18279188cd726f2a26f84008fde5dffceb7627b05f949a0372eb1f784b9f5ae8

Analysis

max time kernel
17s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 20:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Size

1.8MB
MD5

1b57983d2359953f8e59e4e2d5400730
SHA1

321e908f537c88f3af3c86871683b398860d496a
SHA256

18279188cd726f2a26f84008fde5dffceb7627b05f949a0372eb1f784b9f5ae8
SHA512

5eb0b064fd7694659aea03787f3552c3d9be28e006e6af070dbfe52673c2adae505564d1adf60a1e61c9c0f4d9a3e75223dcd31af6bce193c71814a41e887c41
SSDEEP

24576:ShFZs9BHAPScBmNvES3etG9lF1aHNnR0JbmvWg3prbs2oPt2XDM7tFtVFXovg631:KFZHqiQD8R0Jiug39wmMfdoYMswz

Score

7^/10

persistence spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 30 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
Key value queried	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2700-0-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000a000000023b9b-5.dat	upx
behavioral2/memory/3492-72-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1688-157-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2068-158-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3556-185-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3432-186-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5056-187-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4444-188-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3036-190-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3288-189-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2320-192-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5064-191-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2420-194-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2700-193-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3548-196-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3492-195-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1624-198-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1688-197-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3804-200-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2068-199-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3448-205-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4616-204-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4932-203-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3556-202-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4632-208-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5056-209-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3932-207-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3432-206-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3868-210-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1004-213-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3584-212-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4444-211-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4428-216-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4824-217-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5160-220-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5064-218-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2320-219-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3036-215-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3288-214-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5276-222-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3548-223-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5284-224-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2420-221-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1624-225-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3804-227-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5388-228-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5348-226-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3448-231-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5440-232-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4616-230-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3932-235-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4632-236-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5592-244-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5600-245-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5552-239-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5656-251-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5632-248-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5648-250-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5664-249-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1004-247-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3584-246-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5532-238-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5584-243-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mssrv32 = "C:\\Windows\\mssrv.exe"	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File opened (read-only)	\??\L:	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File opened (read-only)	\??\T:	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File opened (read-only)	\??\A:	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File opened (read-only)	\??\K:	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File opened (read-only)	\??\M:	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File opened (read-only)	\??\V:	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File opened (read-only)	\??\W:	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File opened (read-only)	\??\Y:	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File opened (read-only)	\??\B:	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File opened (read-only)	\??\P:	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File opened (read-only)	\??\Q:	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File opened (read-only)	\??\S:	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File opened (read-only)	\??\X:	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File opened (read-only)	\??\J:	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File opened (read-only)	\??\H:	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File opened (read-only)	\??\I:	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File opened (read-only)	\??\N:	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File opened (read-only)	\??\O:	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File opened (read-only)	\??\R:	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File opened (read-only)	\??\U:	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File opened (read-only)	\??\Z:	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File opened (read-only)	\??\E:	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\japanese nude trambling hidden redhair .mpeg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\SysWOW64\FxsTmp\lesbian sleeping cock .rar.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\System32\LogFiles\Fax\Incoming\japanese kicking fucking licking swallow .zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\sperm lesbian feet swallow .mpg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\SysWOW64\IME\SHARED\beast several models .zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\tyrkish handjob trambling public young .avi.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\SysWOW64\config\systemprofile\fucking full movie hole .avi.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\fucking [milf] (Sylvia).mpeg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\SysWOW64\config\systemprofile\gay public .mpg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\SysWOW64\FxsTmp\horse big .mpg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\swedish cumshot sperm big .mpeg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\SysWOW64\IME\SHARED\beast [milf] hole .avi.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\bukkake voyeur beautyfull .zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\hardcore hidden cock .zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Program Files\Microsoft Office\Updates\Download\danish horse fucking [milf] beautyfull (Christine,Curtney).mpg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\american animal fucking [milf] mistress .mpg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\lesbian big beautyfull .zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\italian handjob xxx masturbation (Curtney).avi.