27b5f2426d36bd9ea8954db23d3252d84262d7fc383daf2ca166a25fea290da9

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
Size

194KB
MD5

c8d136dedf82a0d5a1457276390f2fd0
SHA1

18fde16cafcde2ad9c94077b1b96b84444f9347a
SHA256

27b5f2426d36bd9ea8954db23d3252d84262d7fc383daf2ca166a25fea290da9
SHA512

5f6be37d84441424a8ff800b6c4250f5583d45b95387f1ab274c55c3869ecebcb5683304cfa6eb657b0be23a96bdddcba88451d13ecc4b4f5a5f15c4876502e2
SSDEEP

6144:gGatRGlokdIH982PoucNI1LtdKFJCnPXFVR0QrGC9hH8X4XXXG9D4D9SDHpbqHin:IROS98b1uw

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Process not Found
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (79) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	yyUEYUIM.exe

Executes dropped EXE 2 IoCs

pid	Process
1548	zSQEUwwI.exe
1076	yyUEYUIM.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zSQEUwwI.exe = "C:\\Users\\Admin\\zyIcEkYI\\zSQEUwwI.exe"	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yyUEYUIM.exe = "C:\\ProgramData\\VQIIcgkw\\yyUEYUIM.exe"	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\yyUEYUIM.exe = "C:\\ProgramData\\VQIIcgkw\\yyUEYUIM.exe"	yyUEYUIM.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zSQEUwwI.exe = "C:\\Users\\Admin\\zyIcEkYI\\zSQEUwwI.exe"	zSQEUwwI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
520	reg.exe
4572	reg.exe
776	reg.exe
4376	reg.exe
652	reg.exe
3148	Process not Found
4488	reg.exe
3076	reg.exe
1400	Process not Found
2860	Process not Found
4744	reg.exe
3632	reg.exe
2340	reg.exe
1624	reg.exe
4968	Process not Found
552	Process not Found
2744	Process not Found
4388	reg.exe
4416	reg.exe
1784	reg.exe
1404	Process not Found
4580	Process not Found
4192	Process not Found
3912	reg.exe
3784	reg.exe
3676	reg.exe
2324	reg.exe
900	reg.exe
468	reg.exe
2124	reg.exe
428	reg.exe
1436	reg.exe
2864	reg.exe
2712	Process not Found
368	Process not Found
1052	reg.exe
2384	reg.exe
2952	reg.exe
1312	reg.exe
604	reg.exe
3776	reg.exe
3344	reg.exe
4924	reg.exe
2368	Process not Found
1612	reg.exe
428	reg.exe
5096	reg.exe
4372	reg.exe
2820	reg.exe
4964	reg.exe
1280	reg.exe
2656	reg.exe
1440	reg.exe
1680	reg.exe
2384	reg.exe
1508	reg.exe
4012	reg.exe
1856	reg.exe
4500	reg.exe
3128	reg.exe
4384	reg.exe
2956	reg.exe
3796	reg.exe
2476	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4380	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4380	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4380	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4380	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
3472	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
3472	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
3472	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
3472	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
2344	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
2344	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
2344	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
2344	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
3356	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
3356	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
3356	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
3356	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4940	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4940	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4940	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4940	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4740	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4740	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4740	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4740	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4372	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4372	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4372	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4372	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
1164	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
1164	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
1164	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
1164	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
1460	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
1460	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
1460	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
1460	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4676	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4676	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4676	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4676	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
384	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
384	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
384	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
384	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4272	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4272	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4272	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4272	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
2744	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
2744	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
2744	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
2744	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4720	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4720	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4720	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
4720	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
448	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
448	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
448	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
448	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1076	yyUEYUIM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe
1076	yyUEYUIM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 1548	4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	83
PID 4196 wrote to memory of 1548	4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	83
PID 4196 wrote to memory of 1548	4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	83
PID 4196 wrote to memory of 1076	4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	84
PID 4196 wrote to memory of 1076	4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	84
PID 4196 wrote to memory of 1076	4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	84
PID 4196 wrote to memory of 1932	4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	85
PID 4196 wrote to memory of 1932	4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	85
PID 4196 wrote to memory of 1932	4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	85
PID 1932 wrote to memory of 4380	1932	cmd.exe	87
PID 1932 wrote to memory of 4380	1932	cmd.exe	87
PID 1932 wrote to memory of 4380	1932	cmd.exe	87
PID 4196 wrote to memory of 4388	4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	88
PID 4196 wrote to memory of 4388	4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	88
PID 4196 wrote to memory of 4388	4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	88
PID 4196 wrote to memory of 2284	4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	89
PID 4196 wrote to memory of 2284	4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	89
PID 4196 wrote to memory of 2284	4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	89
PID 4196 wrote to memory of 2252	4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	90
PID 4196 wrote to memory of 2252	4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	90
PID 4196 wrote to memory of 2252	4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	90
PID 4196 wrote to memory of 3064	4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	92
PID 4196 wrote to memory of 3064	4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	92
PID 4196 wrote to memory of 3064	4196	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	92
PID 3064 wrote to memory of 5008	3064	cmd.exe	96
PID 3064 wrote to memory of 5008	3064	cmd.exe	96
PID 3064 wrote to memory of 5008	3064	cmd.exe	96
PID 4380 wrote to memory of 3680	4380	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	97
PID 4380 wrote to memory of 3680	4380	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	97
PID 4380 wrote to memory of 3680	4380	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	97
PID 3680 wrote to memory of 3472	3680	cmd.exe	99
PID 3680 wrote to memory of 3472	3680	cmd.exe	99
PID 3680 wrote to memory of 3472	3680	cmd.exe	99
PID 4380 wrote to memory of 3440	4380	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	100
PID 4380 wrote to memory of 3440	4380	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	100
PID 4380 wrote to memory of 3440	4380	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	100
PID 4380 wrote to memory of 2724	4380	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	101
PID 4380 wrote to memory of 2724	4380	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	101
PID 4380 wrote to memory of 2724	4380	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	101
PID 4380 wrote to memory of 2532	4380	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	102
PID 4380 wrote to memory of 2532	4380	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	102
PID 4380 wrote to memory of 2532	4380	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	102
PID 4380 wrote to memory of 1432	4380	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	103
PID 4380 wrote to memory of 1432	4380	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	103
PID 4380 wrote to memory of 1432	4380	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	103
PID 1432 wrote to memory of 1440	1432	cmd.exe	108
PID 1432 wrote to memory of 1440	1432	cmd.exe	108
PID 1432 wrote to memory of 1440	1432	cmd.exe	108
PID 3472 wrote to memory of 3400	3472	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	109
PID 3472 wrote to memory of 3400	3472	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	109
PID 3472 wrote to memory of 3400	3472	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	109
PID 3400 wrote to memory of 2344	3400	cmd.exe	111
PID 3400 wrote to memory of 2344	3400	cmd.exe	111
PID 3400 wrote to memory of 2344	3400	cmd.exe	111
PID 3472 wrote to memory of 4028	3472	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	112
PID 3472 wrote to memory of 4028	3472	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	112
PID 3472 wrote to memory of 4028	3472	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	112
PID 3472 wrote to memory of 3988	3472	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	113
PID 3472 wrote to memory of 3988	3472	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	113
PID 3472 wrote to memory of 3988	3472	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	113
PID 3472 wrote to memory of 4552	3472	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	114
PID 3472 wrote to memory of 4552	3472	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	114
PID 3472 wrote to memory of 4552	3472	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	114
PID 3472 wrote to memory of 1232	3472	c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe	115

