1634bf8ff10e04966861cef51062a21ef03ed5e73f836076295c0f02362e49a9

Analysis

max time kernel
150s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
Size

193KB
MD5

3c82e02e0e6fbfe5e43567f7beab36c0
SHA1

965c4bb782941d95276b73186dd6fd6300a67fd7
SHA256

1634bf8ff10e04966861cef51062a21ef03ed5e73f836076295c0f02362e49a9
SHA512

3d43106316516e6b1f90f92f089e968abbf03a1830b10b38476ea01c823140fc98ce3a825f61de20c37be2fd551328ca983edd911931bc04124cd27274d43a4c
SSDEEP

3072:65Xf+PP6zDFD0kFtEDFwhP4EO2jq1cEMASFUOUmK79YqOPJx8:uP+I3/8w3rOeEKFUOUmK7G7f

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (100) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

qowAsAsw.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	qowAsAsw.exe

Executes dropped EXE 2 IoCs

Processes:

qowAsAsw.exeuSkkQwIY.exe

pid process

3556 qowAsAsw.exe
2604 uSkkQwIY.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

uSkkQwIY.exe3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exeqowAsAsw.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uSkkQwIY.exe = "C:\\ProgramData\\omUcwscU\\uSkkQwIY.exe"	uSkkQwIY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qowAsAsw.exe = "C:\\Users\\Admin\\FwIIQYEM\\qowAsAsw.exe"	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uSkkQwIY.exe = "C:\\ProgramData\\omUcwscU\\uSkkQwIY.exe"	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qowAsAsw.exe = "C:\\Users\\Admin\\FwIIQYEM\\qowAsAsw.exe"	qowAsAsw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
1684
2080	reg.exe
4808	reg.exe
3964	reg.exe
5056	reg.exe
2004	reg.exe
2008	reg.exe
4852
2772	reg.exe
4372	reg.exe
2924	reg.exe
1916	reg.exe
4944	reg.exe
456	reg.exe
2392	reg.exe
4272	reg.exe
3044	reg.exe
2712	reg.exe
3300	reg.exe
4968	reg.exe
1684	reg.exe
1632	reg.exe
4956
4084	reg.exe
5000	reg.exe
3292	reg.exe
3448	reg.exe
2804	reg.exe
4796
4028
1172	reg.exe
1620	reg.exe
4056
3896
1784	reg.exe
932	reg.exe
404	reg.exe
1648	reg.exe
1012	reg.exe
1628	reg.exe
1912	reg.exe
1368	reg.exe
4956	reg.exe
1884	reg.exe
2284	reg.exe
3224	reg.exe
3684	reg.exe
4848	reg.exe
916	reg.exe
1568	reg.exe
3512	reg.exe
916	reg.exe
4984	reg.exe
628
4468	reg.exe
3272	reg.exe
740	reg.exe
1012	reg.exe
4784	reg.exe
3540
400	reg.exe
2708	reg.exe
4468
2492	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe

pid	process
2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
1076	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
1076	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
1076	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
1076	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
3668	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
3668	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
3668	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
3668	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
4948	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
4948	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
4948	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
4948	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
3320	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
3320	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
3320	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
3320	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
5040	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
5040	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
5040	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
5040	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
1512	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
1512	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
1512	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
1512	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
1956	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
1956	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
1956	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
1956	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
5076	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
5076	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
5076	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
5076	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
3792	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
3792	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
3792	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
3792	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
2668	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
2668	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
2668	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
2668	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
4480	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
4480	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
4480	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
4480	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
2348	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
2348	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
2348	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
2348	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
2628	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
2628	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
2628	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
2628	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
4928	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
4928	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
4928	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
4928	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
1620	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
1620	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
1620	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
1620	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

qowAsAsw.exe

pid process

3556 qowAsAsw.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

qowAsAsw.exe

pid	process
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe
3556	qowAsAsw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.execmd.execmd.exe3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.execmd.execmd.exe3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 2676 wrote to memory of 3556	2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	qowAsAsw.exe
PID 2676 wrote to memory of 3556	2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	qowAsAsw.exe
PID 2676 wrote to memory of 3556	2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	qowAsAsw.exe
PID 2676 wrote to memory of 2604	2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	uSkkQwIY.exe
PID 2676 wrote to memory of 2604	2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	uSkkQwIY.exe
PID 2676 wrote to memory of 2604	2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	uSkkQwIY.exe
PID 2676 wrote to memory of 2060	2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	cmd.exe
PID 2676 wrote to memory of 2060	2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	cmd.exe
PID 2676 wrote to memory of 2060	2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	cmd.exe
PID 2060 wrote to memory of 1076	2060	cmd.exe	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
PID 2060 wrote to memory of 1076	2060	cmd.exe	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
PID 2060 wrote to memory of 1076	2060	cmd.exe	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
PID 2676 wrote to memory of 668	2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 2676 wrote to memory of 668	2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 2676 wrote to memory of 668	2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 2676 wrote to memory of 3744	2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 2676 wrote to memory of 3744	2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 2676 wrote to memory of 3744	2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 2676 wrote to memory of 4088	2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 2676 wrote to memory of 4088	2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 2676 wrote to memory of 4088	2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 2676 wrote to memory of 516	2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	cmd.exe
PID 2676 wrote to memory of 516	2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	cmd.exe
PID 2676 wrote to memory of 516	2676	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	cmd.exe
PID 516 wrote to memory of 2768	516	cmd.exe	cscript.exe
PID 516 wrote to memory of 2768	516	cmd.exe	cscript.exe
PID 516 wrote to memory of 2768	516	cmd.exe	cscript.exe
PID 1076 wrote to memory of 860	1076	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	cmd.exe
PID 1076 wrote to memory of 860	1076	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	cmd.exe
PID 1076 wrote to memory of 860	1076	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	cmd.exe
PID 1076 wrote to memory of 3648	1076	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 1076 wrote to memory of 3648	1076	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 1076 wrote to memory of 3648	1076	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 1076 wrote to memory of 2408	1076	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 1076 wrote to memory of 2408	1076	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 1076 wrote to memory of 2408	1076	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 1076 wrote to memory of 4140	1076	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 1076 wrote to memory of 4140	1076	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 1076 wrote to memory of 4140	1076	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 1076 wrote to memory of 4812	1076	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	cmd.exe
PID 1076 wrote to memory of 4812	1076	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	cmd.exe
PID 1076 wrote to memory of 4812	1076	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	cmd.exe
PID 860 wrote to memory of 3668	860	cmd.exe	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
PID 860 wrote to memory of 3668	860	cmd.exe	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
PID 860 wrote to memory of 3668	860	cmd.exe	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
PID 4812 wrote to memory of 5048	4812	cmd.exe	cscript.exe
PID 4812 wrote to memory of 5048	4812	cmd.exe	cscript.exe
PID 4812 wrote to memory of 5048	4812	cmd.exe	cscript.exe
PID 3668 wrote to memory of 4220	3668	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	cmd.exe
PID 3668 wrote to memory of 4220	3668	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	cmd.exe
PID 3668 wrote to memory of 4220	3668	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	cmd.exe
PID 4220 wrote to memory of 4948	4220	cmd.exe	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
PID 4220 wrote to memory of 4948	4220	cmd.exe	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
PID 4220 wrote to memory of 4948	4220	cmd.exe	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
PID 3668 wrote to memory of 676	3668	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 3668 wrote to memory of 676	3668	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 3668 wrote to memory of 676	3668	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 3668 wrote to memory of 4832	3668	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 3668 wrote to memory of 4832	3668	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 3668 wrote to memory of 4832	3668	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 3668 wrote to memory of 1792	3668	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 3668 wrote to memory of 1792	3668	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 3668 wrote to memory of 1792	3668	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	reg.exe
PID 3668 wrote to memory of 1316	3668	3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2676

C:\Users\Admin\FwIIQYEM\qowAsAsw.exe
"C:\Users\Admin\FwIIQYEM\qowAsAsw.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3556

C:\ProgramData\omUcwscU\uSkkQwIY.exe
"C:\ProgramData\omUcwscU\uSkkQwIY.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
2⤵
- Suspicious use of WriteProcessMemory
PID:2060

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
4⤵
- Suspicious use of WriteProcessMemory
PID:860

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
6⤵
- Suspicious use of WriteProcessMemory
PID:4220

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:4948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
8⤵
PID:3368

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:3320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
10⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:5040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
12⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
14⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:1956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
16⤵
PID:3280

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
18⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:3792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
20⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
22⤵
PID:2452

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
24⤵
PID:860

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:2348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
26⤵
PID:4056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
28⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
30⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:1620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
32⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
33⤵
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
34⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
35⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
36⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
37⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
38⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
39⤵
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
40⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
41⤵
PID:4796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
42⤵
PID:3724

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
43⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
44⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
45⤵
PID:860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
46⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
47⤵
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
48⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
49⤵
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
50⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
51⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
52⤵
PID:3468

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
53⤵
PID:3444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
54⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
55⤵
PID:3304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
56⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
57⤵
PID:1844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
58⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
59⤵
PID:3532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
60⤵
PID:1736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
61⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
62⤵
PID:760

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
63⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
64⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
65⤵
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
66⤵
PID:60

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
67⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
67⤵
PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
68⤵
PID:3248

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
69⤵
PID:4560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
70⤵
PID:3208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
71⤵
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
72⤵
PID:1968

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
73⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
73⤵
PID:1628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
74⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
75⤵
PID:1852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
76⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
77⤵
PID:3300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
78⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
79⤵
PID:2628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
80⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
81⤵
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
82⤵
PID:3716

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
83⤵
PID:3964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
84⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
85⤵
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
86⤵
PID:3224

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
87⤵
PID:2688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
88⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
89⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
90⤵
PID:3280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:3228

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
91⤵
PID:3148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
92⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
93⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
94⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
95⤵
PID:372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
96⤵
PID:3836

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
97⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
98⤵
PID:4908

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
99⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
100⤵
PID:4580

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
101⤵
PID:4352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
102⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
103⤵
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
104⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
105⤵
PID:5096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
106⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
107⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
108⤵
PID:4444

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
109⤵
PID:884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
110⤵
PID:1696

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
111⤵
PID:3716

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
111⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
112⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
113⤵
PID:1308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
114⤵
PID:232

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
115⤵
PID:4832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
116⤵
PID:4468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
117⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
117⤵
PID:4488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
118⤵
PID:1844

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
119⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
120⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
121⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
122⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
123⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
124⤵
PID:3604

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
125⤵
PID:2708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
126⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
127⤵
PID:3108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
128⤵
PID:1628

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
129⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
130⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
131⤵
PID:2288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
132⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
133⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
134⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
135⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
136⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
137⤵
PID:3536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
138⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
139⤵
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
140⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
141⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
142⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
143⤵
PID:3120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
144⤵
PID:2104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:3148

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
145⤵
PID:1888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
146⤵
PID:372

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
147⤵
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
148⤵
PID:64

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
149⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
150⤵
PID:4828

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
151⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
152⤵
PID:664

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
153⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
154⤵
PID:3836

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
155⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
155⤵
PID:64

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
156⤵
PID:4236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
157⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
157⤵
PID:372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
158⤵
PID:3272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
159⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
159⤵
PID:60

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
160⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
161⤵
PID:4372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
162⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
163⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
164⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
165⤵
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
166⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
167⤵
PID:3044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
168⤵
PID:4148

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
169⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
170⤵
PID:4052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
171⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
172⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
173⤵
PID:3564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
174⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
175⤵
PID:2620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
176⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
177⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
178⤵
PID:3300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
179⤵
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
180⤵
PID:4084

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
181⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
182⤵
PID:3604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
183⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
183⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
184⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
185⤵
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
186⤵
PID:2588

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
187⤵
PID:868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
188⤵
PID:3804

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
189⤵
PID:3744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
190⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
191⤵
PID:3272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
192⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
193⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
194⤵
PID:372

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
195⤵
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
196⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
197⤵
PID:3300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
198⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
199⤵
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
200⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
201⤵
PID:2924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
202⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
203⤵
PID:4816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
204⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
205⤵
PID:1912

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
206⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
207⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
208⤵
PID:2572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
209⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
210⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
211⤵
PID:232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
212⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
213⤵
PID:3468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
214⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
215⤵
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
216⤵
PID:2676

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
217⤵
PID:3256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
218⤵
PID:3804

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
219⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
220⤵
PID:60

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
221⤵
PID:4556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
222⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
223⤵
PID:1888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
224⤵
PID:832