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Program Files\Common Files\microsoft shared\trambling public glans hairy .zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Program Files\dotnet\shared\japanese porn xxx public redhair .mpg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Program Files\Microsoft Office\root\Templates\brasilian cumshot bukkake [milf] (Liz).mpeg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\italian cum lingerie licking hole .zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\italian fetish horse voyeur traffic .avi.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Program Files (x86)\Google\Temp\tyrkish kicking xxx lesbian titts .mpeg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Program Files (x86)\Google\Update\Download\blowjob several models cock sm (Jade).rar.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\horse hot (!) hole .rar.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\blowjob uncut titts .mpg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\blowjob uncut hole femdom (Karin).mpeg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\swedish cumshot gay uncut blondie .zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\cumshot hardcore [bangbus] cock 50+ (Karin).mpg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_es-es_bf79b5fcc06b3128\fucking [free] cock Ôï .rar.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor\russian animal xxx licking .rar.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\view\templates\blowjob big fishy .zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_5b152a8d329397ec\action horse public girly .mpg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.GroupPolicy.AdmTmplEditor.Resources\horse [free] blondie .mpg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\animal lingerie girls .mpg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_1bbb9ab9fc52bac9\gang bang bukkake [milf] glans mistress .zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_adfc5e0bfca53431\horse blowjob [free] sweet .mpeg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\spanish fucking uncut .zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.1_none_f42978969c79336a\porn xxx public castration .zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\gay [milf] redhair .mpeg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\fucking masturbation black hairunshaved .rar.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\brasilian animal gay licking femdom .mpeg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_30d7585a049f5b52\chinese lesbian several models .mpg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-devdispitemprovider_31bf3856ad364e35_10.0.19041.867_none_c29826784f9429f8\british lesbian public .zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.1_none_a7ad1894592cfa12\danish gang bang lingerie [bangbus] cock (Christine,Sarah).mpeg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..olicy-admin-admtmpl_31bf3856ad364e35_10.0.19041.572_none_cf90e12518baac85\norwegian blowjob hot (!) .avi.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_14c898cc82025c76\japanese cum hardcore [free] titts .avi.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\swedish porn bukkake hidden (Karin).avi.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\InputMethod\SHARED\indian cum blowjob big bondage .zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\american handjob xxx full movie boots .rar.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..s-ime-eashared-ihds_31bf3856ad364e35_10.0.19041.1_none_e8996b7d3512363f\brasilian cum xxx public mature .mpeg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\trambling licking feet latex .avi.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\german gay voyeur (Sylvia).avi.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_cb389cf57d74d691\canadian xxx public hole hotel .zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_ee7ea14f7d8a3ee3\american porn trambling masturbation hairy .zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\security\templates\sperm [free] .rar.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\french bukkake public circumcision .mpg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.928_none_33e0d5558cdd7c61\spanish gay girls shoes .mpg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.1_none_a80cea873b2a6772\chinese fucking sleeping sm .zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..se-shared-datafiles_31bf3856ad364e35_10.0.19041.1_none_2f5f00d280dce9f6\swedish horse horse full movie .mpg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1_none_0b596e2a33be7d4c\asian fucking sleeping titts shoes .mpg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_89c0bf1761110f07\spanish beast [bangbus] (Tatjana).rar.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\assembly\temp\blowjob hidden swallow .zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\bukkake several models hole granny .avi.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1_none_3cfd44d351b1a8ab\german trambling hidden (Sarah).zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_en-us_5af076e0a3cb0fa7\sperm catfight cock .rar.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_5abbd3c4a3f2014c\tyrkish nude lingerie [bangbus] .zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_fd7349c396c417ae\action lesbian sleeping bedroom .zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\SoftwareDistribution\Download\indian fetish trambling hot (!) shoes .mpeg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\cumshot gay [bangbus] glans ejaculation (Sarah).mpg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_62312bfbb33d478a\spanish lingerie voyeur blondie (Anniston,Melissa).mpeg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p..al-securitytemplate_31bf3856ad364e35_10.0.19041.1_none_a3d9a07cf2290837\russian cumshot trambling lesbian sweet .avi.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\bukkake [free] leather .mpeg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.867_en-us_49453482f1fb5356\russian kicking blowjob sleeping bedroom (Sandy,Samantha).rar.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\asian xxx [free] 50+ (Sonja,Jade).mpeg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm_31bf3856ad364e35_10.0.19041.1_none_ae957c4c35a7bf73\japanese porn bukkake sleeping titts gorgeoushorny (Tatjana).avi.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\japanese beastiality lesbian [bangbus] .mpeg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\canadian horse catfight .avi.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-p2p-pnrp-adm.resources_31bf3856ad364e35_10.0.19041.1_es-es_e5c3ad79c4e34ebb\norwegian gay big cock .mpg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_5fdc43acc1be690d\hardcore masturbation swallow (Gina,Karin).zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-a..gement-uevtemplates_31bf3856ad364e35_10.0.19041.1_none_0d66b54875835a49\handjob trambling uncut pregnant .zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\malaysia gay several models hole .mpeg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\swedish kicking beast uncut glans .mpg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\Downloaded Program Files\sperm public titts .mpeg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Templates\japanese cum hardcore sleeping young .zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\malaysia lingerie hot (!) wifey .mpeg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_2fe79eae2833b9b1\spanish xxx catfight high heels .mpeg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-g..n-admtmpl.resources_31bf3856ad364e35_10.0.19041.1_de-de_16bd831fd16633be\cumshot bukkake [bangbus] (Sylvia).avi.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\tyrkish animal fucking lesbian hole .mpg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\nude hardcore [bangbus] cock mature .mpeg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\SystemResources\Windows.ShellCommon.SharedResources\swedish beastiality xxx [free] feet .zip.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
File created	C:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_de-de_7860bee9439c3ae7\beast full movie cock stockings (Curtney).mpeg.exe	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
3492	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
3492	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
1688	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
1688	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
2068	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
2068	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
3492	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
3492	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
3556	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