C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Users\Admin\zyIcEkYI\zSQEUwwI.exe
  "C:\Users\Admin\zyIcEkYI\zSQEUwwI.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1548
- C:\ProgramData\VQIIcgkw\yyUEYUIM.exe
  "C:\ProgramData\VQIIcgkw\yyUEYUIM.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1076
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
    C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3472
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        8⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        10⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        12⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        14⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        16⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        18⤵
        
        PID:912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        20⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        22⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        24⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        26⤵
        
        PID:4708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        28⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        30⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        32⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        33⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        34⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        35⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        36⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        37⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        38⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        39⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        40⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        41⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        42⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        43⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        44⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        45⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        46⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        47⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        48⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        49⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        50⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        51⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        52⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        53⤵
        
        PID:988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        54⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        55⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        56⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        57⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        58⤵
        
        PID:4716
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        59⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        60⤵
        
        PID:1628
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        61⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        62⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        63⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        64⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        65⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        66⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        67⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        68⤵
        
        PID:4056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        69⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        70⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        71⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        72⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        73⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        74⤵
        
        PID:3736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        75⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        76⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        77⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        78⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        79⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        80⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        81⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        82⤵
        
        PID:1644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        83⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        84⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        85⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        86⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        87⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        88⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        89⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        90⤵
        
        PID:2960
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        91⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        92⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        93⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        94⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        95⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        96⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        97⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        98⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        99⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        100⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        101⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        102⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        103⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        104⤵
        
        PID:2748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        105⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        106⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        107⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        108⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        109⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        110⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        111⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        112⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        113⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        114⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        115⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        116⤵
        
        PID:4892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        117⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        118⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        119⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        120⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        121⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        122⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        123⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        124⤵
        
        PID:900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        125⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        126⤵
        
        PID:428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        127⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        128⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        129⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        130⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        131⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        132⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        133⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        134⤵
        
        PID:2232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        135⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        136⤵
        
        PID:3888
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        137⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        138⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        139⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        140⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        141⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        142⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        143⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        144⤵
        
        PID:3620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        145⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        146⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        147⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        148⤵
        
        PID:1220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        149⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        150⤵
        
        PID:5052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        151⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        152⤵
        
        PID:3064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        153⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        154⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        155⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        156⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        157⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        158⤵
        
        PID:1036
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        159⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        160⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        161⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        162⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        163⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        164⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        165⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        166⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        167⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        168⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        169⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        170⤵
        
        PID:1624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        171⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        172⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        173⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        174⤵
        
        PID:3316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        175⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        176⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        177⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        178⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        179⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        180⤵
        
        PID:2144
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        181⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        181⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        182⤵
        
        PID:1644
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        183⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        184⤵
        
        PID:5072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        185⤵
        
        PID:848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        186⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        187⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        188⤵
        
        PID:2848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        189⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        190⤵
        
        PID:4484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        191⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        192⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        193⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        194⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        195⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        196⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        197⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        198⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        199⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        200⤵
        
        PID:2864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        201⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        202⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        203⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        204⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        205⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        206⤵
        
        PID:3444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        207⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        208⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        209⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        210⤵
        
        PID:2472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        211⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        212⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        213⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        214⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        215⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        216⤵
        
        PID:4384
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        217⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        218⤵
        
        PID:4696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        219⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        220⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        221⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        222⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        223⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        224⤵
        
        PID:2268
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        225⤵
        
        PID:4136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        226⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        227⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        228⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        229⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        230⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        231⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        232⤵
        
        PID:4028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        233⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        234⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        235⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        236⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        237⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        238⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        239⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        240⤵
        
        PID:1932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        241⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        242⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        243⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        244⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        245⤵
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        246⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        247⤵
        
        PID:520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        248⤵
        
        PID:2864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        249⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        250⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        251⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        252⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        253⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        254⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        255⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics"
        256⤵
        
        PID:2724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        257⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics
        257⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        256⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        254⤵
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        254⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        254⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAoIAkww.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        254⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        255⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        252⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        252⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        252⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUwcYswQ.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        252⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        253⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        Modifies registry key
        
        PID:4924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TmksAcEQ.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        250⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pYgscsoM.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        248⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FGkMssAQ.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        246⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:2012
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:2496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gewwwEQw.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        244⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        
        PID:4956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        
        PID:2776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\igAQYgsc.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        242⤵
        
        PID:4904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkkgIwcs.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        240⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies registry key
        
        PID:1624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AMksUIMo.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        238⤵
        
        PID:5032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        UAC bypass
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQAQQEQc.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        236⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fOQgUUww.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        234⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dSAQMcYc.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        232⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        Modifies registry key
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        Modifies registry key
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PSQAUYQA.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        230⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        Modifies registry key
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oEUUEAoM.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        228⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:2724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        UAC bypass
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwQkIYQk.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        226⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1948
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        Modifies registry key
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uoQEIEUE.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        224⤵
        
        PID:3440
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MoQAwQcw.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        222⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        Modifies registry key
        
        PID:3632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:3588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        UAC bypass
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOMsEkcA.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        220⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:1148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:3876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        Modifies registry key
        