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
225⤵
PID:2724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
226⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
227⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
228⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
229⤵
PID:4916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
230⤵
PID:2908

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
231⤵
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
232⤵
PID:5004

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
233⤵
PID:1580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
234⤵
PID:4908

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:1712

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
235⤵
PID:4808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
236⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
237⤵
PID:1352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
238⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
239⤵
PID:4720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
240⤵
PID:4392

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
241⤵
PID:4076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
242⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
243⤵
PID:4436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
244⤵
PID:3580

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
245⤵
PID:4568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
246⤵
PID:2772

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
247⤵
PID:3564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
248⤵
PID:4356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
249⤵
PID:832

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
249⤵
PID:4724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
250⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
251⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
252⤵
PID:4092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
253⤵
PID:3604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics"
254⤵
PID:3412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
- Modifies visibility of file extensions in Explorer
PID:5096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:1052

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
PID:4444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mmswEwgU.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
252⤵
PID:2284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
PID:1984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:3984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
- Modifies registry key
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FCUUIEEM.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
250⤵
PID:4324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
PID:1504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:2804

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
- Modifies registry key
PID:5056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkMYcEYw.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
248⤵
PID:744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
- UAC bypass
PID:3712

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIIAokMI.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
246⤵
PID:916

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:3320

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
PID:1916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
245⤵
PID:2908

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:3896

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
- UAC bypass
PID:932

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuEYMMwg.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
244⤵
PID:4856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
PID:456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
- Modifies registry key
PID:4956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
- UAC bypass
PID:4276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcQokQUo.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
242⤵
PID:4556

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:4604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
- Modifies visibility of file extensions in Explorer
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
PID:3312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:60

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qYEYkEYc.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
240⤵
PID:4516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:4148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
PID:5088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iIMMYUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
238⤵
PID:3320

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:4040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
- Modifies visibility of file extensions in Explorer
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
237⤵
PID:2240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:1424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xGQoskUU.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
236⤵
PID:3444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
- Modifies visibility of file extensions in Explorer
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
PID:4320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
- UAC bypass
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCkskowM.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
234⤵
PID:2688

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:1016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:3256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
- Modifies visibility of file extensions in Explorer
PID:3744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
- Modifies registry key
PID:3044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
233⤵
PID:2180

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
- UAC bypass
PID:456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsUUksgY.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
232⤵
PID:4556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
PID:3152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
- Modifies registry key
PID:1568

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
231⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
PID:1316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wqYgwsok.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
230⤵
PID:4092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
PID:3468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmsgUUoc.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
228⤵
PID:3448

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:4028

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
PID:456

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
- UAC bypass
PID:2088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\siUogMwI.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
226⤵
PID:404

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
- Modifies visibility of file extensions in Explorer
PID:3300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
- UAC bypass
PID:2620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jIoscQEc.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
224⤵
PID:4788

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:4768

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:4956

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
- Modifies registry key
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
PID:3540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\loMIUEcY.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
222⤵
PID:4544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
- Modifies registry key
PID:2924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:2708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
PID:2844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VgwUIkEk.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
220⤵
PID:2536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:1580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
- Modifies registry key
PID:3300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
219⤵
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:1232

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ncsQcsAk.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
218⤵
PID:4632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies visibility of file extensions in Explorer
PID:1792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:3836

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
- Modifies registry key
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
- Modifies registry key
PID:4372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YOMoYUoA.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
216⤵
PID:2572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
217⤵
PID:2020

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:3996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
PID:1632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SuookkcY.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
214⤵
PID:4148

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:4052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:4632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
PID:3532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eKooUgMg.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
212⤵
PID:4616

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:4540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:1736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- UAC bypass
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DiMkwwwo.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
210⤵
PID:920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:3412

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies visibility of file extensions in Explorer
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
- Modifies registry key
PID:932

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
PID:2180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rsEYUAEA.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
208⤵
PID:4328

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
209⤵
PID:4452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies visibility of file extensions in Explorer
PID:5056

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:2128

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
PID:2168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
207⤵
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PgIYYsIY.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
206⤵
PID:5044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies visibility of file extensions in Explorer
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:4444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
PID:2076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOUgUIcU.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
204⤵
PID:4620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
205⤵
PID:1888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
PID:408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
203⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:1812

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UmkIcYgE.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
202⤵
PID:4040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:3272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
201⤵
PID:4140

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:2768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
- UAC bypass
PID:4128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gOUkIIcE.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
200⤵
PID:5072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:3776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UQkEgQMs.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
198⤵
PID:4276

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:1040

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
PID:5048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:3304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:3844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
PID:2916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgQwsAsY.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
196⤵
PID:3472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:4236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
- Modifies visibility of file extensions in Explorer
PID:1732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
195⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
PID:1348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
- Modifies registry key
PID:2804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zQUsAEQQ.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
194⤵
PID:2104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:3804

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
- Modifies registry key
PID:2772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:2724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
PID:5084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nucEEMko.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
192⤵
PID:4292

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
193⤵
PID:3716

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
PID:212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
- Modifies registry key
PID:1784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
PID:2020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
191⤵
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOoYAsUg.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
190⤵
PID:3984

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:3268

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
- Modifies registry key
PID:1648

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
189⤵
PID:1348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
PID:1792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SuAIgEQM.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
188⤵
PID:1428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:5104

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
PID:4916

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
187⤵
PID:4676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kMgYgMUI.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
186⤵
PID:2628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:760

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
PID:2076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:2300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
PID:2008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oukMMskw.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
184⤵
PID:2768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
185⤵
PID:1628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:832

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
- UAC bypass
PID:744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rakEUEUM.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
182⤵
PID:4856

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:1968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
PID:2020

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:3120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
- UAC bypass
PID:3304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwksYAEQ.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
180⤵
PID:2808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
181⤵
PID:1852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies visibility of file extensions in Explorer
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
- UAC bypass
PID:3896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAQEgwUc.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
178⤵
PID:4468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
179⤵
PID:2876

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:1368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
PID:1292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bCogoIkY.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
176⤵
PID:1844

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
PID:688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:1620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:3152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
PID:3272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
175⤵
PID:3536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gYsgIsQo.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
174⤵
PID:4272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:2112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
PID:1588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
PID:4324

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MsYYkMAY.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
172⤵
PID:2232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
173⤵
PID:3684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:2480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
- Modifies visibility of file extensions in Explorer
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
PID:1924

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:3060

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
PID:464

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
171⤵
PID:4780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eqIgcUYs.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
170⤵
PID:3796

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:4076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
- Modifies registry key
PID:3964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
- UAC bypass
PID:1568

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
169⤵
PID:4092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IQEYYYsE.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
168⤵
PID:3744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
PID:884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:3120

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:1620

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
167⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOIYIQEk.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
166⤵
PID:5056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:2348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
- Modifies visibility of file extensions in Explorer
PID:1968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:2088

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:3532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- UAC bypass
PID:3096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\piwkgMoc.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
164⤵
PID:4872

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
165⤵
PID:664

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:4128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:3716

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgQIsYUI.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
162⤵
PID:4076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
163⤵
PID:1564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:3312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:4140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:2104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:4092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
PID:208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
161⤵
PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NkoIMswc.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
160⤵
PID:408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:4220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
PID:2232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
- Modifies registry key
PID:3448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- Modifies registry key
PID:2708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWkUUIIE.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
158⤵
PID:1452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:4356

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:5080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
- Modifies registry key
PID:2392

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:2144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UecEQoMQ.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
156⤵
PID:1712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:3976

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
PID:1236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WiQckUwY.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
154⤵
PID:3024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:4540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
- UAC bypass
PID:2288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIIYEMIE.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
152⤵
PID:2808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
153⤵
PID:760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
PID:4676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
PID:1308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
PID:4344

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
151⤵
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zAYkgcgI.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
150⤵
PID:4332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:3292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:2676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
- UAC bypass
PID:688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZCMcwkgA.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
148⤵
PID:4376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
149⤵
PID:4140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:4292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:3844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
PID:4540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
147⤵
PID:3096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nUkMooIM.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
146⤵
PID:1628

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:2284

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
145⤵
PID:5076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sGwoEEAw.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
144⤵
PID:4092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
- Modifies registry key
PID:2008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:3116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:3256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OWAQwMEw.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
142⤵
PID:1124

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:1348

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:3580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
PID:4868

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
PID:4468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WgEcAAUM.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
140⤵
PID:3024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:1924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
- UAC bypass
PID:4908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CqQssMIQ.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
138⤵
PID:464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:1812

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
PID:3532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:3396

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
137⤵
PID:4816

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BiYsEswE.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
136⤵
PID:4040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
- Modifies visibility of file extensions in Explorer
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:3744

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
135⤵
PID:4444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:2908

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jKEYUEEI.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
134⤵
PID:640

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:3304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
PID:3668

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dMEYcsgw.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
132⤵
PID:2300

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
133⤵
PID:4548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
PID:4852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ScAIoscQ.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
130⤵
PID:1040

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:60

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:2104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:4856

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
PID:832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kaQQIgcQ.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
128⤵
PID:932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:1724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
PID:1348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
- UAC bypass
PID:3148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qsIoEMQI.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
126⤵
PID:4828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies registry key
PID:916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
- UAC bypass
PID:1564

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
125⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGIEcAsU.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
124⤵
PID:4376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:4488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
PID:2644

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
123⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:3152

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
- UAC bypass
PID:4292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LiokEwQM.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
122⤵
PID:2004

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:2180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
- Modifies registry key
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
- Modifies registry key
PID:2492

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
PID:2104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwEAkUEM.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
120⤵
PID:4052

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:2348

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:2480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
- Modifies registry key
PID:4808

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
119⤵
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
PID:3060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LegIwIEQ.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
118⤵
PID:1852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:3444

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:4376

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
- Modifies registry key
PID:916

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCAsQcgU.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
116⤵
PID:2712

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
- Modifies visibility of file extensions in Explorer
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
- Modifies registry key
PID:456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MuwckEUw.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
114⤵
PID:224

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:3724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:932

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yusMQgUk.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
112⤵
PID:1452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies registry key
PID:4784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:4780

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USkEIYcU.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
110⤵
PID:1348

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
- Modifies visibility of file extensions in Explorer
PID:2196

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:2544

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
109⤵
PID:4360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xuIYoQwk.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
108⤵
PID:1792

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:3116

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:224

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
107⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
PID:3472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hscMEcEw.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
106⤵
PID:4548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:3292

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:5080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:3532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:1092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
105⤵
PID:4048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pCMQAYAU.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
104⤵
PID:3396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:400

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:4784

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:3668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xekMQwAk.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
102⤵
PID:5044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:1852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:3096

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:5056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
- UAC bypass
PID:3032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
101⤵
PID:404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMEAcwoI.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
100⤵
PID:884

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:2004

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
PID:1292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OagYgQog.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
98⤵
PID:232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:4816

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:5108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
- UAC bypass
PID:3604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSsoUQsk.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
96⤵
PID:1052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
97⤵
PID:4468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
- Modifies visibility of file extensions in Explorer
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:3844

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
- UAC bypass
- Modifies registry key
PID:4848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rMIsUUQg.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
94⤵
PID:5044

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
95⤵
PID:3756

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
- Modifies visibility of file extensions in Explorer
PID:2628

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
PID:4464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lAUYsAko.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
92⤵
PID:5056

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
- Modifies visibility of file extensions in Explorer
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
PID:1664

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
- UAC bypass
PID:2708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jAsQQMwY.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
90⤵
PID:232

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
91⤵
PID:3060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:3396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:3108

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
- UAC bypass
PID:1884

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
89⤵
PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kQwYowsM.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
88⤵
PID:3604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
- Modifies visibility of file extensions in Explorer
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:1792

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
- UAC bypass
PID:4768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
87⤵
PID:1948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAMcgAoo.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
86⤵
PID:4076

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:2916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies registry key
PID:400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
85⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:3444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UkYMAgoY.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
84⤵
PID:920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:1504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:4828

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
PID:4372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
83⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwggkQQM.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
82⤵
PID:232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:3748

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
PID:744

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:4360

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
81⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
PID:2520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JGEYYcMQ.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
80⤵
PID:5088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
- Modifies visibility of file extensions in Explorer
PID:408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:3236

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:4348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xoMIUUwk.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
78⤵
PID:3920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
79⤵
PID:4292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:1504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:636

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
77⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:2088

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
- UAC bypass
PID:2480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWwUoMYM.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
76⤵
PID:5048