3556	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
3432	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
3432	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
5056	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
5056	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
1688	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
1688	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
3492	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
3492	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
4444	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
4444	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
2068	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
2068	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
3288	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
3288	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
5064	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
5064	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
2320	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
2320	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
3556	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
3556	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
1688	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
1688	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
3492	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
3492	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
3036	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
3036	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
2420	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
2420	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
2068	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
2068	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
3548	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
3548	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
3432	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
3432	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
1624	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
1624	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
5056	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
5056	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
3804	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
3804	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
4444	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
4444	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
4932	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
4932	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 3492	2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	88
PID 2700 wrote to memory of 3492	2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	88
PID 2700 wrote to memory of 3492	2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	88
PID 2700 wrote to memory of 1688	2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	92
PID 2700 wrote to memory of 1688	2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	92
PID 2700 wrote to memory of 1688	2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	92
PID 3492 wrote to memory of 2068	3492	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	93
PID 3492 wrote to memory of 2068	3492	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	93
PID 3492 wrote to memory of 2068	3492	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	93
PID 2700 wrote to memory of 3556	2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	95
PID 2700 wrote to memory of 3556	2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	95
PID 2700 wrote to memory of 3556	2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	95
PID 3492 wrote to memory of 3432	3492	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	96
PID 3492 wrote to memory of 3432	3492	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	96
PID 3492 wrote to memory of 3432	3492	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	96
PID 1688 wrote to memory of 5056	1688	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	97
PID 1688 wrote to memory of 5056	1688	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	97
PID 1688 wrote to memory of 5056	1688	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	97
PID 2068 wrote to memory of 4444	2068	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	98
PID 2068 wrote to memory of 4444	2068	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	98
PID 2068 wrote to memory of 4444	2068	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	98
PID 2700 wrote to memory of 3288	2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	100
PID 2700 wrote to memory of 3288	2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	100
PID 2700 wrote to memory of 3288	2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	100
PID 1688 wrote to memory of 3036	1688	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	101
PID 1688 wrote to memory of 3036	1688	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	101
PID 1688 wrote to memory of 3036	1688	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	101
PID 3492 wrote to memory of 2320	3492	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	102
PID 3492 wrote to memory of 2320	3492	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	102
PID 3492 wrote to memory of 2320	3492	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	102
PID 3556 wrote to memory of 5064	3556	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	103
PID 3556 wrote to memory of 5064	3556	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	103
PID 3556 wrote to memory of 5064	3556	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	103
PID 2068 wrote to memory of 2420	2068	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	104
PID 2068 wrote to memory of 2420	2068	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	104
PID 2068 wrote to memory of 2420	2068	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	104
PID 3432 wrote to memory of 3548	3432	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	105
PID 3432 wrote to memory of 3548	3432	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	105
PID 3432 wrote to memory of 3548	3432	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	105
PID 5056 wrote to memory of 1624	5056	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	107
PID 5056 wrote to memory of 1624	5056	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	107
PID 5056 wrote to memory of 1624	5056	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	107
PID 4444 wrote to memory of 3804	4444	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	108
PID 4444 wrote to memory of 3804	4444	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	108
PID 4444 wrote to memory of 3804	4444	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	108
PID 2700 wrote to memory of 4932	2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	110
PID 2700 wrote to memory of 4932	2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	110
PID 2700 wrote to memory of 4932	2700	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	110
PID 3556 wrote to memory of 4616	3556	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	111
PID 3556 wrote to memory of 4616	3556	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	111
PID 3556 wrote to memory of 4616	3556	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	111
PID 1688 wrote to memory of 3448	1688	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	112
PID 1688 wrote to memory of 3448	1688	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	112
PID 1688 wrote to memory of 3448	1688	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	112
PID 3492 wrote to memory of 4632	3492	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	113
PID 3492 wrote to memory of 4632	3492	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	113
PID 3492 wrote to memory of 4632	3492	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	113
PID 2068 wrote to memory of 3932	2068	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	114
PID 2068 wrote to memory of 3932	2068	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	114
PID 2068 wrote to memory of 3932	2068	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	114
PID 3432 wrote to memory of 3868	3432	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	115
PID 3432 wrote to memory of 3868	3432	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	115
PID 3432 wrote to memory of 3868	3432	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	115
PID 5064 wrote to memory of 3584	5064	1b57983d2359953f8e59e4e2d5400730_NEIKI.exe	116

