b43b7d0a3dc11f47e85c546e57c0ec7e0a5e945c3abeb5f1a185434e82503f22

Analysis

max time kernel
150s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
Size

209KB
MD5

60e52e5583a2290d74f0eeb48d2fe6a0
SHA1

264f92259d649a8e76a80b1fd5ef75dbb4e2d259
SHA256

b43b7d0a3dc11f47e85c546e57c0ec7e0a5e945c3abeb5f1a185434e82503f22
SHA512

88e1ab57baa369dd718c2ab5834b11dcc6b1a8a759f8c4461d90d0d759dfa70621cb703085c80e6f8426da381bb133e2f3788e9ed9d96ee9f312d92d207f61b0
SSDEEP

3072:5pr0dHh6GXiXkIMUra5R1HLI6pFKUiMalO8yjH6nxaRSSealtIb9HQ/m65HNurm6:5prGFIza57I85iMao8yj4x+mHuz5Lju

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (74) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

UMEwkUQU.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	UMEwkUQU.exe

Executes dropped EXE 2 IoCs

Processes:

jIkooUIU.exeUMEwkUQU.exe

pid process

4836 jIkooUIU.exe
4852 UMEwkUQU.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4836	jIkooUIU.exe
4852	UMEwkUQU.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

UMEwkUQU.exejIkooUIU.exe60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UMEwkUQU.exe = "C:\\ProgramData\\pkkEQMMI\\UMEwkUQU.exe"	UMEwkUQU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jIkooUIU.exe = "C:\\Users\\Admin\\SSUksUcM\\jIkooUIU.exe"	jIkooUIU.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jIkooUIU.exe = "C:\\Users\\Admin\\SSUksUcM\\jIkooUIU.exe"	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UMEwkUQU.exe = "C:\\ProgramData\\pkkEQMMI\\UMEwkUQU.exe"	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe

Drops file in System32 directory 2 IoCs

Processes:

UMEwkUQU.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	UMEwkUQU.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	UMEwkUQU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
4632	reg.exe
4016	reg.exe
1620	reg.exe
2332
2236
4428	reg.exe
824	reg.exe
2388	reg.exe
3144
3208	reg.exe
4300	reg.exe
3352	reg.exe
4684	reg.exe
4132	reg.exe
996	reg.exe
4704	reg.exe
2588	reg.exe
3204	reg.exe
208	reg.exe
2548	reg.exe
1984	reg.exe
4328	reg.exe
1864	reg.exe
2440	reg.exe
1784
1060	reg.exe
620	reg.exe
4584	reg.exe
696	reg.exe
3440	reg.exe
2336	reg.exe
4032	reg.exe
3144	reg.exe
2816	reg.exe
2644	reg.exe
4688	reg.exe
3208	reg.exe
1820	reg.exe
2852	reg.exe
1008	reg.exe
4988	reg.exe
5016
2516	reg.exe
8	reg.exe
3144	reg.exe
4924	reg.exe
3368	reg.exe
2044	reg.exe
3240	reg.exe
3848	reg.exe
1228	reg.exe
1056	reg.exe
2556	reg.exe
1944	reg.exe
5004	reg.exe
2208	reg.exe
4632	reg.exe
4424	reg.exe
3012	reg.exe
1204	reg.exe
1280	reg.exe
532	reg.exe
1496	reg.exe
4496	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe

pid	process
816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
4036	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
4036	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
4036	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
4036	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
3516	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
3516	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
3516	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
3516	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
2720	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
2720	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
2720	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
2720	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
4452	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
4452	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
4452	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
4452	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
3920	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
3920	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
3920	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
3920	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
4444	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
4444	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
4444	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
4444	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
3964	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
3964	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
3964	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
3964	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
4628	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
4628	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
4628	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
4628	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
3656	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
3656	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
3656	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
3656	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
964	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
964	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
964	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
964	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
2076	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
2076	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
2076	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
2076	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
332	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
332	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
332	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
332	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
1920	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
1920	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
1920	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
1920	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
1824	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
1824	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
1824	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
1824	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
1644	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
1644	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
1644	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
1644	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

UMEwkUQU.exe

pid process

4852 UMEwkUQU.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

UMEwkUQU.exe

pid	process
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe
4852	UMEwkUQU.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.execmd.exe60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.execmd.execmd.execmd.exe60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 816 wrote to memory of 4836	816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	jIkooUIU.exe
PID 816 wrote to memory of 4836	816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	jIkooUIU.exe
PID 816 wrote to memory of 4836	816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	jIkooUIU.exe
PID 816 wrote to memory of 4852	816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	UMEwkUQU.exe
PID 816 wrote to memory of 4852	816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	UMEwkUQU.exe
PID 816 wrote to memory of 4852	816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	UMEwkUQU.exe
PID 816 wrote to memory of 4148	816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	cmd.exe
PID 816 wrote to memory of 4148	816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	cmd.exe
PID 816 wrote to memory of 4148	816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	cmd.exe
PID 4148 wrote to memory of 4036	4148	cmd.exe	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
PID 4148 wrote to memory of 4036	4148	cmd.exe	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
PID 4148 wrote to memory of 4036	4148	cmd.exe	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
PID 816 wrote to memory of 2852	816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 816 wrote to memory of 2852	816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 816 wrote to memory of 2852	816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 816 wrote to memory of 620	816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 816 wrote to memory of 620	816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 816 wrote to memory of 620	816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 816 wrote to memory of 2732	816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 816 wrote to memory of 2732	816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 816 wrote to memory of 2732	816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 816 wrote to memory of 5088	816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	cmd.exe
PID 816 wrote to memory of 5088	816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	cmd.exe
PID 816 wrote to memory of 5088	816	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	cmd.exe
PID 4036 wrote to memory of 2860	4036	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	cmd.exe
PID 4036 wrote to memory of 2860	4036	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	cmd.exe
PID 4036 wrote to memory of 2860	4036	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	cmd.exe
PID 5088 wrote to memory of 2644	5088	cmd.exe	cscript.exe
PID 5088 wrote to memory of 2644	5088	cmd.exe	cscript.exe
PID 5088 wrote to memory of 2644	5088	cmd.exe	cscript.exe
PID 2860 wrote to memory of 3516	2860	cmd.exe	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
PID 2860 wrote to memory of 3516	2860	cmd.exe	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
PID 2860 wrote to memory of 3516	2860	cmd.exe	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
PID 4036 wrote to memory of 3124	4036	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 4036 wrote to memory of 3124	4036	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 4036 wrote to memory of 3124	4036	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 4036 wrote to memory of 4132	4036	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 4036 wrote to memory of 4132	4036	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 4036 wrote to memory of 4132	4036	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 4036 wrote to memory of 1420	4036	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 4036 wrote to memory of 1420	4036	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 4036 wrote to memory of 1420	4036	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 4036 wrote to memory of 3816	4036	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	cmd.exe
PID 4036 wrote to memory of 3816	4036	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	cmd.exe
PID 4036 wrote to memory of 3816	4036	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	cmd.exe
PID 3816 wrote to memory of 1784	3816	cmd.exe	cscript.exe
PID 3816 wrote to memory of 1784	3816	cmd.exe	cscript.exe
PID 3816 wrote to memory of 1784	3816	cmd.exe	cscript.exe
PID 3516 wrote to memory of 3848	3516	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	cmd.exe
PID 3516 wrote to memory of 3848	3516	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	cmd.exe
PID 3516 wrote to memory of 3848	3516	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	cmd.exe
PID 3848 wrote to memory of 2720	3848	cmd.exe	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
PID 3848 wrote to memory of 2720	3848	cmd.exe	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
PID 3848 wrote to memory of 2720	3848	cmd.exe	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
PID 3516 wrote to memory of 1620	3516	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 3516 wrote to memory of 1620	3516	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 3516 wrote to memory of 1620	3516	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 3516 wrote to memory of 1228	3516	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 3516 wrote to memory of 1228	3516	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 3516 wrote to memory of 1228	3516	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 3516 wrote to memory of 3592	3516	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 3516 wrote to memory of 3592	3516	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 3516 wrote to memory of 3592	3516	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	reg.exe
PID 3516 wrote to memory of 3828	3516	60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\SSUksUcM\jIkooUIU.exe
"C:\Users\Admin\SSUksUcM\jIkooUIU.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:4836

C:\ProgramData\pkkEQMMI\UMEwkUQU.exe
"C:\ProgramData\pkkEQMMI\UMEwkUQU.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
2⤵
- Suspicious use of WriteProcessMemory
PID:4148

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
4⤵
- Suspicious use of WriteProcessMemory
PID:2860

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
6⤵
- Suspicious use of WriteProcessMemory
PID:3848

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
8⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
9⤵
- Suspicious behavior: EnumeratesProcesses
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
10⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
11⤵
- Suspicious behavior: EnumeratesProcesses
PID:3920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
12⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
13⤵
- Suspicious behavior: EnumeratesProcesses
PID:4444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
14⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
15⤵
- Suspicious behavior: EnumeratesProcesses
PID:3964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
16⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
17⤵
- Suspicious behavior: EnumeratesProcesses
PID:4628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
18⤵
PID:3236

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
19⤵
- Suspicious behavior: EnumeratesProcesses
PID:3656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
20⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
21⤵
- Suspicious behavior: EnumeratesProcesses
PID:964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
22⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
23⤵
- Suspicious behavior: EnumeratesProcesses
PID:2076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
24⤵
PID:1244

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
25⤵
- Suspicious behavior: EnumeratesProcesses
PID:332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
26⤵
PID:2220

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
27⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
27⤵
- Suspicious behavior: EnumeratesProcesses
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
28⤵
PID:4016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
29⤵
PID:3920

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
29⤵
- Suspicious behavior: EnumeratesProcesses
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
30⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
31⤵
- Suspicious behavior: EnumeratesProcesses
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
32⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
33⤵
PID:1548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
34⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
35⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
36⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
37⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
38⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
39⤵
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
40⤵
PID:3320

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
41⤵
PID:3440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
42⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
43⤵
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
44⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
45⤵
PID:2076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
46⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
47⤵
PID:2860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
48⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
49⤵
PID:1420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
50⤵
PID:3408

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
51⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
51⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
52⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
53⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
54⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
55⤵
PID:1012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
56⤵
PID:3432

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
57⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
58⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
59⤵
PID:3740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
60⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
61⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
62⤵
PID:5064

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
63⤵
PID:3044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
64⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
65⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
66⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
67⤵
PID:4148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
68⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
69⤵
PID:5104

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
70⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
71⤵
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
72⤵
PID:3244

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
73⤵
PID:848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
74⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
75⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
76⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
77⤵
PID:2376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
78⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
79⤵
PID:1420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
80⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
81⤵
PID:848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
82⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
83⤵
PID:4736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
84⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
85⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
86⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
87⤵
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
88⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
89⤵
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
90⤵
PID:2732

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
91⤵
PID:3216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
92⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
93⤵
PID:1072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
94⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
95⤵
PID:2456

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
96⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
97⤵
PID:5116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
98⤵
PID:3828

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
99⤵
PID:2212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
100⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
101⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
102⤵
PID:4528

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
103⤵
PID:428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
104⤵
PID:3036

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
105⤵
PID:2640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
106⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
107⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
108⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
109⤵
PID:3248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
110⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
111⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
112⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
113⤵
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
114⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
115⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
116⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
117⤵
PID:408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
118⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
119⤵
PID:2824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
120⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
121⤵
PID:116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
122⤵
PID:3264

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
123⤵
PID:3848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
124⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
125⤵
PID:2556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
126⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
127⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
128⤵
PID:3240

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
129⤵
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
130⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
131⤵
PID:1036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
132⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
133⤵
PID:892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
134⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
135⤵
PID:2860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
136⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
137⤵
PID:2816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
138⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
139⤵
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
140⤵
PID:3368

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
141⤵
PID:3460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
142⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
143⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
144⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
145⤵
PID:3408

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
146⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
147⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
148⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
149⤵
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
150⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
151⤵
PID:1336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
152⤵
PID:2352

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
153⤵
PID:720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
154⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
155⤵
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
156⤵
PID:2640

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
157⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
158⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
159⤵
PID:4736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
160⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
161⤵
PID:460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
162⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
163⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
164⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
165⤵
PID:848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
166⤵
PID:2360

