cb13105122fd25fbe9b37

SHA256
907b57ddc7cc22b7f9559dad2c7984b7bc6a6babc754c899580cd67cece4c8bc

SHA512
f13e2b427048f54db18eb1026dea7e348e0db86e889c2b26b19e1129bb2c4619cabc70671d5928155fa7e2a07f557fcb18c46f1d8ef442eed3f3e80d51c775d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUAc.exe
Filesize
196KB

MD5
bafab6b88826a692b202cc1fe6d3069f

SHA1
c54e5c31d9f83d9ccfed6582f62cb35f8856821c

SHA256
dd847c398036d33b9ca47ef52d46d8951471f3cab5e5182cd961e4d5ec5906ed

SHA512
fdfcff23ea382eb573be7d5395b9c4503735a52ca3043e13fcf7ed96c253f68dda7b33b0f6e947ffc7ee3aa4c0317cd0e9624039ef2c87962ba5fc41cf57fe08

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykks.exe
Filesize
313KB

MD5
0193ca6187aff279cfde732fc9c25cca

SHA1
d62517cccb331e017850d39b2d2293db2cbb3ae9

SHA256
8131843d698b972dbdaf1b6b7524bc7f9cbfeafce37a23fb65366bb79832ccae

SHA512
88d4c6e71486ee3d803c9f773752a3dc6e1e13ad54c3a5434b4a4593c28040034219c97ffb64a9d25e8e3d9de6da89195a6765e02cbbe70f55726e1a319cfb58

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywQm.exe
Filesize
245KB

MD5
5cd2a3d702434b618a790b43f1a434ea

SHA1
864f289f0b12b7d2ff705e04a37c04ee19fad3e7

SHA256
c135f372d4fb7aefec3560d76c2dba13757d32d47929b2ec493de03a74cf9306

SHA512
3124b31df59d08dc46c32dd5bd881343a8104538748b08f9431ec0e1f212e88c639a1bbb89ac43d501476421af6e47728c5ee57bf0c4aa38c16cfca66dbff4cb

Download Submit
C:\Users\Admin\mQUUAUgI\TiIksEkg.exe
Filesize
182KB

MD5
b5cab533613ffcbb445434cad27252e9

SHA1
2947c2c08d4b4b2dcecc06be709da9d1be67acfb

SHA256
7514d0e85dc78b7004715cf717c7299f24596bd3f7ba5616348ff3842c196530

SHA512
69633a35b1b7a132fae642479b380046f976b65c76622c92f7b6616fa8007e91d1af32210b73568e94fdf8e7824af5823f457de27fa87218f1553a87deb341e7

Download Submit
C:\Users\Admin\mQUUAUgI\TiIksEkg.inf
Filesize
4B

MD5
8a30d0cd16e5eb29e04aa2e229e9e2c8

SHA1
3dc1bd6f90e5dca99e38d96a3bd5fdc6fff2f8d3

SHA256
11615e752fee16c6425aac6363ee6d77a5b5d50d96b0a085fe6c79e48e32d331

SHA512
c7c2cf9024e6cdae18c64245fe10d687c25ce73fd9c0b95551f5d361c5a3a3ccf42923fe2a559b899138d78161748f6f3402c7bbe3432230e189cd18ecdb8ad9

Download Submit
memory/756-426-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/756-416-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/860-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-397-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/920-456-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/920-464-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/920-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/948-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1236-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1236-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1268-482-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1516-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1740-422-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1904-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2024-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-444-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-501-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2856-492-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2916-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2952-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2988-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3016-155-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3220-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3220-441-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-549-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3224-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3296-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3296-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-181-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3376-402-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3376-417-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3412-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3412-483-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3572-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3572-205-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3572-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3572-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3652-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3664-558-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3676-534-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3676-548-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3896-78-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3896-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4024-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4144-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4240-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4240-177-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4240-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4240-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4288-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4288-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4312-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4328-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-528-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4408-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4604-396-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-272-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4816-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4868-131-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-387-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4872-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4888-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4888-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-102-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-117-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4984-530-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4984-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5036-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-44-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download