9db0516f836e38aabdfaebfd08c5475a17ba21eb3b43c4d6d209ab4c143f5726

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
Size

155KB
MD5

9100525baa0f4926aec1e7f28ea97970
SHA1

25f1c3f842ca345b5f7bb86e215c6899f0ed038f
SHA256

9db0516f836e38aabdfaebfd08c5475a17ba21eb3b43c4d6d209ab4c143f5726
SHA512

7912045b5672db6dafaa2e5c6914e0f1ba6e39667cc0c35a35cc594759827870d4a40e9acc1ae7078c8fd64a40c623da65405aca14d7fb620cf04c20a795a203
SSDEEP

3072:2ajn2Zo/iJl88XE043iXv9MNm0ISbfGDLon4+m+tqPq:26nqmiD8800jbmJtoq

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found

Executes dropped EXE 3 IoCs

pid	Process
1296	IkEIsQoY.exe
3892	QQoAUEog.exe
1624	IkEIsQoY.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IkEIsQoY.exe = "C:\\Users\\Admin\\QUMQkMos\\IkEIsQoY.exe"	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QQoAUEog.exe = "C:\\ProgramData\\hsEcEAwI\\QQoAUEog.exe"	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IkEIsQoY.exe = "C:\\Users\\Admin\\QUMQkMos\\IkEIsQoY.exe"	IkEIsQoY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QQoAUEog.exe = "C:\\ProgramData\\hsEcEAwI\\QQoAUEog.exe"	QQoAUEog.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IkEIsQoY.exe = "C:\\Users\\Admin\\QUMQkMos\\IkEIsQoY.exe"	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IkEIsQoY.exe = "C:\\Users\\Admin\\QUMQkMos\\IkEIsQoY.exe"	IkEIsQoY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2732	1296	WerFault.exe	85