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
167⤵
PID:4564

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
168⤵
PID:2592

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
169⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
170⤵
PID:376

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
171⤵
PID:3920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
172⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
173⤵
PID:4716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
174⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
175⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
176⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
177⤵
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
178⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
179⤵
PID:4312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
180⤵
PID:2776

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
181⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
182⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
183⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
184⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
185⤵
PID:4776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
186⤵
PID:3732

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
187⤵
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
188⤵
PID:2236

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
189⤵
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
190⤵
PID:3188

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
191⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
192⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
193⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
194⤵
PID:208

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
195⤵
PID:636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
196⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
197⤵
PID:2096

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
198⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
199⤵
PID:3252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
200⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
201⤵
PID:2488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
202⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
203⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
204⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
205⤵
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
206⤵
PID:460

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
207⤵
PID:2780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
208⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
209⤵
PID:4300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
210⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
211⤵
PID:4164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
212⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
213⤵
PID:4984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
214⤵
PID:1340

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
215⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
216⤵
PID:4072

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
217⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
218⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
219⤵
PID:2988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
220⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
221⤵
PID:4888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
222⤵
PID:3204

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
223⤵
PID:2368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
224⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
225⤵
PID:3724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
226⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
227⤵
PID:2088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
228⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
229⤵
PID:4032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
230⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
231⤵
PID:4056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
232⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
233⤵
PID:4100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
234⤵
PID:4704

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
235⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
235⤵
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
236⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
237⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
238⤵
PID:3264

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
239⤵
PID:3224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
240⤵
PID:1344

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
241⤵
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
242⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
243⤵
PID:2088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
244⤵
PID:3848

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
245⤵
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
246⤵
PID:4444

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
247⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
247⤵
PID:3248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
248⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
249⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
250⤵
PID:408

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
251⤵
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
252⤵
PID:3888

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
253⤵
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
254⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
255⤵
PID:3736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
256⤵
PID:3188

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
257⤵
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
258⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
259⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
260⤵
PID:3468

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
261⤵
PID:2512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
262⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
263⤵
PID:3248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
264⤵
PID:4988

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
265⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
266⤵
PID:1072

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
267⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
268⤵
PID:4888

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
269⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
269⤵
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
270⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
271⤵
PID:1280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
272⤵
PID:4164

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
273⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
274⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
275⤵
PID:5076

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
276⤵
PID:2312

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
277⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
277⤵
PID:892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
278⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
279⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics"
280⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
281⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
280⤵
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
278⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
278⤵
PID:1036

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
279⤵
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
278⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKccwgEM.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
278⤵
PID:4940

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
279⤵
PID:4232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
276⤵
PID:384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
276⤵
PID:2512

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
277⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
276⤵
- UAC bypass
PID:5024

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
277⤵
PID:796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NecgUcwQ.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
276⤵
PID:3008

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
277⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
274⤵
PID:2684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
274⤵
PID:3000

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
275⤵
PID:396

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
274⤵
PID:4528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HYEAgoMQ.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
274⤵
PID:4772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
275⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
272⤵
PID:2212

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
273⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
272⤵
- Modifies registry key
PID:532

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
272⤵
- UAC bypass
PID:3244

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
273⤵
PID:3232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIQwEooI.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
272⤵
PID:5072

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
273⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
270⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
270⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
270⤵
- UAC bypass
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ASEMAUYY.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
270⤵
PID:1036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
271⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
268⤵
PID:2056

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
268⤵
PID:3524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
268⤵
PID:824

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
269⤵
PID:1060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gicQcccY.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
268⤵
PID:4972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
269⤵
PID:384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
266⤵
- Modifies visibility of file extensions in Explorer
PID:3680

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
266⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
266⤵
PID:460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cEEAwkQA.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
266⤵
PID:4372

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
267⤵
PID:5104

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
267⤵
PID:396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
264⤵
PID:3672

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
264⤵
PID:2860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
264⤵
PID:2044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SUwAcIkA.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
264⤵
PID:464

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
265⤵
PID:2384

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
262⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
262⤵
- Modifies registry key
PID:1280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
263⤵
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
262⤵
PID:1008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pKgYkMQM.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
262⤵
PID:2100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
263⤵
PID:4092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
260⤵
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
260⤵
PID:3300

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
260⤵
PID:3708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FsEQAcwo.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
260⤵
PID:636

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
261⤵
PID:5044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
258⤵
PID:4032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
258⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
258⤵
PID:2352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hsggcwUA.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
258⤵
PID:3760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
259⤵
PID:5104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
256⤵
PID:2860

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
256⤵
- Modifies registry key
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
256⤵
- UAC bypass
PID:4988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\USQsoAcc.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
256⤵
PID:2068

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
257⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
254⤵
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
254⤵
PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
254⤵
- UAC bypass
PID:4820

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ugMEMooo.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
254⤵
PID:2852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
255⤵
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
252⤵
- Modifies visibility of file extensions in Explorer
PID:4420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
252⤵
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
252⤵
- UAC bypass
PID:4740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qWQAAoIw.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
252⤵
PID:1540

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
253⤵
PID:2416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
253⤵
PID:824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
250⤵
- Modifies registry key
PID:2388

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
250⤵
PID:1208

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
250⤵
PID:2352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UeAwwkkY.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
250⤵
PID:2692

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
251⤵
PID:4100

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
251⤵
PID:532

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
248⤵
PID:3252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
248⤵
PID:1304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
248⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaQkQsAg.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
248⤵
PID:3232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
249⤵
PID:2488

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
246⤵
- Modifies visibility of file extensions in Explorer
PID:892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
246⤵
PID:824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
246⤵
PID:3264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TwsYEQUo.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
246⤵
PID:848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
247⤵
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
244⤵
- Modifies visibility of file extensions in Explorer
PID:720

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
244⤵
PID:3440

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
244⤵
- UAC bypass
PID:2644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vuYwYYIQ.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
244⤵
PID:2284

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
245⤵
PID:4972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
242⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
242⤵
- Modifies registry key
PID:2816

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
242⤵
- UAC bypass
PID:4332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pyQMQAMI.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
242⤵
PID:2272

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
243⤵
PID:2772

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
243⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
240⤵
- Modifies registry key
PID:2548

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
240⤵
PID:2604

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
241⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
240⤵
- UAC bypass
PID:824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\miQkYwMU.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
240⤵
PID:1060

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
241⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
238⤵
- Modifies visibility of file extensions in Explorer
PID:5032

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
238⤵
PID:1752

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
239⤵
PID:4080

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
238⤵
PID:1016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qOQMYEwY.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
238⤵
PID:532

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
239⤵
PID:4032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
236⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
236⤵
PID:4500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
236⤵
PID:1496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cgAMMMgg.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
236⤵
PID:1504

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
237⤵
PID:3928

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
234⤵
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
234⤵
- Modifies registry key
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
234⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dwYIUIks.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
234⤵
PID:2588

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
235⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
232⤵
- Modifies visibility of file extensions in Explorer
PID:5024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
232⤵
PID:2320

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
232⤵
- Modifies registry key
PID:3848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LQAEYcIg.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
232⤵
PID:4684

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
233⤵
PID:2368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
230⤵
PID:3440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
230⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
230⤵
- UAC bypass
PID:2312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMIQQgcQ.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
230⤵
PID:1112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
231⤵
PID:2288

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
228⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
228⤵
PID:1224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
228⤵
- UAC bypass
- Modifies registry key
PID:1060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
229⤵
PID:4496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YKYkgQkA.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
228⤵
PID:1604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
229⤵
PID:4820

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
226⤵
- Modifies visibility of file extensions in Explorer
PID:1964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
226⤵
PID:2604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
226⤵
- UAC bypass
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\csoMAQko.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
226⤵
PID:1932

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
227⤵
PID:1668

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
224⤵
PID:2416

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
224⤵
PID:2312

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
224⤵
PID:376

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:4424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KaUoYMcM.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
224⤵
PID:4984

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
225⤵
PID:4164

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
225⤵
PID:3224

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
222⤵
PID:4132

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
222⤵
PID:4404

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
223⤵
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
222⤵
- UAC bypass
PID:4080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ReMgEEUs.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
222⤵
PID:1016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
223⤵
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
220⤵
PID:396

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
220⤵
PID:4736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
221⤵
PID:3208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
220⤵
- UAC bypass
PID:2592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMkUcYsk.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
220⤵
PID:1620

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
221⤵
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
218⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
218⤵
PID:1224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
218⤵
PID:4872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rcsowkQA.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
218⤵
PID:5044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
219⤵
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
216⤵
- Modifies visibility of file extensions in Explorer
PID:4080

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
216⤵
PID:3136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
216⤵
- UAC bypass
PID:3592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XGoososU.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
216⤵
PID:4688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
217⤵
PID:3524

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
214⤵
PID:4736

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
215⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
214⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
214⤵
- Modifies registry key
PID:3208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKkgwQIc.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
214⤵
PID:4328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
215⤵
PID:2772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
212⤵
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
212⤵
PID:332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
212⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QQskMsIw.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
212⤵
PID:3708

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
213⤵
PID:1092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
213⤵
PID:376

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
210⤵
PID:4144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
210⤵
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
210⤵
- UAC bypass
PID:1420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAsoYUoI.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
210⤵
PID:4604

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
211⤵
PID:4884

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
208⤵
- Modifies registry key
PID:3204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
208⤵
PID:4692

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
208⤵
- UAC bypass
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zsEUMAMs.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
208⤵
PID:4924

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
209⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
206⤵
- Modifies visibility of file extensions in Explorer
PID:1336

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
206⤵
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
206⤵
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TuoAcokA.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
206⤵
PID:996

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
207⤵
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
204⤵
- Modifies registry key
PID:4424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
204⤵
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
204⤵
PID:2548

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMAcAIsw.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
204⤵
PID:2336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
205⤵
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
202⤵
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
202⤵
PID:3708

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
202⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DsgkEEQs.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
202⤵
PID:1092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
203⤵
PID:1204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
200⤵
PID:4236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
200⤵
PID:1208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
200⤵
PID:816

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGMIYUYE.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
200⤵
PID:2360

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
201⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
198⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
198⤵
PID:3524

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
198⤵
- UAC bypass
PID:5044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gmEwIMQA.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
198⤵
PID:1344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
199⤵
PID:1060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
196⤵
- Modifies visibility of file extensions in Explorer
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
196⤵
PID:5064

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
196⤵
- UAC bypass
PID:2988

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
197⤵
PID:3188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SGgYgAEA.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
196⤵
PID:4872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
197⤵
PID:3736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
194⤵
PID:4280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
194⤵
- Modifies registry key
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
194⤵
PID:364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\paEoccAg.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
194⤵
PID:1872

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
195⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
192⤵
PID:892

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
192⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
192⤵
- UAC bypass
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQgYgUAM.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
192⤵
PID:3232

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
193⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
190⤵
- Modifies visibility of file extensions in Explorer
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
190⤵
PID:4032

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
190⤵
- Modifies registry key
PID:5004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LmwIgUMc.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
190⤵
PID:4824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
191⤵
PID:5112

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
188⤵
PID:4304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
188⤵
PID:460

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
188⤵
- UAC bypass
PID:116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fCUcAQMg.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
188⤵
PID:2512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
189⤵
PID:3264

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
186⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
186⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
186⤵
- UAC bypass
PID:2056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wGoIQEII.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
186⤵
PID:3352

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
187⤵
PID:2904

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
184⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4632

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
184⤵
PID:3368

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
184⤵
- UAC bypass
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CaEEUAok.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
184⤵
PID:2336

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
185⤵
PID:4380

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
182⤵
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
182⤵
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
182⤵
PID:1448

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iyQAsAYU.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
182⤵
PID:2816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
183⤵
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
180⤵
PID:3540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
180⤵
- Modifies registry key
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
180⤵
PID:4772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tSowsYwQ.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
180⤵
PID:1112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
181⤵
PID:2360

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
178⤵
- Modifies registry key
PID:4300

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
178⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
178⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BqEooIsQ.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
178⤵
PID:2860

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
179⤵
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
176⤵
- Modifies visibility of file extensions in Explorer
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
176⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
176⤵
- UAC bypass
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FuEwwIcA.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
176⤵
PID:428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
177⤵
PID:3232

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
174⤵
- Modifies visibility of file extensions in Explorer
PID:1984