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies visibility of file extensions in Explorer
PID:4272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:3152

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:4444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hqkAIcoU.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
74⤵
PID:2536

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
75⤵
PID:668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:60

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
- Modifies registry key
PID:3292

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkkQgMgQ.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
72⤵
PID:744

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:4720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:3252

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
- Modifies registry key
PID:3684

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
PID:4276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKgwksso.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
70⤵
PID:3060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:1916

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:4948

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
69⤵
PID:4956

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:2876

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- Modifies registry key
PID:1368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cogEUIMU.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
68⤵
PID:4432

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:3228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:2080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:2452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:5108

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKkkUUAU.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
66⤵
PID:4272

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:1852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:1068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:1596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:4464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqYQIYQg.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
64⤵
PID:1340

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
- Modifies visibility of file extensions in Explorer
PID:232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:4828

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
- Modifies registry key
PID:4468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:5000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\duIwEMwg.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
62⤵
PID:2088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
PID:624

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:4444

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
- UAC bypass
PID:552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:2180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWIgYcsE.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
60⤵
PID:4080

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:4988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:976

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kSAoIIsw.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
58⤵
PID:668

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
PID:4948

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:4956

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EakQAIUI.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
56⤵
PID:4632

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
PID:2808

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:3224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:3472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOUMYEEY.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
54⤵
PID:2768

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:3580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
- Modifies visibility of file extensions in Explorer
PID:3772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QqEILsIx.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
52⤵
PID:3012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies registry key
PID:1684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
- Modifies registry key
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VucsswMk.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
50⤵
PID:5076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:2572

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
- Modifies visibility of file extensions in Explorer
PID:3812

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:1952

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:4628

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
49⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nEIsYEMM.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
48⤵
PID:5112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:3716

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
PID:640

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
- UAC bypass
PID:3152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fOQUEUsE.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
46⤵
PID:3472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
47⤵
PID:4988

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:5088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:2204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:3468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
45⤵
PID:3996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AwkYMEkA.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
44⤵
PID:1092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
PID:4052

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:5052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
- Modifies registry key
PID:5000

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
- UAC bypass
- Modifies registry key
PID:1912

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
43⤵
PID:756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UIsEksQM.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
42⤵
PID:3248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:4968

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:4048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:3920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aeYMsEQc.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
40⤵
PID:1292

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:2712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
- Modifies registry key
PID:1012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mWkMwQwc.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
38⤵
PID:4720

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
PID:884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
- Modifies registry key
PID:740

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
- UAC bypass
- Modifies registry key
PID:4968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMcYMIgA.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
36⤵
PID:4084

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:1632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:2180

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:1508

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
PID:384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XkIQYkYg.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
34⤵
PID:2324

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:1912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
PID:912

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:4816

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LaYoMYQU.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
32⤵
PID:1588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:2076

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:3996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:1092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pkEgMcMo.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
30⤵
PID:4584

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
PID:2772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
PID:756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sEgYckUQ.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
28⤵
PID:2204

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:2884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:2128

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
- Modifies registry key
PID:3224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
PID:676

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kWooUAAU.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
26⤵
PID:64

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:3612

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:4472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:2920

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
25⤵
PID:5012

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
PID:1996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ukwkkgkk.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
24⤵
PID:3444

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:2012

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
23⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
- Modifies registry key
PID:4944

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
- UAC bypass
- Modifies registry key
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PIcgUwwk.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
22⤵
PID:4140

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
PID:1648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:1452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgAYIYQA.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
20⤵
PID:552

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
21⤵
PID:372

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:2396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
PID:2504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:5068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
- UAC bypass
PID:1236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VucAswsA.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
18⤵
PID:4760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies registry key
PID:3512

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:676

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- Modifies registry key
PID:4084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zUoEAkAs.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
16⤵
PID:4936

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:4468

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
PID:516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:1364

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
- Modifies registry key
PID:1884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\miAgQcww.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
14⤵
PID:5012

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:2924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
PID:3308

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:4964

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
- UAC bypass
PID:1780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uMswYwEQ.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
12⤵
PID:3468

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:2264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
- UAC bypass
PID:1140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WGgwgYQw.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
10⤵
PID:3980

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
- Modifies registry key
PID:2004

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
- Modifies registry key
PID:1172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IsIUYEQU.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
8⤵
PID:2480

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:1124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:676

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
PID:4832

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
- UAC bypass
PID:1792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIAwkYAk.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
6⤵
PID:1316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:3648

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:2408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jmcUMocA.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:4812

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:5048

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
- Modifies visibility of file extensions in Explorer
PID:668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
PID:3744

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:4088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\daUYgcUY.bat" "C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:2768

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5068

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4944

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4560

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2536

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\omUcwscU\uSkkQwIY.exe
Filesize
195KB

MD5
78a2d3b5c4cc2baec82c5d0ea4eaf74f

SHA1
ffe8dc627c217afedd8b27b3346f772835687406

SHA256
bfb23911cb1aa6498fb0d28829b9806f45705666acc3e95abd660c8170b3abdf

SHA512
30b4f999219c5757e62c114f764cb723be18f9a7977ecbeac26d30637ac9bac3823db9bb4cb0e4a47c4bf5116567e8bc171d7f9eb387136a4939174e5b167b62

Download Submit
C:\ProgramData\omUcwscU\uSkkQwIY.inf
Filesize
4B

MD5
6a57d8b2379674b7690ae525b8c02d3a

SHA1
5d84f337bb6c6287c873c7d2f0bfecf7be3911a5

SHA256
24c638a3f2c3077e575451e6494af3d1c453deeac90501edf6382240ab632bf5

SHA512
6e3f7ab2849137789b4b4b589f1674cba352bca1b121a0133323dbb333045ebb98289cf504ad37367b301a49fd68429f2114f8123227fd96c5a3ac9629a5f3c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png.exe
Filesize
210KB

MD5
6ae255fd5793330206a6969b221fe11d

SHA1
95c030bb60898c3272fc9dfc9d138d986b4ef33b

SHA256
436d6d8dd938b7acefd96c5016c60083df3b531ea17e508919aea3064027496a

SHA512
6275acf9f28b1cbb00a2b4e1ea08e27577595cf4a63d44de39ccfdc5f186e026f9fbd1df61f216852c1df43f09fd8bf3bd54e22480ac5bd991bdfa597e5662f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png.exe
Filesize
201KB

MD5
f1f992963b5584672b6b40f9fd579c17

SHA1
8d66b6e3756448642cafafca7b9ce4ca00e73ab5

SHA256
16bb437129beb063d7be4eab8229aa56a11da1786e446151eca24f859d2ce553

SHA512
2a91ae1f5cceb5b47ad32f8617ba2288385c58817aeba9415adff6b37407809e9d610a8b3591e00da5acc874e8587f04f3106d0095d69dea33cbf3d5bb9bf28a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe
Filesize
186KB

MD5
f3e729187034f8890e78511a0b5f107e

SHA1
9b1d9d8fe7d5d9b27b619b2aaba681d095a8709d

SHA256
52ec978274cbe215a83f37b5837c0424bac5eff91aeeba73c603e14c1a1a3347

SHA512
316f645cf511cd4d214350f5b85dae2519fa9e25e74f9ffcd6657b95f0381f410ec2423eb2813ad73708b6521a3f8329f8ba21ec6a88a2ad732bf9d08d9ce936

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png.exe
Filesize
195KB

MD5
67fb2095a135984362105ec4d24bf1ea

SHA1
15e89c5034dff28e0bb76f8a311bb67bcb8bb648

SHA256
030b1c9272deaebb0eab20f864ec480112e590677a71c546111a666b93d01aba

SHA512
264f3cbe54ae999132763f9df594b6c5834c167b2a19db9abe6e295e8b4e06e35e14e33ce42506d399baa4a3e213c88e584e3f84c9700cc938a83e8f6fb98540

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c82e02e0e6fbfe5e43567f7beab36c0_NeikiAnalytics
Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AAMA.exe
Filesize
700KB

MD5
2aece0203a7c8792c9b45f924be26c2a

SHA1
2a8aa27c8975d535632149132ed1f070ab9b4221

SHA256
29aea859c783c8f57e9b2b489a9bf2a529d7457ddcb869f2db7f08d305d8e0d1

SHA512
fd659cbe6ee87394ff362f85d6dd664b3ade27f9198179adf9a307fa1616213642420a712b1e3b3015fc864ec24b0e3eb1402442f73ee98f68138657edfe11f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEoG.exe
Filesize
226KB

MD5
7267d04710d9c008bba72397b42def0e

SHA1
294b6ffb80959e0822565e89e0b03c5498a06e43

SHA256
574f342928bffb85343093638ce24b767a93093082b497a3f74a2393ac8b3c84

SHA512
7f1fabeea09192b5b0d1f8219fd3479a0be4dd0f99c7037ba1bf823a58e2aefc2e39ada7fc9a39ff008e6694c01fd4cbc8aed03a293877558c8bd03a4bd48fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIAo.exe
Filesize
203KB

MD5
160d1545c5137465a50e335883bf15ed

SHA1
00b188540ab1e3df2975cadc4a2a6f72d73fdb43

SHA256
dffb720941cb170d911336c6c1a9566ee48e67184710b587076e7544d6fc4a82

SHA512
40269c9bcada7438d8abbcd6ed3301e3808ebce9cc02d428cde734d4f447d95f3e1e29aead6a18e3fba24adb4dac6482db08242ab36817c5be4935d7bf8a2c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIIs.exe
Filesize
196KB

MD5
2506484a75e2375be2456764e27eba23

SHA1
45bded21d158cc59f349bb259d7cb17a013fcac2

SHA256
4ccb41ce04b0b91b69e18ffe9a9f7768ba92c4ab4c1448fb8d909046edcfc63c

SHA512
45e191048ba3b6927b8670fbd249bcf52e00e56d8d610cd5b6101a8c7cccb1f2f9bf2263656b50e87d83dd15ae0b14f35f820413a00c17db2177c2afb3a16825

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIgs.exe
Filesize
427KB

MD5
fa251e0ddcd3e3aa9e535055cbb9d9ce

SHA1
8cf2ff929060b551cbe254605351ac61f29401fb

SHA256
e8af79e5ffeb019a6c88854799eb218e888e388932d72fca2607c983be51ce34

SHA512
94eef52ea8405e3abc29fb23c956ba4e9f66cfcf622be4ff43c316acecd9173eb3e921bfb9eb86107811101f8e0c45e3327eed0105020ce19887ab2ae4db6779

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMwG.ico
Filesize
4KB

MD5
c7fffc3e71c7197b5f9daaea510aac10

SHA1
23262fb8038c093ac32d6a34effbede5de5e880d

SHA256
71254090503179540435a1283d04301f3d5ba48855ae8c361d4ac86e3abd2865

SHA512
c3cefdb76a9fc74299a7042096a549e019db3f2cf79e81deeabab2f3ebf2bbc9f2924a84cbbbc4848a4bf84cc3a0886c6c738c6bb37c9140dfc57f1f797e9c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcUQ.exe
Filesize
213KB

MD5
b888af5bb95729cbaff2c53f0c1d6eff

SHA1
bb87e8dad5f75bed269dc1f0d8afc843e32d7ed5

SHA256
db60d62280decf2141b63dd592c3b7eedadbad4fd7d566dc5f2ea2ab2dd43df9

SHA512
42cc9223bbdcbb37c0b8c916e2858409c883017ebfdeb6b521672b62f7fa3cd31354519a4d9cdf6edaf7e91784f5d2c2865c295e391efc26ece320fa43a6bfb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoUy.exe
Filesize
191KB

MD5
7c410940710df213005684fd73775dff

SHA1
6f0f87561781771c4a3d4e19b600a74717812707

SHA256
c796f61069960dc37f37ef00067d3d62cc49ceee80e01293f94e274fdd471971

SHA512
d0ed5d4480d391742703daa4a4f7fb5e2a64644abd24b37475073509a8003453c0c6e1115878cb1b79d3e12b58b4b38b3c375ddec6a6ad6be68805a83f77af64

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoYU.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMgy.exe
Filesize
185KB

MD5
9ec09eb2c33a4ebbbd65a70ac6c42827

SHA1
258667f1e713051f4a0744bfffbae7262e78a2e0

SHA256
7cf9f123d9f61ef481fb7d6c205fa37e6d750b5ee07599fd57a548d164c19160

SHA512
5c005b0b269d311ca7f8e3dbb03f2d739051b62d69acc3a06531b22d70afcab4815018d43160696e3d6c55b4feada65d77451df4c74fe2f4fedaabad79e35f94