        PID:1680
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:3848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bQoMIEwo.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        218⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        UAC bypass
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vkcckwUI.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        216⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XyYYAAsU.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        214⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        
        PID:2820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        213⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkYAQIUE.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        212⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mUQMAwos.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        210⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        Modifies registry key
        
        PID:2656
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qykssMEI.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        208⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies registry key
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        Modifies registry key
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jyEoMoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        206⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOIsMwgA.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        204⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        Modifies registry key
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        
        PID:428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMMQcEQI.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        202⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JOcEwYAU.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        200⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:5024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LgYgocso.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        198⤵
        
        PID:4260
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:3540
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CAEkgAMw.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        196⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sSUUgsIA.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        194⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:3048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\keoMMgwY.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        192⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:4884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pSAwwcgo.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        190⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYAoQooY.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        188⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FggAIskU.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        186⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aMQYssMg.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        184⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        Modifies registry key
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:4100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        Modifies registry key
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGgcAIEw.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        182⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        UAC bypass
        
        PID:2004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QCIMMUoc.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        180⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        
        PID:1552
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        Modifies registry key
        
        PID:2956
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:4260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\puMwIIAc.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        178⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3824
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        UAC bypass
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\REIsgsEs.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        176⤵
        
        PID:5044
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        
        PID:708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PUskIoEY.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        174⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:4620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        UAC bypass
        
        PID:4652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gKcMgAEA.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        172⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        Modifies registry key
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        Modifies registry key
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gecUYgEM.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        170⤵
        
        PID:3336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        UAC bypass
        Modifies registry key
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AkAcAQkQ.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        168⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        
        PID:3444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zecMEYYY.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        166⤵
        
        PID:1400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        UAC bypass
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BwEEEAUQ.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        164⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        Modifies registry key
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pyIIwEoc.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        162⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:2284
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fuMYQMkQ.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        160⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:1400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        UAC bypass
        
        PID:4064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qUEwcUcQ.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        158⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        
        PID:1972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        Modifies registry key
        
        PID:1440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:4520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iCkYgEQU.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        156⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        Modifies registry key
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        
        PID:1584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        UAC bypass
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAgQgYEI.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        154⤵
        
        PID:4460
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        UAC bypass
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zyYYMcsQ.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        152⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        UAC bypass
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bGgUcksM.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        150⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        UAC bypass
        
        PID:2840
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FgAsgMgc.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        148⤵
        
        PID:2096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        Modifies registry key
        
        PID:4500
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:1660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KasMowUY.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        146⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\miwMcgUA.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        144⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mgAYowAA.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        142⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1200
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:4028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:1696
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUEYwkgE.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        140⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XsMQYwEw.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        138⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3728
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        Modifies registry key
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NQAcwcAA.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        136⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        
        PID:3544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        
        PID:5096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FcEAIkoA.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        134⤵
        
        PID:2256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        UAC bypass
        
        PID:2860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VGcMggYQ.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        132⤵
        
        PID:4360
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wMMsswkU.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        130⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        UAC bypass
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KmkwYosQ.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        128⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EEIYccQY.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        126⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        Modifies registry key
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oAogssgg.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        124⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        Modifies registry key
        
        PID:4744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dGUYYUoA.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        122⤵
        
        PID:548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies registry key
        
        PID:520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:988
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        Modifies registry key
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RuAAAcso.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        120⤵
        
        PID:2972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vQUwAMgM.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        118⤵
        
        PID:4028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        
        PID:4624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qAoIccIU.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        116⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        
        PID:3064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gwkQcsoI.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        114⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AAoUcgIg.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        112⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        
        PID:3736
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        UAC bypass
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CUEwEMcE.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        110⤵
        
        PID:384
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkkMwwAA.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        108⤵
        
        PID:4748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        109⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        
        PID:5092
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:3508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RGQAsEwk.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        106⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tMEgIgkM.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        104⤵
        
        PID:2864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SoQYYIAY.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        102⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:3128
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:3192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WIAEAMIw.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        100⤵
        
        PID:4500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        101⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3172
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        Modifies registry key
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kuIIkEIM.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        98⤵
        
        PID:3096
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        99⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        
        PID:1476
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IqQowQMg.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        96⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        Modifies registry key
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xUgoMMkU.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        94⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        
        PID:4432
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:4904
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TYoEgQoI.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        92⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3048
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:2972
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        UAC bypass
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rkcsQgMw.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        90⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        Modifies registry key
        
        PID:1280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XaUwQEoQ.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        88⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:1404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sMsYIgcc.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        86⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies registry key
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mEwUAYYU.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        84⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ymYokIUw.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        82⤵
        
        PID:4952
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tWMssEQA.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        80⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lwAkoQQQ.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        78⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tOogsswo.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        76⤵
        
        PID:2408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:4704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FeMosIwg.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        74⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        Modifies registry key
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oKYcoggA.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        72⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:4720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4648
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        71⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GCMIUMUs.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        70⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nOwYYoMw.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        68⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:4912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JYMEIgMQ.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        66⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fQAIYUMQ.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        64⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        
        PID:5004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PYQoUwos.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        62⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:428
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        UAC bypass
        
        PID:4460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywQUMkQc.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        60⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        Modifies registry key
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        UAC bypass
        
        PID:976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ayMQkkIU.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        58⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        UAC bypass
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yocoAAQI.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        56⤵
        
        PID:2872
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        Modifies registry key
        
        PID:900
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BIMokgss.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        54⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        
        PID:3192
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XasMkUsc.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        52⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:4028
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DiEEkgUU.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        50⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:448
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:1444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        UAC bypass
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEsAcYwA.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        48⤵
        
        PID:1932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WycAEEsE.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        46⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ECskQcIc.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        44⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        
        PID:4564
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OGgcQoEk.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        42⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        41⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        UAC bypass
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tecEcEIw.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        40⤵
        
        PID:704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fAccccIM.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        38⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:3796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        
        PID:440
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:956
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQEsEQoQ.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        36⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MAMwIQYg.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        34⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        Modifies registry key
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SqYcMIgk.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        32⤵
        
        PID:4148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies registry key
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        Modifies registry key
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IuUIQoIM.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        30⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4396
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MoQIUgYI.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        28⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        
        PID:4748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FmAAcoIo.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        26⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        Modifies registry key
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psEwoYYo.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        24⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies registry key
        