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
174⤵
PID:4160

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
174⤵
- Modifies registry key
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nKkkAsUQ.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
174⤵
PID:4784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
175⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
172⤵
- Modifies visibility of file extensions in Explorer
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
172⤵
PID:3276

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
172⤵
PID:3240

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cIkAkMIY.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
172⤵
PID:5024

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
173⤵
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
170⤵
PID:2732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
170⤵
- Modifies registry key
PID:4704

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
170⤵
- UAC bypass
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UegIUYcU.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
170⤵
PID:1824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
171⤵
PID:5020

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
168⤵
- Modifies visibility of file extensions in Explorer
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
168⤵
PID:1224

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
168⤵
PID:2152

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EOgIMsAU.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
168⤵
PID:2160

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
169⤵
PID:1448

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
166⤵
PID:4492

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
166⤵
PID:4884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
166⤵
- UAC bypass
PID:4160

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dWIkEMYk.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
166⤵
PID:428

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
167⤵
PID:4132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
164⤵
PID:3596

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
164⤵
PID:2512

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
164⤵
- UAC bypass
PID:208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lKYMYIsk.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
164⤵
PID:1820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
165⤵
PID:4460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
162⤵
- Modifies visibility of file extensions in Explorer
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
162⤵
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
162⤵
- UAC bypass
PID:2988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuEsUIsM.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
162⤵
PID:3440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
163⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
160⤵
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
160⤵
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
160⤵
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LgIkcoUk.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
160⤵
PID:3524

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
161⤵
PID:2548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
158⤵
- Modifies visibility of file extensions in Explorer
PID:4692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
158⤵
PID:3448

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
158⤵
- UAC bypass
- Modifies registry key
PID:3368

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eegsQcIA.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
158⤵
PID:2236

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
159⤵
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
156⤵
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
156⤵
PID:2772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
156⤵
- UAC bypass
PID:3432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EUYMUUYc.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
156⤵
PID:3440

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
157⤵
PID:2160

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
154⤵
PID:3008

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
154⤵
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
154⤵
- UAC bypass
PID:4164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUkkwwIk.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
154⤵
PID:1540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
155⤵
PID:2888

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
152⤵
- Modifies visibility of file extensions in Explorer
PID:3724

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
152⤵
PID:364

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
152⤵
PID:4040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wYAcYsgA.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
152⤵
PID:376

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
153⤵
PID:5104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
150⤵
- Modifies registry key
PID:1864

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
150⤵
- Modifies registry key
PID:4988

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
150⤵
- UAC bypass
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZaQwMIAo.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
150⤵
PID:408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
151⤵
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
148⤵
- Modifies visibility of file extensions in Explorer
PID:1052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
148⤵
PID:4984

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
148⤵
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGQgYEQc.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
148⤵
PID:3448

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
149⤵
PID:3776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
146⤵
PID:972

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
146⤵
PID:636

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
146⤵
- UAC bypass
- Modifies registry key
PID:4328

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LMMAEQMo.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
146⤵
PID:3724

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
147⤵
PID:8

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
144⤵
- Modifies visibility of file extensions in Explorer
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
144⤵
PID:1820

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
144⤵
- UAC bypass
PID:4032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nekIYsEM.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
144⤵
PID:2512

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
145⤵
PID:4772

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
142⤵
PID:3024

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
142⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
142⤵
PID:1848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uuQAwoIY.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
142⤵
PID:5044

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
143⤵
PID:5088

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
140⤵
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
140⤵
- Modifies registry key
PID:4496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
140⤵
- UAC bypass
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cigEwUEU.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
140⤵
PID:2852

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
141⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
138⤵
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
138⤵
- Modifies registry key
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
138⤵
PID:4784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AsAAgQEI.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
138⤵
PID:396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
139⤵
PID:1060

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
136⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:4924

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
136⤵
PID:1920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
136⤵
- UAC bypass
PID:1304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZyMwIYMs.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
136⤵
PID:3760

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
137⤵
PID:3644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
134⤵
PID:2284

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
134⤵
PID:3756

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
134⤵
- UAC bypass
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAMYkcgE.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
134⤵
PID:1544

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
135⤵
PID:3036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
132⤵
PID:3368

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
132⤵
PID:3432

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
132⤵
- UAC bypass
- Modifies registry key
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PoMIkkcs.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
132⤵
PID:4332

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
133⤵
PID:1052

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
130⤵
- Modifies registry key
PID:4032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
130⤵
PID:2228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
130⤵
- UAC bypass
- Modifies registry key
PID:3144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vqcAYUAQ.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
130⤵
PID:1244

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
131⤵
PID:4616

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
128⤵
PID:1420

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
128⤵
PID:4772

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
128⤵
- UAC bypass
- Modifies registry key
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oqQcccQM.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
128⤵
PID:3736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
129⤵
PID:4428

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
126⤵
- Modifies visibility of file extensions in Explorer
PID:8

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
126⤵
- Modifies registry key
PID:996

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
126⤵
PID:3776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwIgMEME.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
126⤵
PID:5112

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
127⤵
PID:4688

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
124⤵
- Modifies registry key
PID:3440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
124⤵
PID:1092

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
124⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAQUgIgI.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
124⤵
PID:848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
125⤵
PID:3136

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
122⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
122⤵
PID:2700

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
122⤵
PID:2236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jkkkUIME.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
122⤵
PID:1280

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
123⤵
PID:2440

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
120⤵
PID:4132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
120⤵
PID:364

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
120⤵
- UAC bypass
- Modifies registry key
PID:2336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZwkwQAMc.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
120⤵
PID:2816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
121⤵
PID:2592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
118⤵
- Modifies visibility of file extensions in Explorer
PID:4736

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
118⤵
PID:1752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
118⤵
- UAC bypass
PID:4236

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bSYMkEgg.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
118⤵
PID:5092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
119⤵
PID:3776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
116⤵
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
116⤵
PID:2228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
116⤵
PID:1052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pAEEMEQQ.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
116⤵
PID:2548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
117⤵
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
114⤵
PID:3828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
114⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
114⤵
PID:4444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cocMsAEE.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
114⤵
PID:1304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
115⤵
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
112⤵
PID:536

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
112⤵
PID:4056

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
112⤵
PID:2884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CowcsMIU.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
112⤵
PID:4408

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
113⤵
PID:4312

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
110⤵
- Modifies visibility of file extensions in Explorer
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
110⤵
PID:4884

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
110⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qucwcwsE.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
110⤵
PID:2456

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
111⤵
PID:4684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
108⤵
PID:3188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
108⤵
PID:3044

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
108⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BQsQIcco.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
108⤵
PID:3732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
109⤵
PID:2096

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
106⤵
- Modifies visibility of file extensions in Explorer
PID:4452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
106⤵
PID:4132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
106⤵
- UAC bypass
PID:116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nwoggAUU.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
106⤵
PID:1864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
107⤵
PID:3828

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
104⤵
PID:1504

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
104⤵
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
104⤵
- UAC bypass
PID:4588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\veQIMYIg.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
104⤵
PID:3776

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
105⤵
PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
102⤵
- Modifies visibility of file extensions in Explorer
PID:4372

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
102⤵
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
102⤵
PID:5104

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
103⤵
PID:2068

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bqIggIQQ.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
102⤵
PID:3592

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
103⤵
PID:1036

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
100⤵
- Modifies visibility of file extensions in Explorer
PID:1496

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
100⤵
PID:3760

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
100⤵
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WSwUwEwY.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
100⤵
PID:848

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
101⤵
PID:4064

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
98⤵
- Modifies visibility of file extensions in Explorer
PID:4164

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
98⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
98⤵
- UAC bypass
PID:2288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iiwwUssE.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
98⤵
PID:2732

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
99⤵
PID:3432

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
96⤵
- Modifies visibility of file extensions in Explorer
PID:2548

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
96⤵
PID:2068

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
96⤵
PID:4032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ESsIQAAc.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
96⤵
PID:2556

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
97⤵
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
94⤵
PID:3252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
94⤵
PID:4328

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
94⤵
PID:3144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QOMssAkA.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
94⤵
PID:1540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
95⤵
PID:2516

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
92⤵
PID:4996

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
92⤵
- Modifies registry key
PID:3240

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
92⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hwwQoAYM.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
92⤵
PID:1344

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
93⤵
PID:2776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
90⤵
PID:4100

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
90⤵
- Modifies registry key
PID:1008

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
90⤵
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAAkEwYo.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
90⤵
PID:4564

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
91⤵
PID:2640

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
88⤵
PID:4256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
88⤵
PID:332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
88⤵
PID:2588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DckUgYMM.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
88⤵
PID:2548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
89⤵
PID:2352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
86⤵
PID:4132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
86⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
86⤵
PID:4420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iQEkUYgc.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
86⤵
PID:4396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
87⤵
PID:4692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
84⤵
- Modifies visibility of file extensions in Explorer
PID:3352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
84⤵
PID:4308

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
84⤵
PID:1092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wmIkgQoI.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
84⤵
PID:3240

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
85⤵
PID:1072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
82⤵
- Modifies visibility of file extensions in Explorer
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
82⤵
PID:5112

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
82⤵
- UAC bypass
- Modifies registry key
PID:824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UcwMsYAo.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
82⤵
PID:5032

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
83⤵
PID:1848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
80⤵
- Modifies registry key
PID:3012

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
80⤵
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
80⤵
- UAC bypass
PID:5072

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KoMsAIok.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
80⤵
PID:4820

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
81⤵
PID:3592

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
78⤵
PID:4700

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
78⤵
PID:3972

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
78⤵
PID:1512

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkMMMEkk.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
78⤵
PID:4396

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
79⤵
PID:1016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
76⤵
PID:2732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
76⤵
PID:1076

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
76⤵
PID:3216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\huAsUoYk.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
76⤵
PID:1864

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
77⤵
PID:2212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
74⤵
- Modifies registry key
PID:3208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
74⤵
PID:3928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
74⤵
- UAC bypass
- Modifies registry key
PID:1984

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baIsIkEE.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
74⤵
PID:4736

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
75⤵
PID:796

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
72⤵
- Modifies visibility of file extensions in Explorer
PID:2148

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
72⤵
PID:2416

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
72⤵
- UAC bypass
PID:2772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gEkcYgQg.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
72⤵
PID:2516

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
73⤵
PID:2824

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
70⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
70⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
70⤵
- UAC bypass
- Modifies registry key
PID:4428

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
71⤵
PID:1204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kigYUgYA.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
70⤵
PID:4248

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
71⤵
PID:3252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
68⤵
- Modifies visibility of file extensions in Explorer
PID:4476

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
68⤵
PID:4216

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
68⤵
- UAC bypass
PID:332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goYMMYME.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
68⤵
PID:3828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
69⤵
PID:1944

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
66⤵
- Modifies visibility of file extensions in Explorer
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
66⤵
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
66⤵
PID:4736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQMYgsYk.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
66⤵
PID:4304

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
67⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
64⤵
PID:3452

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
64⤵
PID:208

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
64⤵
PID:1344

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HIYsIsYA.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
64⤵
PID:2780

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
65⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
62⤵
PID:5104

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
62⤵
PID:4584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
62⤵
- UAC bypass
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NmAwYAoU.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
62⤵
PID:4572

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
63⤵
PID:2536

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
63⤵
PID:1204

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
60⤵
- Modifies visibility of file extensions in Explorer
PID:2692

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
60⤵
PID:1548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
60⤵
PID:2152

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
61⤵
PID:3264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gCUcMowo.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
60⤵
PID:3828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
61⤵
PID:4324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
58⤵
- Modifies visibility of file extensions in Explorer
PID:5016

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
58⤵
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
58⤵
PID:2284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wisIgUUI.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
58⤵
PID:460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
59⤵
PID:1540

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
59⤵
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
56⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:2556

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
56⤵
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
56⤵
PID:4100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eAosQYYk.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
56⤵
PID:3452

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
57⤵
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
54⤵
- Modifies visibility of file extensions in Explorer
PID:2588

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
54⤵
PID:3264

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
55⤵
PID:3424

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
54⤵
PID:2860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GOIAYkcI.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
54⤵
PID:972

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
55⤵
PID:212

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
52⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
52⤵
PID:4724

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
52⤵
- UAC bypass
PID:464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NWswQEYk.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
52⤵
PID:2416