Download Submit
C:\Users\Admin\AppData\Local\Temp\CQgY.exe
Filesize
201KB

MD5
485d308f2a57cfae82fe382f938ad873

SHA1
692910dfa317c95966a9e9912c441057c41e0251

SHA256
db5c5c81ef6aed059563b71baf9bdff94a198f095cc46873ed9c9a982c23eeaa

SHA512
471c0fa0341c529668f16f8b319acf6c547f033919da55b55bb08e4776ea8a2d48b1ee7bfe12e5a83491eb335acc571e2ce51d0116cb6daaf35001d5524a6cb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUAu.ico
Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EEEg.exe
Filesize
196KB

MD5
e5a4fd08a1d9923818193e09ac3ed987

SHA1
2a088d902142c4c6da5ca8dd079e16a1310c3140

SHA256
5180113f5fa6258e6b76f85af037a803050b50484161691d5a90e9b5bca0246a

SHA512
7e7cdf78ed2bb954c8d3536ad48be07ccaf29970486f680e484e203cda17d846859bd99633ddcc2463de11a66f993178898559a2a029e7002f3f82290c149072

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYMM.exe
Filesize
803KB

MD5
f7ce676eeacdc5fbd3bcd7d3495e9d07

SHA1
e6622371d635697425f512d2e355b0bab1733f2a

SHA256
cc0cf317c0f1ace4464ad23c38f2a4b557b8e594b0fa6fe134a36094a384de41

SHA512
e44b6b08667759a42153fad2d580b5a23917568b61470815d4c7f6756107cf36f52ef4cc2817da49dd307d1af16acd937682af6bb535998767c142e4ba5a7b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYoq.exe
Filesize
190KB

MD5
a3a4823596f95addef3da4f8a7a1f738

SHA1
194c48ce027ba04419182c00ce18e48bc39aa7fc

SHA256
81ce9e0f03ab4c7b7ef976d89467f84fb5b4d4bfc36b30d9cee8c50a6f5adef3

SHA512
d5fe39a3024867aa9f7502aadfc967735bd71e5fcc2a09424bddb6a23ac35d28e2cf86a1bfba4f44f3249d4148a43143f0023485a6746db5663108b5198a217f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EoYm.exe
Filesize
215KB

MD5
0516efe4646d6f9fd77e551875a33ca0

SHA1
415137b79fa73dbdf39e61046ec18567a549d516

SHA256
74a3fce8976b735ceeea80c2aee603564c74c310831443a9e93ce8259f4a1f60

SHA512
a9bf704cb4e7eca571708f270d00ed10c6443b2f294579d0c97a106faeb7d3b00d6fad9847e54002ca60b86460c9cf0acb8afdc8165ac3cbf1facc316f38b943

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAAK.exe
Filesize
188KB

MD5
6de0cc05b315cd8e2440c1a3e31bdae2

SHA1
5f5635dacb2a49368f85baa63dbe865424864e64

SHA256
91d4003d9d558c6a33017e619f47c7ca72e221b21b6d0ab1f9d4a3055cce0057

SHA512
09f9cb3be8bcdae68a7a2b21f51bff30dc1ec46d4194a4f6fb86cc36fb855ab118015d48739d5c8f6ebe6c6ca115581ac683775b26690c2428935e76ee04fda6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GAgi.exe
Filesize
207KB

MD5
f647b7e64b06886f02b34e5d7bb52bd7

SHA1
0856056d63ad2ab984aeeb2d09744df80f035aac

SHA256
14ecebab7a4cbbfc13d475ef5c7cc8cd9551da86b5c8ed83f0c6fe60151f8748

SHA512
6caca7291fa068fd850fec51d414a4368730e4beb67dd6df22c3bb842e67a33b59c13af30d52fe77ed2050a38cfa9c335b1b1e6a51afc19b663e1d4f54386645

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwwE.exe
Filesize
188KB

MD5
a65c672e06781457f2ddaa0809210594

SHA1
8d643f1f1d21749fba1b652a48a073f83db8a606

SHA256
2f03e9ff749f4068de444a7b842f261a348a3e87fc6ed6c50437944366934285

SHA512
d06a2fe7022749f4fbf199e0bd822a2076148c1ee333eee38a3d132c2bbe53d2aa3cd6eb39ca0d1330f44d98130973ba35c2e53f5b892ac14e47eacdf818bfcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAEK.exe
Filesize
374KB

MD5
87eb952f74accc5a95607be1ce8dd742

SHA1
b0efe3ae4a77bb3967357c7f9fcb01fceaadebfb

SHA256
5be759437008109c440247c9a74c2ada20cb3245dd14a887cd01d4c654eb9c81

SHA512
43b30ae03a9b889b63c610683acd09b173668383d26c5a6596bb746c85b5ca282636924f7177ca6c6f7b029e3a58ca97b196070cd495017c1a0da77a1e95c299

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEMC.exe
Filesize
184KB

MD5
281be2402b9511f7c840bc0873a3bb9e

SHA1
c150371965eba6501723aa8f2b2c74b2a1b3d065

SHA256
13a880ed187bc5c9a98825ab0ca1767ec722ffaa3ee975da90af315d8eed3e78

SHA512
717ecb3e09336dfde021e1c652b8661fcdee600657223919a515109458f7fc0dc4534c38b40d1a3ce93f9180e3b5c016b1cb02f253f35637af444b5e59415af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcEO.exe
Filesize
189KB

MD5
0849f891ee5c1d77c804ff48aaff76c4

SHA1
c73751941215c5f44689d765d8d0ec7703ea43a7

SHA256
84d914b41ee0c25596604bf6d0554a9a835295f5c0fd1ac49b89d3f595f557e3

SHA512
c921e0c428071d324eeb544b6b0ddb818e3a8e4e01ca7d81c9eceaeede5bb5f055d5ce64268ab01a5775046ef1417d9a102eb4b1a30293cf65edbd48b1d83a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IkQs.exe
Filesize
757KB

MD5
ae98061188956d865491e23ef8568fae

SHA1
1fb0d08f7f4c1df6176f06d37c0e2b97a1d6e65c

SHA256
eacf2cfc6bd52e4ef3afa43955034df910ce47557c4d6c381fa80c42ae3b5889

SHA512
6d173b1acc9f18126408b7e327cb9613c48c1ac4993d00623d9e44c1abd8832a3b3304efc85f9010392e5c200b2f30913298f86f4154ebb29fc1971b55023c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ikkw.exe
Filesize
216KB

MD5
c02496c4773dd7dfc6e3236c8ef11a8d

SHA1
52e2b6533cc5f420fe10b21accf82a68994ef8ba

SHA256
c5340357c61d14b971dd9ea504f40b0d632450eb6a80198b6432ac51125cb2a3

SHA512
a61099d6e7fa09899f6e75272ee01d367828d41d7a52b00e22fc596b9e66ecdd389ffe7c6621dd21fb084748e302e98a7d4bb766cefcf57d6be2b5eef6b60e20

Download Submit
C:\Users\Admin\AppData\Local\Temp\IoYA.exe
Filesize
641KB

MD5
2e3b932a240a5b8300f1a7eb037e528f

SHA1
2e69482f5bb306bb251a1b9d6900cdec8d5876eb

SHA256
a63d3208d95421fcd84458a33bd1a8b2f70d5005153f3d4f4236f806f44b23d9

SHA512
750ded0495ce4ddb31c7fbb58a621b88f8f497a967d68871778bfff6a26efe75148c1bd08de753a4bd86c676f85844687f1184c9c43e2296074b0488272867e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAsO.exe
Filesize
836KB

MD5
15b81d2b61008d761f6034a8c19382ce

SHA1
d37d4dc0d2f97368246912b59f3e6a26567ab22c

SHA256
b0ee4d798f52e5d8f076c71cc5138e37c429a8e91e0a0d36f1b266ccf6f42279

SHA512
94ca9a28af01e96db0cc2f898ef58d2cd972abda8096a6880cc8cb1f67893aae77e5b16776b3c34cde159feb08f42575e48a7c6332fa211d35548ff9f059c0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\KEsm.exe
Filesize
204KB

MD5
0d41853f9c29ccf8e74e57d56eeaea3b

SHA1
73a24268c1c471884703fbdd9afd884261ba0f59

SHA256
5fff9b30fdf19f4788c645f6b05da6c24f59b0e4fec6a9772bd64d765b3e1e62

SHA512
014fa4757024ac6aa7e06d79bc922b45db51adb8ac265592c1442c507401fa6de1980e0e65ae5bef9557ce0d09089f9a12e9bf2fe3802fec4309451c3eba0ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KIoA.exe
Filesize
207KB

MD5
27534321292980282de5b35b4a40dacb

SHA1
4a350f33f83b4ea37ed49b2bec58bb0c410a2685

SHA256
d7b41e3af3035303b900ba694b936497fc7d382b0883aaf8cb2ed391d86da3c9

SHA512
84fce13ffc2a7663514e45493d946a57d64b802936ec33f3b7049c5f92e1a888a3cf039e4817179bdeefe1221a3017d182ff91e1bb933db28880701050f6fc3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQEq.exe
Filesize
774KB

MD5
dac92b0d33731e65159ef32deffa7fd1

SHA1
d146e62daa31b6b3aa5917f5c16a1ca3b930771c

SHA256
5880a4084e33ada9d070ba17f77ecfddbd501a6c2afb5e7867275535ea3dc92e

SHA512
091f3ccc4bbae91f14189dd798a74eaee28bf818f278d16ba39a96fed0fcf0a2b22e9edad624eb6556dff61bd64978cb8831604bbff4142412d9656fc8e4919e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KcsM.exe
Filesize
790KB

MD5
960a240be86368c631b0841eed98400a

SHA1
25a043cd76a98600531524bdd52fbc855fb3820f

SHA256
359976ed820c402a2303baa184e4c581fd34e17a7f94528605a2dd84605f2108

SHA512
dc72c368197a26c11f4a2bb38b8929765f037f871ca9e9ef079a7f8da4fc046aff9042c72dbe67639d2e766ba31f509e43f744eb7fae4f74f89e2b76a168ba63

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoMI.exe
Filesize
216KB

MD5
594629c97c9b15b64c79d1d9d5870cf0

SHA1
86ac309336a39f7046afb944532cbdfe09312a4c

SHA256
8dad69be17be1a8ca09afbc657bbbfae35f8f0ce311e24207604d8645a4c4ef3

SHA512
5dc7bdb92252454caf7188616a13f0582ef70bee7a5794cdd81da75c0396aec212abc5dc4383c487b90e2c89f9e8c1430dc93266f2a1eb27468a00c0995aaac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwEu.exe
Filesize
236KB

MD5
401068f39c8c850efcd0bfe013f33506

SHA1
cc8c79369c0b9b4f08fd3fd38e2bc426037c0013

SHA256
af076e4463bf3dd721fc355640eeda76ef0b289de4f3bae12274304313ccb3b8

SHA512
c9ef2f5abd1789b5126c3d992f691d84b89942a3e3ac038373b562f88ead8040f35610bd91aa3ecec7009a19f46824e8f4a8bfede17a81cfd031449e08c99e55

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEIG.exe
Filesize
774KB

MD5
67a160ee0962d256ae929d340a673d6d

SHA1
242bb5d91de29daa9b7018b2872e764bdeb8d1d5

SHA256
07f7ca7fa302f732046f11ff918e13ba1f263159308467b83086d764f2aceeeb

SHA512
fa95a261386a3773a5ce232c1155b2d306b1e6193cb18e5383652673e1490841c64f7b39b0eafd5ef0eb88f00d6c142ca99350e1e578d94781a16592253aec98

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUEO.exe
Filesize
187KB

MD5
55308d80ba93b34f7ba9125908ae61bc

SHA1
76a313b2086e1531e96dc75e3293f9fcaa962106

SHA256
8549c51621b048016ee1f54cb64673badffe0c8181dd16bd3956716e4dbd42ab

SHA512
559c50595661b1218cd46ebf367052c1a396b61adaa6563934ecd67aec50f23a456c2cfd65b40f1577c0b1be6db06f2f9245a863d6cd772f272b635ed2590a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAAm.exe
Filesize
784KB

