5b617f3a66a3f0e1579b61e0bca0b7a9bdde03479ef1a3d8ea37d5f256146048

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
Size

908KB
MD5

06416250446f54281875e3834f4c2750
SHA1

e5de9428dd8eb2ffd6f49e9df799ef3e65769d5d
SHA256

5b617f3a66a3f0e1579b61e0bca0b7a9bdde03479ef1a3d8ea37d5f256146048
SHA512

0da1de97379cf58caf517c849c83d6a794baebaa5c174fc4e3e292bf2727d8539bcca8e12afb268e6f896c76a57cda02e49601a8913d26613a1a37369df55d62
SSDEEP

24576:s7KfcQIK9ZDt1YZZCnzRyYW/Aq/qp+bNJms:cK/9jYfCVrIAGqp+

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (81) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aqUUkoMg.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	aqUUkoMg.exe

Executes dropped EXE 2 IoCs

Processes:

aqUUkoMg.exeticYUIMk.exe

pid process

1540 aqUUkoMg.exe
1164 ticYUIMk.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

06416250446f54281875e3834f4c2750_NeikiAnalytics.exeaqUUkoMg.exeticYUIMk.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aqUUkoMg.exe = "C:\\Users\\Admin\\AisoUIwI\\aqUUkoMg.exe"	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ticYUIMk.exe = "C:\\ProgramData\\mSIEEwYU\\ticYUIMk.exe"	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aqUUkoMg.exe = "C:\\Users\\Admin\\AisoUIwI\\aqUUkoMg.exe"	aqUUkoMg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ticYUIMk.exe = "C:\\ProgramData\\mSIEEwYU\\ticYUIMk.exe"	ticYUIMk.exe

Drops file in System32 directory 2 IoCs

Processes:

aqUUkoMg.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	aqUUkoMg.exe
File created	C:\Windows\SysWOW64\shell32.dll.exe	aqUUkoMg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
4496	reg.exe
5116	reg.exe
3244	reg.exe
1212	reg.exe
2472	reg.exe
4332	reg.exe
3292	reg.exe
1236	reg.exe
4196	reg.exe
4996	reg.exe
552	reg.exe
2756	reg.exe
3304	reg.exe
3612	reg.exe
2012	reg.exe
3140	reg.exe
3588	reg.exe
3028	reg.exe
2700	reg.exe
3720	reg.exe
3628	reg.exe
1640	reg.exe
996	reg.exe
2380	reg.exe
2192	reg.exe
4304	reg.exe
1672	reg.exe
2544	reg.exe
468	reg.exe
3124	reg.exe
5104	reg.exe
1292	reg.exe
548	reg.exe
4120	reg.exe
1760	reg.exe
5036	reg.exe
4496	reg.exe
548	reg.exe
3284	reg.exe
664	reg.exe
4988	reg.exe
2036	reg.exe
5012	reg.exe
4500	reg.exe
1196	reg.exe
1080	reg.exe
2700	reg.exe
1620	reg.exe
3444	reg.exe
896	reg.exe
1988	reg.exe
4128	reg.exe
1196	reg.exe
3060	reg.exe
3496	reg.exe
2464	reg.exe
2008	reg.exe
4988	reg.exe
1616	reg.exe
2416	reg.exe
2276	reg.exe
1616	reg.exe
2352	reg.exe
1872	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

06416250446f54281875e3834f4c2750_NeikiAnalytics.exe06416250446f54281875e3834f4c2750_NeikiAnalytics.exe06416250446f54281875e3834f4c2750_NeikiAnalytics.exe06416250446f54281875e3834f4c2750_NeikiAnalytics.exe06416250446f54281875e3834f4c2750_NeikiAnalytics.exe06416250446f54281875e3834f4c2750_NeikiAnalytics.exe06416250446f54281875e3834f4c2750_NeikiAnalytics.exe06416250446f54281875e3834f4c2750_NeikiAnalytics.exe06416250446f54281875e3834f4c2750_NeikiAnalytics.exe06416250446f54281875e3834f4c2750_NeikiAnalytics.exe06416250446f54281875e3834f4c2750_NeikiAnalytics.exe06416250446f54281875e3834f4c2750_NeikiAnalytics.exe06416250446f54281875e3834f4c2750_NeikiAnalytics.exe06416250446f54281875e3834f4c2750_NeikiAnalytics.exe06416250446f54281875e3834f4c2750_NeikiAnalytics.exe06416250446f54281875e3834f4c2750_NeikiAnalytics.exe

pid	process
5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
4176	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
4176	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
4176	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
4176	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
2252	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
2252	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
2252	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
2252	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
880	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
880	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
880	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
880	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
2748	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
2748	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
2748	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
2748	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
3536	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
3536	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
3536	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
3536	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
2264	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
2264	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
2264	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
2264	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
4656	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
4656	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
4656	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
4656	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
848	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
848	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
848	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
848	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
1616	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
1616	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
1616	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
1616	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
4484	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
4484	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
4484	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
4484	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
1496	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
1496	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
1496	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
1496	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
4892	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
4892	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
4892	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
4892	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
1568	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
1568	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
1568	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
1568	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
5052	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
5052	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
5052	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
5052	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
4304	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
4304	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
4304	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
4304	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

aqUUkoMg.exe

pid process

1540 aqUUkoMg.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

aqUUkoMg.exe

pid	process
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe
1540	aqUUkoMg.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

06416250446f54281875e3834f4c2750_NeikiAnalytics.execmd.execmd.exe06416250446f54281875e3834f4c2750_NeikiAnalytics.execmd.execmd.exe06416250446f54281875e3834f4c2750_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 5104 wrote to memory of 1540	5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	aqUUkoMg.exe
PID 5104 wrote to memory of 1540	5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	aqUUkoMg.exe
PID 5104 wrote to memory of 1540	5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	aqUUkoMg.exe
PID 5104 wrote to memory of 1164	5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	ticYUIMk.exe
PID 5104 wrote to memory of 1164	5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	ticYUIMk.exe
PID 5104 wrote to memory of 1164	5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	ticYUIMk.exe
PID 5104 wrote to memory of 3588	5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	cmd.exe
PID 5104 wrote to memory of 3588	5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	cmd.exe
PID 5104 wrote to memory of 3588	5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	cmd.exe
PID 3588 wrote to memory of 4176	3588	cmd.exe	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
PID 3588 wrote to memory of 4176	3588	cmd.exe	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
PID 3588 wrote to memory of 4176	3588	cmd.exe	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
PID 5104 wrote to memory of 2008	5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 5104 wrote to memory of 2008	5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 5104 wrote to memory of 2008	5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 5104 wrote to memory of 2752	5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 5104 wrote to memory of 2752	5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 5104 wrote to memory of 2752	5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 5104 wrote to memory of 3552	5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 5104 wrote to memory of 3552	5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 5104 wrote to memory of 3552	5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 5104 wrote to memory of 1900	5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	cmd.exe
PID 5104 wrote to memory of 1900	5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	cmd.exe
PID 5104 wrote to memory of 1900	5104	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	cmd.exe
PID 1900 wrote to memory of 2556	1900	cmd.exe	cscript.exe
PID 1900 wrote to memory of 2556	1900	cmd.exe	cscript.exe
PID 1900 wrote to memory of 2556	1900	cmd.exe	cscript.exe
PID 4176 wrote to memory of 748	4176	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	cmd.exe
PID 4176 wrote to memory of 748	4176	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	cmd.exe
PID 4176 wrote to memory of 748	4176	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	cmd.exe
PID 748 wrote to memory of 2252	748	cmd.exe	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
PID 748 wrote to memory of 2252	748	cmd.exe	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
PID 748 wrote to memory of 2252	748	cmd.exe	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
PID 4176 wrote to memory of 1356	4176	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 4176 wrote to memory of 1356	4176	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 4176 wrote to memory of 1356	4176	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 4176 wrote to memory of 1196	4176	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 4176 wrote to memory of 1196	4176	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 4176 wrote to memory of 1196	4176	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 4176 wrote to memory of 548	4176	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 4176 wrote to memory of 548	4176	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 4176 wrote to memory of 548	4176	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 4176 wrote to memory of 2324	4176	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	cmd.exe
PID 4176 wrote to memory of 2324	4176	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	cmd.exe
PID 4176 wrote to memory of 2324	4176	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	cmd.exe
PID 2324 wrote to memory of 4332	2324	cmd.exe	cscript.exe
PID 2324 wrote to memory of 4332	2324	cmd.exe	cscript.exe
PID 2324 wrote to memory of 4332	2324	cmd.exe	cscript.exe
PID 2252 wrote to memory of 4916	2252	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	cmd.exe
PID 2252 wrote to memory of 4916	2252	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	cmd.exe
PID 2252 wrote to memory of 4916	2252	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	cmd.exe
PID 4916 wrote to memory of 880	4916	cmd.exe	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
PID 4916 wrote to memory of 880	4916	cmd.exe	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
PID 4916 wrote to memory of 880	4916	cmd.exe	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
PID 2252 wrote to memory of 1400	2252	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 2252 wrote to memory of 1400	2252	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 2252 wrote to memory of 1400	2252	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 2252 wrote to memory of 4052	2252	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 2252 wrote to memory of 4052	2252	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 2252 wrote to memory of 4052	2252	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 2252 wrote to memory of 3232	2252	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 2252 wrote to memory of 3232	2252	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 2252 wrote to memory of 3232	2252	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	reg.exe
PID 2252 wrote to memory of 3128	2252	06416250446f54281875e3834f4c2750_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5104

C:\Users\Admin\AisoUIwI\aqUUkoMg.exe
"C:\Users\Admin\AisoUIwI\aqUUkoMg.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1540

C:\ProgramData\mSIEEwYU\ticYUIMk.exe
"C:\ProgramData\mSIEEwYU\ticYUIMk.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
2⤵
- Suspicious use of WriteProcessMemory
PID:3588

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
4⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
6⤵
- Suspicious use of WriteProcessMemory
PID:4916

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
8⤵
PID:1472

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:2748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
10⤵
PID:2544

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:3536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
12⤵
PID:2652

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
14⤵
PID:60

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
16⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
18⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
20⤵
PID:2548

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:4484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
22⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
24⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:4892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
26⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:1568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
28⤵
PID:1588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
29⤵
PID:3244

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
30⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
32⤵
PID:1100