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
53⤵
PID:4132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
50⤵
- Modifies visibility of file extensions in Explorer
PID:2236

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
50⤵
PID:1604

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
50⤵
PID:2536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RoYIYAQI.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
50⤵
PID:4424

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
51⤵
PID:2364

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
48⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
48⤵
PID:212

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
48⤵
PID:3440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmQUIswY.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
48⤵
PID:4688

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
49⤵
PID:2044

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
46⤵
- Modifies visibility of file extensions in Explorer
PID:4256

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
46⤵
- Modifies registry key
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
46⤵
PID:460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tcsQMUMA.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
46⤵
PID:4612

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
47⤵
PID:2272

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
44⤵
- Modifies visibility of file extensions in Explorer
PID:3460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
44⤵
PID:4776

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
44⤵
- UAC bypass
PID:4700

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
45⤵
PID:3036

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CSgcMYIA.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
44⤵
PID:4016

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
45⤵
PID:3352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
42⤵
- Modifies visibility of file extensions in Explorer
PID:5092

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
42⤵
PID:4824

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
42⤵
PID:1920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcEwIQQg.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
42⤵
PID:4888

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
43⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
40⤵
PID:3188

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
40⤵
PID:3244

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
40⤵
- Modifies registry key
PID:2852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KuUEAAYM.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
40⤵
PID:3644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
41⤵
PID:2220

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
38⤵
- Modifies visibility of file extensions in Explorer
PID:4480

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
38⤵
PID:5116

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
38⤵
- UAC bypass
PID:4040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cGwcIokk.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
38⤵
PID:5036

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
39⤵
PID:3252

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
36⤵
PID:964

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
36⤵
- Modifies registry key
PID:696

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
36⤵
PID:2400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xqQUAkAc.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
36⤵
PID:3468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
37⤵
PID:1824

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
37⤵
PID:464

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
34⤵
- Modifies visibility of file extensions in Explorer
PID:4848

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
34⤵
PID:1304

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
34⤵
- UAC bypass
- Modifies registry key
PID:4632

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkkUcEcg.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
34⤵
PID:5092

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
35⤵
PID:1920

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
35⤵
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
32⤵
- Modifies visibility of file extensions in Explorer
PID:1280

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
32⤵
PID:1344

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
32⤵
- Modifies registry key
PID:4584

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XQwIkEYI.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
32⤵
PID:3828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
33⤵
PID:5072

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
30⤵
- Modifies visibility of file extensions in Explorer
PID:2304

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
30⤵
PID:4148

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
30⤵
- UAC bypass
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VsscQcko.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
30⤵
PID:4500

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
31⤵
PID:1544

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
28⤵
- Modifies visibility of file extensions in Explorer
PID:4132

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
28⤵
PID:536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
28⤵
- UAC bypass
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAUoEgUo.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
28⤵
PID:1784

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
29⤵
PID:3776

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
26⤵
- Modifies visibility of file extensions in Explorer
PID:4568

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
26⤵
PID:2596

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
26⤵
- Modifies registry key
PID:1056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yUYwkocE.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
26⤵
PID:4548

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
27⤵
PID:4712

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
24⤵
PID:3460

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
24⤵
PID:220

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
24⤵
- UAC bypass
PID:4480

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SSAkUkcY.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
24⤵
PID:4508

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
25⤵
PID:2144

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
22⤵
- Modifies visibility of file extensions in Explorer
PID:2540

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
22⤵
PID:2860

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
22⤵
PID:2304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ImkEwEEA.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
22⤵
PID:5080

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
23⤵
PID:3408

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
20⤵
- Modifies registry key
PID:8

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
20⤵
PID:3920

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
20⤵
- UAC bypass
- Modifies registry key
PID:4132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LkQYQsMY.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
20⤵
PID:4328

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
21⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
18⤵
- Modifies visibility of file extensions in Explorer
PID:4324

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
18⤵
PID:4548

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
18⤵
PID:2352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCsQAIYI.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
18⤵
PID:3320

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
19⤵
PID:2732

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
16⤵
- Modifies registry key
PID:4684

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
16⤵
PID:4352

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
16⤵
- Modifies registry key
PID:2516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xwskwkgg.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
16⤵
PID:3644

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
17⤵
PID:2172

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
14⤵
- Modifies visibility of file extensions in Explorer
PID:3296

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
14⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
14⤵
- UAC bypass
PID:3248

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCIcIosY.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
14⤵
PID:1436

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
15⤵
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
12⤵
- Modifies registry key
PID:2644

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
12⤵
PID:2404

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
12⤵
PID:2904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ssIcEUUQ.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
12⤵
PID:5116

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
13⤵
PID:4580

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
10⤵
- Modifies visibility of file extensions in Explorer
- Modifies registry key
PID:3352

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
10⤵
PID:2260

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
10⤵
PID:4144

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sWQYAwMw.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
10⤵
PID:4316

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
11⤵
PID:4472

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
8⤵
PID:3032

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
8⤵
PID:332

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
8⤵
- UAC bypass
PID:3008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WWggQgAE.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
8⤵
PID:4092

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
9⤵
PID:216

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
6⤵
PID:1620

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
6⤵
- Modifies registry key
PID:1228

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
6⤵
PID:3592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AYMAAQYY.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
6⤵
PID:3828

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
7⤵
PID:4572

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
4⤵
- Modifies visibility of file extensions in Explorer
PID:3124

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
4⤵
PID:4132

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
4⤵
PID:1420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HuIcoIkY.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
5⤵
PID:1784

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
2⤵
PID:2852

C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
2⤵
- Modifies registry key
PID:620

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
2⤵
- UAC bypass
PID:2732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgkYEsIo.bat" "C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:5088

C:\Windows\SysWOW64\cscript.exe
cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
3⤵
PID:2644

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe
Filesize
236KB

MD5
9fb20627de8f611d34a6845510307359

SHA1
09284b34a2bc72aa29944ad61c7c668ca9997606

SHA256
ec1a2b6d5135909061a99fd26d2f1c97e05c726939636141f2e5cac4a41e6e32

SHA512
9891d42a88bf39c474dcb7b0c09e93b5289e2a716301889b76db15cd9cfa013861e2a36d50a9c82a1fe7a97fbfcb80b291d3643aee4982cc8565beb7dc366174

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe
Filesize
639KB

MD5
40ac653056a5a60b1c8a6501f57be5c1

SHA1
dbcbfbb58bf55774d234e9548f75f8f4a63c49c4

SHA256
41f5de101cae6e36e01225898d289b137d22324d5fb259bb88451f82b118094b

SHA512
223eb876dcb0fb157a13113dc9cc6de7b70d358133622abf76f17f1f740c498b4800168c1d56a650cc91e583a1f44620abaf2f997a7b18f614ea8108d71979b6

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize
815KB

MD5
94f8d6d8527c0f149e0fd43a8a408bdb

SHA1
7255b4d740197fa632c40956ea3660cb9669a3f5

SHA256
ea2894ca9546915ecf5456cbac1199b676b4a99e9f80c69ae3b6461c84156a5c

SHA512
2c46c119e098298be6e870f8a9451cbb3fb3bbbdf0cdf467639d24965d5d96a4d93bce2f30ea04f836544c74551baeba276957ee817dda990d75ad24170a6e68

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
Filesize
637KB

MD5
8f8764478751426e433dcd2ae9ba6b2e

SHA1
a8fb62b3c57a57c227ebe1ab42d2169fc303473f

SHA256
1fd7e031a5f7894128f4c4993b175ddf5a251e46bd64f6086152241adceafbf4

SHA512
db3b0a83e3b7dd35bb5a11acc5cd5ce887f8d2bbd29be9cc4e9ed3218c1534ab888ccc220c31df085d0c35f937b5a39ef52727f8bfc8751ef49848264ffbe0ba

Download Submit
C:\ProgramData\pkkEQMMI\UMEwkUQU.exe
Filesize
197KB

MD5
14781a11009e20931dd639a412bf16b1

SHA1
52193b1a1b53144840b6f1f90d8a0c07b125f7f8

SHA256
8caef43d6eec2cbae630a35857fe6f5fa45d2f4d3046004c2b82a575a2757582

SHA512
2e78532aa624670766c44236840e33b8cc9d5f417af242bd8c43dfc370a4e09c8bfcc6555f5ae7cdefd4cb3fe0d0bdfd71be1a7a8c00cba8d0eb4d351f7ac5ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.exe
Filesize
258KB

MD5
13ea52333645d0bb1c7ef44ab86c43e6

SHA1
6a8ae4b39f52283b5145222a6814880f2b3ed9a0

SHA256
2aac95208115bf76f50885938fe7e78a60bdfe226c3fe13b48785e059b30ddef

SHA512
7dbe8c27c4e185083f1a9404003cc8b6cc9f7ee1324fecd3764d18af88e91c5fa113102b41b0ec626d2eb5f6968bff9cbaf6f6db8667ae6e22df2e9642bfee90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png.exe
Filesize
196KB

MD5
205e1ef9a40c92997d932ba795c483e5

SHA1
d2b8f07976d70dda4305b9ef816b55dfc30d3b3e

SHA256
6a022edc29cedd9bbfdb95b3135a1d1a29c66c458bfddc59eb892d96380000ed

SHA512
d3864febb17217919a07e72c56e7e8225b4ad7e92daa09431c02cd3e84bdc2a7a29a65261fad787bce8bb26445c4ad9de14ab15d51ae35d19ccd093c07dba58b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.exe
Filesize
189KB

MD5
3f3a983c741b6a6e80ac2802fa43c5ca

SHA1
95f7bef305e8b8ae7593528381c10bf2ae3e0942

SHA256
1c1b17483cd1f7e2ef68e0949875d57ec888d93d59cfd43a88477974da6ce92e

SHA512
7587bae8fa67ef31987d8905dae4a56c778762df68fd6a959598158b9b1bf3edeec86e5f3d83a388e9e276031b45a736bf0321017adbff76252e42c44bfe7077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.exe
Filesize
185KB

MD5
0e407da59494d44de1382d82a68262fb

SHA1
927ee033e0a0a07f855f9ca0f67113dc4b319331

SHA256
be0592dfd68565c7acfc6c4c2902fb8840e5b39dcde99410a1f40a0a95a30e72

SHA512
0aabb4235da6772abf7e19b618744d48701f17ddbf524f5650f7d7bfb7aee74043839b653fef678cbbb682e7c6c6491a30bf94085a2b0807004cce87dd425638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.exe
Filesize
193KB

MD5
0824343e8a9e2b11cb6798ea90f2f7c7

SHA1
db945bab45f6d96c55bc64c2edece58958b1de61

SHA256
d07d6049c32397e47f5a930e975ba114a3d01b2dd8ec172dad83070c625e25f5

SHA512
713779eeb32e78d05f7cde24069787910d068a24a71f3562a552fb17ab6829eb5431467488260ea64f894faff887e660e4b88c6f19dea791f361ad52485b5f73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.exe
Filesize
191KB

MD5
449477b640687adf8ac002d19fa20d98

SHA1
641197c918bf46f028ad0f78a8bad0e8fcce77e3

SHA256
971acec5ededf1d7c6696e8735d9b73164a267b23ff253949401050ba115af62

SHA512
dabcb5fe53dc136a7b7f5bc28c58313f5b61f9334c918972cfe59844bb0995d7c715a0a8250f2da19a47ad9c00a1e934ac8299ba2a273d40005ba2f6071ac5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\60e52e5583a2290d74f0eeb48d2fe6a0_NeikiAnalytics
Filesize
6KB

MD5
8f18da9b77fc5cce760d1a87fa25a27a

SHA1
b473bce215c48d30276149b08576a8991e3750d5

SHA256
e2baa4c727ae4ae988ac1b38384cf043e2ac3a67767b37a6049e99fe2d1dfea2

SHA512
134e1b1e7da0f3e1fa217ea51ba47049b28408595ed64167f05a86e2e1b0cccd9c7d616255611ab50ec3848c8ce1982fdcc4dfcf4fd13d9ae436a906874caa96

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEso.exe
Filesize
210KB

MD5
ff2fe305781d486d1174a2676a21d19d

SHA1
201e0bdc350f2d214fec95077b643d39bca941a7

SHA256
003c7bfa3062241ffba7e9e9e7fe50832bf9e7bd64d913f141e4a41602d79f86

SHA512
65e2d4ffa2295a3690c1e1389010bc5cd7943a0be5824a4d7c003efaba8bf0a41eb562baf6d42c1b1c4cdbd0ea8729c003cf0ee65deadfb975fa3478d0561fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIsm.exe
Filesize
244KB