MD5
5df53b6d22c1d1b43f237d00c7e7b754

SHA1
833fd53befa78afb9f3878bacf2052cfee4ec948

SHA256
835d3de3e57d19bd885bd857147ac396485c669a6566cbb236addd7c1622504e

SHA512
f18f5b89f2a7812aebe9ebfa4552d76feb11d462f7e6388fd0bd2a2ca061fac2027917fab68bf2a5b14ed9272d0d650d5c8e32d82b92722f9cf648c324a73106

Download Submit
C:\Users\Admin\AppData\Local\Temp\OgwK.exe
Filesize
733KB

MD5
4a63ef73a0747198b756494fa74389a4

SHA1
cff0f57e328f999fd8a9dc773e9cb76e21824d88

SHA256
4a9777bca9c04e05dc67c808e6b44b8d2730105670c6c8ed20be2a041831a8d5

SHA512
28c6b977c230f3b94b5120b1f47cfd15ac72d06ef981ced8178f8b8b9bb52762ce9b69ab54e210befc3c3a8972cbdc7094445af7f04e7a8388381def4ab74d0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OogS.exe
Filesize
711KB

MD5
b44d311c142baf9588846ad371d4865a

SHA1
5373c62ab105308c4c030ae8fdc490d6732486f6

SHA256
62714064ff852823375a5275d8a55a9b04ab536bec89d26733044d9f807ddbec

SHA512
9381b16c494ab42d80afeb40172ba0ad3e4cbf2333473f4f6bed51a9c6c1e5fef397e71e303ee22e44d282af5a3834e2942f4beaf641638ec586c0375360f038

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQEM.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUYc.exe
Filesize
197KB

MD5
94f04d5866dff0b1888511e67760810b

SHA1
ab6ac5079b4be9bc8328382696493cc718d7677c

SHA256
b042b93e04f727e25f3f329c3c1bb437715a61aafcc38cc08c0094937507b11f

SHA512
df690623a8f45d6ae67d5284f13a8b53d4924d7234c3557cf67f75fdc38f57bfb198062f5aa6dd9b48c8254bac416af8763cbfbb7b4a561cd5c97ef2d942c93d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUsk.exe
Filesize
824KB

MD5
f317a175f22a21d4bef20cdc3339b9ff

SHA1
f29d5cd3ab098fbce0123e6e3ff025d50e3c493b

SHA256
7475d0de511a96c3f04d9b7b8e604ed762917eaa76f86f976ca12ea1611e3acc

SHA512
97c7c74745bbfd3472802b067e03139f87225ce36fc0804c5c989f2e41ba95e37e55c1670a7b2b3b3aeefd9032904e1abde8587f28d135202b08f9a283eb77e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\QcEO.exe
Filesize
203KB

MD5
04e6fe28d70ef306624838c87d7c2067

SHA1
821a4700b66267dd94bcd8cf1c693a1d5cada568

SHA256
060aaef92ee0586f15db65ea8e7b85f68ec8213734143f660cd5baf2182a64c4

SHA512
68a8dd425a906e095482490a4f0053d9ead403ab47338768b5b83afc1642721928475a8a4ad66b4b24bfbfb63d53be7111130a88ffcbc0730161c1f909b1bb91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qssc.exe
Filesize
195KB

MD5
68219866ec5faa4d80cf77a9f6fc1549

SHA1
48ff9a14fb573cf65ee88c05962ce4a55e87b8b2

SHA256
f356cf81f2a6ebdf72a8aa46d0648d546a731b4177147d0e5ce759b39c3d36ee

SHA512
5a5c106a10baa6bef79fff7d9c2c2cc6597e0f8a31da97e6f85fcb35f21aca197845e0a27a45e8370e322887af0596e0259d94938e37e6bb555bb939c7965f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwsG.exe
Filesize
782KB

MD5
cdfc6afa35a64ee54488039e6c897198

SHA1
a865e3d477489fa257ac7cdfe84d1637e83dfb3c

SHA256
48f29876538bde4041fed4bcdbe25aa087bac0fc68b57cc613b8e2072e14d953

SHA512
cb9abbeee6e88920a1e90dee03405c7458cf316e5d5be21b1add9a97605b902c916e704c054c5cbd0185a475f7a3726341ea8f4f7d0b14a2a30979c3019bc25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIAM.exe
Filesize
197KB

MD5
2224099059d520dc9544f01d8ba1ff87

SHA1
ef2f4dd3e46389a0811d7e6ffc58a6cc0898a197

SHA256
fafca119eccb5de29be6addf716992ed79cff3a106dd78c7f44f1e4197eb216f

SHA512
ba869b9c7c02af8722a1d1fda13715ce412b9059eb6817b6367494fb8b48809118b7ebad845c1d2a3aae193a7f45b1fc8bebbdfd940b9f1ba2a187c1cd36cd4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ssgy.exe
Filesize
182KB

MD5
782aec78664c8f1ad65ff9855b0d4442

SHA1
916f29247e04b2c3b1bbf12fbd27cec0e8704762

SHA256
662ce518ae6d183d541e5213a84801428b86c35ee3fb021b40fb6bae9ebcd023

SHA512
6b7448e818e8d22f88cd4e1ce3eb36e3dbe6883d907da9aaf5420400e2281d3d8a398b7e548c8a4f753d20c350d29047c4b5d9c96b972198d4390e66076b0d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAIO.exe
Filesize
195KB

MD5
881acf4c937c19c20c079d8d9dd1c83c

SHA1
0f925801aa28fa06c7d0550f5e5576c8483d6aff

SHA256
a5b4c83f561368d26fc7f67ef84c919ad51ab56ec5df8d743a5706588f3b638a

SHA512
58eebef599aec4024b913c920920915a21de4b95f6d35553dd733f72465e5dd43019c728739ab1491324134ec26d57691feee5a6aa9bcda05bc8e43e9e29c377

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQUG.exe
Filesize
1.5MB

MD5
f714909ba96b04127797830a4d5c2e70

SHA1
d66f83ea7f101ee9eac1cb8afb76e47452b54c32

SHA256
338d412c0ff5b47eaecac47952f3bfeefb1288bef7a5b11f47d040e4aed4d01f

SHA512
9a035347e6fe87a837259eb3348d3d724927fd03ab88ff854c83afa202969d199e46a737cb86f7d65ca1c51f517c978c0c3b06b3735d09b60f835600cf9cca68

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQoS.exe
Filesize
198KB

MD5
b6eb2092ff65db5057bf3784ead0c828

SHA1
fa75d8726a881af30b74b58c77610e4f99940372

SHA256
eae7bfee2fda818b9e4c48c76dab1a3fa7b45699090e4407c097d911cc1b4551

SHA512
0cb1990dab137945c7b6c25ab1c42528d344c855096d11c44514d75397c3577b168332274439b4acb9e4c0b8f4851ef6fe73f005e1b70ddef166243b4a1d0c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\UccU.exe
Filesize
181KB

MD5
c972e8bade5afc30053b7d7170338354

SHA1
160bb3e4b7107f7be1fc930d91a29294c85d72d1

SHA256
2d21ba8d2c22577b1e32004c003551f948be57d8a3d50a9fda9f0fc0fb59bb55

SHA512
67192a907826ba201a8a6098b7c2296f40165330ef30c3aedd555722e1696ebcb0cf201328454b8d044f9317551aca303078cff60ba2f5ca0f4424895f6ec725

Download Submit
C:\Users\Admin\AppData\Local\Temp\UswI.exe
Filesize
207KB

MD5
f3e99d74d6ee88521535097df573de63

SHA1
b3a30cc39a1dbe34b7de18d15f2d535756270db3

SHA256
781afd92487820325c4ff2b02e86d0feffdd7d18ffa1f9b211a8fa750e482cb2

SHA512
95af46e05100ea2ecc428449ee0e3983756850d0985f4b7df078fb201b6886d78834d622970c5285e7c49abf89fa3b27836dca7ba43521781fbeb1c65b8e2853

Download Submit
C:\Users\Admin\AppData\Local\Temp\UwYq.exe
Filesize
189KB

MD5
0c76af8a50cbfab3d7f200d6dfa5e264

SHA1
e0f0b37034022553f2d51079b382c8d51ac6920f

SHA256
e93984bc25871472af7e45a9e439ae73b93fcea5fd33676d61bfe329b1b0644a

SHA512
41eadca66e5676fc5ea86df4b88970ce9b71213a27b0b90262f537306d50b9df00f6b1e1b7a6afc1c7b719b929f38a16c48d7c73b81ab64b83b8ba143d2c5e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEMG.exe
Filesize
591KB

MD5
7905f1ec76079af1014590a0946d4084

SHA1
ad266ad4a1efd5181f5447337d5280ea1b3572fb

SHA256
d2646e740d1df39fe9a77593b45cf2acf2157e975f8f39a420fc09fd0684d435

SHA512
8e0008fda518949dea4acf9bc8edaefd181d14e6149815f729603908cf22cef98e12a6770333971882c763a452c46f707d04acd4fa79eef06ac95493aa4420f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YMAe.exe
Filesize
1.0MB

MD5
c4f3c1b856a6ead809445fe8dbf9d12b

SHA1
675810dda6b0cd21668d82d9d4cdd66785d9769f

SHA256
181e80852db1045c1dd5f6a1ba30b1180fec49bd516b636c5fd2a0af40773181

SHA512
6422476dc21754f6b02d92ef3962c9a857d37c9dee7107a0a83400d4ec621d13f0d849d56e815b17ca1d281fc48fe04c3016e40af8ad42ca775250d62eb9c719

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYoU.exe
Filesize
916KB

MD5
ced7e6b591b3f5a14777b6119b88b672

SHA1
d8748f5c8c9989cc04c530da76036805ed4f7b82

SHA256
27f1bd025e6e9b97db06f523b8cf74704c54058e45248dad6d5759369565c53e

SHA512
7641ccceb16f6b69f2952bda95b1b7e7c1f5e54f9f6cbcd3372394a890de967dc69cac110fbab2e6b71f74466f2b635e51a77a9b9eb7e0536fe1239e1cf06dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\YkQc.exe
Filesize
633KB

MD5
9d0b3df4512a55e922d99d01866b4fbe

SHA1
f672e109649719e40076834f76475ae478548aee

SHA256
36dbf9682c83cd2559dae3f7ceaae03f8c95952a8ff957f8669a8caad1c1b1f8

SHA512
7c6927551523fb620b333b2ae06c204258846c44bf3b260130ca10c520e97fd85ddd87a0e72de1efef26b4084f351b07d9f7a781849bf21d17d2673356d804aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ykwu.exe
Filesize
227KB

MD5
03f8938c26d4d93d190959f4ebb670b0

SHA1
e5987f53fe20df3a3044b52b6c07bfa204547450

SHA256
908c73f68c280efc0ca02fb62d0b3cbcc5edcc9e21bdd0318e0dc4ccd2b9b8fa

SHA512
7ec95892249fffa164cfc6f56ef0451b920946d4f18db4aa4b6ae192527b584f89c8dbab5578f9e14820db9b038a68cf2fadb939c7f4a0a3bca9ef9045196295

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwUg.exe
Filesize
405KB

MD5
eff3892aaeb7c8193b3942be97a4c8a5

SHA1
7b14b0bc0d0a1d016c2144ec8465465000cebefd

SHA256
bc5f6c5ce2d1e2f3738cc6737e5721c1dcf1a2ebde110710f615a10e3594a268

SHA512
16d05fc9575eaf285a6f4e648559a2bf3b34e5e7ad7683e173073c435b27cff5e86082c34f1a4246569c6ac83d3cb4a6ad5e63bb4ee21232e0f0c39e63d92de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwkG.exe
Filesize
201KB

MD5
f6bd336fc48d2a7b08f6b14ca3ae1e9f

SHA1
28e37804db280c1ff61d333127a08d5fd92dd63e

SHA256
2674709facc36f8813be89e5a48013aab459bd32b1e25eb2997ecb2d1870c02e

SHA512
76bca9f66c40de3dbc030e33e3a6d3c1e618dcfd9562534ddda78b1915271fd0edbc329febd5708df868d5fc1a97c35cd06f5816f2a51a6cc6e06f231b72690b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aEwa.exe
Filesize
555KB

MD5
2db2ead02fda7744c8064e38b6082fd5

SHA1
22c58958c30fc455730a3b3785239f7279dee7b8

SHA256
937c6f372876748803b1fee22d7dc6809e587dde7da12acd8edaa7bb35f57eb6

SHA512
653430bed060aa3912c5186ff93ac17b9bc44eea9c2b90a0dce514120fe1ef83b61f1140900478be80d5dd7b3ae206c71b64f7ec971c7de10fd51a84bef3ccf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIso.exe
Filesize
219KB