        PID:3344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tGgEgUsk.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        22⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies registry key
        
        PID:1856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        UAC bypass
        Modifies registry key
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nqIQwooM.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        20⤵
        
        PID:956
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2820
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        UAC bypass
        Modifies registry key
        
        PID:604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SwgMIAss.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        18⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yggAcAsM.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        16⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MmwsMwkw.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        14⤵
        
        PID:896
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:824
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        Modifies registry key
        
        PID:1612
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oWgkwMIc.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        12⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        
        PID:216
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        Modifies registry key
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FikUQEEE.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        10⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:468
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        UAC bypass
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fkIUkUIQ.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        8⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2712
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4028
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3988
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        UAC bypass
        
        PID:4552
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyMEEIkI.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
        6⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:5000
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      PID:3440
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:2724
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:2532
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MwUAsYko.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:1440
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies registry key
  PID:4388
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  PID:2284
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - UAC bypass
  PID:2252
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ikwccIwQ.bat" "C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:5008

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:1444

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv SqZkyFck5Uaq5FyWO2RvGA.0.2
1⤵
PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.exe

Filesize
220KB

MD5
2aa236222241b7ec5e51c140f3182b45

SHA1
8a3dd087b81520c04dbb945667cc20f5f9a1eab7

SHA256
226bf7ce88c7ff65b02954d917be70a3b0dec31e5513c66205a2f4dbf41e476e

SHA512
ced6d05b60b0d0265d11d60306103cba0fc319a94951b051d221162b17421cbb08cdc4e3e7b13a67881ef180f42bd9537f1066d654b41858d8eabcd1ecac9862

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
778KB

MD5
63d361bc3b1c962af36dbfa8e9b98023

SHA1
613d1b87503751aaa346ef70083b2a2aa86e49bd

SHA256
6c9bcfbcd91def3c7c7f7efdf9df083dcc8dffc908084d7f25fb0b85f2aa116d

SHA512
adde5d11e077c89c94276f02dfc71a08f08bc0e890fda516c822f9b2ba782bd8f6ce2104fabcff2e2fbfa619f52b321a36bfdff1d1c53251307862b07aeb786b

Download Submit
C:\ProgramData\VQIIcgkw\yyUEYUIM.exe

Filesize
199KB

MD5
79404d9b3eeee9e171420669709ac5af

SHA1
622fbfd2b9e8a31f49c6e45468bbcddff59efe02

SHA256
d40916c3b5c657b627ac126fd53f25d9343fdefd73321c1191d5d285049a144d

SHA512
3588a6ff03edd69302ed0fe17f3aba136f985c15c6f88233a7b033309da5b8089f5ccc4e83940bec89dcbf2b99a81326401c9e3fbe7db174b45c21a0999fe587

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

Filesize
195KB

MD5
5a88ae30b0b244a48769ae031c8ff647

SHA1
cc8c82d0fbf3abbfdbbdacb751fbb94f5f712cc7

SHA256
e1c75b469fce4218636d6e4fd94cdceb2f4da912a7f5c1a688c30c607c9c7a3b

SHA512
016d404221d544a6c6124030ef6690746235dfc1f8b5b56aac2f19a75e119e22815238cf23e76d41d4fa18a05055a668549a667086d002cfd0ef2ef80f9d16e4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png.exe

Filesize
205KB

MD5
53a0661be6147c96c075a86828fe74de

SHA1
19f17343bc5aaac8ac959b1abc627b9b41adffa6

SHA256
67db68db8235b0739c0149a033cae0a91b7bcb607e88b8c7563d162cc06dd5d0

SHA512
ba6c851a6d5bb553553531b43e5e13f04131e4d01c756c49dcc90dacd1db4c5c00f28a527cfac22e7e3477260e2f4d2d1747389471fc9ae6cad3adc1fa260fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMcO.exe

Filesize
824KB

MD5
f26d2a66ecfdab9928fd0f6ab0e93fa4

SHA1
37d54a8b103bc0b38cd3d23c1ea8af32c293fc54

SHA256
1e3fa83d1fb0e32ebd1ee60d335c909969caac3fadcfa73e8928156792f327e8

SHA512
7b99d7201a478f31beefe5639011e82f5f25c4a555228a0bc1c079e2761d37ddf8c44e90ade7864e2f6b26ec115f544730f350fa81455756a70853b9ecd959b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgMc.exe

Filesize
204KB

MD5
7f5ff7541a8857593e2825e60ade0f8f

SHA1
e0636b56aee3ecca83cbe897cc351385c68adf6a

SHA256
de3b8cde62c37eaaf5d3cb6de46cf74793ecd0253a17f637d0f3e15ada61d0a0

SHA512
d6ad7ddead5a939744f23ef55a0c7f4fe7deffa8bab5b9f8685011056a24c553f2a04ac3a20ab87e7737784b10f4d0340ae6251506b58424dfba06c51807b532

Download Submit
C:\Users\Admin\AppData\Local\Temp\AgwQ.exe

Filesize
192KB

MD5
6f5b948171d54cb1783f237069c234db

SHA1
41d3c233e2b92b5a1693951181bcf590f69df0ec

SHA256
ca5f1cd4637586fa5cebf9a41096e8f9b3225e3d69e7fe1f5148def0a8e2aa5c

SHA512
13e2954d85f199a674611a4a3455248407dd553a1b02d71ae06a637df1bb1511833ee5cd9183f265da84ba5538b78716622df9fb93834485ee3908052df82fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAgq.exe

Filesize
523KB

MD5
37b3758c3a1177e40953da8aff3c6f45

SHA1
cf30327d484daa209276ae9cd1086ce17f4c7ba2

SHA256
044db73cd66c0ce2fb41e0eb05143a547003d0fd53f52339b6d8b85780b3a790

SHA512
4e1ef3897bea6a76608f9cd9558a382da1e79a4995bd904912a645f5cc175808d212f200cb14ec8d30f62107d6c5b7b2c01837ccc8526be86873f34a63ca15e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CUgE.exe