MD5
2d2a15a18a90a3e1dbf8421feaa9111c

SHA1
710acdf52ac5fab0334f842f3625be6244a36bb9

SHA256
58c68a549c1b1b4f70bbaaf7993138cb1dfd8a5e9e0ced2523a6baa9a0387d05

SHA512
329c9f87cbce2ecb769d7febba3fe6be7d363e894f4456e49b6d072edfddb07ccc76cf74582104fcbd1b2fd950d2f88379453615a9386e5cc94b7629680a1088

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMIk.exe
Filesize
189KB

MD5
f3b2566cc7f1eb7a05000f2c476d621e

SHA1
6242a10f98319f16daec740974ca592859932a78

SHA256
8a3be6320cdec6b200f8b7c939609a5c7120f4fa1e07098ccfbf706a338afc81

SHA512
30d559b392db65d1bb82fbcfdf09cd15a4e3a85303beb8c47e22148ade5bb5510c13edf530fa9ff74c991819ca9e8c99b3e664e4f75d020d38f0356637684895

Download Submit
C:\Users\Admin\AppData\Local\Temp\AcUq.exe
Filesize
202KB

MD5
00b96489bd3a14fe9a9b302fdbe5e1b9

SHA1
0fd7727ec0621f64be73cb8875d10aae67610de5

SHA256
0e73842011f4a0644344cd80cd0de3369456323d92f302c476578047d8860656

SHA512
b7690e5033b41cd3bf9c47166aa47010186639d1187e2e29d7cb4502fd612eab0eaeab868a6bbd274fd906acf7973bdccd9921170c1cc5e30ec92b0a50d8f54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgAe.exe
Filesize
206KB

MD5
f0e33105957eeba21ea4e0efc54bfc58

SHA1
cda7cddb374a5c79d82225aca6fc739b2521af1d

SHA256
8ef83c73b74e5d2e8fdc3cbab072b52bf688382cd819173284d5c065f744bf24

SHA512
13d947e64bbadb4529509a467d28067fb14622ecb5561066897511172d1068ad32ee211dce4ca0befbeaa7a288f2e01800f172c5d2fb082f52c6bf7bb9963dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkMi.exe
Filesize
237KB

MD5
ed601c946a39edaeef0a9d504309b0c5

SHA1
14c75a3b4ab8633de29c2239d3632e46185c297c

SHA256
95d8288eecab289f68e7979f0b09f1d571285002f52a77749fc9fa07210ee1fe

SHA512
33c82d03175a6ba8a239f71b2c2311a94c1969190caaf59a61427d1363580d203d33026bdb45042f5ba567bc68cfded254690b84929d49131ea3c739be5addb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkYe.exe
Filesize
193KB

MD5
12f9b365d259d299297831e9c4846e25

SHA1
bce2c6cb4e62df7e304cca2c35fad32ea6bb7a2e

SHA256
8efc6726b2995ee9ffc5eac1aa82098289c83a3473ea3835be139093046364d7

SHA512
9d3f0527354c2b65b09b9effe1374f83319ac3a37bc6a5663f82f1b4912ae265dd1330cd22b87d1c858666848792e09d53ef3e72289704d7b901750a35091878

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoQC.exe
Filesize
5.9MB

MD5
ba7fee7c1203c01c2e72bdfca2ac0556

SHA1
4cc644d19f113a34dce1b2535aa5225bc8f077f2

SHA256
21e007c9f0e5ff7387305a1fc0da7fc2b3da6db62e57d1847847abad791974c0

SHA512
00323c893ed5c7c5b49e7e020215e9b7e82d7c758c9fceab530602e9c04bb4e803efa278107e500a9dd3d8f4489b4c4e2894b98c621651449463996e3bc8df1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYUQ.exe
Filesize
198KB

MD5
af9bac653acde5f6549cf16331d7af9f

SHA1
bda33d3b9e470149f9343a83393d862431b42567

SHA256
8e57e4c50607d07547cab5f367a22b920063a300c5f4067b54a987935749cbb4

SHA512
9e5a90100fc45ace969d41df31cda9e5b2bed65ece798722d4133788610ccbadf574c9492d2f4d5e575882efbcd366fed80220a609c7de979c709adbc70d421a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgoC.exe
Filesize
226KB

MD5
2b86a7041de61ef208d9c19ea1a90bc1

SHA1
a5b2d398dc97fcb8ff4f54241b19a2825d9f8114

SHA256
6df93d368e09fab4f7456c591a890807b0517a4717c16a6127cf575c304fd9a8

SHA512
45f86a565abf5da344c70d52e835d33a464b7fa3d88702531238cc823d84db7a67d2903564b22ea3fe79230c4428f35f5b83c7983a26b49713c7d011b1e450f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EkwI.exe
Filesize
207KB

MD5
91ff60208b9abfa9400f420128892fb5

SHA1
f78aa8b12d6fbfe7f1b1f94f7a81521c3932af34

SHA256
0c1265d66941a5b0d050071d9af5f18dd73769c7d89c092c85fdb4b569d19c83

SHA512
ddd0a5a335fef992718523643e47d537079b92ff33eaaf9bbdab9dd246e52d5be9f17c07765dd5579a80fbfa8e4ae2e24bd70eecccb6d22c08369e75b77a7c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEoe.exe
Filesize
203KB

MD5
c4a1cb9f35cc71d9bbd9453426b358aa

SHA1
ab0dc2ec407af6d0fb05f05de4a087082f2a66eb

SHA256
ef17c4a1ff65d72400a77dd21ce59ccbab0968998c05a43bc7c93f96fa715554

SHA512
2f85926d8d4e2d6615c0b08d87439ff41e68f26bec2165c9ea84c199a583590f72431415de3dae170e2b81034b13e81c70177fa0cd7cb228c9a1ed128f207183

Download Submit
C:\Users\Admin\AppData\Local\Temp\GIoW.exe
Filesize
211KB

MD5
f511d3a5c40007c2cf4d25686e2610db

SHA1
7243b9c16db8303770bfc7247a412ef89371588a

SHA256
7065fa8e797ef34a2c55293ccf734cfc1b542aebb2058ca7e148707bb0115455

SHA512
8fe487786fa3ab56bf37cf59d4aea1eca6c8ce136bdeba4cc2f2cd879e29ca44dd54b3c21d479462ccd925cebff71ea38e9d17a23775ccfe0c7e93fdd7abc38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMse.exe
Filesize
204KB

MD5
5753caebec7418e63aa8eed2247ed31e

SHA1
bf08eba6e9b96ed1de3ee4a3d820de6e7ce3763e

SHA256
de09d21110666ce776a992674ca398a5ddd233047578387a52f30189109afd92

SHA512
63860a257da26f4affda50bd474629164f0db9d9f2444893897d61eb40bb9a483a7c7611c43f937fe87df7e3802e7aa9a7bb779ed8cc5fa16bceaaede3d63e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\GwYU.exe
Filesize
191KB

MD5
e50aa5f74dcc4da6d68f5dec43625f25

SHA1
51b9f83fec843b08a36bee49b99a26af0bdd21a9

SHA256
748baba6552be26a10993718497141a8690ee75545df5598f63785ff86464d72

SHA512
c729fd2ed9357ac40185f03009cf28bcd5b3aa6be4884af778c0167c94e0019c44bb6f7d5f4df280425964e67b5000a43c0ccced69d4652c8ca66a843fba9cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAsw.exe
Filesize
563KB

MD5
c23b8327f2b417c430b538cf271c672a

SHA1
e8870dcb494ec0bf1f8501f02495f7af471f39ca

SHA256
5e3d8be34829699c4f089daf100e72d68c35424d4c387940c0e0f1f37f6aec09

SHA512
5e9a5b6f60a8ff3f4939f540da1674e41e8cc24098e96350b3b0dc49ceacff02d1d203f35d6bf091cd289e82f5d085da7d44f66c133bf2cebadf027c215db923

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEUE.exe
Filesize
198KB

MD5
1bbf3eef477df48a3f829672510ebbd8

SHA1
b2cb9770dcfe0bd0f8f7087f4d4378b0e25a8461

SHA256
e454010e313401bbaa7887a781f8d1d16a492be9bd8b8246afc068d020a5ab11

SHA512
76d84729c3ceb33ef8fcdf9e187af68c3d4c056fe22b70fcd0f9b4c5cd9e01d12ac54320f5db5eee4a5862486a64a9362a9fe665b08561cef898420b8bc486ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIsW.exe
Filesize
203KB

MD5
e64e511089733047de99fd3d393f1a92

SHA1
e96e5ee8d60605f01a1f2a9d25e4ac9a920e9ca8

SHA256
3055a25d48c2425dca5615d221805a648992406a6d7bc86ea0392a02968b3fd2

SHA512
ef56e5a61a346b734ca7e5f314eee65ba81cb9035e5fbf10cb3224b3e7391ef39f93a433c8c7743e061ec22fe8f92fede0ea09e5f53d1e849db8d823d0abbfaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQQi.exe
Filesize
198KB

MD5
73b7a97fcbc400a97f54910b4d4909c4

SHA1
095eeb099403aed01687618d1f61df6b46d7d76b

SHA256
90af006decc6ad8d9419d3779f0a5e595292215a9e25d269637ed5e86960b87e

SHA512
321d122bac6617d3fd426104c12eff7f4d61c80eb350c1c9feebf5e03a5fa41a22dc2a750b389c9372281233c379c07fbac93d272b1af0e0ace2633550e2daa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQgQ.exe
Filesize
197KB

MD5
27760acae0a223a6f4ea5898fa352e7c

SHA1
3fdd5dbc32573766dab8fb66e81a62e48c0437f0

SHA256
0e1b77efcf90e2accd51b0fbaacfd86b4288051ed4083ad618f705851a17bbef

SHA512
30a7def9b489072766472bd6c1acb882cff3a17c37413a9ef71c40b6b8587f608c55e62a925128cf3af8318e6166c85cd557553ce55b1a86712f55053aa1302f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgQc.exe
Filesize
209KB

MD5
6ba5bfd2d00e23028f545dc3453849e7

SHA1
b41be77debbe78af67755cf1b66234fcf95be7d3

SHA256
264ea867b851e3a34f5302ad2bf7987ade8f55053fe1b778201056babd45234f

SHA512
ed0102303b963210026d5e96520149e7bfaedf01fc6d37e139d8791c425bbfdae45daadb982276dbcad3064600a079320840bf89b5df01012a6f94263a703763

Download Submit
C:\Users\Admin\AppData\Local\Temp\KkAa.exe
Filesize
636KB

MD5
e95ac02f919b773144ae77a341907319

SHA1
46f01e370ad7c10b9b345b9c65d9443ef36e8ab5

SHA256
78b0c8a156cd1477828bc13ffae548bf9f18944a3f941ef9ddeaefe531bc29f9

SHA512
703de828deb03cb7e0dc927c8d82567e6e473a8a841552b78567c4490960d002488f6739547eb672b56f6aeb7cc409d93524236346e562ea82c89ea54a054bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mcos.exe
Filesize
186KB

MD5
19349a31ca029e09d3ec8751d7b051a1

SHA1
bd55c8f41f894f299c11916d73a66cd0f4b77174

SHA256
b24d0904b226b1ea068445fca54986f38b9ae5cda177bbebf328479c9b833610

SHA512
8361487753e0f4313eb95fcbdc3698c18bdd140e0bee03a19626721a539aceb51d4243ce263af1ad44b4dc5e31f695363eea75828dbb50682fc34f6a6169df1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkIs.exe
Filesize
793KB

MD5
762d28497704b6c2f425b77f7a04be59

SHA1
f6b855e4d908966bc4b32e800869e6e4e7915d12

SHA256
04c0581de02c601dcd54da9cc9bf703f17b47bd8dfa733dc8006d7808f66f951

SHA512
369fab4232b3f76e45085e455fdabd7885041b08276b713c48c4b64b0866fd97b0d98ec37a158a03322ecdcc388ca91c7401eb2537c6fd131b82a2258fab4773