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
33⤵
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
34⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
35⤵
PID:3212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
36⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
37⤵
PID:3628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
38⤵
PID:3340

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
39⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
39⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
40⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
41⤵
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
42⤵
PID:748

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
43⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
44⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
45⤵
PID:1200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
46⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
47⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
48⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
49⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
50⤵
PID:1496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:3268

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
51⤵
PID:5036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
52⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
53⤵
PID:3352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
54⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
55⤵
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
56⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
57⤵
PID:3720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
58⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
59⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
60⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
61⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
62⤵
PID:3692

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
63⤵
PID:880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
64⤵
PID:3196

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
65⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
66⤵
PID:3256

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
67⤵
PID:564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
68⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
69⤵
PID:5068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
70⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
71⤵
PID:4656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
72⤵
PID:3980

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
73⤵
PID:3988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
74⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
75⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
76⤵
PID:4028

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
77⤵
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
78⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
79⤵
PID:996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
80⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
81⤵
PID:1864

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
82⤵
PID:3592

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
83⤵
PID:708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
84⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
85⤵
PID:1740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
86⤵
PID:1148

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
87⤵
PID:3512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
88⤵
PID:4176

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
89⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
90⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
91⤵
PID:5028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
92⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
93⤵
PID:2828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
94⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
95⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
96⤵
PID:704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
97⤵
PID:2392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
98⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
99⤵
PID:1620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
100⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
101⤵
PID:2316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
102⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
103⤵
PID:2280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
104⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
105⤵
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
106⤵
PID:3832

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
107⤵
PID:3268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
108⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
109⤵
PID:4788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
110⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
111⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
112⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
113⤵
PID:4664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
114⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
115⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
116⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
117⤵
PID:4068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
118⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
119⤵
PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
120⤵
PID:3692

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
121⤵
PID:772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
122⤵
PID:2244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
123⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
124⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
125⤵
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
126⤵
PID:3784

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
127⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
128⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
129⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
130⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
131⤵
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
132⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
133⤵
PID:4196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
134⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
135⤵
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics"
136⤵
PID:3964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
- Modifies registry key
PID:1292

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
PID:4036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:1360

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IEgAogcE.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
136⤵
PID:3668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:708

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
PID:3212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:3268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
- Modifies registry key
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:1192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWocYUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
134⤵
PID:5036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:5104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
- Modifies registry key
PID:3124

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQkcAEwc.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
132⤵
PID:4472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:1080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies visibility of file extensions in Explorer
PID:3804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:2044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:3448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
PID:3312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgMIgkIw.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
130⤵
PID:848

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
131⤵
PID:704

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
129⤵
PID:3256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
- Modifies registry key
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
PID:3720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsgwscgY.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
128⤵
PID:3096

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:1472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:3124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:1360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
- Modifies registry key
PID:664

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
127⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEcwAkYQ.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
126⤵
PID:1484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:4116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies visibility of file extensions in Explorer
PID:1988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
- Modifies registry key
PID:996

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:652

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wqQUQEEM.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
124⤵
PID:2380

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:2232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:4324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:3216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
PID:896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uUkggoAc.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
122⤵
PID:704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:3516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:2344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies visibility of file extensions in Explorer
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:3828

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
121⤵
PID:3444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- Modifies registry key
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CyosAEcI.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
120⤵
PID:2132

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:4116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:2600

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
PID:3100

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:2316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgAEUYEs.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
118⤵
PID:4032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:1620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:4140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
- Modifies visibility of file extensions in Explorer
PID:3860

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:3496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- UAC bypass
- Modifies registry key
PID:4500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LiMEQocM.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
116⤵
PID:1604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
PID:3588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:1236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
115⤵
PID:4304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- UAC bypass
- Modifies registry key
PID:5012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vgYAAgko.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
114⤵
PID:4340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
- Modifies registry key
PID:1672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:4356

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
- UAC bypass
PID:4632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iyAIcwMw.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
112⤵
PID:3584

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
113⤵
PID:2780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:4244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:3880

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
- UAC bypass
PID:396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:1288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcEIMoUo.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
110⤵
PID:2464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:1084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:1972

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
- Modifies registry key
PID:468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:4980

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
- UAC bypass
PID:3448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CGQEIMoo.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
108⤵
PID:2336

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:5028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:5020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:1080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IycsoAko.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
106⤵
PID:1148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:1248

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:1676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ByosAYwk.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
104⤵
PID:3468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:3692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
- Modifies registry key
PID:3628

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:4080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
- UAC bypass
PID:3664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqcAcgsc.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
102⤵
PID:4244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:4284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:3608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
PID:1464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:1796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
- Modifies registry key
PID:1616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:4272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zmEkAwkM.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
100⤵
PID:3828

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:4484

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:1900

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
- Modifies registry key
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GmkEcMAI.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
98⤵
PID:4840

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:652

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:896

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
- Modifies registry key
PID:5104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
- Modifies registry key
PID:3028

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\woEUQgkg.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
96⤵
PID:824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:4284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
PID:2548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iiUcYYgY.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
94⤵
PID:1740

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
PID:3312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:5004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
- UAC bypass
PID:4844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tqIMcQUY.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
92⤵
PID:4728

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
93⤵
PID:3980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:3964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:4068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
- Modifies registry key
PID:1620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HccccAoI.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
90⤵
PID:2988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:1184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
- Modifies visibility of file extensions in Explorer
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
- Modifies registry key
PID:3588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOwAIgYk.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
88⤵
PID:4500

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:1032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
- Modifies registry key
PID:548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
- Modifies registry key
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwMgQQEs.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
86⤵
PID:1760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:3948

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:5104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:5052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
- Modifies registry key
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
- UAC bypass
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SSkwMUwk.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
84⤵
PID:4852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2276

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:3464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:4184

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:1200

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wEkwwskY.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
82⤵
PID:4272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:880

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
- Modifies registry key
PID:2192

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:4644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
- Modifies registry key
PID:4196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jkAwEcYo.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
80⤵
PID:3580

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:1608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:4080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
- UAC bypass
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DasEQkEU.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
78⤵
PID:2344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:3584

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
- Modifies visibility of file extensions in Explorer
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:936

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lEUQsokY.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
76⤵
PID:3344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:3516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
- Modifies registry key
PID:2464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOUMAAcU.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
74⤵
PID:2448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:2296

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:3960

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
PID:4244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:3648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
PID:636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:4812

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qsYEgUQk.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
72⤵
PID:4352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:2400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
- Modifies visibility of file extensions in Explorer
PID:4980

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:3724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
- Modifies registry key
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ceskEQsI.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
70⤵
PID:4424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:4288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:3244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:1032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
PID:468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yesoEEQU.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
68⤵
PID:1100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:3292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:3232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:4392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
- UAC bypass
- Modifies registry key
PID:1760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hygsMYQo.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
66⤵
PID:2780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:2228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
- Modifies visibility of file extensions in Explorer
PID:3612

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:1860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:3284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
65⤵
PID:1176

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
- UAC bypass
- Modifies registry key
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NacwkMoE.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
64⤵
PID:60

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:2448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:1900

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
- Modifies registry key
PID:3140

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
- Modifies registry key
PID:3496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nCUQIYEg.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
62⤵
PID:748

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:3808

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:3584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IaUooUUM.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
60⤵
PID:1184

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:2008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:3724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
- Modifies registry key
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
- UAC bypass
- Modifies registry key
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sYYEQUQo.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
58⤵
PID:4176

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:1084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
PID:1080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:4024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
- UAC bypass
PID:1592

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
57⤵
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUEEEEUE.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
56⤵
PID:4284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:1740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:1464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
- Modifies registry key
PID:3304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
- UAC bypass
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGUUAsgY.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
54⤵
PID:1784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:2748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
- Modifies registry key
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:2336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vEEIgoUw.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
52⤵
PID:5112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4496

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:520

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
- Modifies registry key
PID:4304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- UAC bypass
PID:2724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAcIYkUs.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
50⤵
PID:3668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:1760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
- Modifies registry key
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
- UAC bypass
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LOUsUMkY.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
48⤵
PID:4080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:1276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:1176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JegUowAs.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
46⤵
PID:1472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:2296

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
45⤵
PID:3304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wiEwEIEk.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
44⤵
PID:2980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:4184

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:1248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:556

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQwUokEw.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
42⤵
PID:5004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:1432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
- Modifies visibility of file extensions in Explorer
PID:1988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
- Modifies registry key
PID:5036

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- UAC bypass
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iyAosAMY.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
40⤵
PID:1184

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:4644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
PID:1732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:4404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DIsIQQwc.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
38⤵
PID:4212

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:4028

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
- Modifies visibility of file extensions in Explorer
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
PID:3648

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
PID:1856

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmIkwgso.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
36⤵
PID:4168

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:4856

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:1484

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
PID:3808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vKMkcMEs.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
34⤵
PID:880

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2756

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:4588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:3268

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- UAC bypass
PID:520

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
33⤵
PID:3496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UWIoYsYM.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
32⤵
PID:1248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:3668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4120

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
- Modifies registry key
PID:2012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
31⤵
PID:3264

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
- Modifies registry key
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ayEwgswQ.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
30⤵
PID:4392

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:4608

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:552

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
- Modifies registry key
PID:1212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:1176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EoMAgUQk.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
28⤵
PID:4612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:792

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:3304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:2988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- UAC bypass
PID:1780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqEAQUQE.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
26⤵
PID:1276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:1856

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
- Modifies visibility of file extensions in Explorer
PID:1748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:3752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rqEkUcEA.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
24⤵
PID:1604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:2436

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:1284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
23⤵
PID:3276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
PID:2600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DkQAMMss.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
22⤵
PID:3512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:4588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies visibility of file extensions in Explorer
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:1332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
- Modifies registry key
PID:1080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGgEAIwc.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
20⤵
PID:2472

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:3264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mwMUcgAY.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
18⤵
PID:1688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:2104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies visibility of file extensions in Explorer
PID:4244

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:3016

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
PID:3232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EuYQEAwA.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
16⤵
PID:2316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
PID:2980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hEwUYkkk.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
14⤵
PID:3964

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:3496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies visibility of file extensions in Explorer
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
- Modifies registry key
PID:3292

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:220

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TyQskkMs.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
12⤵
PID:3276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:3648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:3348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:4340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmEgUkQU.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
10⤵
PID:4404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:2848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
- Modifies visibility of file extensions in Explorer
PID:4664