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
2676	Process not Found
1480	Process not Found
1956	reg.exe
4352	Process not Found
212	Process not Found
4256	reg.exe
2732	Process not Found
4772	Process not Found
3212	Process not Found
4612	reg.exe
4676	Process not Found
3692	Process not Found
2188	Process not Found
4780	Process not Found
4968	Process not Found
3140	Process not Found
4832	Process not Found
3704	reg.exe
4008	reg.exe
208	Process not Found
3544	Process not Found
2312	Process not Found
384	Process not Found
4844	reg.exe
4424	reg.exe
3348	Process not Found
1868	Process not Found
2528	Process not Found
2044	Process not Found
408	Process not Found
3132	Process not Found
4832	reg.exe
4876	Process not Found
2660	Process not Found
3348	Process not Found
1204	Process not Found
2176	Process not Found
5092	reg.exe
4024	reg.exe
3948	Process not Found
5024	Process not Found
3448	reg.exe
3632	reg.exe
2756	Process not Found
404	Process not Found
4356	reg.exe
4064	Process not Found
3816	reg.exe
1808	reg.exe
5076	Process not Found
4848	reg.exe
2368	reg.exe
4692	Process not Found
4860	Process not Found
4056	reg.exe
4832	Process not Found
1596	Process not Found
4172	Process not Found
3696	Process not Found
3816	reg.exe
2064	reg.exe
2464	Process not Found
4268	Process not Found
3436	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
1488	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
1488	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
1488	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
1488	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
2864	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
2864	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
2864	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
2864	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
432	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
432	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
432	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
432	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
4904	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
4904	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
4904	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
4904	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
4964	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
4964	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
4964	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
4964	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
5088	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
5088	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
5088	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
5088	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
2492	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
2492	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
2492	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
2492	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
3436	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
3436	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
3436	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
3436	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
3544	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
3544	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
3544	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
3544	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
4740	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
4740	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
4740	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
4740	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
3716	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
3716	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
3716	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
3716	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
3244	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
3244	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
3244	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
3244	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
3208	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
3208	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
3208	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
3208	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
1820	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
1820	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
1820	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
1820	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
2168	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
2168	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
2168	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
2168	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4692 wrote to memory of 1296	4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	85
PID 4692 wrote to memory of 1296	4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	85
PID 4692 wrote to memory of 1296	4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	85
PID 4692 wrote to memory of 3892	4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	86
PID 4692 wrote to memory of 3892	4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	86
PID 4692 wrote to memory of 3892	4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	86
PID 4692 wrote to memory of 3704	4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	87
PID 4692 wrote to memory of 3704	4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	87
PID 4692 wrote to memory of 3704	4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	87
PID 3704 wrote to memory of 1488	3704	cmd.exe	90
PID 3704 wrote to memory of 1488	3704	cmd.exe	90
PID 3704 wrote to memory of 1488	3704	cmd.exe	90
PID 4692 wrote to memory of 4204	4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	91
PID 4692 wrote to memory of 4204	4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	91
PID 4692 wrote to memory of 4204	4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	91
PID 4692 wrote to memory of 812	4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	92
PID 4692 wrote to memory of 812	4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	92
PID 4692 wrote to memory of 812	4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	92
PID 4692 wrote to memory of 5092	4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	93
PID 4692 wrote to memory of 5092	4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	93
PID 4692 wrote to memory of 5092	4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	93
PID 4692 wrote to memory of 1960	4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	94
PID 4692 wrote to memory of 1960	4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	94
PID 4692 wrote to memory of 1960	4692	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	94
PID 1960 wrote to memory of 4024	1960	cmd.exe	99
PID 1960 wrote to memory of 4024	1960	cmd.exe	99
PID 1960 wrote to memory of 4024	1960	cmd.exe	99
PID 1488 wrote to memory of 3820	1488	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	100
PID 1488 wrote to memory of 3820	1488	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	100
PID 1488 wrote to memory of 3820	1488	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	100
PID 3820 wrote to memory of 2864	3820	cmd.exe	102
PID 3820 wrote to memory of 2864	3820	cmd.exe	102
PID 3820 wrote to memory of 2864	3820	cmd.exe	102
PID 1488 wrote to memory of 4172	1488	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	103
PID 1488 wrote to memory of 4172	1488	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	103
PID 1488 wrote to memory of 4172	1488	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	103
PID 1488 wrote to memory of 2356	1488	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	104
PID 1488 wrote to memory of 2356	1488	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	104
PID 1488 wrote to memory of 2356	1488	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	104
PID 1488 wrote to memory of 3720	1488	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	105
PID 1488 wrote to memory of 3720	1488	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	105
PID 1488 wrote to memory of 3720	1488	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	105
PID 1488 wrote to memory of 1204	1488	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	106
PID 1488 wrote to memory of 1204	1488	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	106
PID 1488 wrote to memory of 1204	1488	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	106
PID 1204 wrote to memory of 4576	1204	cmd.exe	111
PID 1204 wrote to memory of 4576	1204	cmd.exe	111
PID 1204 wrote to memory of 4576	1204	cmd.exe	111
PID 2864 wrote to memory of 3288	2864	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	112
PID 2864 wrote to memory of 3288	2864	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	112
PID 2864 wrote to memory of 3288	2864	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	112
PID 3288 wrote to memory of 432	3288	cmd.exe	114
PID 3288 wrote to memory of 432	3288	cmd.exe	114
PID 3288 wrote to memory of 432	3288	cmd.exe	114
PID 2864 wrote to memory of 3192	2864	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	115
PID 2864 wrote to memory of 3192	2864	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	115
PID 2864 wrote to memory of 3192	2864	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	115
PID 2864 wrote to memory of 1008	2864	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	116
PID 2864 wrote to memory of 1008	2864	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	116
PID 2864 wrote to memory of 1008	2864	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	116
PID 2864 wrote to memory of 4684	2864	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	117
PID 2864 wrote to memory of 4684	2864	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	117
PID 2864 wrote to memory of 4684	2864	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	117
PID 2864 wrote to memory of 4332	2864	9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe	118