MD5
c443b040a6b1ba3e062656ccd53ac91c

SHA1
58ddd49c1c48ec743ccc13047eb35710e98fbdfb

SHA256
aa0cf131566f0404ed755e2ee159e7400a971a83f1fbda3e2c7939742301e497

SHA512
121819231b10180be71e3fa499a77a7a13a9a90fa15c879f3ad6840cb5229f74087639b9647f680fb58be2309b5d53651b7c7b79775840f3a33405b1aa1ec1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIww.exe
Filesize
196KB

MD5
a0a73939d8672048a1e41ff6e5c16f0d

SHA1
063763e92b4f4c52e23617ddf0f25ff9980d4b11

SHA256
c01e214d6d2cd70feeb65ca960fba69be49e11cb9b6fea45c13b953dd2322855

SHA512
1bfdd4ba39f8374e4f893e58245344de2846af76407524db5bea9b676940ad6061a0ef0d92d891f7e16d2716f12f5d4928519f95cd0b0fe4bfb0cb356dbbf4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUMS.exe
Filesize
193KB

MD5
6d6dca6a76449bedfd3cc2267f4ee6f7

SHA1
b4b5039f25c6dd24bb19e6dc4c15432c5b214ef8

SHA256
e69eb8a588b84725dc282c29555639baa5175c86afcbcb2446beda0c2b581046

SHA512
b36503f87f3d62f2a709fa728d9340c2fc917423d8169a3ac951e7004ec1beaa4c0e5e85b91575452603f0c0c26a9a9b153c0ec3faf542d8ab1cee7bab47fb71

Download Submit
C:\Users\Admin\AppData\Local\Temp\agUm.exe
Filesize
1.1MB

MD5
ec6216ce913e073e540473430fb7b042

SHA1
2ed5050f5da66ccd909b52d27cbf40b3805d96d6

SHA256
59bc6a679d6c8a7bd5601d26cd55053deb4071df22a3c3f8bf9e7013cc1f7f5e

SHA512
dde8b76c326d9e1b38c1868793bb49195b2976995c1f5d566fc8ae1c3b51715fb7648d14760f39943f8834f51f27dc2117ea9bdcc916b8d9bf5a6bb68b5155a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\agka.exe
Filesize
306KB

MD5
9e506a643d15b3abea826a21eefee6e6

SHA1
747e5a1dec43a7a2e93d486122589f13e35e349a

SHA256
9f9ea1095da59e13c86e91f5904d34addc36f59ec991a6ca0d89cee9202a5db4

SHA512
1f6c4c465da113a374b2c42476fb2eefb810cd8071397806110873d744974927ea79cbd64576fab1b12da21314f19367a74c02cbf58fd3b30773ff487a12d784

Download Submit
C:\Users\Admin\AppData\Local\Temp\agss.exe
Filesize
323KB

MD5
55d5f99d57a7d9cfd45e31980093dde8

SHA1
4cbea0aaf236bf675a4420a1e0429e685ca12198

SHA256
66ed5564e42f286be2ccf07b9890f86a72d3b440150151a626d7ae7957a7dd15

SHA512
46ca2b18b54d4ba3d566fcecdb5e485b9b5ae4743d5c1902587e552e16ad75ab2d7c0684aac6d5fe3d5cc6014a3938e2c7c9b67f29fdfbc87cc4e93b3137b944

Download Submit
C:\Users\Admin\AppData\Local\Temp\aokW.exe
Filesize
208KB

MD5
21d703bf7a41a686e9587c98e6ab2f47

SHA1
1625fbd77a0b0dc8b8da4b20a6251f7de2c83ada

SHA256
fe0e8d976769b18ce55e30aabb98edd3e378db433ff4e4bce8016e58ea75fe0a

SHA512
14c814aea0d5683661aa1a15b4535f8c9dfb4aaa441ffc23cf918c8fc40696f9e72d90f005a480eb20eccd5609f576f3c575b7d831d50db0219838130a0bc5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ascY.exe
Filesize
201KB

MD5
3b7849d0b96cd065a3f6f449c8e02a8c

SHA1
a1bea2ff6ff3e6aa12ca057e5fabf0e810082ad8

SHA256
4791f4406b45048d8e3ccf85b6c39c9f3a783b1e65a2ad7eb67c3ed41b7aea3a

SHA512
9a4ff4e12f6641557520a86bf5a368bcc8d6638e58741b8702b2d214e9582a9e1c316bb45a7a4ef8204ca1600af9edadd9b773ea9b1493f32e883ba318776c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\awEa.exe
Filesize
192KB

MD5
940181ec7b91a5e16c685038c758f670

SHA1
6eda530d72812f2eed14a07ab33cfe0213ad5904

SHA256
1c0bf2942802a68dc1c993014d90792906483e40b95b71bda3ac11feb51d2c16

SHA512
23d95d9ddc1573dbaac1239291bd14cd76bbe0a54df7cb275b67fc0903a88cb950b80bd6d0a01a54ba3be817652acbe09fb445e8fd23a93bde53bbffafb69304

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAEq.exe
Filesize
211KB

MD5
7f9f98ebac53a99fa88d712f115e0a6a

SHA1
b5a48f6b7e45c44dba2787ab1b872494292a0b45

SHA256
aab57130602553d5d808143ac0eb37f10289ecf993722823bfcd014c5640eb75

SHA512
7538ee6e0b2255661d06c627f91ff2bbcaad966b206fb646ee8c1c05c7033896c9e7548d06dcd568cf686a3abdb3d1fa5d829228bba01456836f531c4006fe22

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEgW.exe
Filesize
203KB

MD5
c00796d70af92c0a86e80a2a2d5f81fb

SHA1
0c7aff3bbeb62e733aad1770c0a6aed8c8c17094

SHA256
2f748a6c050ec6a8c814a2f1d7ef5e4b68967c12b49482b671c50ea7bd927464

SHA512
287fb87476efaddbb1ca65af9bec833e1d58475fda4a8b850bf7389188337f1372800a1b892c53f3281e8a04f35f467049bdf7332a35f1c9fc85ed0561f73e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMgK.exe
Filesize
228KB

MD5
689284da491d92970c6871da4336619c

SHA1
19a9936f0d79e143ed9536056e305b3e035a67b1

SHA256
e68202abed8e1c80c54e21ec4af12cfe203a924fd7700158274f1419a4e8dc8a

SHA512
c9c35401503106f6e9caf49144238c640e6fa7b4f520ff36409d1db7a21b585a73d410f0709d4c0ff1a661bdfba6ef7a3f138dda4fd383a96d12a486f5399a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\daUYgcUY.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIks.exe
Filesize
334KB

MD5
c192c6618c41324e8e447d38b5c1bd1d

SHA1
422b00ad2ab18512d4d0cfdbcfa0de410dcc8e12

SHA256
2376c76640bf438114f45db32d713d4caa875c369840578420ddbfc00a2122e6

SHA512
bf988caf30de648bf0203e5fe620bda3046c54520b70bd0cdef935b81722d5a7a53fd4f190f0baa22c1f064151d1c981bd5e6e625558127f41705236929ba75c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMEW.exe
Filesize
647KB

MD5
f1fa937c428c800c08f8aeff2ab86d20

SHA1
bb543d32cebb1106cf8155a50171c32d5b601c49

SHA256
b246990344615f82082473b9adbc8d059e2fe3d5823bf8efce5c351d65c1195f

SHA512
3762cc0304ff55073bc0658bb1204d46c69e477fc5eae0e2b581c4c4649438c3de2851d38371a3cc104b03ed03e8729081ea9d9ab927eefb9958389d3b6ab0a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUEc.exe
Filesize
749KB

MD5
4ece35525b3c950381ef7ccf63dbf15d

SHA1
684deae984a698566b516ffec10104136c281894

SHA256
3f5f0ea65c765ec2913cd41fb16fb483019fbcd5a6d95c88ece01e8eda461d13

SHA512
fa3050a99cbf508e348d219aa2607622d5ac7c3efdf739acf5e6d153a7a4fb0deb9df963e6ef05a159d99ea742d04a0a5ca6686999a056a6b327465e82ebc425

Download Submit
C:\Users\Admin\AppData\Local\Temp\ekwK.exe
Filesize
207KB

MD5
b48f8a96c5159e66c324961d8a9060fd

SHA1
995abfd8804796e449d2737e238575feb360bd5d

SHA256
205cb0e1fed897c4dc8410cb7200c2c5508143123fbc6953eafe9f9568a9de5f

SHA512
be14a77afca3e95aa162007b670c55e2c0fc87f32a96a6dabc59c66b8f45e19ce66cb0b20b88700db1469b729f8c47f391419a3caf7653cf2135eb498bb7260f

Download Submit
C:\Users\Admin\AppData\Local\Temp\eoIO.exe
Filesize
595KB

MD5
aae1a6f783cded21bb5e0ed4c2919263

SHA1
713f1a9e51f19bd4f350f6a856587d17c201a74b

SHA256
a50781eb8d82da57807377d5fa07b520363f3e3f4e795361fbd76436e6ee0db8

SHA512
cd1cf8096a1e0a289d11a6055902905850ea3576d06b7a0f352714a9697efc7bd5f6b50ce6ea28cf4ef570d72ed9369fb4d50b00bf97096758fa289096e7010a

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAIq.exe
Filesize
640KB

MD5
11e861ee6d82b81e2498cb330e800b24

SHA1
aadcbcb6a7a886fecd0cb1804ac098656022d286

SHA256
a60ce7d962b74d9fab178e8ed139bc2d6f275fe7461519ae40e372f5c8a63961

SHA512
fcf0819ade416087f0aa5d733c03bb0fa7c3b1d3ec2bc15f9d2d916719a89bd079d49454b2f9c7de7b314b0901ac050b52f1818d69498e56a04576b94047ad70

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQEw.exe
Filesize
222KB

MD5
f509cc228723e06a4885831972764503

SHA1
5d3240859c1e39e1953321c0642cf2d69ae144ef

SHA256
8230435b456d691a7190a826194751c971fb29ab09b0f1d020d3e1a300d92d6f

SHA512
e190717158c694bebc9dc09165cdb6575da62528d1e1038df7fdcaa97102f57928a6929e2d4793337f9827d8a74a9e5168901c7aa17e936dc4d0783933f019b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\gscS.exe
Filesize
452KB

MD5
25026d7e386b72e4ddc54f63e66b3e84

SHA1
77264ebec82deddf6750623360ded04cebb5ca1b

SHA256
373460ddf6391ddbbeb4b5ce3666c515e93fd2c745126c4bc1fff8f26f373f1f

SHA512
e144881f588e87992f4837919aecd36895d307cab1947362a4dcb3c5acb7bde9c851977ad4d6020907bd572acd9456911806a332e977f167755598bb05a70b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwQI.exe
Filesize
185KB

MD5
04938777f3803853c3c1db45d6c26a69

SHA1
e2965e1e9e63587518c6b8c1bc370f54823a606c

SHA256
304fc78000cfebedb1f4e40b284a1944b4bfad3e95730dabffc8ba18a4a85654

SHA512
9f8a4bf58372fe36507fd86a7753b59681ac6761c274a399e4b9cb06279becf2a22a67f8ab1c786f145f5144768f1ca06b7876783fa673efee4792d88d53e29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEQg.exe
Filesize
195KB

MD5
1fe82bc78784dddc1d86e94b01dc6a09

SHA1
dff01ae9b9b8ef5ca3c9641ac6e96f99e714983a

SHA256
74610a76de85ca9cb19655c535896952c865978d418b87580c14421d00407564

SHA512
72addcc868f34a38ea01fcc1ac3a2277ed534bd12f571643cbb88f36bc9c5e4bd9f14737e0f91857505df4fd5e209a0f6fd3530b7c654fa0d4e1300ee36bcbb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIYc.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIsc.exe
Filesize
554KB

MD5
8fd9c0f34d296eff10a562ef359783dc

SHA1
81d6b21de8b6b6c637c03aabdfb66ff14c09da8e

SHA256
23c1e1dea18b21c33386be7e9f8beea490a615d67bf179a9f33820100b7a456e

SHA512
d27f1e2ba0967469cbab775b108a25483a021cb2bc48e66a6935bc461c98cc5f67136bcedb14cae7ecea38a526f91c0ac88675fea6c5827d16a96d5ba6a25fcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\iMkM.ico
Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYkG.exe
Filesize
485KB