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- Modifies registry key
PID:1616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wwIowgYg.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
8⤵
PID:1452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:4556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:1400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:3232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kyQQAEMA.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
6⤵
PID:3128

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:1356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
- Modifies registry key
PID:1196

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
- UAC bypass
- Modifies registry key
PID:548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fEEIkIgI.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:2752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:3552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LSkIsAIQ.bat" "C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:2556

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:548

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4332

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe
Filesize
249KB

MD5
c856f9ee4401cfea1137350db1aca192

SHA1
b51adbc32d3c1c8d04cec29d9b4e49f6765e771f

SHA256
c443107776dee42a43d613cb8a2919e89b5aa81a0589c3c41c83838718b3c311

SHA512
b03f25d58e2f4105f631f6d7c71e4dd56d674fbf540fcc818c9b296bdb0705282ad53d2f9c8f20de1ab3aba041021c00a6c2990ab2f7c970d012335ddbc1c243

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe
Filesize
228KB

MD5
b3ac733d1ab6f52134603053b0b65fd8

SHA1
c1d23f19aae5667bf4bc07dd09cbc44800db9e2d

SHA256
4924dec98290dd0b1ce10c01ae2324331c996ea610767645ca2b319ed0f9eeec

SHA512
e8ead51a6898df4d99377f1e867fb03725b03eb41143c759e58654b3116f85de5b88a5c0d555ff0a064763d7015612972f083a66cf70490d3a7b7148d0dc25c7

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
Filesize
235KB

MD5
ec118491ff0dd8282498fa9639d8b4f3

SHA1
d8316894a6d8e02c018b067671fb2101b8ff1404

SHA256
02709d8181bcf15a3fe9f0b1eefd994d482544cf217386600548aedb4c68fb5c

SHA512
a94be18a4e8dc909cac1bc6662c4fe5ad959a11c18f3405bc29668a8c0721f5f562161d0fa9a07a3e89fbab854749ca5ba17b1a79d58a0f797213ea8bcbbee98

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.exe
Filesize
325KB

MD5
67f0186597f284387653ba5ba8069cb7

SHA1
d2f02094bf36ccb2e4a3a38eca5977fb012ab906

SHA256
2cb4efd8606287baabb854025af58bde326b31ab0ae02f976f04a1f810586127

SHA512
0cc3b2fd0541698439067987c35234eb4a23cdf33711444d92dc3aaff4106ae77a0cd47eb21efa968f16aa3012fa499233f9590ebded64cdc71e0320d35d3c5c

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.exe
Filesize
222KB

MD5
f6a434822194b6eff17729c8943da63b

SHA1
157500339f79153ee8800f7e81705719b75f44f0

SHA256
5fd5f913554da4004241c391998edf3df63f8b751266c639c2d0a7c9efa38dd4

SHA512
efb30847042b474437559e8de2b6c20d7bde229838204e74896576897ecc4d527d78bb058c533e096a24c60478088df31bcc8a60982ef0f56c717c2c8df50da0

Download Submit
C:\ProgramData\mSIEEwYU\ticYUIMk.exe
Filesize
183KB

MD5
36c016fab05116fd702a1e9e476ab185

SHA1
b1abb06d41d849745c9389baf9c62f9cc219d143

SHA256
687823fb9a5397bbae15b62834e1f9d0609b07bd9435ecdac2097274a11e8e5b

SHA512
f3966ba8e2ec8dced46a1217c57319405c6ab2d2f1729351b1090f62c4ab3185c89eefd76725613ab9b41e226be75904a58301bd2b8dbf7bf3219091a20996d8

Download Submit
C:\ProgramData\mSIEEwYU\ticYUIMk.inf
Filesize
4B

MD5
430a2a52d0c00c59f43e4c2dd964de24

SHA1
3894b1eb8398d562358667d0913a618902eaff70

SHA256
a37f365b59c7d2fa5337a8457b1d06ff25d3705f29ec82fb2fa43c88e8c957cd

SHA512
f17902e6dd54c9297430c6d2696930a6d0591f79641d408ecadd4b6046fc4ed254377c882b23c78c2c512db0aeefa6a5cb9bff91bab6447b11f47a8c51f87567

Download Submit
C:\ProgramData\mSIEEwYU\ticYUIMk.inf
Filesize
4B

MD5
d7479f83445bcddd14b7fcff3de0f0af

SHA1
bdb9ef9285b0dabda3ac50bfc8e6f6a239937bf7

SHA256
1ce9db9437a0fa625743e6a521c594a90871190d196566dd68da1aba82d4da5c

SHA512
8f825b618d04071966ef9b7e9671e39d9740281420e76cdd310655311d6a9180bc9f8187b1dc0aacf8ff340912550b729219f7342b30f9550134c90c5e225a19

Download Submit
C:\Users\Admin\AisoUIwI\aqUUkoMg.exe
Filesize
195KB

MD5
31c6b861898a784cf84efb3dcedca0fd

SHA1
bc5a4edbecdc68fb649a419d8c66576be7dae431

SHA256
8418a5cea8ff94169c34bf4521f6a1a119e788c5e90da78e2064c7e897f771d4

SHA512
d76ac0b4c8b47691a3b315aeae3d66fbe6ee435b99967632e12ac9535dcd80e2bb465011104c4968d9e118efd401009410a01eddc132ee3928140bbafae7271d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.exe
Filesize
255KB

MD5
4a43892698c1b6c6dd07ad49f7c558a3

SHA1
88e5beff51c9366d9ca321b392cc680634ab7344

SHA256
d603bb98c57e1d01ae0b465aa9e41ee37be5c4c0a18d92c626a3b499bf132dbf

SHA512
8d8e2a6d1f0240c7962e769c40f5ab86cf60456ca876257a21511400aae443276b8b5de3af3d403504235678e0fa18bb1d13f5576fd0d1d90daee55891de5534

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png.exe
Filesize
184KB

MD5
6d45c86c46ff53b46e525328bd95cf46

SHA1
dc0e9f3f5fc16c94f6451999b1b547b78894cfbf

SHA256
c13b6a188c6d71994c6a75a8bf0bd944f1773e4950f8f28e43e056a93ddacdef

SHA512
f77ccd89c2c6e47ae0717bc02ea8c5523c28e2d20a35a1c840e5da1699953e9d686d12324533d25dfaf0783a31113c2e79cd71fdfc5545acef01efd7aaca872b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png.exe
Filesize
183KB

MD5
2b5f3b3422ae8fa9840ba2d4182ccfa1

SHA1
35cd0d0f301a6aaeb1347353b0e60a372d7965ee

SHA256
bb6af4c51dc5c2eac5f1c300cb98e139bb02bf1b4bdfdb2b6a7db18063d10fd6

SHA512
989f4e86ef6fddf301ea300fd33251eaca89f07543e24fce34ba26d48140fc1c1d2c8c6afb180a67f2df7309c61d103d2d9990aea8bec1565a994f921d8062fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png.exe
Filesize
199KB

MD5
458883a638cee3d76d9de9f154e9edc6

SHA1
2faecd98cf0b6d265c9d4549744aa4415940f66e

SHA256
a6a3de2f95777cdfae345812def5be1fa070d593d64979b3e3a2f7165ec3bd29

SHA512
e26bcb8f978d28f3ef6b7823d7da95bfe90b7f2f21fbcdafedf04d0fd6ef3243ba617776c69f0a0875abfb7f5c623169c949f2667d703a281ea0770af2aafedd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png.exe
Filesize
182KB

MD5
97c1fa8aaab1dc6f32eef085ed0b55be

SHA1
04971c4234a2aae8c3c50b20cbe9b48af8deb849

SHA256
6659fe6d91cc98513c85b3fab32a1d07750b484266561c32fedf75c5db69a893

SHA512
cd300462f1cedb2bc1258835e58c2838357929a8b3793fa40859af8fe29f712a7b8c929af16fa31d834ff02b1d4b0a77f24e152f25024bcc13021e36cc3ccf9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.exe
Filesize
195KB

MD5
1fb0cc7f67281da8cd93e7e215f59e03

SHA1
71840f8b37f3a4efff319108d7da9d8576c213fb

SHA256
e1bbeb1ab2a69798970a196c646a96e473d8d875baa1458a08e70a311a6b8beb

SHA512
05c43fbd419395b8e77d4b474406d3a97d41ae2b31cebda29a0a00a3d820f2e9a08f47333b14c8fcfee0c529dcb9c863a6e1a0ee1017e28c7250638fcd1f2a35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png.exe
Filesize
198KB

MD5
424ac0bd2ab7e84200d5bb45b64d45f2

SHA1
e6ddbef7e4c3b9196a495da070ac5ca2b1ea5929

SHA256
7a15f6aed3e6e627774a6bcd546d26659885229db9e03420dd31943c386cf211

SHA512
4b56ef3fbafa198835c3388472dbe7cdb6d71e108ec6bc812e5a38644e0b4694c28c3dee877ff59f83718c33b3c2314d5624373b7f920ba693b4a22cc4cd7ef7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.exe
Filesize
196KB

MD5
d7c8a78158d4d33e63315d1057080c49

SHA1
7ff9f54003a2b69df888e38d8f92e36ec501a063

SHA256
4b6d3871695dc506f11960a3f528132fd5041041a6e958c389698564cdaf0d0c

SHA512
e7a8452febe52509847458e1e2ffda4f55d900d2c27112c16e185e29fcc793c5041ce3f5908d566b5ac8f781d8618f6623e1736b6cf1905e1e308f434a89971d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png.exe
Filesize
204KB

MD5
f6c79e2bca87a38fd030b3dd7f424fe0

SHA1
6de4c1a803a2ecbfc6c3d5d4de85d2e4a99b2a94

SHA256
5b6b996e80da7ccd0ec6593c2ff49d35c7a848c80c8019dbe473c4e6f8785f02

SHA512
8ed791adf24de24bdcfe0ca020139cc4748c8b2a850e68d2ec05177880b63a081c60ccab2101abe1c6a86e6ffb06e7694774c8d49ede0f30c0901333d86adef1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png.exe
Filesize
191KB

MD5
a4be1855f48d30c1570cf4f14b4b3113

SHA1
e389dcb6e448753b72ae3718b6394dbfa1a3bc01

SHA256
0511c819ea6a401082c549643194b22eeead9cca4ec344d4fd610ba2584eb96d

SHA512
ac641fd73e944d207cafd7866c8070d16e1bf28ea80f58de157e81eaf0179040baf28046bd88629761d4f72ea48da67e791cf0f529b65befd9d443ac5edb33df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.exe
Filesize
195KB