Filesize
1.8MB

MD5
e369cfd36bd73883e271ec3f2e1e0221

SHA1
b83061d467729d460671d7ab8aefe36b4c3e916c

SHA256
d0ef99de238737981854e45940161c8da052f880ae9e43ac14aff34197f9a5c6

SHA512
c34d4627b6a0a67927de1c89ef9a2d8e9cd4762bf4d7c983db5fa2d1b4b95c6955135ef920d5387726316053c9d7cdb876206d05ce332550d9854978aab8ffe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMgw.exe

Filesize
224KB

MD5
7157db1f951319d84ef36311f9318aa2

SHA1
8196b29e01c735b3ef8624e00b08c55ba3a52912

SHA256
8d6ad0ef8ad1a7e03a87654cd3c3e43b60e6e5def5f85561472dbc37b31a3f7c

SHA512
21b03bc0a4a39a453250b6ce87998d5fb4d7aefc0925bbc1ca1cf21dcfbf928b439b65ee053cbd68cda908a9ac533fc134f1101fab8607e4783210b866b05ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQgK.exe

Filesize
188KB

MD5
887c17e699e4d0b459960ace69ffda0c

SHA1
420835b6ac453e2e6001e9c3b2783b721161c766

SHA256
9d8325431da546efdbb41baf042dca4cf8f57074c7ecf39d001e6b4beefa4f64

SHA512
43873a3aba23da2c9b04e550604c8b261ad922225a8bf69a102c034f8c82c94e1d86f742c75a8bef31624de50f6307bff268a88cec465cd11ae569b7faebeef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\EckQ.exe

Filesize
200KB

MD5
85a7591edfc6c43408ee29f18568c0bf

SHA1
d4d46fa5058630906767928ba7a15c254612c6b3

SHA256
1a2141b2e35293f83bafb987db4b8ce6cd1d3ce8245718029329a7fec258cb71

SHA512
e6311d2be80931c5104034831a5d706287f88924cb088ec60ddc5784bf31db3c8f222beb60280a5a92680e8d7828b838c3dd1dd4577671989d322490f4780066

Download Submit
C:\Users\Admin\AppData\Local\Temp\EgQg.exe

Filesize
840KB

MD5
d1de32f88dd316f46cfebf63eddaa402

SHA1
ef27ea4e2dd7b7988c9932f539578cc9a1b45afb

SHA256
70c8bf7d65c0d25e4f1383bcd27ce8e1831a5bbb16288b4304e64effe7282d67

SHA512
842db7057f37c40b927131aa4c61d19891a208da871bcfe1cd78ac81ea101e16876b600762a629e066c58a86eb57a44aa0da8080446c76f4576d3bd083043c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Egke.exe

Filesize
233KB

MD5
766f8dc04ce1b0f691df1288c890af4f

SHA1
fccebf794657097d0335caafa96a594f3d5a64a2

SHA256
81ba5a801e50c1fd49141cd5b2424e66f54c9843e53bbe92e3368aac83979a2a

SHA512
858a9c32a11b96f799e24c845f1c4bf4bd18f1849effcebd6f8dd7b6677fd1dd8fc5c130897fb11fff2d28dedfa8b092ee547d2384936fabbcdc6689957de4b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\EooQ.exe

Filesize
190KB

MD5
e2aeb6037259a8e04e7d6682b2475187

SHA1
a9da88b13d4b7d5001fd3adfca0a8b555664568a

SHA256
8c387b5283106df954a035a6a493965f6dcb9eabd812edf3f2e57e90bad4bc45

SHA512
0aa61a33c2d67bdd2db231a9a14c0a88d9d57cc255b274d0d6a7e89b4dfee795d3846735ff40e97f842da934d185c492029f952151131538ef560a3b73c32894

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ewko.exe

Filesize
642KB

MD5
b46c8886cc2002a55d6bb04f41252329

SHA1
ebe705220e020203c55c35567fb40b6e4a1f81f2

SHA256
2b4bf57384134710468f626b0a8267239121c495fd82c5a77df42f6951b06565

SHA512
716916a97142f42efcd04170a9e5ff82ee1836dcf26ce2c4c127219a55a886f3aacab3b8c016b7c22d3df50c4eb5ec83d6e62376127fdd350946b35303869c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQUi.exe

Filesize
651KB

MD5
5ed1d6bd7089927c501c36aa7b1dd6c7

SHA1
bd39e4a72705c1903688ad28d535f8001684ec75

SHA256
539995dd80c13430ca4aa336266826f28e83810ebf6eaeedb465f6a501de7615

SHA512
5bc564a2aa9718c464649bee68f644dd82cbcb61d80457cc4195c138d89c096df261ae94fc1ad8b78e9cdb08eac2c715cc4cd926a1c3b9489203f2c1ca29b04e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GYES.exe

Filesize
208KB

MD5
1a60e856c542cf324cf186fd5f549f0b

SHA1
b6965b1390e1e5730cb1f8c7599c061d4ed97e0d

SHA256
f59925451e1e9c96e058100b5a1be0384b6ce5ae207390dd771f10231ae4a79a

SHA512
5a9601996b31053e36934fffaee82ebda51adff9a1f4bc700d172368b08e1b4ab4e0d1f18cb6ce6568cf2246e4ee651775057beaba66bb0024406777c89cce7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GgQS.exe

Filesize
185KB

MD5
44c3e698aadfacb5f476cbe0548ef109

SHA1
0a641edd9c9f62eadff19c7abb44c7424d791d5e

SHA256
bf30c9784491dba7c2ec8a7d098be601112be61fdd5d69b2323d626dbfae5068

SHA512
d56575d6348d361a5cb5b73802b3c8660aaba0677af64f362ae3bc79325f2c894a96f3758b6e7e7767e1e8698086fd7c7402fb16c476889f7810e2adec9cd0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAEQ.exe

Filesize
184KB

MD5
0317567950640c9a53f43217966d4f62

SHA1
e8555555d1b9167097df15f0a572faa8bd3bcdd9

SHA256
45637819b23a832c3358c43a27b04d1b28eca578aca53a93617f125d7e720122

SHA512
542a52f52fef282d8bf891ec28bb419ba9f18f4e80ebdb9f2e1b68365b99342cbd98ab27f7ead80b95682c3f1e4daa131c51520090b52d0468e983b31955f71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEgy.exe