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsIU.exe
Filesize
224KB

MD5
f9f50b64718d261f858294f5a6ebbe1f

SHA1
6fd3615647fbbf8f07bfbff51e4cbc1e8878accc

SHA256
ca2e5399d39cb1d42bb88956e6683368bfafb03a28b3cb7645e25608186f66fd

SHA512
82d9ab52db8c7ae07972903e269dc4b1c319b63fda048bfd454f454ceb94f4992d603ccf179e548327ed92cc1c89451f36632205c61202ee01e85c886dcbc516

Download Submit
C:\Users\Admin\AppData\Local\Temp\OUoE.exe
Filesize
203KB

MD5
373388aa6136d29feb34007f3f2658a0

SHA1
6e4b97add270d4907177f956bef3c5c219885805

SHA256
603596bf520ffa77658e45c51c1439ce1ce8bf4e8dd1ee3f4ca53c3fcafb6ccb

SHA512
f945d476ae3bfa8134a538ede289c943d1c28061f78f5a4b75991427a644e11481dbcddfcef8e2fcec4b011042e617f50fa6a97c262b4dee58430ac4c0cb7c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYUO.exe
Filesize
1.4MB

MD5
9fe10e1de844c2b7d0be55ecd0604516

SHA1
f16005e58e543897d6137e55f52862324c334029

SHA256
b504b0d0140bff527e12b17c687d128a465505e0e2fca4029c471ce0d6eb39f7

SHA512
cab1a095873447ffb3115b80a07804299e6a76da6ecd6e949b9dc7f8d2de9e46432ed34c163f01221bd01cfb3d33d161f4c9cdcc00a3f8cb3fb460106442938d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OYks.exe
Filesize
191KB

MD5
9384f5f0e320ca6250e525ef0ec3e3d6

SHA1
a5bad680598f864e2244975b729b52f0dc1a6faf

SHA256
b42c3a4e336f0a4a82797f6f909d9bde162b6f6cf0da15daf1c5d2c0b90d97a4

SHA512
76f3d2ab2473207420fcacd0d4cb92f171292f4fb8953ff3ce6607447ff5928a90ca431cdf4d2643e53471afbe1430cda5274e960d40754bf819760f76ce9c95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Okwq.exe
Filesize
1.2MB

MD5
3464269ecd73c1803ad7bfb558041772

SHA1
1f3c4dc7a04424f957815ff6adfc96d3c2b9c442

SHA256
168328ab47cb105ad7836d334c5e56d25dc443b3e33ef6e5d2ab756a2088dafc

SHA512
9618806610028f62ee72336001a68bfc6570c8a87f5e2868081bc3898d8815da6756df46e0c6d52201fc58c64ef193c102dc9edb91fc947f568943650a5d6e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oocg.ico
Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAgc.exe
Filesize
187KB

MD5
a9aa36bcc48b28838a57d5f55d0f5977

SHA1
d607579b3c40122b3af545e267f499fb313d7754

SHA256
d262a365577fc670905ef7715d2a5b6516a769a6e1651cdfea6e70c03d6d397e

SHA512
185074897fb51b579161bfb7d7b4debc388e9235f888b75757128acabb86ed2bf96d491e7a69ef182a30aa4e7904438e7ab221c4231e83538645740b0cd25b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEwM.exe
Filesize
194KB

MD5
ef38c36f925bdfa9fd51287cf11a8e26

SHA1
71852035272ea6763dc4b207b5d8dd18dcd7a32a

SHA256
862554cb8aa52eadd207ff8c9240f81a4eff31d1a5d957dbd4e2a14f31508956

SHA512
185cd123ec6ee2045c390436be4e619b44f4ce32830ecbf51f3be8c9264eda3cd7f1a10855259b42fec4fa39845086b60aabd072544788e8d8e313f9bac35204

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQcK.exe
Filesize
637KB

MD5
4e6fb1d8c75d41683befcecd0c30a2cf

SHA1
d2c6fb099801454b274c18f6015c82a909c9b44c

SHA256
4be4767ab1772f3aff28d9f7ed4239e28a413215b88e345e7ab3066eca609f3a

SHA512
03b6ededf42c6a6e4bccf4b6f2da2d913948ab938009e45f1186e3e2209ff48be0e5918b5eb080d5857dc40155da313f146fa9851760ca17662b5813926f700a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SEEy.exe
Filesize
832KB

MD5
8545b8135c0276b3e12f2ee4f76b0c63

SHA1
2debfa619aca50604106247cfa0eea2cc90908bb

SHA256
c72f34539096d663c6bc47c3a57bfa0094b31c99dd80c1ce4c1e0722ab6571dd

SHA512
b21eba1eeca8fcedd4fa6db168e7d3c5cfb20031df4dfdd264887e0d78f822b93c114bb37f37a6f2aedd9f62fa0220cdcbb3eae357579c884d2782375e3b498c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SYsK.exe
Filesize
194KB

MD5
a1dce6eaa5833f87698dec5427c2f1c4

SHA1
3a21f469f7bce2a591305910d4b220a6ebdb8255

SHA256
57b01657614994289d77cb2dccb1b9359ce4e3f321fec58e8c793cfb35a20c28

SHA512
5c5196d54bc154347455ada5a009bd29538156021b6bec825ebe82bcf00ec372b5bfc785bda30e1f085b2d411fa06fcf809f1a57d21b7d49cc211f315b3645ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\SgYg.exe
Filesize
200KB

MD5
ff7a012109042cfb36d720ff9566c3e9

SHA1
1ffea35774c2a65c6d4bdc20dd4f27fa8a518d1d

SHA256
9104fe0c95a41ef978db95fa1b1e709a5733b9063dac84bec6367d1c907fb1f8

SHA512
fb459bb0a5d7c042d5053b8d5255f2ac57e21262c14feb9d5e0ff49180d41b1a5dd10e29d96c8dc443cf77510104be669fa0cce3527205ece067b1fe47d9f229

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgkO.exe
Filesize
201KB

MD5
3a6470150ea210f7c25cdb19f49eff83

SHA1
577fdd221d52ae7debb8fed1ca6f9648664c42b0

SHA256
ca2bcac6c222096f5cea19e849320410f8091dc7fff52aca19d4160e25810bd1

SHA512
a9e2972c0648e219cc4998764eb7fecef7a77d48ec6a0dfc25ebd7573e29b3ee364a945eccb5c4ebdb3a760f44994527f6646835079936e6cc19585d83097e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UkUk.exe
Filesize
183KB

MD5
452891a25fc14e2cbd0744a7cf089bd9

SHA1
c3af3cd3741dabef03d34a404c652be1cbcdf885

SHA256
c2c20046e2d7ad6d287dc3f16b4f56c9e3a629102c9c2ab19666a47f370353c5

SHA512
a3a0aeef994585c64eddc0b0c3beae9612cb31242aa925b34b098477b6994a27d1d5269ebca9ac38f82e561a405c446ba6d3718ce47059ee306f2c00a696812f

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIgG.exe
Filesize
209KB

MD5
b87e84ad09498f5e1c2507353daad149

SHA1
05d7881d63dacbd4aec91bf7b3056ab029516c7d

SHA256
d131c542be45c09ab603b03a1c9135014b5dfcd0b9a6c60aee8a9a8cbf6c2749

SHA512
fcc9836c17a0672b865d5a5530c05cc4b8bc432ecb1f684a80487b46c952f712bc7c2db0ee2a4e7935295a72762385840e102d3bb00f46f418ebbc9f8f0cd583

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQEu.exe
Filesize
191KB

MD5
e74fac80bb27395662cc068963f7d7db

SHA1
0f257288986f37274a95e7c5dbf0215898badb26

SHA256
86ab68f84d8ff07262f89dbd8207388a66d817f873c5768bf5cd01433eebe8be

SHA512
90d48d2b3ca67ecfc164f6b89d19f57fb307f5a08758dcd5528f25ecf4a85aa83dda4f0aaa72ed3d277a7c7695480c5a8ac9842d1fb065ca8dc9f8c23500aaec

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQgy.exe
Filesize
554KB

MD5
a85471cef8c9aa7d1b9fa67afe69cad0

SHA1
74134cb537422283b3831ee5aa5535ac5bc4a288

SHA256
c144783d27192354e23e558c8fc89a223ce908bcd5ad9621d713d995641e7a33

SHA512
5be7da4ecd20fbf4c7ac15d416fbe80f1ac5be51972e4e3006f7e06dd5f184346d78e1859840b90c4967927403dd205e65e2f3349d9991e7f7fda8580d6b2558

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYkO.exe
Filesize
780KB

MD5
681422eaeb2b25b6ff158c87adc26b15

SHA1
c6450ec377f2933749fcc0c3a997c286edbba826

SHA256
4e52281af31681ef791cf544b6ce67e8ea0007b33239a16776615c7eed491e89

SHA512
d40ef478e767f6ccdf1d3ce0996fa3987dd2f961a9089480f8d1a7e4df7e71fd0b57c5f1ef6622e4c60f0ceab0cb8b467786846be1b0439ecb3cbd384b0f7d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ycsm.exe
Filesize
207KB

MD5
c4392941dc22b46d1d9f996fc16a6b2a

SHA1
121a9b51c1e91ed86757ea65b06dc51c120974e8

SHA256
115d7fe68006b22d404a1036d6bec795cdad7f4ca9567d3c1e6f3eaef683a7e8

SHA512
ea834f87c2bc07a50d89613d974e2262d03da9b2e7cad449ea3b33c78fda7460c917e79128b62b185d851138ff75648ac871f784119c18f7e496df482c836ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcwQ.exe
Filesize
673KB

MD5
171f20f6a1869249c9b5d09bf7e79c23

SHA1
ad6a934fc8e4af3e533d2aa067ebb74b3b3d8c32

SHA256
47d45c2308a4e739dc15d1008e9433cd0e3e6c6377745c596de2d1f0dffcdc71

SHA512
9d1379123f517bdced3126e46924a01e05f7ef77de1a3f765ef45191a77dcc7071dedd51074450a27139687924af6cc0c9b8fb048b2f98bc185549605f6dc57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aAgK.exe
Filesize
205KB

MD5
d39c38e205e3bfe48665dbf2adc894b0

SHA1
c87576ab86af56ceb9d8129c29f6316bbcf4fe61

SHA256
98a56ab64e60d59c20d9657e5f58358475c2b6188863317d58b9812970c7c559

SHA512
784c0ae469312d201c5a8c3a26aa231554af722531210032cf9fd8bbdd91ec2c439857853e14563b158b6804fe972796222045352b80eee3387814c21124a6c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\asUa.exe
Filesize
5.9MB

MD5
cc4674b728c8829ee4a2d9a3efad7153

SHA1
1e93c47975b1790f4e5c4da76eab6b37394e052d

SHA256
46d036107566fb1c42e516de8493e0ac4f5a7de962ca8a96bcbe77ece1b2b84b

SHA512
1a4580ecaf77a75485493943975180864c9f64207f339dad0573202b8a60ebd625250badce50fce7781516fb7868e55bfc38d1722067aec22e8dfce1e6c439ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\cock.exe
Filesize
191KB

MD5
9db254406d08512fe8485b4f8271d615

SHA1
7680e72127fa30144a7fb006c47a3c35f3a1c271

SHA256
4c6e86a695682cbbce32df8383dd97fe370d2f816b67dfc180c200ab6cf34b65

SHA512
c47e57cc5470c04207c942b1f90b276f51a44db0004ebfc8d41e7986302d5bbfb9b32f3e7b848d8762994602f762342ac62eefc26ce807f515190437f859616c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwIW.exe
Filesize
190KB

MD5
c0c348b9549bea451142b1a1c66fe5c1

SHA1
eb388d1e61fa5ec00f2e093f47a6c12d6b3aca1c

SHA256
0893c1afdc7b1202bf873004775c46a29032366506f9c9e818c3d2c59f8bea0d

SHA512
33428331bf4ff3f6717c01f73bfa93b8f27fd4769447d399bd8db2e5e9370c75213608d3023fe72a9c3abd6fbdc1cde85124db63436688b9f8ef8262ad7674b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\esIq.exe
Filesize
210KB