MD5
372aace85bdd4dbd8e100432f96bfb54

SHA1
47aeba845b418e64cfd69d29256aecb828929733

SHA256
589c86358ce3a5951b1fb732b80b201ce5bbf4a41448c075d6bdf08dce2afc3f

SHA512
df075711d961a1dd4503f452c7467c86001421a36589d75d3e533e04bd8b42fca4ad20538986c0d2843655f80d3dd58a96025743918e909ba3b113f7e6cc1c58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.exe
Filesize
200KB

MD5
5b85e9f444c04f8237a08558037ee642

SHA1
7104c20ccf71e7b6915ddfd02c14f65e61552021

SHA256
970fb1d236f0c4abfa98607e90f1b37128771e6e959b17d34ca86d15a66fce20

SHA512
8c293baa9bdcddfa1c6dc48080a623129764012a1cd2266572f01f3d988974e459155e2f6ed81171517f9625b5713df5057eead609d36769a749c07e12bec129

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.exe
Filesize
190KB

MD5
5626d30f73ef43d542350547adcc7306

SHA1
6d40647f2b7247b8e7c2590e7dbe9a9437110df3

SHA256
7cf73183693480ca5e31f1e41f337587e51bf974320aa42a003ce21906487305

SHA512
c9719089d4952f577db769df69a991d667490d596bec9efc423416ce86a7b1d9c3e6c9a4c318b4ac8e8a959c09be3f1f4f4a4ced4bbdeecd7702fe857717cb33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.exe
Filesize
198KB

MD5
0e0f45a9ad910b139984c07d56bee551

SHA1
9cbdd0a90b822c1b7535057ec145b84f64968356

SHA256
9eb1df70b58b8d0789b58964b91fb62c23afd4e54a5f1bfdf4b460485eeb5774

SHA512
2550e299b2b0b86cfef63e031a45e70b2a1a8c6a83768135fe72263d99883f7f7f146dbc36b83947acfb03dfee41c39541dd888b053d77b8722fe648aa07858c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.exe
Filesize
217KB

MD5
59ef803c20e7aba98f482a3c42b2ae1b

SHA1
3f15b2b015363f21b5de6959cfa1e8e5caf9070a

SHA256
4505e6d36fbf9e33d3003d3a75a024ceb25923f4f023db727ddf144adfabdaac

SHA512
8c0d1757f0a2df5314ff021097b86b00b12c2e0277063e1400dfd735ebffc1bb36c397175b81cce7786dc23bff5bef6ca4b41ba527b023c43db978df5779a287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.exe
Filesize
185KB

MD5
79f5f3353efcecc842a862ac7e1cd39b

SHA1
158e83aee4dfb89d9f769b141316b42fa0e9531e

SHA256
fb2309dc76528ac17e9e2771e15ea9489a1b1060cc8e91b4ee77ac1b492457d4

SHA512
d175a63d6e7e544c167084d3f1902f1e035efb5d32b551247d60e5cd6e8d0bbe5bb9b437ca7250ebaf50b4ea9c2f425d5fd243f5203b81144baf51cbca411865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png.exe
Filesize
197KB

MD5
ab3271c44d5d69ae9e010c817f8388b8

SHA1
adc688d242dc20a39f43daf7dea9ffbaf5beac60

SHA256
00bf939f0641fb86f4b8af4a5ce2b0685908a05dc9af0ba8b2b2d73d862f4f85

SHA512
f432e2d5ec6c352561ff20b9a54aad64ec14cd27ecb0d85b73f6dba0bb8cec583d3560392806d7e2c66dbc2011b562f868163e9b8bf288721485f776450fb423

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe
Filesize
195KB

MD5
4ffdd499ded8758cffc83094f9263762

SHA1
d1f9097f2422e61e4b22e17c864d1521e6e70568

SHA256
e963eb01f9456bd09380464a9904ea85e9c52cbe07f1a80707e84a22295170fc

SHA512
09eeb612e48a45dca8ad5975c0464e67cfe831814bbb8eb550523df0a5f0ca25c93b399d822508b295fe1f1d983535f1c014ec995d0e1edfcf2fdd4216614466

Download Submit
C:\Users\Admin\AppData\Local\Temp\06416250446f54281875e3834f4c2750_NeikiAnalytics
Filesize
716KB

MD5
2d9c72c17e97c6d4e3a6e582bc88d471

SHA1
bcd6b0432f798926777b03a89c80c6b2561a8141

SHA256
ef452ca1798c8424d2e53543d49766fe3ed1c5a408f50fada76de7cac04335de

SHA512
9dc8bd363e8cc92b64394e697160a404ba7b26773aac1daf63b6ee70495548084f0a518195ffc6fc3cf0cd81216c8614147b03b06a57560d28b4143c6776c084

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQkI.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgkI.exe
Filesize
314KB

MD5
cd98cca88ecbd28de863488a59f9baf0

SHA1
76e4e1dd7471a09492f8ae5136ae2a24531d0b1c

SHA256
ffb1030d1d7c2e031d2c10b84dff54ecb9b9066388dd335417537abd444c1315

SHA512
485172137b6624a56f428b475ec53c2bc4a72a481502dc9c1793db8cd8f930d900108de6b807001fdafae139dae77250fe23f8e603bf237f7b9a726df728282d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwIY.exe
Filesize
192KB

MD5
3f0d5c6d3d6c914015d1768e5d2f7a5a

SHA1
b7a62cee66046d5eb648269892d682e26af5a486

SHA256
5a3d8c8ab81cba93e77fe29c4c321487e23fde4fdb3154eadda67cc0ea93e758

SHA512
47321b66eaf9848436f80709d05a283708e2ee394f3382c5d1902e8f401e6510e75cc6760aa32a50338dd79dfd840c04789b75e16cf7b2ad86f138c804cb69ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwsE.exe
Filesize
769KB

MD5
3076ae2eb65d5a313acce04e759d4200

SHA1
1d0de969fa9ee04fcc65664f703177b8caec882c

SHA256
da1d387d5a9a283126313129d0501d42a38be9ad3af96ee118336a007a8f08de

SHA512
7b4086e11ba6496c0f2a2d02b2bd1494e3a1c40ad4f88c46053f8af20b5f2a80f82dab02c83d5033e634835fe72e81fb0ce968ac56b6b70a82792ec18746691b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUgM.exe
Filesize
648KB

MD5
05fe785bb2f25c1ba12cc6d03906c4dc

SHA1
59c0909569be6f0d24a7dcf84a1de8dab17f6239

SHA256
5a496b6e5679899f27f01e0d8e1b03720b72fec0ef3b740c436382a5a95eca1c

SHA512
f9cb67ee1bfbd44e094d8a80f60afdaffa63b7c50d72921912095856c6edaa0d3dd672c4332971c61b8b21f0708bb40f79e491bf50791eb8f5d2f2a72711f846

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUkG.exe
Filesize
197KB

MD5
6788cbb7fddc8da78ecbc507c0b59a49

SHA1
d1098e4e484f0c306d7a751ac4f19fadf81a064f

SHA256
6e7240b6291b99b1276331068e2c00f1ce77ae6b857b9bfb833e99a39c23f65e

SHA512
eee9a64dd898ed61000ba2c9d92d5984d0b0527438b4d59816a11c93edf062c8d4143d7163c6e08137b85d822313fb1f06453640d7c1c1aa63a3b516d610ed88

Download Submit
C:\Users\Admin\AppData\Local\Temp\CsAe.exe
Filesize
199KB

MD5
b873731cf05d66d44db6f7e2405f88d5

SHA1
a12a863641ea7eda1f0ef39598ceb9b47f4bbb0d

SHA256
cf799856f1d17f2016dcb5052b10b7e96deb4d066489211e615af47158a88475

SHA512
8e042b01f264bccdd3d4d7ce681a5e770bda9c9debd0b04dcf062ad8972ac9473a52e04334cb411007657ae301a27c0221c665d61bb886ba1ff45a4082c39ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CswA.exe
Filesize
199KB

MD5
87930bd641bbe72380302bd07d45573f

SHA1
5d511bea4514d90c4f36f066b8fc443dcd769c90

SHA256
67e98f571708976940faeb607e7964c4b6901c1f28e35d0953a8dc92d7d5792e

SHA512
86c902b1cd6d3d4d1bef32c1e5dfa8b053a9081c7e8a63248955bfaf2c01e142a4bdcb27194e43bceca18f4e63db17e9ad455bcf2d86762e7c5ef1fd3938e143

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEUY.exe
Filesize
787KB

MD5
0535fab9234fc29ad9388a63066a50cc

SHA1
594cd1f82541e230f8a821dce174ff9be1571ab4

SHA256
dc44b1a7d823f284e2468fd4724281c0913721808e9c2d9ee941c1fe35d99dd1

SHA512
703404ad8e1070206f29c407f6c57d04e9253a1d4e22284734ef4582131167cd81f026db968b2d179e4a80eb95110d75c29363535da167f8e619a84ae76c0495

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYQG.exe
Filesize
186KB

MD5
633d293989a0a7a79610cc3aa1a391e2

SHA1
8220cbf95956618b1ba7848e52299743a56adb9b

SHA256
bbb7ac43d7b1e625424ad469bb5ee7b1231fb92cce590942adb6748edac16710

SHA512
a636f017792c5fa36fc0c2d0eefcd70227c21eeb5540153a1d5e582b3bccda2abfd9e947f9ab4744a22c2dc1ada911360256fa37bf795ae822b0d0da28a502e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkAE.exe
Filesize
210KB

MD5
d424868085e4c9b72340aac6cbfda2df

SHA1
8b934262ec5560e25e9c7b1d1943d5a377a1c562

SHA256
0fb43f0b7c6fb14e543bc47b61ec128b7facb7ad35f21d147972f39a502659d0

SHA512
882e3aa92ab6b7386391d51db58711b7ba4406ed65f394848732b5e69bdef055e9b739110cab14cd725805c3d1d6130990b2b4035d9682b1bce4a14999ba0680