C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4692
- C:\Users\Admin\QUMQkMos\IkEIsQoY.exe
  "C:\Users\Admin\QUMQkMos\IkEIsQoY.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1296
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1296 -s 1248
    3⤵
    - Program crash
    PID:2732
- C:\ProgramData\hsEcEAwI\QQoAUEog.exe
  "C:\ProgramData\hsEcEAwI\QQoAUEog.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
    C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1488
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3820
    - - C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        8⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        10⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        12⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        14⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        16⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        18⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        20⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        22⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        24⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        26⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        28⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        30⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        32⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        33⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        34⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        35⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        36⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        37⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        38⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        39⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        40⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        41⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        42⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        43⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        44⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        45⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        46⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        47⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        48⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        49⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        50⤵
        
        PID:3948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        51⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        52⤵
        
        PID:1736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        53⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        54⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        55⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        56⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        57⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        58⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        59⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        60⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        61⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        62⤵
        
        PID:4424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        63⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        64⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        65⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        66⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        67⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        68⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        69⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        70⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        71⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        72⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        73⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        74⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        75⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        76⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        77⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        78⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        79⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        80⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        81⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        82⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        83⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        84⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        85⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        86⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        87⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        88⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        89⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        90⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        91⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        92⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        93⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        94⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        95⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        96⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        97⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        98⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        99⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        100⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        101⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        102⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        103⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        104⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        105⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        106⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        107⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        108⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        109⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        110⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        111⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        112⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        113⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        114⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        115⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        116⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        117⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        118⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        119⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        120⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        121⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        122⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        123⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        124⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        125⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        126⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        127⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        128⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        129⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        130⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        131⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        132⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        133⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        134⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        135⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        136⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        137⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        138⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        139⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        140⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        141⤵
        
        PID:968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        142⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        143⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        144⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        145⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        146⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        147⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        148⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        149⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        150⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        151⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        152⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        153⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        154⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        155⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        156⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        157⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        158⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        159⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        160⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        161⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        162⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        163⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        164⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        165⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        166⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        167⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        168⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        169⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        170⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        171⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        172⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        173⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        174⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        175⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        176⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        177⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        178⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        179⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        180⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        181⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        182⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        183⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        184⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        185⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        186⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        187⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        188⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        189⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        190⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        191⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        192⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        193⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        194⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        195⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        196⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        197⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        198⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        199⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        200⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        201⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        202⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        203⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        204⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        205⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        206⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        207⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        208⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        209⤵
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        210⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        211⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        212⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        213⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        214⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        215⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        216⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        217⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        218⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        219⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        220⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        221⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        222⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        223⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        224⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        225⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        226⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        227⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        228⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        229⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        230⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        231⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        232⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        233⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        234⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        235⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        236⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        237⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        238⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        239⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        240⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        241⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        242⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        243⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        244⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        245⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        246⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        247⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        248⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        249⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        250⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        251⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        252⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        253⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        254⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        255⤵
        Adds Run key to start application
        
        PID:3248
        
        C:\Users\Admin\QUMQkMos\IkEIsQoY.exe
        
        "C:\Users\Admin\QUMQkMos\IkEIsQoY.exe"
        256⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        256⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        257⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        258⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        259⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        260⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        261⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        262⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        263⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        264⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        265⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        266⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        267⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        268⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        269⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        270⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        271⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        272⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        273⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        274⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        275⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        276⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        277⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        278⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        279⤵
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        280⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        281⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        282⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        283⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        284⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        285⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        286⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        287⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        288⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics
        289⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics"
        290⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        290⤵
        
        PID:964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        288⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        288⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        288⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\licsAkog.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        288⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        289⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        286⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        286⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        286⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wSAUgIwc.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        286⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        287⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        284⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        284⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        284⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ogYIAQIU.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        284⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        285⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        282⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        282⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        282⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IyIogIIo.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        282⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        283⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        280⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        280⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        280⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGocckgI.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        280⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        281⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        278⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        278⤵
        Modifies registry key
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        278⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcEgMQAw.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        278⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        279⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        276⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        276⤵
        