Filesize
184KB

MD5
48afd8264b46a6c298de5e94c33e96b3

SHA1
1d33495393167161dd917d5e662ed4e642ad2ea4

SHA256
b0b446861077cc59a55e2692b5622269f1acb9e83a5edb0df2f704ab5a241dab

SHA512
f482f1495ea3dd1b1b8d6011ca5d8e6a2ca54ca4e710ac67d7fa777543ab1b686c80d9c5251657193fcaa39600ba8e88217ed51a5a2ee13a1ba0e4d3f4c14147

Download Submit
C:\Users\Admin\AppData\Local\Temp\IYgQ.exe

Filesize
820KB

MD5
932a0406052ce382f2c6288e5b34308b

SHA1
6d74de23875a834bc72cf6b13f7814e83f9e2c54

SHA256
afa5d1884a52f005dc992d7af50945f2cac805f5e490ca34a5a30afaf68bfac2

SHA512
0fb58fb6ca967d798037a4523dde137eed0dcf83a12f3958aec5b791415fa726ae25d809a1325293fa049db2ff6680a856e9acd0d6bbbcd48faccd8af3b5a396

Download Submit
C:\Users\Admin\AppData\Local\Temp\IgUY.exe

Filesize
259KB

MD5
39d82edf306dae3e09514d0192df0229

SHA1
0b21d96e09ce1d73fae7900f41365f30d496d0dc

SHA256
f36889064921b97acfc305afaae5e983d2597eb7d749b99eb6692d5091c0966f

SHA512
7687e136308fd92584b822b0bcf619a32dbe80945e2b77508f7db5c2a5e5120e5858893601e06ad73468a32e9e8cb53cd9b9d9af51bbc66938f4c6443431b027

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iksi.exe

Filesize
587KB

MD5
2af02ebbab550840cd4c7c90efb95c31

SHA1
e633999258cf1afdf0b9379dd3dbb07e92e8f759

SHA256
6a43671f3807f1900aedc5da6251326ea6770a26804046957e550c8b46a6062a

SHA512
2ed504a3d50c606df65b73397a95e10606d5c3cc0f6c4b77886e48793b9054fe797ec0d2c79d50fc9dbce00b0fdc2cc5883a4ac01a16d7ebc272974a4dec4474

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iswg.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\KAss.exe

Filesize
215KB

MD5
bd4d968c0d411b3aec2a7b1c65068833

SHA1
89a9a2d7c5c9cab9d00092eb87670e65c717ded9

SHA256
87a200ef2a042c1f1ee2ebc334f3d2d31b88df7acd4998670c403f1b7a04e03a

SHA512
66395a76aaf9244ba1661b823c7cd44b4d5eac2de6dbf7a802bb7048f69c92f09212fdcf16e84abd591b5c884c27dde69420a2e1b4a13606079c7a2927959612

Download Submit
C:\Users\Admin\AppData\Local\Temp\KQAe.exe

Filesize
554KB

MD5
e754237a09039f54a29812bc40f2e8de

SHA1
c89a450ab90d07ef3e058c60ca5cf4b647b2f05a

SHA256
a9f840596fa1917f566ad1f3bcd0422c9b685697f313eab08b5931039b60794c

SHA512
ce1576cba2db0286a650a50a95c022f5369fb5e02f099e83b6816a145f07c909386a3fc8ec6875d1bddebe453c714da610c313438b103c365251cb034e9e9585

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYYW.exe

Filesize
798KB

MD5
ad8002d3199257bda550278ca162d6de

SHA1
3e50f8e4aeb2126a69a32cb86f7720e5a76b0eff

SHA256
d5206be8afb4471f8676accebb6eff529a152d1895416a0be9ed896de8c8d315

SHA512
9b34eca8c564102a12bb1899a2a2123792cb442557b38f530a650d5801c3fd0c3e0a986075eefea142102ebc059cf7b361dc096978b38f503a5807f193c272d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwUM.exe

Filesize
198KB

MD5
fbf3f72493b56b467ef8c2c5da773486

SHA1
2ac12463085f4e1766149fa04b91973833082a73

SHA256
988e2082ced27656e15cedc56da4a253d48ed11d8a389f147ac679b532c5b154

SHA512
8b5ec4c4fc3086e90d437dfdc160ed9a3da6466b5468c3e2577a4664d9d2342c7b89cc89acedff1943e7bb05729b7e4608e8d07f848fc0d18a48fc23dbb1e98d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MAUE.exe

Filesize
188KB

MD5
0b78cd0ca686ff1e3761b4ef876a2a3f

SHA1
87b5c18e1d6cac8cf53bf1aa539246d6abb4da7a

SHA256
28d26066e40ef47fddab6580e1f4897caa5b8028f6cb572bc21ebc7d4445a92d

SHA512
07a73f12ab412d26c7136344a9fb19a531cac5b0f218f702d7935aa29a85e8ec731b06f1b49ef5c1d6e0f6351e5808bff44a47f3997db87cf3a7a1f5bc7bf1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEAQ.exe

Filesize
188KB

MD5
0340d4d46dd06cecbe9a1b2cbe733cf0

SHA1
7916da18b3bafd22fe52e071799f66935f0b8801

SHA256
c278e8858008c3eff54714261537be51c2dcacee762107e138ea79bfc4e23694

SHA512
bf1bb09a58681be6550a958707bd7e2b8f99d9da19f5e9f05fc94dc36b29b15c83515942f2938124d391c8321e8d4953179812c6228c3c125a56d194d9f0a5f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MMwa.exe

Filesize
203KB

MD5
df9ee9ae0daac86ebe9824eb367b5511

SHA1
0875690e31034f93458a51e9e9db408bfdcce6b7

SHA256
83d817cecc2327faca2c0644cd3e606a08ea0234475a4ce6967c196bed24535e

SHA512
fa6cd5c831a066ef760efbead9f7cc793c8b9d494aac26e84a154053d9ffe209e64328e1e2042380c03ca7f2a015286402bbee34c6d8bc2bc38b3430563a7691

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQAO.exe

Filesize
205KB

MD5
ae6fe7e5e5c5485abb93fc5c552a34c2

SHA1
44aa0a8ba5a6016b9373385dac73922fe8a1b568

SHA256
4b4784b6b101e17f6c1cf90ffae6d4dd673b7d2d75a47a2a1ce18863ad578432

SHA512
2e86786259fbb33fc342ef2b52684ab114a74de8d1a79958bb18efeb70ace5f52703738c27375d6980b93bc1c8dc88c22c8230681b3d12bfc4e45ad15d80f59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUsW.exe