MD5
f80c078349f41c5c713edec5e573a858

SHA1
411cf5b8af56398e746d966f94ee0864fef4a477

SHA256
071bdb2fa0b7e2b7355cb94956747b037912167c36879154ee20c348b4c01058

SHA512
fbb9e41ecfe4e791ff325cf7dcabfecb3e6ea717fd8a88a79046f6c4e05558afc4c99b7b416fc7a3868b661331cf175a90ffe591e38056f45043922b9fdeb797

Download Submit
C:\Users\Admin\AppData\Local\Temp\icUs.exe
Filesize
655KB

MD5
67f85ce10ee2db74ac49b81118d15b4d

SHA1
c46a7dafcfc2f2b308292658a425b3e8e05124b2

SHA256
7114b0cae021515420c35ecdba73c7fc84de0e902b97b93dcfb8e83a8f603105

SHA512
ac330dac6dd50b1f22f05eba6b176172b7e275ae6b11a746c7ac8877bd0fcfd2f0a307708276b641102d53cbec9ae8a10a4437eed31c585a2b442e2ad48693eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\igIy.ico
Filesize
4KB

MD5
383646cca62e4fe9e6ab638e6dea9b9e

SHA1
b91b3cbb9bcf486bb7dc28dc89301464659bb95b

SHA256
9a233711400b52fc399d16bb7e3937772c44d7841a24a685467e19dfa57769d5

SHA512
03b41da2751fdefdf8eaced0bbb752b320ecbc5a6dbf69b9429f92031459390fe6d6dc4665eebe3ee36f9c448a4f582ac488571a21acc6bba82436d292f36ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioEA.exe
Filesize
313KB

MD5
575c6d082226e27de3add1e83392f66c

SHA1
1dcee7fc4e22142cd354f117baf746dc42c4aa0f

SHA256
b143225f6e90fd5b478d449cbb8bae86c8954427d6cda1ebfa63deed6e31f1c7

SHA512
f7ee98a5e66306595d85f7f516ad4fb077947097500766883037dab97fc4f763c19777300719f2787510a0cecf41b4de290670085f4b66c3ac00639caaeb998e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioQO.exe
Filesize
852KB

MD5
c4b6be8979dc8c5731894b415225c505

SHA1
b9e182c1418c875d9cd006e959b3c7f79ca752b7

SHA256
9e06b2bdd177b041287380a128ff7f08ffc32f07ab2e1516bc6c73886e6327ff

SHA512
6bf832e79eb5c024caa9f7f0f370f9cdb3bbc69a3ec3d8f643665d232b5c4924c91e32865cc999d4b91432c831b0674e4c78ed510398d4cb097ee035f4715c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\iowG.exe
Filesize
195KB

MD5
fadc826363d89c1b41249fc07fa04c22

SHA1
da16c739df8b4e31c8953171766bcd0ef176215d

SHA256
dbc0277e5b4094633f7309b5ed41411bd4d2fb4ca72f476052da6252ac318e76

SHA512
0211d0381a9e5150a39a761209efc87119c44567e62c593edf480b7fbd76b5e6496962472785decfc0bccdf1c84a274d2f0f374483436c49e9f770913688bf8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kEou.exe
Filesize
581KB

MD5
af445b7cd6ecf39f57dfd42e30ae1539

SHA1
c0250a2505b535187c0f23c557fc9dc287803e23

SHA256
0902239ab33038574c36eb6d41d63d707b4dc7d5e2d1dad37e83c83646dd7f9d

SHA512
eaa0acf1533dca30d35c84820ab068ab20e3321e04c4d8662f83ad2bdbd1e868fea35a1caf2fa818203782c302d175c4b4368eab03ea9b09d0491a8a25169357

Download Submit
C:\Users\Admin\AppData\Local\Temp\kIgG.exe
Filesize
874KB

MD5
23d31df6254101bab428c60d130f4219

SHA1
f1b3cf49aa17d8de0073df76c85b2e910b16c0ae

SHA256
31b3427c4fa0d82e06124e05fd087a749d3670d8bc523a6316730ff6cdb756a1

SHA512
7c176801f1f2378b25b1c7ce70048cdbc7f7d3850027f907dd476f19ed93e2130a50b648fef658de3ae477f6800a14f4eba2956a4a2db7c8a2fa92bc51fa68fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUcE.exe
Filesize
189KB

MD5
528b6f69e234ee8895004a759f1bdba9

SHA1
f1994d1a7b743ef093717a730d6d68e44995794a

SHA256
1ac1c8b9c9c1f0a77bfb10aa5530091ba43d753568d8937976047b6b3387da65

SHA512
e5e518c38f63d2903e2af225fb5b9dc057021ea32156e2560cc9be9223f9c36c745a23db496d3bdffd06d3b6362a1763975349aa76f6295d4126d899af6e6b0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kkIg.exe
Filesize
638KB

MD5
dfa463c993cd7d40fe52f360de3432e8

SHA1
c457975bb80c7542d95c8f72b4f8e709dd89d309

SHA256
309d50a72da7a33b1e61a72312646456aeebf92e3c141604a5a8cf9e4b53387b

SHA512
e403995e375594320233c3e630f4bfb5b2f00fb5c3345787e25d055365d807ab438d5259e80deb3b5cdd48bd6dbf92d8c9e0e7d0c2ef45f0631e98a3ce6b6f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQAa.exe
Filesize
222KB

MD5
1359ff4c9ab3a134e7f5df1f150cf64d

SHA1
8e24757d31f0e5e38968807b89140ce5b60c1025

SHA256
f2c7207a9de0a60c28df46c7a911c6544cac56ec1b509e613a7f709b0c4e323e

SHA512
6dcc9fb20cb642088402422b16573135005e9957ee92c55cd8bd7cee5ec79fde0af4ce45a0bebdfff3b5307ef15671264d169cf443304b841cfdb46a8665f26e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUok.exe
Filesize
201KB

MD5
50587311a2bd42d028788d8a434c2c7d

SHA1
dd5c159c813d0d4e48c2e5dda5ce399cb50b4027

SHA256
ac85638d67f7f8b01c9ea26414da5c87316ebf5c73f8ed15442782a8eb1fee84

SHA512
5caa2141cb3278aa5eabaa304ba9d2ef8f404815a46c368f7828c527c8a34bc8e55cbe4614c8619289311dd9c1e091ef064a3d74ef0313503b0e169dcee3997a

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUwQ.exe
Filesize
491KB

MD5
88124b8baf155654d3666025d8873b69

SHA1
d9b260c85137421823e7276d7f367dc140daac46

SHA256
683499f424c51a8213960a3236d29ccfe5007076752a035b7738c1973ee935a6

SHA512
bfc9bdbecf2be60528a7ac097a30042b37b647e151f8156fe5fe0e99956d7bb3c58175f57b0025404ddcdd214b2ec2d3ceae9d223b4f90f24862fef13c158a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgMi.exe
Filesize
407KB

MD5
448ac4a2a23412cf4187c9ab6e58be1b

SHA1
f9f6a87b06fab2f585fabea680db983b0e16d0b4

SHA256
e783b05dc2733239284ab00ea615293183b0c63635f2f33d7a5eda8d90bc479b

SHA512
e92e63d9dc34968a6c4f68b2d6f908265b15f250af51c1d6beeebe8db98e1f29528cc2e724bb208afb317ef28c82e65c7da81e1ece21a6e9c6d877e0592565ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgUi.exe
Filesize
653KB

MD5
7ff7e12270c804e7e2f1fb56cfd05c8e

SHA1
3b16747fb6da0a2c3a48cd35789eea30ba0463a1

SHA256
e3a75b991a6561446e6ed58258ed9040edec53ebd8a8fa99f52a4a7dfe14258d

SHA512
673ea862965c4a718f1b0964179defed6d9d78077b5085ac26feded6821d707c003386c924773769d9555a8d61c57c6e5b83bde49cfc771c60a9c7d75f124caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\mkUQ.exe
Filesize
192KB

MD5
c3e05b5989bf99e23766f490c0195d34

SHA1
20fd655fed38120a30728b68638e358218f6f1ed

SHA256
b2fe98d8248397d7e96635652c437cd349b0fd18eb408854d1e10dcf9ae9da64

SHA512
a3649b38818fe9e9cf3c51137864114971d32cd8c6ec7df1460a4181bbe7e97f0c5696e2ff61c2d6aba7be9130b7477056a6e1c7a06ae05bec697ff8db5d8a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\oMkG.exe
Filesize
790KB

MD5
3adc85a52b71768e88f8a50e56b87079

SHA1
ce4bafef90f5e1d1878aa41d043849bcdbaca5fb

SHA256
ac0e6f44ba4d627a7fb232a1a335227f9ba420ff80da6c9596c9c77e3652297f

SHA512
2b1026b737ae2ec35ba04cde4aedcb4e5cf9ea75f92cc083651d13cc7bb5a11c248c6206d2b51a66954ff90642e4a3ccc3e5016198b6a7aaf0c03d093455ca28

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUMy.exe
Filesize
205KB

MD5
07a45c53218e505ac3d1d69b8d6a31b2

SHA1
1f2dac98d24ca5fa1c09cfe87c2120a5de18d803

SHA256
75d0d3f19ef80eda21cdec70d75e2e68d3de8d84c93d38d2ecd44d64ac45241b

SHA512
f36b37e62cb170d374b46d19c0c99771705a4f3875076bbffef39c5bbc97823f86c8891abf45df5ca19a5acdf1e5bc5ef9f38ba3158378158248975f93600ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEwe.exe
Filesize
808KB

MD5
e5ab52c0bdda81ebc6b834d205b0dfc3

SHA1
bdc3391bfe846b756708a43148dc00aa0f5f37dd

SHA256
aaf17267f5ce56a37cdfbbf032426f924ac0d670334d8d725bfef389ea42fdb5

SHA512
b184091511e52cb98ad31f5810a3e36e335b901294fde5014c40f6c12caa9670a952b872e548f8fbbe415d666a8b6dd41c5500d77a55be175c5b37692d41acac

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMYk.exe
Filesize
205KB

MD5
646bc2dc119d9f846929f549f0b2388f

SHA1
551a411bd951e21e4c01d10c76a37aaa9946b946

SHA256
cd3340fa53f494de5441275f80b5c0ac00417a952b434e28fae9c62adeb93a80

SHA512
f7b8fe5e8dfaab3f358b4ca0e9debb2db2ee214273798c386f1196d4a4797cfdd486fd3f56489d030164566b9d74a3fa8bf423b0545fb6b9b3c576e77eee837d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQYY.exe
Filesize
202KB

MD5
0d1bf53d7902d77b98fb3b7b95f67ef6

SHA1
a12fc9f7c21453d82eb4089b97c6c7855f591980

SHA256
193362e0046cb7332b628bfa946b3e26f54bcbe41ede6976551bffa6872c25bd

SHA512
11a65abb34d28e307b742c471be581d10a113add9e8e57f1f8f3598c569ab423bb0d8021c1b300a19b9a29befce96298f4cd168c390c67f34ff39ebadc5dcf2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qgMe.exe
Filesize
189KB

MD5
e8ad9c3427d1d8759922738031f60c7d

SHA1
1b4d3fc5e13a2e02241c0a9a52e0d938da2877d2

SHA256
f17c068ad4aaf7c784060e8afb5c0c946ccd2078f97c8bdbfc768ad3a750d4bb

SHA512
1c51add0145d3d550a855f6b4873692adac389d1c92fc5c073655794bf8873275e55ae071e0b4b409b909c8a63945f4501c54824e69b3ba0dd0f0f8670367ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIYI.exe
Filesize
200KB

MD5
781609a2ff6b1c206a18f34a9d1897f9

SHA1
d518f01a91e601838f8f593a3f6193bd11928953

SHA256
a8ad0f7c2ae30ead30999555399925118e5baf17a91104775178796d6c1ed26c

SHA512
748ea98d8637912201982d205bb664b9e1fb443a792684168bbea1fc1daafae88fc7cc8294c0a103c6f8eee4828c6392bf898165b8dc3b23200b95301247a738