Download Submit
C:\Users\Admin\AppData\Local\Temp\EokQ.exe
Filesize
212KB

MD5
6396c9f7af46f17438c482c132a5a281

SHA1
e7bbca7639b5e0019fd9b0a0364a3d76ed8d2047

SHA256
22bedb78993febb123f3a7c211c2866645b7e7fcf2ca0687726ffa6ad5893794

SHA512
2e4c0bb95f0002a5bddc679d59fae210607fef553a6d874ddc453b655917314bbffd2686865e71beeb82c4e5a7246e7ef84b77f947b8fa255f7264c2ef835dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEEE.exe
Filesize
415KB

MD5
78d6be84cb9eeb944047fa6623dcd8e2

SHA1
ddcafdac93e31314802370ae6932df7381e65851

SHA256
5c3081a34e3c8606dc22351bde844de2e028934775e3be8b4f0862a7071af42b

SHA512
2acaf213e74586685ad4058833dbc5a101de78f235c8cf016c5c9525bd69f1d2d38c32bed2a84282a34296ab7067f3bcf6afe3fb983ed68dd16144b2661d4343

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEEW.exe
Filesize
202KB

MD5
52892cc121c4ba330167067f065f9e52

SHA1
b4d02e2e66081ed22c3f9598762097f2479fa644

SHA256
4f068bebe6438f0df241d3e0544f8945308ee449bc3dfb14450b6ca747f54470

SHA512
d817ae1a5da6d8646dba8f0b2d80927b1b625f84b9182d6882a32802aa2cffae622ffa6da4a4d9a7d46eb1b5868d3d7ff6898274ea218f244c01267dea8683b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUcY.exe
Filesize
208KB

MD5
524697d3d80ee7cd1b885baf0f26d32b

SHA1
1c020924f3b29e96fc0f298c6949f93d4bd970cf

SHA256
81fdf26e02bd3f95d166858f1878236f89e965055be3373dc081479ec7cfd0ad

SHA512
f5add77158bc033f2b7dfe22aa5bae113c75bc0693d6e78e3aaadb5cc5563b4b1cfa014c444bb1c28f35fda7401f2f7fa4824025cd94d08a5ca497850134ce00

Download Submit
C:\Users\Admin\AppData\Local\Temp\GsgQ.exe
Filesize
228KB

MD5
4a1e963630bef63304d9fb97350fe4e2

SHA1
1e2aceae6141a042cddf7452d91d0ad192cc6a15

SHA256
e8e92f887e9274781355ef80deadadb47a60c1ca78f9b9e64e920781bad7512f

SHA512
8c31ae12ddc14465729da28a7c4bcf1ed18035b924b5dda6adb7c8b9a218554a673b733552b507a0a0a45b14d6bd618672cec442f22551c9ca2fe5486857e4fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYku.exe
Filesize
190KB

MD5
3fe74ff9e8e5cc899f8284b337a91f68

SHA1
1f2ed7092f584126d3ed546c66c5e928aa98fccd

SHA256
7852c2ce01eb6b2edc663dcfb1d113b6ed038f66440b28b4b04e120ac0a60f98

SHA512
32bed82b6c89f3966222addc158f1af127d0a58529112144ecc8080cb568d0fefd5eea0dbabda6c40e45613b8c57738a7ed769f42f32130e5d440d6b857828ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Igow.exe
Filesize
643KB

MD5
2e358427f6eddd1709db911779fcd7a0

SHA1
dc189f2613ea85cadfeaeb9f6b927e414c2d2ef6

SHA256
53471b71cf6ed8689194e45c44e80f1993695bbfcca3124c3645103ee47bbf18

SHA512
3866bbb4bb01f3d89c05a431e9fd5affb9203cc6db1ce41d6c436a17139bd125778ab0be6400c8e8f401b05a76ce1f0a7d09ddb13b8669ec374343187c7f1542

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIES.exe
Filesize
563KB

MD5
02add863aab51cf2a0a585d282d69137

SHA1
624512a361d858b586ee91ca8b00ce4efb756417

SHA256
a318605dd2799b0a2bf163da60c46a56e32b645440d3ef409b456563068219ee

SHA512
512a66106afcfbcf5312d678f59ce593d3f6a335f7447843ff316485a20311c1eb8f1c43aac8ba802e6e3bb9d26206f4bfa2be64e5a990a131660ca8ee0e4c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMMY.exe
Filesize
642KB

MD5
9b23e219efa8d6201447f3579ee7dc11

SHA1
7791fbf69d4c6753c9f85762df76fe7dfa9404c8

SHA256
f11d8750a12ac971d14648c3de9b19c25692b675cf49682459829c2e41544772

SHA512
719d22d5feef15e5096de15df2afe6952885f51a152c6e4ad24643982f583be3bddc7b618bd13fd56bb9a0f8f381a6a95bb7fa4b7743673fe182011fef9dd397

Download Submit
C:\Users\Admin\AppData\Local\Temp\KMcA.exe
Filesize
826KB

MD5
bfe89249411ceb904d48a86862b1a0cb

SHA1
df8fcc67bb8cdbdd9f9ddbf24f04f0ce09aeea0c

SHA256
3a4aa7708fa28032874cbc3f115f8580a5afce173440894647e8e1678958296f

SHA512
cd08b9afc2049e608604e461d18da45fea85ec2688087fce05bfb01d8a757d2fd65036346cc157abdb9cec0fb25a6c3e392f9c1aadf0e60396515542698c07c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\LSkIsAIQ.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEYW.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIIa.exe
Filesize
243KB

MD5
bd94e438e9c24053708a463ae37feb96

SHA1
a932bb7e5156bab78124a2dac968a4f75d9a1591

SHA256
37f6e820d7b1026f0ccce1ef41f7279285080daaef6792bbdbdceca742edc064

SHA512
e3742bc31198c6f7a5a2c62d24556ed707cdb6537d98bcbfbfc5990ab4370407907f10ec64860ad68f1e1adb0327b09781a168b1f8b19c0ea67bf0c896f77a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MIwk.exe
Filesize
724KB

MD5
6c993e7ce60603298d6fed0b09d6836c

SHA1
abb4f9b6e8b8688c9b6b927b32d516944e32a3f1

SHA256
4b5515b78895d7c2e446a22b839323632b2159e726593abb5e606a956aebb44b

SHA512
4bf401aab99cf1763242da47cec21ba9a75fe8b4bcbdcc0492f4e7eaa1e05b95a48e9f406047288e182b09be52f058acd69dc91bbf20de6ec53f963a7e2bf9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MgYq.exe
Filesize
200KB

MD5
cb3b98cda044f6363d00989488965ed3

SHA1
ebc5e3a4ac27067cfa1073699ef697412ab9a58d

SHA256
0dc08fa41214eabaed67945492667dfb960d0676438cf7309a19a95b348cd49c

SHA512
661824931c72f4065f6c73bdfe2fd989ac4643485d4d284c3d785bd28554369923c9c47cdec76b2636de40c11594b3afc32301f5df9fa123ef912711b83d7c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkQS.exe
Filesize
205KB

MD5
4a204e68be9b76f6fc077ebae38dd08f

SHA1
676f84c47244a4753801de8db54d60d8e2fb1fbe

SHA256
9cee23edc2b7035277cbdbeab517050d82948e5576f2ac00d03810b78c642c0e

SHA512
a30b71260c51d46d6b7f60eacda27e38e3da3cae6bf6ff2b8acd483987efcc03d97d2d93e30916cf88c4680b17ca0aac0acfe82edc71201f1ab3b6d5cf937793

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEYs.ico
Filesize
4KB

MD5
2d56d721c93caea6bd3552e7e6269d16

SHA1
a7f0d3d95a19f61d30b9e68b0dcee7c569249727

SHA256
f8e8be11d1062a945187b65fc5e5b1500bce03cbdbf6f4af9404b649aacc2aa3

SHA512
c01d86c43876fb8eeab79b72380a00f095d95c3047f530b777ca89d309e7bd797bf83857beab29527eddbbc491da3edd95ba343f6a0725cc565015f095cf0919

Download Submit
C:\Users\Admin\AppData\Local\Temp\OQwq.exe
Filesize
185KB

MD5
445050b5276c9601559daaabcebcf244

SHA1
7cbd1fa7fe722648a5b32019dc51d86448175aa3

SHA256
46f7bb745bc1602e30320e64aa8e2539f9c5354a8c202fefcd062d8b79564284

SHA512
e187f5df6aaf711b11ebdff89e4eccc57da65ba729cd24bb0581024c8023a1f8e4c0ab73964d2662148c00b9d4533c2cdcd3769084f6cfd07d683591c311f8d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEIm.exe
Filesize
712KB

MD5
073abf5b1fa7ca91ed61e472f4008aa6

SHA1
559f325dd9ea11bea3edbb07fd3c81d9a5dc328c

SHA256
f6788175bdc339e39d0ab86f26e961c652acb32b4997f1747fb4f778f9535e84

SHA512
29915cea8e1ceae7c4565158a037e7f25f0282d8ee0d3fcf883636c27334477aba76a06000ce304f65b7db72e3457d3be18c2a76ca634ce34f9697b49943d93b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYIc.exe
Filesize
354KB

MD5
fd16f3276a6628f48a62197b7d4f5af2

SHA1
76a449906fc2f96fd72c7173d73ffc7790e62fec

SHA256
d45e729b201b121c450ecf6d4363aa6b55e218ff9a862abf078a16de846df48b

SHA512
979a4b454cfc521f806361ceead193edaabfa6cc63ca741adc912a12eefc8fc1b9ee0fc2ee8a7c57ba92751e8456c1962310954c04bf8e8b9c23182c330eaa18

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEYC.exe
Filesize
814KB

MD5
77cf8cdfb06f934bd7df86c806540d53

SHA1
8342a6b3d3f68a6b0926c5d96daf97e4a5a4115b

SHA256
e2978c8fb4f56ca7b094381317d6aaba2a4585eab090c7d348b0700614c2b229

SHA512
cebf72fa29c8762f110318a18c9dc1b53df387bda693e4b4e4b24e8026b36f12b5176202f66ebe65b090c66eef1503d1a0cafc6e6142c54e094d647c5c106e90

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIoS.exe
Filesize
5.9MB

MD5
d098df87c30e5c14e74fedff80f2a43f

SHA1
8713e36c52611924ca7df15552ff3a45c853a2e2

SHA256
d9598bdf37802baad4e71bf8a3626814839f79a5620de4ebf9391292b2ae7953

SHA512
2c5c276326795f2d8a84bec21ec64918f5d0dbec40d55e9efb396978610af30f95cbf39be8606f78282a03400ba5e4c21f63dda5e46e2681697a7bae30b16b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQEC.exe
Filesize
832KB