        PID:968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        276⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\juEwMosg.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        276⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        277⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        274⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        274⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        274⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tQYAcEcs.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        274⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        275⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        272⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        272⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        272⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mckkwEQg.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        272⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        273⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        270⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        270⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        270⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kgIEkEYY.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        270⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        271⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        268⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        268⤵
        
        PID:624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        268⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UuAUUQEA.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        268⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        269⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        266⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        266⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        266⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XEwUksQY.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        266⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        267⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        264⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        264⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        264⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGoYswkY.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        264⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        265⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        262⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        262⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        262⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYYQEIkE.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        262⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        263⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        260⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        260⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        260⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\riIIYckw.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        260⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        261⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        258⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        258⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        258⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKwAooss.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        258⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        259⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        256⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        256⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\akwkcUQM.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        256⤵
        
        PID:208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        257⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEIAsMIY.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        254⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        Modifies registry key
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        Modifies registry key
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OioAgssk.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        252⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIIosMIw.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        250⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NaEccgoE.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        248⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vAEAMYwg.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        246⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQMEsoUU.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        244⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\okwsUssA.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        242⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eicMYsMI.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        240⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\maEgAQYE.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        238⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkEIEYgc.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        236⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JqQYUUAU.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        234⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RaEkoEgs.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        232⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hIQIEwUs.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        230⤵
        
        PID:404
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cuAUkYkg.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        228⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEAYQAgM.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        226⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IKkwkgQw.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        224⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies registry key
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\soMoIEkE.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        222⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\leMYIskE.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        220⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DQEgEkAg.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        218⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lgMEYMMA.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        216⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies registry key
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zCoowEMM.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        214⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        Modifies registry key
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QcoMgskQ.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        212⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies registry key
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKcsggsY.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        210⤵
        
        PID:228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMIwoMYw.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        208⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYkcIIUI.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        206⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xeMoooYw.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        204⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        Modifies registry key
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bWIQkQQI.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        202⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWswgMAU.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        200⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmYgoYco.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        198⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AGUksgQQ.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        196⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SEswAkcM.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        194⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yisckYcI.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        192⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hMgUMEEE.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        190⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BKYsggow.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        188⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ryAcAIsw.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        186⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        UAC bypass
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKEMIQoc.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        184⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KEMYkUoQ.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        182⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OAAMAgcU.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        180⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEsAUAAo.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        178⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kcAoEsYg.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        176⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PscAcoUk.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        174⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        Modifies registry key
        
        PID:4024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zEMUYccw.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        172⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOEwIkYk.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        170⤵
        
        PID:440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VuEcAQMg.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        168⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qwkkIYkg.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        166⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\scokAIQY.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        164⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        Modifies registry key
        
        PID:4256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smYsIYow.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        162⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HgQEAkoc.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        160⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bEkMIgoI.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        158⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LcEgIcwU.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        156⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smMsIAcc.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        154⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yiAAAoEo.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        152⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Cugswscg.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        150⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CKUoYcQM.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        148⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZmQMEkYs.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        146⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkAUYIcU.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        144⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        Modifies registry key
        
        PID:4848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XokYEsMQ.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        142⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        UAC bypass
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zeUYIIEg.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        140⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EgQQIMIE.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        138⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AUwwUAQQ.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        136⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKQEUAsM.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        134⤵
        
        PID:312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tuggkEgo.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        132⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\roQwYkko.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        130⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZycoQsQo.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        128⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zgscQYAI.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        126⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKMUYsUI.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        124⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cYgQQIoI.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        122⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QeEgIQYw.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        120⤵
        
        PID:844
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        UAC bypass
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAwcUgYM.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        118⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LGEgkQAk.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        116⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZIAsMUAU.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        114⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VqMUUgww.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        112⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUUQgcQI.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        110⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygQMwsIw.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        108⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KqgUwQII.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        106⤵
        