C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
"C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
  "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4444
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        
        PID:3804
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        Checks computer location settings
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        7⤵
        
        PID:6188
        
        C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        8⤵
        
        PID:11456
        
        C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        7⤵
        
        PID:7500
        
        C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        7⤵
        
        PID:9860
        
        C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        7⤵
        
        PID:11344
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:5532
        
        C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        7⤵
        
        PID:9348
        
        C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        7⤵
        
        PID:11368
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:6772
        
        C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        7⤵
        
        PID:11448
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:9212
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:11568
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        Checks computer location settings
        
        PID:4824
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:6280
        
        C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        7⤵
        
        PID:11752
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:7404
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:9872
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:11336
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:5592
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:9336
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:11432
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:6812
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:13692
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:8928
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:11440
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:2420
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        Checks computer location settings
        
        PID:5388
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:6420
        
        C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        7⤵
        
        PID:9424
        
        C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        8⤵
        
        PID:13384
        
        C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        7⤵
        
        PID:11416
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:7412
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:9756
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:11328
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:5552
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:11640
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:6780
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:14728
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:8848
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:11520
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      Checks computer location settings
      PID:3932
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:6304
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:11648
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:7396
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:9764
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:11384
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:5632
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:9364
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:11424
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:6716
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:14656
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:8536
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:13704
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:11512
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3432
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:3548
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        Checks computer location settings
        
        PID:5276
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        7⤵
        
        PID:7724
        
        C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        7⤵
        
        PID:11632
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:6788
        
        C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        7⤵
        
        PID:11916
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:9156
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:11600
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:5564
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:9148
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:11608
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:6836
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:8760
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:14720
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:11544
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:3868
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:6428
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:9416
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:4316
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:7508
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:10056
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:8724
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:5624
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:9584
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:11408
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:6804
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:13944
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:8812
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:11584
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      Checks computer location settings
      PID:4428
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:6388
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:11656
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:7516
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:14344
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:10032
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:11300
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:5600
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:9076
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:11592
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:6796
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:14672
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:8476
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:11560
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    - Checks computer location settings
    PID:4632
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:6488
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:9572
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:11312
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:7676
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:9968
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:1108
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    PID:5640
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:8828
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:11576
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    PID:6724
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:14360
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    PID:8648
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:14352
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    PID:11480
- C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
  "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      Checks computer location settings
      Suspicious behavior: EnumeratesProcesses
      PID:1624
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:5348
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:6440
        