MD5
c7d98dbb26d990ef580b8c31f52a694f

SHA1
26e47cc3738e85438f6b5189f2f920bb590cc393

SHA256
c12ba73e0dd356449863f2817316aa0a37e1b225172ecb8d261f7dc37da90a1e

SHA512
09d295cd02c79855a1c771ec483420cccc796a69442ef231b9323a19845bc8f739de85b25a82cb86651f43ccaecc31b41f06a6fc8a4113c45ffa4e8ef27c4913

Download Submit
C:\Users\Admin\AppData\Local\Temp\SggG.exe
Filesize
186KB

MD5
b0e3a4365d106693fe99e3bcb18b3276

SHA1
99dde11b7031f7fcf4f2e8e6229e8a1c395f87b9

SHA256
abf1fc1f5fdbebbea88c9161652353cee487217690f24fe1965958856df6c5e1

SHA512
29352db51a253896a1d07a871e34f10c5edef0fe5b4a9e3b429098fe755f43858bc58b2d3a5c059771b88e5bf916ff513311945391a3ada8a762a2cc63b3586e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUkU.exe
Filesize
197KB

MD5
4ef42f452781accb5c18a15d1830dc47

SHA1
ea1d784faced511fd9e8ce71137b2d0290f076de

SHA256
51fd96f30ada7d280291a3621ae36fff849c56b3873b22b476041748cae344a4

SHA512
b996d20884c5e89a898a0c280533e853d2e456d9bbe101ad0a8d698082bc40ad655be9947ac5b7cb86fa9d7bba5c329e3d76ec41790f0d36d74fa5d90592312f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgQW.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQoO.exe
Filesize
189KB

MD5
e671423f50bd611dc4bb7d995ed6e59d

SHA1
7a96830026a77103c39d8e4b8a8c9a6bdd7de2b6

SHA256
6b9dd2fd7c2314b88f07b9b0bb9bd4b3df826e62aa60bf1699a0a896aae66570

SHA512
d5f3954985adde9c354d482a80b21c1541a680a32588c6e6ccab9227b30cd62319b718ffa0b4117ce8d43932df1122e4ddb17611e18bd4fdeca9f7e819a43bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\WUEC.exe
Filesize
240KB

MD5
2a0c39f8711cc7fc6d0354118e40c860

SHA1
113e3e4cd59315ec430fe2d29c607db4a9bd62b9

SHA256
43c5f8db952a840dd3e556fc88436fb5bbd4247551456845292d5ce05c9a0bb8

SHA512
3f9ebfcb35726a1677179a464fa0bd07d6fd0e0771965121bce3e720680cd55885ef23025e7a3e55a89a1dfc569159477b2c3a0d3d5d292e10b03e5880ffffe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYEc.ico
Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WogK.exe
Filesize
326KB

MD5
e3a6170304cb363c5cef1bb7465f3c3a

SHA1
42a5b71d4414ac405325969cc1778c4d127a9b6c

SHA256
675567b6ce72d304d4c9af74fe8c9d184a9bf7beb52b842c5d7ce3f7333f9579

SHA512
5dff2a8d968640b234435b7bb4b233004465faed63f9f013f6703e71e0b324aa8f7b978e985a22284509a445e78894d16275b9debc1720eb08a086715be2d91a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwEM.exe
Filesize
209KB

MD5
8161f777115578f781813056ac0a4b85

SHA1
8b0699d33bf7fd1923ce4a687aeb660920e38200

SHA256
41e1f7f73fa407a31d2c08d22165cf81d6ffab6b44711024e34d65756d859d9d

SHA512
a69b3dd225893c0ebbef9dcfeed1d302104effca926e600abef21512daefb59532fd6a7715e060964cebf65b9d2ec655f417d224493feef08c9862216b90b741

Download Submit
C:\Users\Admin\AppData\Local\Temp\YgIE.exe
Filesize
5.9MB

MD5
0cfb4d9143bbeddc1d860b40fc5e6537

SHA1
d1382ed2a317757e6835f2b0ff632cb2b3c2baf7

SHA256
019bd92ff05d06f8cdc6def810ec357c131d8b43d752dda87702bcd5ac913349

SHA512
0528e6df250894671ac971a8e35e0e80a631f48386cc364254c8d77518e0ae1fb9a279485c9a0ee9c1108bfc219a8264d0cdfce40a973eb25b2d67ef1370f06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkIk.exe
Filesize
189KB

MD5
a33beb8dee599f862744d2ea98409cbb

SHA1
c38ca8b87d395d48567ec24f4d08c8ac666a2029

SHA256
e0a83e3fe2191122ab6e0dd29172745f36578bc2328034f663054177229082e6

SHA512
ad307379fb0b2d662a3d9e817fd046e0b031f4d162f33b9e29ebb27854ec4e8c570c462c51b35dc086df964d7852452e88fc916fdd012fe15b4a36dd3474dfed

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUwO.exe
Filesize
647KB

MD5
2a06310223e0048a1bc432cba8e9f385

SHA1
9d4b6b9e2675dab20d863f23289959978c901f2d

SHA256
68b20db0d3ca5e1ba1a402406dd6a7501b5719e52f8dc29d01e47e43cd65e84a

SHA512
b38977680895fc88d06d6717d8c046b7e85747bc2d743c95c74c28ca4eef22955efde6d813ecad5c4f7bef74fd53835b30f32164ca2ed60e53757d9e3ccdd1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\acEw.exe
Filesize
191KB

MD5
e63bb8d7f901c6868d3d04d8b4dfa593

SHA1
5b0e447fa6de6729b14fa66b49cd58e7b90f70a0

SHA256
b4a25175cea16d66646bb3bc4942f8172e4fbd0b084f98c97dd6b315429393c2

SHA512
fed1a304e8703918fbf405cc6201ac3941b2a0e7a44a4d1c391cc5a4f9748b137b85e16272acc8a9b4d8e847c99be28e8562db10d91dd4477d26bf949aaf7442

Download Submit
C:\Users\Admin\AppData\Local\Temp\agAM.exe
Filesize
189KB

MD5
6247c842ff6b97bf80e09c870dcf20c1

SHA1
156fa771d46e54dd5a7a9da4413c661b95bc2cfb

SHA256
ccd999a4cdce922c251c48cd562b410dfd989670454dba5b17ced7941804926d

SHA512
c566c7773e31a22f7bc49e82b12ee3d43c3b8e76b4fa89fce27c4c696372f98c63bdabbb04fd522eb8e57955ade0663bd6a2e4c413e719d0aed50ee1c78b408e

Download Submit
C:\Users\Admin\AppData\Local\Temp\agUw.exe
Filesize
1.8MB

MD5
0bb129c3e335332e1f58929d3ea7fdbe

SHA1
786fb79217acc9a1d72125acba87abc6d67eee80

SHA256
1eba8decbf1f898a9f8b26b96ff87ac6cc05009c7a005084cad9cb2c46455b49

SHA512
ad12b50ae6ca46814a20358df7eaf028353da960e7a3f50b89afd697b491b13a3fd01aa15935ae69f0284fed3d2b34d2556da81ea55bd01b1c01aae8959aa01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoMu.exe
Filesize
185KB

MD5
363e3c8064f7a87470d5405ae965bd73

SHA1
88d59a8323bdd4998ec1f8fd99db1562f7bc3a2d

SHA256
d1289c42faf355008cb7249e5af7c736bd4f129079ca1babbdb3a080c2c84f53

SHA512
ff7e6300d64ae1d0935f7376ecfc29205a8470a62b6677d5ec5fa2f7445e24c3143207c0cba90ff8d83667db294d1c257dae5995f8ed88949c05136523a026bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\csgk.exe
Filesize
431KB

MD5
da8f11648fa7cee4fa8ec49e8599ce60

SHA1
8331f49317ecc2583e52b292dce7c79198be4e3d

SHA256
fdd2e241ec5bdf1cd7b9c76f57741582af9835bb2435912552669e9f62611917

SHA512
885bfa42b2bbc2ee6ac32dcb54b5fe3182543c34c33d316171d1b31221750ceec1a811c6a2c67e5d5fad1d3e241b6c8a6db28a6b79bdfdd6dce9648e0bee4a04

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEQS.exe
Filesize
495KB

MD5
9f4dac91295317ffce4b2218d9d38f2c

SHA1
b6427a3f6249e184c5bb195127f01da5220ff1aa

SHA256
a659e65278a1d32785af6cffd727f2fc87a81dfd28d475bb3c51d05369895388

SHA512
06519bbe146e330530f2171204ab301233e1f466c14d12c5662799add7157705d318f46f74ca89da0a1e4c0ecc242230c09164d02f41c21e5f7185fff354c260

Download Submit
C:\Users\Admin\AppData\Local\Temp\eEos.exe
Filesize
217KB

MD5
9f2ff3f3c8c1e51c823b75f8195b7631

SHA1
d734089d52a7b4677a9905c9c8b727a35a424036

SHA256
32b356765fe041a3a3faea10c51051f4f0efd9d0ae3aea84c14225e5eb25861b

SHA512
a9afb5b4b9a38bb9c1b3525f476b8206a27be639408fcbb479604864e0e8560da2e715e9733a9d947040ca5ce74294dd2cf4c5162fcc46e1561932d661cc52f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMUS.exe
Filesize
196KB

MD5
059ba7ab8132b32963eb2a16df7f7db1

SHA1
41454325416c2c5ed11bcded87f1b3081d4c4372

SHA256
0150c2ec8cf5f30e11c7ad8206fb176260919d143e3bceba509b157eb0fb264e

SHA512
8ee045f30dee412d51ea078946a5b5a122a96ec94aeef7729d919b4923628b9c0b2f1cede2fc22aee73c11be8d1ba079bcf14fa3c70d3d792f1b9e5b920fe0d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoAS.exe
Filesize
369KB

MD5
4b6cf6b8285ad5d3ab67923ae3543064

SHA1
8c5ee1aedbbf49582b945ad4ab44a148d7b01d97

SHA256
f1b79b0eb6e8b48e00af817646bfc7f31869a5a5f0ef434a331df1efd247bcac

SHA512
6a0169005e6c45f331b7fa5bebc11aa3b8ccf90cab5f31b44980c3eed21580b19754ed4178a18eecd276873bdc8ffd55122f9932b1624cec2d373673e353e113