        PID:312
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JCQEMoUQ.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        104⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rUAYcoUY.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        102⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:432
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        
        PID:696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RmIgwQYU.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        100⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DaQgEsIk.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        98⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aGcYAEwY.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        96⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:3948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AWwMAAMQ.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        94⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCckYoII.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        92⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hKwooows.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        90⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tKYokYkE.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        88⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DCYIIMIM.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        86⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puEgEoMk.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        84⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        UAC bypass
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YWgYMkQM.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        82⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cCEkQQMU.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        80⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wOcYMcgk.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        78⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NqQoAIAQ.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        76⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies registry key
        
        PID:3816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FqYgkIEY.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        74⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lIYIcsQM.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        72⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        UAC bypass
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ucwIQQEo.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        70⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        Modifies registry key
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YkoQUUYs.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        68⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SgsoEsIc.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        66⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        
        PID:440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GoYkUogU.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        64⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JSYcwcIA.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        62⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TEEkooYg.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        60⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FyYAkIsM.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        58⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies registry key
        
        PID:3436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:5020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIgsYokU.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        56⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wiIcYYoQ.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        54⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        Modifies visibility of file extensions in Explorer
        
        PID:812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IUoEYUgw.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        52⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WaYMgQQM.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        50⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:2044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CSEYsMAY.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        48⤵
        
        PID:432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zMUIgosA.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        46⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        
        PID:384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        Modifies registry key
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pQAQAMsM.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        44⤵
        
        PID:1596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\deUwIUMU.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        42⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FickYwEw.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        40⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        Modifies registry key
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQUgEAAc.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        38⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmkkUcUc.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        36⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ieMgwIow.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        34⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:3152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AmYQMAgw.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        32⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tkwYMwAE.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        30⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies registry key
        
        PID:3704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bkoQsIIk.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        28⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\leMsYgsA.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        26⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zWUcAYkE.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        24⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEUEAcQY.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        22⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EucoAMos.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        20⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uwUcsEYk.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        18⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qaUgsQwA.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        16⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pOcQwcEw.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        14⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xiwUgUwk.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        12⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:4980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RqkAEsgg.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        10⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        Modifies registry key
        
        PID:1956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jKgUUAwA.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        8⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:724
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3192
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:1008
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AKoYIEww.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
        6⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:3536
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:4172
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2356
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:3720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwQMIkQE.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1204
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:4576
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  PID:4204
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:812
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:5092
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sysQswog.bat" "C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1296 -ip 1296
1⤵
PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\User Account Pictures\user.png.exe

Filesize
151KB

MD5
8a8a30de62bb7e0e12441897571e9c2b

SHA1
a7831d4aac07d77e445e66a51fafe59dfb724825

SHA256
a43129097a32c19991f86c1d23b5e43a371505fe769242941449b0657c986f59

SHA512
4417a27b57a8e1ec3c3bdcff3991ffbd699f4a428784dedb4191558dce5aee5b2b10f351c11d6a34523c506344c6fce3ef5e517f6b0ae3225a64042276781792

Download Submit
C:\ProgramData\hsEcEAwI\QQoAUEog.exe

Filesize
126KB

MD5
9c302032881c42fec61f5963c47d763c

SHA1
27972cef87e72ee2595d8cbe04dd2cedaa6bf91b

SHA256
57c255b1a2a5d6c377e9421c8665fda9ca3ea41d3c3eb51f385607ec1ee5c335

SHA512
cb53886df1880aac82110bf5c6d0c2cc8fe9c7afec31a45af0585cab0b4e5f1a5808562339ddd1da76fc152d2d01c31d50e590aea092f73793d09caa1a6e5343

Download Submit
C:\Users\Admin\AppData\Local\Temp\9100525baa0f4926aec1e7f28ea97970_NeikiAnalytics

Filesize
6KB

MD5
59513752b20c9e3510db31c99dfc5c60

SHA1
cbfd0cd3f52fee958f730d8d31b2372370bf26f3

SHA256
4cb21f95bccd80bca6baa955d8f9dcc1837e5a561d1585c9aaecdd7d377db8ab

SHA512
08479b2361a3b3d6a80d47260442718a7ce0f72547471b2b674aefa3dbeed7fa012df9c37efae73d729cf973f579672ca996a48552359ecc1fb2b4b32eeeb560