Download Submit
C:\Users\Admin\AppData\Local\Temp\skMa.exe
Filesize
1.8MB

MD5
27543f828a4e4e9dda59448da891fe83

SHA1
e817dceaa0f7c06590426d17b627ed674554bb48

SHA256
df18af0aca7a8356f5351fd7af9ec423b5f7ab2bf73f1c215f1a2310664b27ba

SHA512
f113c436879b74a95348fc488668c94d842c01545eb45c68e923303b0e42c35a71b4e536549fc2ef050cb0fc4b0b4cc25fae6b887d63d37d792f6412f6c76ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAEg.exe
Filesize
535KB

MD5
e561ab8c0fce03d57644a91522f77a94

SHA1
f777c343ca84bb95a125eabe5147dd8de37ed75c

SHA256
625802fb47258488a779ce8a03146cb81ab25e2762efa6c760ede62916152dad

SHA512
3fbfd14c96bac57daaadea71b75634eea7a843c5b62ecc2a889ecbfc3acfc978ad56ffdab07914275f4d7d0ff8637ffd3c8aa0a44b4c01444c72c7a705495060

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMoG.exe
Filesize
202KB

MD5
ced98aaa632cb4b373f0acbea77f779b

SHA1
43163c195496bfd72c52f84b211c3d026e427e1b

SHA256
44291ddcd5bbd3644c4d41087c2e44d00b271b5666429044e90d6393b1a5781e

SHA512
1057beb484be1a09c58088d7a15b845bd03345d7bf83e226d705b47307e58b3fa403d022df76827a6e5fc759750f850ccda24523456dcc7e3b69392912b3ecdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQgO.exe
Filesize
881KB

MD5
9aa2c2d1d3aec6b3ee6bc21fc4f79021

SHA1
665d529d4bece4194ac1ae7e8724ce37ddd529ae

SHA256
ce8c32d35940ae03e63423c7948445ef858848fb92450737db6116ccca58b8c9

SHA512
41f0cb64f102818f8208b68f01c7e9fd367a161ed1768797f0c3c2382a744b9a2a3b2fc552a4270815a601bd455a7b579781d46d518de94ef8482e6c52cca8cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoEw.exe
Filesize
227KB

MD5
d42fa3ec66e6f040b4a7d14e3854de1a

SHA1
db8ac344600ac9214303541557afb17d8f2cb23c

SHA256
3c1ab79b6667a0402f072a40a663653da6ae14a788a3a456680910f6d47931e0

SHA512
05d073ed8173c60943fb4ee0130678be0c941e7d5b5cee66c4110688903d7feb377918749025701a5c1ed07f3636ea3d50d9537b30ded465810f461e0686d62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wEgg.exe
Filesize
627KB

MD5
1309c55a1491aed7c42a4852731b46d8

SHA1
ae628099f18b14be72c657517b89048c846256d7

SHA256
3ee53fcb8632ea7e94c5c79178980abdb28a3603d792b943d7c979b6a61e2a6f

SHA512
9e44b69a9da81bce1b8b60d4fe87db7162423c6f406b3dea04cde7f83ee87f1ed50dc2ba0d75989c97faf13ad06b11f84052b3da7958ba17cef3a1de4648b45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYMC.exe
Filesize
611KB

MD5
f3cba99da240a601f2cbba0b7680cf0f

SHA1
9e8c355e42004b16ade43dc0335371dd81fb75f0

SHA256
ed03dd5e1794c0d922aeb63bcfc5a6569d11c1862d25033a7a18b7c40ed43818

SHA512
5b67113d421b953d70788a813f57f1ee3dd42f4254c0fa499bb102c3535e290430d44ed98fdb915774ebca66c453701950eb76ca7042cfe37d386f3c29c088f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgwE.exe
Filesize
184KB

MD5
b297aff2642f259f098129cccc44219f

SHA1
43e5fe3def36e4faea807cb190d0dad8c71dad18

SHA256
8f04422ae8e6467b88d56d3a5090bc4396ac57e69d585cac8d6c1dbaaba1b9bd

SHA512
adf317c3e45afd09334e91a7c454b953bdc55e5a15e3ba559ad0a657a503126814b64727cc39812a2838a5f4f363306ae7322447257bab130d617a9771b824eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgwS.exe
Filesize
201KB

MD5
16a69bf579ed5b92d16e9c1b290319b3

SHA1
2634964d488c241992c1436e511266cad8a79966

SHA256
fa5d1dfed2fe815d80e7469033eb7e916280d30bd633833dfacca486fda11094

SHA512
c28aacbf0b08263c3c06e9571d7f21adb8a20a6591110fcca1233326f470765fa2026530b39a3a60191a27577c468f3dec5427e30b62b58fdd2dc38710142d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAoC.exe
Filesize
540KB

MD5
95203a83032d43ec04492fce8bd7fd10

SHA1
5d3ac18df5408e3c45a21b82b4d40a5ea860b359

SHA256
4865d6781b99cf24e2c020a222147d97354963ddf03d4f913cab958247034de6

SHA512
f8539931d1716fee4c55bade1b7281da479a05ab9a81ca68d2eb71682a1a8fa33a5cbf7520371f9d4940dc80c5cad1e4c8fdc3d6530a47bb8501f5d51bfe2a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\yMQM.exe
Filesize
192KB

MD5
0be6b5976ead6da52ec954953e4715c7

SHA1
27c6331539e605ad5eff293ba4fd5229a8c8b6a8

SHA256
238202ed6ce6d34e0ad3e26fbccc36dfe19d821f42301e02a8483fb75d3c2473

SHA512
c1682d858599a04cd86d78d45130a4ffaa97e6f70702f1d8eaed05de7ebfc4110991f0619dabbcc96f4b5d969f6f04fe4ac8ad96c2ffee9f15c39e075b816f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycUq.ico
Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoQs.exe
Filesize
204KB

MD5
6f3c553dd7d93ca6d15ec5aa72d75cdf

SHA1
55e74ca671b278d58fece8879bfc0995d4fc7813

SHA256
9fd30a915625b41501ac785a1baf8c467d9f60fd44d996ea245c4ded44c90850

SHA512
3f403de5cb85bd997152ebef7b2d91b9795c530e7d76e35192d9a01d5469784bb09dbd2a8e1948287bf2c27f78b7c5280c52e9ac32224818b803a3375be483ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\yocO.exe
Filesize
566KB

MD5
78d7ad1f6657dba6db9c2ce28a7d2977

SHA1
87f338d9c21b2209968df58c50436f0ab2e56987

SHA256
e8d4686e9f5b357d790940e502c33b2c07043af0c6be6a20a48186b6873107a9

SHA512
4685f096fc458e90934c12f0aea789df3795c8535aee1f4fc2bc38d519b2013a214b41919623375c0de4e2249dc644ed9418f9a5c0ca4cf4399205b8e8ff9ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\yogO.exe
Filesize
192KB

MD5
369c1824418b1b0a947b6b11009861ff

SHA1
a10dbecea088f95fa403bf9b5d888242f7bfbcb7

SHA256
3fb2edec62e47deafd19fd0de17ddca681848e0e4fd9a28fc25050743c9b7e06

SHA512
edb9747e121d018430cf3947b5957eb4c05a2c4f0c3f9982eb1a4c85c59610819ac930bb8f2e077ce1c31c50e065474a540bdde8bbc3b36f5a322e9de71284a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysUm.exe
Filesize
251KB

MD5
a3cdbfd315dea85fe913ec33a2b3855b

SHA1
405bafa264c2279934f9bb5a8d7d3f171f8ebe85

SHA256
da3b657b295dfff29eca2e24b8154ba1de61db79fe8983acae6a4d2a99c85ff2

SHA512
41018ddc733596d48695f48873d2fb9d73f84fb67b5969e4a3abf4e92a6077b2201f0827e82795874b71787b12bbfe1aa1fea090337b1245a68910d84503d600

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywMq.exe
Filesize
204KB

MD5
055c47c90b17b5b01b18da9257502a0b

SHA1
935a126ce84df874a033b783b54be73f09e32d06

SHA256
53bbf94b80b8c46f2676556a2a38bed01f5255eecdca4c5e3f60456a4dd897e0

SHA512
1e4e7997c0945cec49d41508ea0a256a053dd3ca6f86462e09ef14e9fb00c7ea6b4d387ebc4885f327e0c916f6f2b3bc8878f8a3bd0c1dbd48153dc8e8668741

Download Submit
C:\Users\Admin\Documents\PushSend.doc.exe
Filesize
1.1MB

MD5
b50499c02fcdccdf7baa885ae5d2a624

SHA1
da4037653c9e7eb36f1562af6e542d3884897e24

SHA256
fdd4aac32dbe17bac49b12a30f26f7fcb4adad95aac6a389b87134f3289a5ffe

SHA512
1ed0eeb9d13df5845931bdb38808a45297bf27a1a0aa8dbbac244e21328a0de75bddb91c7fe5c4f9fd2f3a4b59d25cced5728d03030b8b2e8848b2f019015d2d

Download Submit
C:\Users\Admin\Downloads\ExitUnblock.doc.exe
Filesize
443KB

MD5
9813f305b5f43279893e3571c4029f80

SHA1
274b01aa1c2d8a2822cb244a3813a76460d9d85f

SHA256
399f8ac00a501fb90eebef7ddd272674c6b6aca6c720df8486398856bacc431e

SHA512
f17197e54daf2e87f374c423b099d9901476ed463d97a7e6ff4c84ef85d3aa6334fb522fff9db73522096e0bc4587df5135b27c91aed3e41ebf48ad6253dda21

Download Submit
C:\Users\Admin\Downloads\ImportRename.ppt.exe
Filesize
643KB

MD5
fab7cd76ef6245cac4837364c248ac23

SHA1
b191e687de5266ccd0ec6fa6f95c2b919a131f17

SHA256
5343cd075b7b9be23cf887682b247a89113ef81d2c222bac09bf87f337dfd0bd

SHA512
0118f4356e7a997bd1aa169c0e9916918caf5053dbb3446bf57bfd4bfdd08056fa327b142685a0ab99188a1050289c955bd7904ff9ea39685f9dbedfb8f3b49f

Download Submit
C:\Users\Admin\FwIIQYEM\qowAsAsw.exe
Filesize
195KB

MD5
829ed03072ec50cc35134f00fbef7742

SHA1
0f982c28d9608ecb65b0cbd4c0dc73d8d8f986c6

SHA256
a9836f22a030703c7db32ff3f9b9bfb3fd71a7170931fdfe54f57ef4889a3ca7

SHA512
b2e8dc47ef9956804a03a1f8ad576166efc7e58245e1833f3ff34d89f4041e3c9c26a61ab155b4ce329314a096ea3107a23dee696ebe80c844d9de118a15047e

Download Submit
C:\Users\Admin\Music\GrantReceive.png.exe
Filesize
463KB

MD5
fff63c2eeeeed88ce1cdfe729ee7950e

SHA1
31c704142751d423c8311bd6cb16df1bcc1ebaf0

SHA256
140a1584a12248e6c4b946df680948bdcacacbcb6c8d1116f387e43796037419

SHA512
e08e7cc0da83a718668458592fa403c4242b4a72b83eab690c99105e7d384c6ab851a02faa0b2a1be9dd9b48f07b7f91cc80d8f783e5a168dfcf7d3de9c90a4e

Download Submit
memory/372-516-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/404-456-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/404-470-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/640-387-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/640-373-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/860-284-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/884-579-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1076-32-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1364-258-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1364-243-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1512-94-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1620-189-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1620-206-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1628-414-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1844-339-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1844-327-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1852-410-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1852-423-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1952-201-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1952-219-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1956-90-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1956-106-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2232-294-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2284-488-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2284-480-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2348-168-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2348-154-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2572-276-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2604-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2628-181-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2628-430-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2628-442-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2628-171-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2628-242-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2628-228-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2668-143-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2668-131-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2676-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2676-19-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2688-479-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2688-471-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2768-367-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3148-498-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3208-302-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3300-419-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3300-434-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3304-331-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3304-316-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3320-53-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3320-71-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3444-307-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3444-321-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3532-348-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3532-340-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3556-11-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3668-45-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3668-33-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3792-118-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3792-132-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3964-452-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3964-461-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4048-515-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4048-526-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4140-554-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4140-540-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4292-405-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4292-393-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4352-535-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4352-544-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4480-349-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4480-155-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4480-359-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4496-534-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4508-499-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4508-507-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4560-397-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4560-382-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4616-368-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4616-377-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4720-450-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4768-571-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4768-560-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4796-268-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4796-259-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4928-177-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4928-193-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4948-42-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4948-57-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5040-82-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5040-67-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5052-231-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5052-216-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5076-103-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5076-120-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5096-563-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5108-311-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download