Filesize
189KB

MD5
77d9cb96fc223968aab39583df3185cc

SHA1
2afcd94c66d05350b3133d65c5f3683792f9c7ee

SHA256
7b1ab0cae9f7f644290f9a177ff007cf5aa6d39c19e38be67088852879ed1f4c

SHA512
b15b6bfd497e369c65a93974a63535faee27bf7feb733cfb74da9f8c192b50eca712d34407cbad32101a3c9079ada1926f88087011f4bcd2522453fca9c63b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\MkkU.exe

Filesize
628KB

MD5
8448cf2d12bf5cff00e90097536f17a9

SHA1
097b02e725ed6f628032902887b5b6ed5d42cae8

SHA256
22f3ec28947ebab9c7f45c20659595ed0391a1137160745dc9f44c7ab9ab1bbc

SHA512
5514ca511c28f0685296aece2b519b6937513f95ce39b324da07186d2cf498b7e601cb4c44e2f21d00588d0baa7d0ea622d68358bcfba99ec9ea125db5789cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OEoM.exe

Filesize
202KB

MD5
fe4d2c01162979d5a4ae89c5e5659aeb

SHA1
5722fddb4b3b24585c851a6e6011c0a761cd5d6d

SHA256
86d858df6548a31896dfe5c46b8689ff7881707979e099a58696059ee9789272

SHA512
254ba3f631da83794b39ca755cbf942d91311a6e7a288db8609433cbd4522f46a922e8031f5c04a338a8a6e4c55c6ae8ef36a9a744577d49a796f30ffaef8bcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMUO.exe

Filesize
192KB

MD5
82dde57ae817243e613a50116df0d2c9

SHA1
dd2f1132379f63413bf773dfc25838bb5a349276

SHA256
35fa24f6dba087f071b68c52f722ab4ea3317e3706faa870cb39f3215e7992c8

SHA512
05be734790ce23f9dffdc46577a6fdd0fddbe666ca24a3f6ad0e0e93e955651d647082a65e445ebdb63b1777d381c5d8fc23e53a8f94f31804e1edd0acd9fdc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OsIM.exe

Filesize
225KB

MD5
055b6aa8ba3f67638e5e4e67961d3f9f

SHA1
7cb19a50e0f99907eac451c20141fbd67d23f02a

SHA256
b2d520c4690f7545993afb22c560c69ac9fb23cdfe13a2faa5772d04a2b5eb8c

SHA512
1b2889f277a8ac0d2bc7167fb99536176da5661e8fe733c57b4eac005bd8d1817735c61c159b0aff1076a2244cda86f08189a46525e64b7a7424b10217054471

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAYW.exe

Filesize
189KB

MD5
2e3ed56fcb383a4694bdd1d6b2553ce7

SHA1
cdb2720fcac88925ffd4d213f485909716f9f832

SHA256
81f0eedcb898aef695b4819ae44a5c3740ec95a43e07b866cf646323d5e4f54b

SHA512
8cc38d723ec9746985ade1590d16d9370288bf066f68881cc5ab18852ed77c97b84e16e3f45dee6877436afc9a3261b7aac6b7c69c096abd90347bb84dafc37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMUW.exe

Filesize
189KB

MD5
cbe818cb662f9db85e7d52db8d276e75

SHA1
d6384246aaae6e813ea5111bf7a7e089c114c789

SHA256
9b6230da0561f3f69d3c618b045236498f14a30327182a696359b7c459bd79fc

SHA512
cee792f87315680f9ebf0ba8641d346ff69b8d81562dc7326e9be4b3086d724570230e8c2f26f267b462dd7e7341d52154bf1ccbe16b38ad8080ab86a7a1a94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMsm.exe

Filesize
316KB

MD5
00cc008665962103bd5494570638d3f6

SHA1
4576338e93b8b4c562dfea6257f6e2ccbe263612

SHA256
31f743675093937bd1dae99e40d2d551b604c6a64bd913be3bf3e252da7db05f

SHA512
a1b9daecec4b57315ff3cfb762359277754b1bb9548ff2c8f60c26ee8b2ecd47363cd52ca487d88dc25cc1c6b49e4d4634b5371617682f72441f3afe9d8f21ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQAE.exe

Filesize
198KB

MD5
89307f6acedfe33ea98c279ed77626e6

SHA1
641f2f09446442aa0a9ade39b81ecc90bfe8da82

SHA256
1ad6d45e41d873733979d93edc669f24b3771ef2430f0bb709da4b16c4a37d17

SHA512
b605b4fe28622a4a7b404a343330de2ed1174715afeddddb7a7bf871120372c400334dd9f2080ccec9c2ae802de7c6b89d671d7f3fe7943193e4de20ec2a2cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQIU.exe

Filesize
188KB

MD5
0a380f4c11d11029a36895a5daa5f525

SHA1
9b0f21d95a3c5510452d41f476601a31dbe15ecc

SHA256
4c41d2629f9aac6a13fe6c21158f7f29fd7c9522546706edace12cb23ff970af

SHA512
e887ee6e0917017b18653aa8cc11b4eed731927d3d312b1344559a6b5efe7d322bc0c9452a104dc31d8b83334f46b2ec72180da30f15ae84632e42960e155a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qkgs.exe

Filesize
1.3MB

MD5
98155ca47147d9118814135792b18952

SHA1
1a5cfca66b6464c55b28c68a8f14ecf145fb2cb5

SHA256
4b86d91d5a4850bf8c391bd496d446e38e9278a3e451a7eb5c90b2984edf772e

SHA512
3ff4b7784f9a3e54a38d28f8ce34e0b65aacfd1b7859e705cf5f303b5a95fcaab092cf99bf93c1b5d2440908dfc65c50c690b19cbd2c1b15b81c2a6fbd524d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoMQ.exe

Filesize
202KB

MD5
03b90180fe738ad516ce1f506bfb6cbe

SHA1
30c5895a692689f956fe5898fe44a73046299bf1

SHA256
4b1f85ca5ba7bfc5eb3d268ed7310de2799fd8cbb7299edb8de9088f523da1f1

SHA512
2ead8a8df9e09369bce2228a8edf53158094962511e6aef81617e5e8036c02250fd68f3770ef6816449df0ef8ad6a942504b942d12feede4af1019193c13a6a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qwgs.exe