Download Submit
C:\Users\Admin\AppData\Local\Temp\AwgE.exe

Filesize
261KB

MD5
1f2c1ef06da3561a255708878276b653

SHA1
06748e037be7dcbd6fd2a395d2e4c8aae74c7cf1

SHA256
741a99fdec435c8f3c6ce2fabb3b49eefcaf53acd9d67bf0b64770f7538677d3

SHA512
04710e3779c5a95883f30673426f3a3e573e4344421b5fda92bc5a09e7728d3a286ecd7d31bdc5d757c781b5b3a52e35979700c548c25f25c5ac09e95228b631

Download Submit
C:\Users\Admin\AppData\Local\Temp\CEMc.exe

Filesize
169KB

MD5
67b347661cce9d5f84159dbcbaf28eb1

SHA1
ff2ed3ef8e50217a0e07dbe15f20552e8e8b2603

SHA256
6b8e13e04c9d74941bd9731f7e1de4603e5f298a5efde95125008c5ee13d76eb

SHA512
079f18f365e39d3158ecd6f77a2df3920bcb537279226199870421c4c11dc3cc443070bcd9d864db7426152dee1546868463d7a8dbc8e80938fa6a0c5dcad499

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoAE.exe

Filesize
165KB

MD5
e0ecc7143fb188085e314c1d0251a22b

SHA1
5fc2545fed3b2ef72416c67c4cd6771d5d8daa6a

SHA256
e389761c3248de873db67f6ebea3af695e3573cd30d71022f3cfc8e0fe8aeb14

SHA512
d7a71ffa1589613c7d4b633bb0d3eceed81c38234beefbf7580161bf0d465b21878cbfa4ef537eaf370d57ba99671b3271cc260b9995dd426290d78b3f7f5614

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMAA.exe

Filesize
175KB

MD5
0570e79f980ee9b34e06aa13704f1368

SHA1
7730e096695ce57915b52b8abe8ff8f103ae6b36

SHA256
e1f9735aa7af3766764f894e53ca4a5092d820008017c74c58ef7cda572a041e

SHA512
2375e149d768eefbd7dfd1592b623dcf88eb63726b89d41789f6db8902606f6365915d194608c4a540c57f9a222a6ff12d3908383e75e458f7a1c6975d44df90

Download Submit
C:\Users\Admin\AppData\Local\Temp\MowA.exe

Filesize
597KB

MD5
e7e4abe66ae63a184c08d5fbd6572412

SHA1
970e17c87c2d0307a708edeef6ef52f23fcd1a4b

SHA256
2827eccadf6bf5f3992f484fb6a1d4eb2b8a9d27b136ce8ce676593c93ab2b87

SHA512
a375fdf010b501275726856bde694f873881387e53aa960776f76fa4914026d81b6e66256f649ad3faa505c4241c307c36fa5504b27312b83a5b90c07c3432c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwEq.exe

Filesize
732KB

MD5
428c9ce8488ff417db303e11d6def056

SHA1
58695faed3f1542cae49fd6ae3569f2ed41b0a2b

SHA256
93a33d233671b4a0795956573d08befd8200c44e58ed3168245ff80837c68b0c

SHA512
eb099570ea2b65127561ea09788b2e1060ed454216b42caec37dae4db27538eae31c9f26d21086030e346eb8d680657939468b46c2e129ff3d9762006967ddc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WQEg.exe

Filesize
157KB

MD5
904934754fac67eae27cbeb8e2c2aff7

SHA1
cefb6b1684b37c18ced25f8570f8d4dc925ad4df

SHA256
c28ccf4201dd61be224774b311ac4ba1324ba0f959df5ee15aa58a737215ed03

SHA512
9dab6a35b35a02c4907059fdcd58ce45fafcc9e6fbb3770c3b51fd8f670bb2dfe2c1d09ab0100801868060a3e3e6b29da452bae2a4d9bff7b7009b464945020e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQcm.exe