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoMM.exe
Filesize
184KB

MD5
1c07ffec792921ea9080c2af5e01795e

SHA1
0b8e7b43ca4a677103999b1131b6ee11a2e34f11

SHA256
94f4b81c381aea67cfc51e39c21c219d7d94493fe16ea4e3ab3cf9c0913cd0e9

SHA512
a40e2fcc5d3d06782bdd4f3331dc75008ecd82ec975f95f5957399ec67a8cd932e279a73b31df9a2a816457ecb6abced791f5729022a240155bebc9fc9af3958

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggoQ.exe
Filesize
203KB

MD5
82826573304fd0f87f0f14ef1b5a869f

SHA1
fb62581f6c719e14719a34c9dbbfbe7ae27064db

SHA256
76a42579d8c8e68e3d9a8e9daf9329f23e8b74014be4b115f88a5ee25115c960

SHA512
53c1fb2e068d76de245e2fa381461316e7235bce9c52c87ad053d5027be228542160f4f6e819e484dda6d04c5173225757ef1d04945cb7145529ba6114de91f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gkoU.exe
Filesize
201KB

MD5
1cdd70d5bb6eb13e252e1c183c187096

SHA1
a3cfcafac6435fb56f69a76c12a05d9bb061a6d8

SHA256
3d166e7d67aac74dfa9fc3ee642f3391d7fd304994d8529964d099456dc44bec

SHA512
c3c743ca721a18f48e57b9705cd6d674925f2c1450db9e02cf2c382dfa6bbee697ed0d7c0de085f9594a0e7cbaab4775aeb65beb6366d6f6baae04b6a452337d

Download Submit
C:\Users\Admin\AppData\Local\Temp\igku.exe
Filesize
528KB

MD5
c11ee27c809ae689931f0258093797c1

SHA1
c608095242517cd168fb66447138b15226b63bfb

SHA256
9e1c978afaabdca4825e804a213d52a661d624a236f8ef68fc7f3d42b3381d71

SHA512
d474682432fbe1ccfebaebca029ae3ce216d3d5c2ea13b1f21d48b183d7c0a1f3ec0c5a9aaf345cd97283e74eb5dbf1331a1343cc14f142f0a6bdaad764696a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\igwY.exe
Filesize
199KB

MD5
f39cad3f9219e56e84201a43d6ab04d4

SHA1
cab0c318fa45d0d5ed56ee2267a16ce48d1a50cc

SHA256
20e51485dd50d679c73f43774e18d32056b33a94a360b2ad6e45c2b6630f529a

SHA512
87557aee63d3032e0261772b20b5bb787cc41f7e434e3c2576073813ac083a6296ff002af94754f5e76312df19bcbf611caf70497c4f8f3dfa4e7e483b8c8363

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwYe.exe
Filesize
191KB

MD5
e6740b02b2d6dd8d4ab85e068e3b6b6c

SHA1
56d287c88a36dde4af263a2f167912a96550db0c

SHA256
92834c6a94367ac10e779170f26d0e90a93813ee3d181d3639354374f53f4140

SHA512
d0af65fe0c0cb284905d4e5976aa7628527f15903dc8130bbabe827950129cb140a451bab21d0889d34fda37c63ac473c9a7e9ee080da1d66364af7057005ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMQu.exe
Filesize
422KB

MD5
f23120fd5779cd21ac801b081b6e3568

SHA1
72ff94ae9a7b8b805e9962eb1b8ec2b91eaeacb8

SHA256
63e29df9db9abcd3fbfd9da4d62dec94d594e02b54fda3a646812ab4cb1edef3

SHA512
b318a0875b5be7bd30387068f51002c6f63a61d49c420afde550e0f867dc3c272d499b2fd6f1d31a09533521d6f863b55a28bc7d79ff9b3bd40e8cc42dc37578

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkom.exe
Filesize
205KB

MD5
08b86935b321ee06f3781e1fb492a3af

SHA1
8a7e42ab75bf784d03a47f2b26a58a9c991b7220

SHA256
357f0dfddec1c24aeee1f6417842b2ddc5873cad1fd51953ec9c6361cc609def

SHA512
1c259b4c5e5b5d81e6bdbfcb502fa9672c37c5ad89bce0c7d943cc2b2617783a3f270fb6d060f2d6f605375781bdf28d5e32bfa79f4c1d89767534cee1a1c4d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwsu.exe
Filesize
185KB

MD5
cc473f58c0c050f6ab739302c36f21c9

SHA1
4f096540d86eedb9bad53b84d635747ab1e2d4be

SHA256
3e2159441b17d7dd9a6abce240a90999b452fee0f97c0ecc60f0564650cf3aba

SHA512
5938e047093522b96e34e8591319fbcda0e1b7afc057d66f9b05b0c9b6abefb65c4a60d38da4b2df25af43dcea120a79da11ad4db6eda0225938f5853f5b763a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUES.exe
Filesize
312KB

MD5
ee93151a050fa70e02b8b65bf663a3c0

SHA1
4f64a9cc6861fcc99fc888f413c98ba68e21e482

SHA256
0c09e3333997d24be9bb74e9985eaabe259fd3f79eed6be363f8efa3e089a650

SHA512
4498f4f532ccbeffd95a52ae9c474351ed5b4623178e6f3c7cc5d374356d72e1584741ee8c61be58577d15ad709478ce2a7f2704917c0744ed1fe4e06f889c65

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUYs.exe
Filesize
215KB

MD5
6265167c9d48784ef238da3ece952e51

SHA1
566ad14f235ddc7977f87dbdaa1a493e82dce009

SHA256
f8a477e1d9bd50dd561db3fd7615a9557b47e986cbce230907235fe3f79924b9

SHA512
1f76aa494101ad38fcbec216e036f8dd93fb99b2fc94193c57b26751719a2304652a1357ce9e07d20aa8e4d5cbb6192f9dfdb71a23cf6cbc60982b9b53f554b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mYoC.exe
Filesize
192KB

MD5
f6b58f437536c7fbdf2dc64588937f0b

SHA1
801ef3c1a1668a2958437369f0b91fbc36f66a94

SHA256
f6600ed8cdd49f95235d5d2fb3ccc69a3ae7488b4a5bb56ea02a7c5c48124b01

SHA512
ad65336130784bff750e52b1ac7df1adabd2b5c357387dbb707861559aaccd57d54cfabd28052203030546d206e430b3179bac68baebbe633d064985acf6b743

Download Submit
C:\Users\Admin\AppData\Local\Temp\mooa.exe
Filesize
801KB

MD5
5e2b0bf070c00587b3b7c49ae1e7b31c

SHA1
7cce8a10f995a8d96926aacb67b8b71380b7cacf

SHA256
0313955dfc239f66deed17640930f965fc9c585b74695a325960d0d895a2bd33

SHA512
d01becb448f678ee85f309484c7faa19fc315246bd5beb1e470772085f54d9d0f1865b9402f98a0904ab1fa2a5931066b9fee2052775489c6eb4bf86d51d8590

Download Submit
C:\Users\Admin\AppData\Local\Temp\mwkm.exe
Filesize
195KB

MD5
ccabf9e5e4033d8d1649dd0a53e9b453

SHA1
8ea72c8f45557623fbfc9847089dbcfc3dd7cd06

SHA256
c21346323442c559f84e880534dca2f5a45daa063eda9f4cd577405f350976c2

SHA512
07a82df342614ce8eb0a99bce90721e382437fd0c4dd455f6a022190e205644fdf3f40c7757f6e9506c66c248d3741a8b444ade14739ef4874728ff0d9337a4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qAcu.exe
Filesize
217KB

MD5
ad9bb86a0c6e38377f953c151dff2ef0

SHA1
80e95a8ce5feca88aa47c909a2f3b5e7c67ff37e

SHA256
b2c133ca15a61449e559c15461ba0f67995c1eac50f3be7cd8f7c5d6f125e0e3

SHA512
0ace0bba51bff7dba8bea03649e6fc4c7f88b4978769c0efbc412607c1e114f0e2344c30f604e991ce5307213fcb49812d3258103bbde9484d3b69ee30bf3049

Download Submit
C:\Users\Admin\AppData\Local\Temp\qIIk.exe
Filesize
191KB

MD5
9afcf5d98b91acbe1872fc7a7f73b843

SHA1
5db448d5b9ec4d84c419303fb236646218b7792b

SHA256
e25aacab46222b22e0742f3011f934494891f7c21ea3c0d52e0a222eca1cfaa3

SHA512
5e3cb8ea1754d77154f399f5d2145d2196f3a1b290596c0bd1f01838d5c4ac34f1faf09f0b9b96979f1c83d5f2c7c33da41741ea2ffb641507ee1807c0d81439

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkQe.exe
Filesize
210KB

MD5
cba721aba55fe2285268e759d7ee52a8

SHA1
3f95f510a0aded858bf2fdfcc278a4c14c724d88

SHA256
cd1b4a2ea498e37088c6ba7740bc7bfbb42a3fa295fed81c7bc8b64e5e736895

SHA512
522c343d1350b7498849ffadc04bd78b7ac6ee0dd2d59c4506bc17feb0fcc64c3432e44e0b990c1b82423169852b0056dd46d003fae72c47dfe84c35baf9ec0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIUW.exe
Filesize
206KB

MD5
41aa9d2fdc53902367cad03f865c9312

SHA1
4982669887695ef2eea7fbc78861c953429a4224

SHA256
400072cccddc469faeac2e8ac6f8d4c1f4b85ea2070e5194a9667d7235b20407

SHA512
de2368d00e7071819268013943b8c8caf9650b44f539c108101420f95626a159e7b0a9d3fe3dea7bed3475544f2b8a68439e0766a2a339eea30358431a71acca

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMQi.exe
Filesize
582KB

MD5
388d16d40ae66e1f1b5adc3b6205b551

SHA1
16a4bed653e028310ef27d6e6348ac45985b8895

SHA256
4a9997b5ada30b3fd881590faa245a9b116906009eea85e5699f6c7c02624a52

SHA512
6ceb6feaed1b0c0cc1407851cc7f1a5ded4ca4156f567e851c9cd224562dae5dad024efcc79c794f9b9c9f35dca8420cdec512d457f1b17dfc508e0cb19c5141