MD5
3c9809a1b7a39fa4ab2966bf5460b860

SHA1
64bd1e8c88752a5b0478bc2ed591d60b95ddad65

SHA256
bba287cc01d07c3851c2cf5950b15299b012d72767861ff310f7f4594ac15f15

SHA512
6d522b9b083ba11e7d37529e768365862c7bfea8c9c66095bb905347a49b93c076ca897bf422d87a9e381b496d7c4bf99bfa1b045e8e95d28508483abfd1e324

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs
Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iUIq.exe
Filesize
194KB

MD5
eea4eee5d66e661bb30794a02401eab8

SHA1
439ee6f3ad03dcf423d8ca356b886c9d43d10116

SHA256
0ba02ca6245db6e34e8b68e35951bdeb5920d510f2046912c6e7e71895c5fc42

SHA512
00c4b399d443cdb8963aa62bde3fccea309fab6333cbeb7f40e11d117455de7d9e8f10570e0af42656cd8b1aee1fb8247f7ef23733f83d8e95a2f629aa35cd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioIa.exe
Filesize
204KB

MD5
1404282643a989e2f00975e3a8f40556

SHA1
ab2d097ca96e44dc41cbc30ebe6a9d1a64834e0e

SHA256
bc57481753469776c0c6bdc855c4046ccd5da488537140ecfbb441596e23ffb0

SHA512
6ff691e1f52d7d1bd75a163d122301dc9e2bf9eb57924310b4a9fd64fdccee51d3eb17279a682e0bf54666c8f2f2efa08e71c3bde1432c8cedbefdb597cd8d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\ioMs.exe
Filesize
308KB

MD5
e5b6aacdf8e9ba33f3b62590409c06f2

SHA1
012bd23493c95dfdf50dbac8cee54c623966e3e0

SHA256
568872a5e87882cd84eeec54d85d31dd9c0a399b82121523ad9a7345fb2a0432

SHA512
84deafb42196fb9a80a8e1cd85c45919577d00e4dae95efadb0d3529b447fa885eb0c72b5808413051f4e539f93b9da2e4c18f20766c6cb74d0eb53cd92550c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\isEE.exe
Filesize
183KB

MD5
63460fc6dddf266352d11880ac3f70b8

SHA1
fee6173269530255f345c69c0b64375500d9f70e

SHA256
49c4bc5b9880fdf8875b303b94d18da6db9897eb812b3d371ce59ef0f53ba9cd

SHA512
5c749ab73f49be595cf8cbad9efc4cac06c74e33c4022d2872054983da280bbe39e0531f2e73199b24611a1a706147cbce3a236fca2e43fff4ee318e42feb765

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMQy.exe
Filesize
205KB

MD5
03acf55f4c76ca76a995e50e51169203

SHA1
0581e74d5cadb9e5a8fdc4c72d257ece1fc872a4

SHA256
098a047569fea8156fd7565b57a254d7887bf8edee3913934a1ba55c4305d445

SHA512
0e22b9be08c1d1e4a7ac69cb7d83149369d86cfb0e62f45648ff68ee1c923d56df38b5b36e74714eba603aaa25836e7b1e7fb0eb06419ffa33434e712bc15759

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUQa.exe
Filesize
195KB

MD5
60d4f91ae71bb2beb6263aa6aaf366d7

SHA1
f194bec92372a9e3615c045e5e093ddcc809e88d

SHA256
64ea82ad56b5dd4c4584d19a87b0c28f7ae4eb1ebcd49fcd3c9ffa5c437b2127

SHA512
1121a856cb9ab1db363eab276cd03060bb2d0f4924701feda70c16a417f70cc91c6d379d5666a119c206fad045454586393b836c756ccb3f32f13990d12655f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kcUY.ico
Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kgMK.exe
Filesize
1.7MB

MD5
32cef6f17e3e0f3995d72668743d7177

SHA1
c56e1a7491a1f01af4c8112cf1f4169c427e12dd

SHA256
890ffb00aa5f0e9211aff1c5a3e5617d002afb8ce39203a538a1add8bc504d18

SHA512
5a7171fa0632a7b9ea7dc0585fb21a2700efecf4ea340de9dc0277cc7ffaf9ab1cf72589c0c0f873bfe959ff0f5eb5a511231c74349889b1bf0dc5831ccad559

Download Submit
C:\Users\Admin\AppData\Local\Temp\lgkYEsIo.bat
Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEMG.exe
Filesize
831KB

MD5
254c8a3f874c5833bb00520163074ab7

SHA1
2839c47e48e08b8c27e00c8c39655e5761d0c423

SHA256
a9b10ce39e90e957ea12d6ac10e668be486587c95675603e30bc9bc53041ff22

SHA512
48db3f8eefca59c25d070ac4ce97330f5f18e9eaad2e24db88e173e1c5a649734888564d2fed258ee19283d86855208d82ba7a8670155ad93dedb97241c915d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIAG.exe
Filesize
199KB

MD5
2b44e74e745548b647cdf7e95ab4482c

SHA1
af81470bad854b35378cd3188c1631638b895d99

SHA256
22c8673f4852547f9b9dd220a5f4a73320cb39b1d7ea1794a3e7d4db4b3fe9b9

SHA512
51c19b92323da0c39955a6735c3d86874d360e325f0cf1833d02e87dee4e12a263a95ae96d075eae3855b9213faa51ba1f977bb74a248f6672ba0362c9bd55c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIUG.exe
Filesize
189KB

MD5
a25476f0f860fb7e9d020e2faec01f67

SHA1
a114b394bf3d37f3f1737210a0f563553daab8a0

SHA256
c055cf2419bdcb9966f14306612d07bb10d3e63ba3e5c01ff49dc646f9903c0e

SHA512
8d41f19ddcfc2b1abfce54c314b95950424fbdac3c93b3f578f7e85353222759eceb27c0fc16a5cf0810868f7eb912e1f3451bc47b7341a8224d97c750f8ba31

Download Submit
C:\Users\Admin\AppData\Local\Temp\mIcA.exe
Filesize
189KB

MD5
955daf0d1c0a5ff267fbc6ad46de9479

SHA1
d1c596f2a5d8888f3fbd45c52de1f69c0631c7dc

SHA256
6771a3e2c83964a2afff30133e3b7adf6ec1c4cb1e9a25d73ebdda05feac6d1c

SHA512
01161edfcea0a21bf7a424f1610084c24b236e06e07b28cc1da1c436ef9f3562ee70970f613b985956e379db0c8a01f8dbcc603038f2cff1d08d6da468ddd6f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQcW.exe
Filesize
776KB

MD5
707e081e73331cbbdbe824a7b582f404

SHA1
ec22444e952335a9221ed47b50f658d53ca1f26d

SHA256
e39812b4b9447f4334e332301ae011f6df151598517bdbefd9a8bdc8130a67da

SHA512
012e9423f80ece8144ee993a266ec53b06949805f55b59a5d80cb385763d690a8dfcfca6b1e4eef2a6ce8db6ca000b8b5a68fb64c564207effabeea102296138

Download Submit
C:\Users\Admin\AppData\Local\Temp\mUsK.exe
Filesize
191KB

MD5
0afaa7492197995d2bf96c62cfa52ad1

SHA1
587ac49adece9e518edcbac4e6b08bf4b630a2f5

SHA256
ae47ac140f6fb7b70a75c12a9d3ec769f1e48d352457b60b99c2141df287708a

SHA512
414cb57adc63340d65e86e6455977b8183e18d0af4b46c57e8cf97b5cfa0093d8ea2a6e3acc80698a9befd5799a69799f4fad78dce3bc6041976addb70c8884c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oAQi.exe
Filesize
185KB

MD5
09025091ac1e55c34618221deb2516c5

SHA1
e045af6321d3be0fa345f909904e0b36959a1e81

SHA256
3b66ae1c6dc43c2b39f3bd751c263ce5cdc9bfa0d2b3cb1754465c30e957850e

SHA512
9fdeb76f19f681b49e77ba1822d244b0d9de71221de1e25f9aec9571bb071f7aebbef6fb99bff2588af58d3ba36f119b7b3880a10b571c0b602582ab7092975a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oUsk.exe
Filesize
789KB

MD5
82296792710a3d5da92babbd03d0c12a

SHA1
d534a57d8e1aef0007bf99682814d165211411e5

SHA256
0124aa429ba7dee5dbac8c1b2ac6a4dced05dfbb41ba17b520cf6d43254425e0

SHA512
757f1c26959a595f30067ec53a95cf742b1d6f44e2264bcdbc4e71bf7f70ccb00ed06061fb4a6bd03244428ff3f6c89b9fc37df5b62c0d0c73cdd3c921f64769

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogMC.exe
Filesize
1.6MB

MD5
7bf95e40dcac80aa1c4c0ec1863c5d82

SHA1
72051173030e28ec21e97042bcfdbc3df8f45b19

SHA256
46f95afe5f82af7831ebc859cc07e0cae83531a47470311d18dd0b348b80291b

SHA512
50969ff7fce1bcb6c8945202119b66644c99ec8f595bfc0aeb770b8f4953ab4a750028fcbc374b44aaff9b8844ea4700266756be78b8fd04e0acbef0152fb0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\okYy.exe
Filesize
205KB

MD5
64b8a4256eedf6751641025a3ad5375d

SHA1
61ee4d8ea7fd3dadbf33a196cd63213182794d33

SHA256
acbfaf740d250b79063e3d634f837bfb421fc1fab5f2cd775f6b917b4b9bd23f

SHA512
0b77280640cdb40fd1e6b133439892b5770c32bd3c2910805666cb7df3715490bf0a18f6ea5c4efdfec22f962f312b394bd7177fc7bcfc048397b71066dbf3ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEMK.exe
Filesize
207KB

MD5
09cba898f8605ea0d08b964c96bf1479

SHA1
54b04388b6b6beff0a8d6c33460dc2dbe3b4695c

SHA256
be8f2a63026e0e7c2feed27810a4b0456c0afdd58309d8b172a8def33a6818b1

SHA512
d2184a95d2b80558fb25cac090e3d15791dac682191e4d40dcc6a40e89ebfa6dd50d0b409c1795df1e1d13ae61d41c2b9a3b0ce17397b7de8d41a6683b1a21cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMMs.exe
Filesize
187KB

MD5
166a30556c92c2efe00c02b5efba5283

SHA1
b9e373fc234840c11666488224d2966cbcb69a50

SHA256
b6901b4aba1a5c84314aa339849aaff7b43d7d9ea1eafea6f17b652c69e077f7

SHA512
d75bdbe5fb8ca99ac066636d6065681d728c763eb31be17d61fcc61095bc242e9a5f59007b82709ee15186ffecd366627e698bf854d550b4bc47257336ee1d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\qMcy.exe
Filesize
592KB

MD5
25c63eb0f734f0ea4ee5b6bb041a3c25

SHA1
72ff17aef29d800b9800599a983bae7419e2b1be

SHA256
0279bf389228306488a085c8aa61b7a33bb7dc85ed3421d4605fa44c8ba78735

SHA512
a44111ca1bdc2e435f17d5db4e967a0f9698ffaf1b3714733472f0ffd4280dc6c23d0fe08ddbbeaf4a9b857ad533b9e2e03b8af03ae6abfe9877b21093057dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qQgi.exe
Filesize
195KB

MD5
caec3137250cb9007bee8e2004b2bd20

SHA1
91c65820c0fb87e73c615cde0676c1fe8e85948c

SHA256
508d9ccd640efc4367012e59e9ef941b3d85a9e73b8d8671f8820061c6064065

SHA512
f02a4a38472a777b2e2b76b448cc749988cfb5082504ac89efeeecc3a0bea88bfadf119a847abd90a39250fa220b7f6fbc76713cf8c9e05e986ee55c70b13cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcUA.ico
Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\qcky.exe
Filesize
306KB

MD5
b1fabb3ec65c65df8dff3339ff2e94f2

SHA1
d94ea59f1d64a1e6e940dc4a4397647f740be50c

SHA256
260001047011226c7e52ce255e72f3421969ec547f664521972505615e76f534

SHA512
4e1dc79bae27ca62817080c59526d3fb2920d46bd199000bc28490842439c47de6a4a3426137c94eb99e19dabcf6b8b6ef22e277a1aee4b4bd520ca58847d65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qoUE.exe
Filesize
218KB