Filesize
135KB

MD5
790411f871b0ebe78a43e540ef5003ab

SHA1
d457a40ea0a14a6290cbba8a73905277e9fdb785

SHA256
0e17a64c09f2cd2fbc65f42c3c7840a8d1c75f4199077148caa53c96b15f7c93

SHA512
60d242e02ef426828b0f6125dcb71f5caa45b28ca6bd41ca9fb3e5386b36609613fc086ad29a7fe33ad2d08c73adf91fd153ea3e4a971ef79b3c9d5cd7d779c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YoMq.exe

Filesize
734KB

MD5
59d3ef22aa45b9c8639d84142459904e

SHA1
70f715126de78e84fa643fe2e320b759c1eb3a44

SHA256
7476f44f491d1e870942e6b207370bb649f5fc8be36f1caae580abb15b4c5e47

SHA512
5f7311e833959f56f4d09bb5c25317e5b9d551d810723bc4cb2c31824f34c68a51c9459e766bf6c819e4d62b47aebfa046f4f51861af2272fd350931fc9c4823

Download Submit
C:\Users\Admin\AppData\Local\Temp\agQO.exe

Filesize
151KB

MD5
48263d51fc0fc2db2e225708d2b47026

SHA1
2f7ff3fabd9c948888eac773901958c969de1487

SHA256
05dd0cef48525c6bea935094be868c7306c9eee520ecbeebf148f6c9d0b20bd9

SHA512
af049809ac4d3cdb4c332f6b50217faab7a032afd870f9e1bff84be8926cb6784cffd992c9f8dc15e430d9aaac05668cd2e70a8323d5a63afb34d0e65f6c59a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\coQo.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsog.exe

Filesize
261KB

MD5
c69c7e44875951d457cd2affde3ffaed

SHA1
a3406052f167abe119a3bb3ce0f655f0d653b4de

SHA256
7e4b5a10f832773d85fe9010a095329d84cabf69f6a4f8432ea28a7dd550481c

SHA512
8e6787ac1f3d931c2d7a635837f07b79d7836428fb72bf89f94f5f2454af0f12ffe5af1216fdf080f56453251a4791850f247c7af6498a30f276e6a609596d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\sysQswog.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\QUMQkMos\IkEIsQoY.exe

Filesize
137KB

MD5
9ef9b1d2ea961b3361e7d227520bb573

SHA1
2f064f01db7f7a8ad3a5746354afa284e91ba9b3

SHA256
e6790010260e482d28b09acd6fd578edda3c6b949b90d72c683a055dae3b035f

SHA512
f30997c4c280dcae090b48499f6fce1d9198fdc6d06e19ccda1735c11e0f8fdcbed8ab0842207b202f3a95eb24a14b5700a346f555a996227a003ae2353ff14d

Download Submit
memory/432-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/432-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/964-256-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/980-282-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/980-271-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1296-11-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1488-31-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1488-17-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1820-185-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1820-170-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1932-496-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2092-244-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2092-229-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2096-471-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2160-438-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2160-429-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-197-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-181-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2368-514-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2368-502-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2456-446-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2492-86-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2492-101-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-393-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-385-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2864-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2880-480-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3008-299-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3208-157-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3208-173-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3244-161-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3276-524-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3276-532-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3300-290-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3436-114-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3436-102-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3524-316-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3536-506-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3536-497-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3544-110-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3544-126-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3544-533-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3544-542-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3572-463-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3572-455-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3632-312-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3632-325-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3716-137-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3716-149-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3728-350-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3892-14-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4080-221-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4080-233-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4184-454-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4196-205-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4196-220-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4332-359-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4332-351-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4404-321-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4404-334-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4456-274-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4456-261-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4576-342-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4576-330-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4592-488-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4592-479-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4692-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4692-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4700-430-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4700-421-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4740-307-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4740-138-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4740-295-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4740-122-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4792-384-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4820-209-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4820-193-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4824-523-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4824-515-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4828-360-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4828-368-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4848-402-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4848-394-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4864-252-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4864-265-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4904-67-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4904-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4964-78-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4964-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4976-408-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4976-420-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5048-376-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5080-403-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5080-412-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5088-90-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5116-538-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download