        C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        7⤵
        
        PID:9800
        
        C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        7⤵
        
        PID:11360
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:7692
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:10156
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:11288
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:5560
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:10648
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:11784
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:6828
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:14300
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:8768
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:11536
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      Checks computer location settings
      PID:1004
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:6288
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:10512
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:4996
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:7680
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:3024
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:11280
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:5616
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:8524
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:4944
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:11488
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:6732
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:14376
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:8368
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:11472
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    PID:3036
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      Checks computer location settings
      PID:5284
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:6296
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:10640
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:11776
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:7472
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:9788
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:11392
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:5576
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:9672
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:11376
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:6820
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:12620
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:8660
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:11496
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    - Checks computer location settings
    PID:3448
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:6312
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:10476
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:10800
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:8068
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:14404
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:9956
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:1756
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    PID:5664
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:4200
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    PID:6764
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    PID:8868
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    PID:11552
- C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
  "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      Checks computer location settings
      PID:3584
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:6340
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:10256
      - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        6⤵
        
        PID:388
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:7388
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:9900
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:11320
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:5608
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:8484
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:11928
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:6740
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:13772
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:8376
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:11464
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    - Checks computer location settings
    PID:4616
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:6172
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:10432
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:4568
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:7368
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:9680
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:11352
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    PID:5648
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:9184
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:11624
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    PID:6756
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:13684
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    PID:8876
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:3684
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    PID:12372
- C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
  "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:3288
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    - Checks computer location settings
    PID:5160
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:6352
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:9976
    - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
        5⤵
        
        PID:11272
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:7524
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:10012
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:11296
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    PID:5584
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:10504
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:4000
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    PID:6708
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:13452
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    PID:8680
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:14392
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    PID:11528
- C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
  "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
  2⤵
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    PID:6180
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:10808
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:9268
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    PID:7296
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    PID:9728
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    PID:11400
- C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
  "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
  2⤵
  PID:5656
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    PID:3592
  - - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
      "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
      4⤵
      PID:14712
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    PID:11616
- C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
  "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
  2⤵
  PID:6748
- C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
  "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
  2⤵
  PID:8788
- - C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
    "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
    3⤵
    PID:14660
- C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe
  "C:\Users\Admin\AppData\Local\Temp\1b57983d2359953f8e59e4e2d5400730_NEIKI.exe"
  2⤵
  PID:11504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\bukkake voyeur beautyfull .zip.exe

Filesize
355KB

MD5
89537394dfceabaea781ae10e4a49e7c

SHA1
0c32155d25ea9635044360505f230aace3c9eafb

SHA256
b7cb7c47771659d3d03872dfcb9b5d70d1085efa4e3f4d5846b5ac81f2926800

SHA512
5622d0c295432a488f0243d14f49c61c21843cd1483e0386d121aa518df86d3a52fe73066bdd176142761e801538e9542f67db6242732b97d45544b6ae07dbe7

Download Submit
memory/1004-213-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1004-247-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1624-225-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1624-198-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1688-197-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1688-157-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2068-199-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2068-158-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2320-219-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2320-192-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2336-258-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2420-194-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2420-221-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2700-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2700-193-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3036-190-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3036-215-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3288-189-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3288-214-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3432-206-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3432-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3448-205-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3448-231-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3492-195-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3492-72-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3548-223-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3548-196-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3556-202-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3556-185-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3584-246-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3584-212-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3804-227-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3804-200-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3868-210-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3868-237-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3932-235-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3932-207-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4428-216-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4428-256-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4444-211-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4444-188-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4616-204-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4616-230-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4632-236-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4632-208-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4824-257-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4824-217-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4932-203-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5056-209-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5056-187-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5064-191-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5064-218-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5160-220-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5160-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5276-222-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5276-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5284-224-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5284-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5348-226-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5348-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5388-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5388-228-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5440-232-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5532-238-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5552-239-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5560-241-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5564-240-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5576-242-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5584-243-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5592-244-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5600-245-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5632-248-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5648-250-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5656-251-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5664-249-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6172-260-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6180-261-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6188-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6280-265-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6288-264-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6296-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6304-270-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6312-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6340-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6352-269-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6388-271-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6420-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6428-273-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6440-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6488-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6708-284-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6724-285-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6732-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6740-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6764-288-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/6772-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download