MD5
ebf8569fbf2b3199135f1c21abb7265c

SHA1
ca487c42abee035ce6efe2e31568f6ecd47600a0

SHA256
d26eb28164b7efd5900a43c35c12cbbd56cbe0849364c636dac57371b55c2c46

SHA512
467d675fbe5b7325a62fc237821d95bb35d3ae47fe6786ac73437eb38eb92ce2e6c178c277a1f1cad4225b5de75a06d7c2657851b61d3ec9194bcf5815273761

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwgE.exe
Filesize
194KB

MD5
ba9283fdc0096d177799e1fb2c294f36

SHA1
b9a3b26f1d135a4981cf999dadf4cac2bb4c17f9

SHA256
169481c47dee86b305f19b46a576d8b396858c62e740e0dadacd48de20938616

SHA512
3b74a5b0fa2db73df12c9d1a19326ed0e3e7979cb21f554969a42848902cc31b422a4700970890c451f9a2e58353c22c29c3e33d5a6b12e84e50ee067631f412

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEQk.exe
Filesize
206KB

MD5
8bbc17193a20b5462a37ed33aad36823

SHA1
bcc54bd71b1d255b4e4a8eaf3bbd974687a4ef0d

SHA256
dd3e2cc264fbce85ed9ad5b46ccf63ceea55badd2a34f200d23fa48b3f02fcb1

SHA512
ba316813bda323898327383c6d641fe04616e62aa644366ea0c0d5738da9150027689e2c7725e9bb22c8a231fe168f090a9e5adb1246c807385f79c0f6283afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\sEwo.exe
Filesize
184KB

MD5
1119ddec6e3e297392ae0075bf43efb8

SHA1
7867feb6dbf83be39b6e5d78a4351f9df50d0766

SHA256
fd5a63b69300a051b84e4b76fc61f0174ca523ad18cf629167266a07bfa71c92

SHA512
6d8bc198649b3202e9680b33b319f52ebaece4a5eae65effc5e14bd67137f0ded1b8b866f758c6b95d7bd85bdc34aa0b16cd7ba8db1df505f26c7543d2df2061

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIUE.exe
Filesize
424KB

MD5
067f70c821514b900123a35bd901c441

SHA1
07f020408f12379d43fa7cf25a1f75cd785fe5a9

SHA256
ad141c62ae2e66dc55b2741ff089fb02b5c671a363397308902e817c31b82155

SHA512
65dea09ea500d54bf16c8c41dff41e2d6e89921a89570d938014a0c79009db30e80980918e2dbd3d9fc6049c728251f1312f00030d9615f57523ce5a5fc06c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIUQ.exe
Filesize
328KB

MD5
a646ec2a55f7a799ee2d0c2d0b45c75e

SHA1
3ed518bb64aaf774f3524c4af747297be84e9d09

SHA256
6d4924208ffc17108227fa4ef2a3be18fb2fd0c2b97761d5fd960ef5e345f1ee

SHA512
165a2d759c910fb075c38795cb4566c21d874cafaaf61b38015300ac1d0fc2b3d0d1aa2139ce646e38abe50dc09932b435eec0385aae8a4e228beb72200ab94f

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIsS.exe
Filesize
185KB

MD5
4a123e0c34617e5060547836e434b1d4

SHA1
a09c3ba2eef82f8cacf7fe0ba6190c2eec8d8b34

SHA256
67ba38ee5a93b4e5b0d797b6c6eab22a4c5cade6bbce38cd8b3117df754c677d

SHA512
788d8cfa7a1d110f46a8248705b95755f67ff5df7f59275c0ac825b63da31161be09b1d59ed01200e812930875316e8157ef9361668eeaa534c33c367b54e0f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\scIm.exe
Filesize
230KB

MD5
e59625bde5bc05a8f6a765637693114c

SHA1
9c5d230a2bd77ea9bca630b163fb8970eabb153e

SHA256
15ae921842df6dd8a4ba4e7d2e40538b0b491d5c5c7350a1c853d9b2719badfd

SHA512
ae36e0291de6c310914d42117148d28ff87a914c552a9186073e6c2fe6487751c8d6feb7513273b89f7c3fec5fa8813c77d847c03d3af2e2bb7a657117138595

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIog.exe
Filesize
199KB

MD5
aa65c31f4556580a2f0d2a9aa0148338

SHA1
9c1887c8fa70ad9490f700c2613d201a303e57d4

SHA256
03a0af897cef944b328d71909d44a4182a52f53dfe1d64b0ed5d4ac2f4ed4f52

SHA512
be2f688ef337f5273502373b3865a733b6c64e3830c408477baacf51457fec60949b1c79c7519d025fa2f528c6916f430c9f493307a6eb9fdbba8184882c121f

Download Submit
C:\Users\Admin\AppData\Local\Temp\uIwY.exe
Filesize
1.3MB

MD5
dc3fbb369c6f0484fcece34973eb7436

SHA1
bf8ff8d207e1e7f21d968d5be2ec5a63e2ede552

SHA256
80e921535c3b5dfd0381a512855aa904ebfe7bb28a8204b637b381b75a3a3a7e

SHA512
32cd965715bc33b8460f78957e073e1b0e609ef6a9eebed1d5b7e71798b3b266cb58fa08bcf0d9953fae9281f94705ae64c45eed346f5388398d9fb13c602c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\uQQG.exe
Filesize
778KB

MD5
6426f591b731a1617725f323cc2db431

SHA1
3cccf5017daf5b788af53b68776ea003e6aeaa59

SHA256
f7749a9fb0d780ee40512a07c0c5498a89ef36b4d5a047e8d2924c7b473ca053

SHA512
2be0f37937da7f0edfca462d8dcb4d9daccd2998f50f39cbc72f2bcf8ad305bc2290c7139d8ddab8feca1a4632385e3fe2fb316dd22e3b45a3d37724d22cb2f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ucoA.exe
Filesize
5.9MB

MD5
67f45acd448c550e54681ebc51b0f558

SHA1
5ed24f444de47c058a4c2b85e200e9357c90bb2f

SHA256
5b5711c7447546d4264429381856619d7d143283d9ad6baef003194c7015672d

SHA512
e76eafba1031ee0b35f1e9db19834abcf9dde720b6ccf21d0e82a644c713f960d589cae437de421a0054bde1f06554c9da09550c45f743d85f63b5a408e21d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\wAgk.exe
Filesize
314KB

MD5
ada9cc258f6ce2259c8e69d53c3d5d46

SHA1
c659537eee336d1ef281fa58d217016863b08e38

SHA256
5a910f7f8c52e1a58b7712233e43b5288f8591a8a7983345dcc0d7d03d43e0d4

SHA512
006fe0a3395d41fbe3ca0a1d1f68abe6a61c910225177d7e4ce18a4e892c193d85d84edb3c69fd453bd767c8c17e7319619c3fbfc8b93f4645a63ab134edf4f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMok.exe
Filesize
191KB

MD5
41025c3bc7b8358bf0c6b748eec6e715

SHA1
82fb43e41222c7b8f4564e3b463e110fa56cdc13

SHA256
7d4d587501982119c70f6c81da474eabf83dfad0b1d54789da85b52436cab887

SHA512
ece87024d61fcb031233f8d5442bdac086f41c2a556c24886ac18010fe9d0e838758153f5210f0ba4510bdf393cd94c8ea96693155d07488b88743f03bf4a9aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEcK.exe
Filesize
187KB

MD5
8f618fab3f5cbc6769230c0fed274484

SHA1
84d3bb24ef87c37757ced04983628f9986e56f13

SHA256
7a1697362cb104a996b0a93846944bb245a51066c6a739b03a0e8a153abdb333

SHA512
b96ce3c55fb7b9dd8fe3d09e544da31b4e86c063cc3ad6f9bee3f9e6e1fda3e8fa1318c079aaefdacdcfcaba1d7e36195c006473a5d012faf69941bbce326c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIou.exe
Filesize
198KB

MD5
6c40278279c3e60fe5f8d2163e448858

SHA1
4a507ed4667d8b575ebf36ac3f37471b01172130

SHA256
1e3dce0262490d91a9db343ea7048e59b856256486bf132884899325912025e2

SHA512
a111f5ec966d7bb54d6d4ad52b509bd7c85e58b6f13e9d177afe595212c6c209ac42d08ecd1c95f97d0b3c480e7a613888fb4ef587da37a8a0583207c54f64f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYcm.exe
Filesize
195KB

MD5
a22ec56df1edc826e0c802b39535be31

SHA1
d6ad0e3da750055befa76246dc4df2e76f0cb733

SHA256
3dd6f45fde4596c3f6715698198745fbfa3ada0c5abdabbd71262bf77c25c3f0

SHA512
ce023b001d30f577756c7688959a0717fa22e843600f15a2641085dbddeedea55e875ba08544875fca0955d2c782d127c85d1f790df592a04ec6b6937a1c85b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yYcw.exe
Filesize
647KB

MD5
f0f2f8f300b5906919600fbce76db94b

SHA1
9fdca5827ff5ff0aa9939495ffd43e3754831b99

SHA256
ab3d0818a3013afa80f8f6dbf99fcb1e9eaff62e1f4bd1c75377ef39850a02f6

SHA512
446bb592ac5efd93e2059e03ccfdc9ef994adcab8a423e0c682fd4e0ff83b98b6d24d583ef2f333cb54705d62f0695f6600292a163967e625816373a8f0772d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ycMS.ico
Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykQa.exe
Filesize
200KB

MD5
999f3489bed3a1c026f887ed5f6e640b

SHA1
e8812807106b6e117f35480753d50891f2eace6e

SHA256
9b84973d7f7d91dae57351d07eb84e975cd8989d846bd6defa92238a2da2e0a5

SHA512
641c9ea0df67a18b22820c5e01abcb311effff228022b968fa48912787caab0fc8c442b9bddb0c2deaad652e330fe1373a2ea775325e4a6a4aec0b0827934eb4

Download Submit
C:\Users\Admin\Downloads\ConvertEnter.mpg.exe
Filesize
1.1MB

MD5
dd134e2f994923c45e10ec695d79060f

SHA1
8816fb2c38cf159412993ccc13e5b8944a391cbc

SHA256
65648efb9a9212bca86bcbe2a2cbd57e4967e64b9414ce16717436bfbf5843c1

SHA512
ee4ac052ada95230d2f300f9d48d7a4038d59a3c355752fc6dfb6317736321421e222d57e520c2b1cbd3bd923882ad5bac00812de99e78c5c638bf1c3546521b

Download Submit
C:\Users\Admin\SSUksUcM\jIkooUIU.exe
Filesize
203KB

MD5
e909b596731ac7bdb4e6c6cafe5975df

SHA1
a9ca75e47472e4da3dc962b950bbea61e05d2dd0

SHA256
03faf488e43c76f1aae96dbf66d9f2e2af35a4e8635a07a21c9b78617f759c77

SHA512
5b080338b4f41f4d5893e779b75b7f16f2676e7854fb09eaf64487cb59a8cc40bcc483f5e2c09e5a53f7697cd571f87a7b23bc50ab3d4ee8f9c3b2195b08e19f

Download Submit
memory/332-151-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/332-167-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/428-548-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/816-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/816-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/848-454-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/848-408-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/848-415-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/848-445-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/964-129-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/964-143-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1012-330-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1072-511-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1072-501-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1092-359-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1092-346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1208-425-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1208-417-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1420-444-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1420-302-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1420-435-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1544-321-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1544-309-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1548-217-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1548-201-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1604-368-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1604-378-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1644-205-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1644-193-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1824-192-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1824-177-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1920-163-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1920-181-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2076-285-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2076-155-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2076-276-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2212-540-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2212-525-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2212-463-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2212-473-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2236-340-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2236-326-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2376-421-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2376-436-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2456-510-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2456-520-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2516-254-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2720-43-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2720-57-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2780-298-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2780-313-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2860-281-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2860-293-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3036-227-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3036-242-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3044-356-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3044-367-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3216-502-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3216-487-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3240-231-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3240-216-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3440-253-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3440-265-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3516-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3516-28-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3656-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3656-114-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3740-350-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3740-336-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3920-66-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3920-84-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3964-106-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4036-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4036-34-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4148-387-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4148-379-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4304-474-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4304-482-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4420-538-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4420-549-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4444-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4444-80-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4452-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4452-58-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4580-275-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4616-406-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4628-118-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4736-464-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4736-453-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4820-491-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4836-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4852-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5104-396-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5104-389-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5116-529-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5116-517-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download