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMgg.exe
Filesize
207KB

MD5
8249a7ac6128597e052895711889fd61

SHA1
2b76189c68d12b59f1af36bcb9c2559790ea2222

SHA256
19feeda91de31da9f187f10849df0046da2251ceedf922d3a0d683a4bb1426ff

SHA512
a9395ccafe7237c60ae3c6d94e601a93063f1d1ec36e3f83dd5fa9972cb8742408043625a68c1018f5da067d391493c8f49eaac74a447c20dfbbbe08280fb414

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQQo.exe
Filesize
193KB

MD5
83bac87090fd9c24704498228dc10a54

SHA1
6e830af8175b802e2c3729b8be6253192c339a0a

SHA256
3fb6d8f25ce8898426556609a32c3e91e76c99ba2e2c9a0c8efe46d2b5129287

SHA512
cac295b462748888497559da67c9671dc310770c351571579e192e3f93f29b40e96de3bc8f5b1abae25e341c1322173ace40e55c6bfa413168ce91305ad8e75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUMa.exe
Filesize
204KB

MD5
a15d0544249302c23c2c05eb7ac09064

SHA1
51478f2c38acfc613d041b4c09e2e2943e56282d

SHA256
59ad8efab1e3c675e0a3d5e38b95b9eaedb828b2715725ac346a869c689f8720

SHA512
ba1dd00fe3bb2ed4e395dd4c99064ed12731d8ef8ac48ca0f1ffe003199313563f8b685272209a748a189586cd5a3eaabc4d6511e1592c1e13ef4b3c362acf93

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUQS.exe
Filesize
775KB

MD5
21cf02aeeef07e9521f74ab0e148bde0

SHA1
ac738ab5cfd028e7bdddd0542a89fa6e23d2339c

SHA256
d2e877db163fa44ce7ee36456eb2757387e5ea86eaed7d5a2c61a2d542f1fa3b

SHA512
3b910b90bf5189c6c034ad43323d16e319c9cc3ac580d9c4af10130731cfad80b222384997fbdc9a8a464e510d4ff0db9380d87c16d7cbcb1343cc8403079418

Download Submit
C:\Users\Admin\AppData\Local\Temp\scIs.exe
Filesize
311KB

MD5
81c57becda2b9799fc9d40e12976619d

SHA1
5058a69c03fa94dc1fbe970d17843da97727b429

SHA256
5c78beecebb95ac187e94dbd0ca42e03f4f6d35849f51956891304f72bb14977

SHA512
dbf092adb205fdf6fcba5c7bd5dd51f158abb9468f7ea11c3a80118701e177cd1ccfd8b4eac1bf9605f992f265766f906a7de7363f198578cdf4c8b9f6a50258

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssgO.exe
Filesize
208KB

MD5
9a7bb225bee55c78d42f15696ca78adb

SHA1
b0dd0454cde0291d1e69eab5c5b66cf5a253c79c

SHA256
99203d16fc994fdf9f87c99b5f25686cd54dde1b98d2675ba047ba82f9a8c43e

SHA512
f94ab3cdeef4cc7f14895b722f7baea39c3aaaf2c1f27f073f6a1b57dc790f8e12e60059c8cd657f726710cf29cafdfb9d6b5e5d9f4137dfd825fd9f143381a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEgK.exe
Filesize
813KB

MD5
675c8791aa514d781008bb4b3e1a2b92

SHA1
595e3f07c2e76d531f44255af2d9cd315a153270

SHA256
faff8d34778425d035732b3ed7369bca170d52003b0fabbea518e4394c8fa9bb

SHA512
533b0a69d8334e1fdea14d9eb286b051e8d92287bc5b5dba234ede0fbfd494b376445b876d56ec76c6b509e3adb1f805c5b0bb3347584d3df19bac8d5f76fe17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukMs.exe
Filesize
209KB

MD5
839e7c422d9ed6607e8d3fea12a774b4

SHA1
0f2e5e20af22b342a0289c1477752c63018a2e17

SHA256
e7732f83a7069de93689bc61f896813bb6f48f695c265380a60b42b7415c1d65

SHA512
b5bba2255575c46980de3903be9b78588370bf7fa509be25670768ea1354bdd912af3a3e66aa01f6c3061da9c86c619cd8737e47e7c305763f92c25b9a65bf90

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukku.exe
Filesize
384KB

MD5
efa78ab8df7af50ba3ef671a8c75729e

SHA1
ef5b5274789f57dbe73643ef9deda38216b8cb5d

SHA256
bed509dddd740536331c5d52b7cdbb4d8331bd45078ca0d46294d0a0112b8fbf

SHA512
dabf484cbd6945d1f75281434960e48468e88b190109fb57b3b074a312af16a0f1a3fb3d30fa87685b029a8fb011759a8324c8fcb9adcc3a6b5996fe03ca6727

Download Submit
C:\Users\Admin\AppData\Local\Temp\usQo.exe
Filesize
199KB

MD5
1221c3ef4432d272fb7c317fd014d928

SHA1
f649396b3ff0b521da28661058d9f352a9f23c72

SHA256
bb71f468ff6d6494310a212f5c2032d2f0c570d581cdd20107f5b7e725f292bb

SHA512
1e02d740d838c97a888024e7570500079ee499c161c559653176b4869225e9379e3d973e49bccc13120c7ea6bc9d57b1e85fedd67a2f6b55834908aca75a82a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wQMg.exe
Filesize
188KB

MD5
efe11a7b53559c228b9afc90a5f3f259

SHA1
5b022319ac0210766c6b5a12acd13c97589ffcae

SHA256
f6e3ea9a7ab7a1faeff2deec3aae4fe06bfc9e51b83b9584dd74c1375c77850f

SHA512
fef86bb73093ec24f041ebef2aacceb94e5323a1dd09d615f3f97645854e9eb36d4bf4ebfca9ec1d78bad7b2349edb8615e61c99286ce8f06eb06e4858ba57db

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsoG.exe
Filesize
641KB

MD5
a39bfb4dd3cdf409376d431d2b75701b

SHA1
0963bb0374ffa7d707c59c8f3b80702bb16236cc

SHA256
91e06b5e438dcf05e26798edccd9e8f99d67f8b27c817af1a2aa607cf15fffcd

SHA512
3f29708e11c23a19701c67b173a1a1c42eacc06abff2aba7b26b72d964075a81fc88e9b64f6609f29437f40c04538e3614c3e3c9d5b6cf59509fe337340e87a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygco.ico
Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Roaming\CompleteExpand.gif.exe
Filesize
436KB

MD5
4fe6b5381408743075a70edd2e57b215

SHA1
82dbd189dcf1e1569b1bd7c3e326d6635468ac33

SHA256
4e2a57e9a4cdfc0bc6658d68245207ac39b0b51056da2c3df6b59601ff9eb493

SHA512
59ad18fe45726a0d3d09f79887f3cdfa12f64c13c0455c020bc1c7015d7d5d5af9d81b3aeb63ee2d3dc93c19e92cbbd9069b814b7dddf963a683579ccda66c92

Download Submit
C:\Users\Admin\Documents\ExitUnregister.ppt.exe
Filesize
435KB

MD5
057a44fc74c2751b15558bb7f587bb4c

SHA1
6b1c08b62fb026a010dc766618b5ebf55a27a302

SHA256
99ee388b29af119b8a52f0ba633c7d5874cdb9337c015042afaf6d8b862331cb

SHA512
c298545e6cbb8a2eb0d27be5e9015032d67a7d66982748a570bbf6d50d3c438e74ebfd4a5de9f5a71175e8b442f6a28ee9a0485087b0a19e5b29b3509df475d5

Download Submit
C:\Users\Admin\Pictures\ConvertToInitialize.gif.exe
Filesize
543KB

MD5
dc3d3da0881223b7864967a360957472

SHA1
7a1c809e9d068eef171c3f4fbf213ae63469f832

SHA256
45eeba2ace38d550e70091cb99054a5b2f4d1b7b4019c30f99480af8d788d2d3

SHA512
f2c5732798318ba76270a605b4b255596161fa59f889f711c42769132c5340725c1e2fadac9dec45a656a3e67542160c06795c257bba3d3ba29c0fef2fee938a

Download Submit
C:\Users\Admin\Pictures\SplitTrace.jpg.exe
Filesize
584KB

MD5
eac108680f0d3828c5f24f326e449af9

SHA1
480047f91e2126e6891d6085747335832d05fd8f

SHA256
600d119bd05db63ffa3a6fd6029035512397ed5940173ad5b81d80b785fefb3f

SHA512
5a179b1df2b6ecec8d641644129f9e23cce4c982f467541bd822d6467db3d0dac3dc53d51541650cd15efeee32bce0ff626f0f5a9765851d472192a269fad462

Download Submit
memory/564-393-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/564-385-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/708-461-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/708-471-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/848-121-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/848-109-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/880-45-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/880-362-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/880-374-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/880-59-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/996-451-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/996-440-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1036-365-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1036-356-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1164-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1200-291-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1288-355-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1288-344-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1496-144-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1496-159-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1540-8-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1568-185-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1568-173-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1616-118-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1616-134-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1620-538-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1628-309-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1628-296-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1628-498-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1740-472-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1740-481-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1860-336-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1860-327-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1864-460-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/1864-452-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2252-44-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2252-33-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2264-82-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2264-97-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2316-546-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2392-523-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2392-537-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2572-384-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2572-376-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2748-58-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2748-70-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2828-518-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2828-508-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2992-283-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/2992-269-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3212-225-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3212-237-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3252-432-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3252-420-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3352-328-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3352-317-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3512-489-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3512-480-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3536-71-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3536-83-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3584-274-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3584-260-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3628-241-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3628-252-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3720-347-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3988-414-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/3988-423-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4176-20-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4304-197-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4304-212-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4324-443-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4324-255-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4324-429-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4324-264-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4332-213-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4332-224-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4484-135-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4484-147-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4656-108-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4656-404-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4656-413-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4656-96-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4892-158-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/4892-172-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/5024-300-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/5028-500-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/5028-509-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/5036-319-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/5052-196-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/5052-528-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/5052-181-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/5052-517-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/5068-405-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/5068-394-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/5104-0-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download
memory/5104-19-0x0000000000400000-0x00000000004E5000-memory.dmp

Filesize
916KB

Download