Filesize
204KB

MD5
542d9391335df1e8dd00ed740bb08800

SHA1
70fa9e7b7e910dbc82ee1feba3ee9df4612ee615

SHA256
94039fc62b1c4c37b02294c4a8ad859c5ea028108ecdb27ae1c973976f296926

SHA512
8f71d32adef9b0bdd8f429e815522258e38e7d2798672c064bd7728dce57855e453bcec6155c9e1a46160d4e08118267683ceaa0751c8d9895205571d673715c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SAQi.exe

Filesize
199KB

MD5
956d737d6ebf89be04c2a057f2a0779c

SHA1
38f3341bb612f4968e1dd1b01059d3ebdf848e76

SHA256
efba801f1b76769fcd0fac3e3aa1a9f6d5104422141b5addf50e65d144f9fb4c

SHA512
930993908fec0af0fe006fab4011ec19f28a704bad12fc3eb76d870e25b65f4191828fbaeb0235bfd78db212ef24ef88a06b12f16ddb131489a348c41e5b01c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIcG.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\SIwg.exe

Filesize
201KB

MD5
25db9fd9b418fc5d1daad12c1cfcde53

SHA1
e83cb0aa74b016ffa1b4d77220893d3a56135e72

SHA256
769eb00783609cdfee9e19c06d374d74cc6e7250e75edf860659361ff06ada76

SHA512
4f1dc905b420ad5bd8aa3f67d8adecbfb5cc0cbd27869224075d1f32b82ef1385fc37dd77a2b196d6e99bdc2bc98bb926d4e76eafabba42901f13b2cf965e973

Download Submit
C:\Users\Admin\AppData\Local\Temp\Skgu.exe

Filesize
184KB

MD5
2087906a22f9b1b56fa54ef17fa8c0f6

SHA1
af9519a0fe6a8783d34e11bf3800f8a3433ee707

SHA256
b2242f7b346c12987ff9207ea019357f6348e27b6a7c970f2667eb3b5e40c799

SHA512
a3c401bc75f03a247eb5a841fe736959536b915bd7617c297b12ec4c6dcc088d021de886823a1c2e62d3ba7b0fb721f228685b85474d0c4ede4939193a18ac50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Soga.exe

Filesize
325KB

MD5
937c7bcc23e3edc55fe49ed4871c848e

SHA1
784ad035066d4cc266e89fab2caac29c0b1fe776

SHA256
eade24eb8fc4c5f50b98a709569d2208c4797bfac219d3eb1745c268bfc2939c

SHA512
69160255f8228ed59de6031939f260bf5c3e097dd50d6969e89a00ce6bd1c0a881f631458d5812f6dff601f7888940c18e4f7e899517d500b860d67edc1bc447

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsIU.exe

Filesize
479KB

MD5
90c1326a35c7d3d5c4809484fa4f7b59

SHA1
28a50b0e87e251123c63099cd8ebdda9620c7273

SHA256
1a9f8ea02913fea434bd8c9306950e8297228f2ac7d612a3fd2e5faddbb38b82

SHA512
ac41777e06e55f614fd45c93d4d1d0116b7c416552e733a79659dc43f4b73ae2267ee7cb41e5ad13a9d9b8493bbc6e0d7e3bbce602121a70506abbe0a88af081

Download Submit
C:\Users\Admin\AppData\Local\Temp\SsYC.exe

Filesize
631KB

MD5
ef58d4bd2dd9e302e5f642caae36a857

SHA1
0926fdd965fdef0f5bedd4f82c75c7af51622462

SHA256
72da9f5ea8d4bedfd6653aa14ee19cb2d6e68e9729c84771a0c4a1a1a036d57f

SHA512
0f8ec78d04e22df5bed2c0872681d83a208eae7df3bbed15e97316c2ed4ed9bbce025572326e3690cbc48f5d8f130748ca145534fdd721c63e00951d2dab48f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEkk.exe

Filesize
188KB

MD5
9b60f762e1621a3fee9b4efae063c4ba

SHA1
b62b24d2b34693ed80041fc0c62f60b166f4b2d4

SHA256
9ab2d9cbf398ec8ffdbe0f043e02520035bfaa74f8841c6b03b3094f806b63c9

SHA512
064015cb10c50df7e0dcfdf704be623f3abe9f73c407439146dfc725f744222711d34cb5cb71a0d21223d02eb142770a63a931cb7fc7905c059fb4f9cd9a9e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQEO.exe

Filesize
182KB

MD5
20f01daa1a8fc4938232c49492f439b9

SHA1
55289b220489427107441c7757d1bea239d4cb97

SHA256
1d73fda91e136f56290dbb53ca80aeaf692edcafb7a24f641b8fc8cc4d29a822

SHA512
1bcb7ba731fcd0074a21525b4844ba85a330142e57012029e0a80ce5c8edbe3bce155a8748c7525aaf46012876511c94c0f6b259dfd71fdc411d61d2beba5086

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQsw.exe

Filesize
224KB

MD5
854b4dcd316774a3e747abac4d3ce816

SHA1
2bf9fbfafd14a4272959b4d632c35e8cc14318b8

SHA256
b8aed14d7a5c4515de643e49478b259c6414dcb330edef765065945f2098167d

SHA512
0e13244528372c5c51c3fa37d931fcf028ba0b3c8b0a10cf89ec308f0cf81d49dfac2953e00fc571e1f5f0012add15885e369f10b405fc7fc83776b6c51c7ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\UUUe.exe

Filesize
194KB

MD5
4472cb7dacdbe1525736ce00f4ee9c6c

SHA1
c91592e44f952d8fdc06cf77c8fa688b634ac54f

SHA256
802286d3db2ceaa89408af7cf37e9e352f5793bb8bedfb7225de526f1342ec0c

SHA512
e43ef9681966b3918b09732a3cb30df20cc7783d4a7edc381ad8bc03363bb4015ee489d77bdda2629dcaac22834accd3676a2542ed6bdc57a9600e2b0eace723

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgEa.exe

Filesize
799KB

MD5
9ab5b46cb2aa81d058c8fc89c1ac168b

SHA1
7e2d1dc11b57605c9577cbe5f3880f7aae7985a5

SHA256
cba3fc145ab681224c746c4710db3d2cc8ae9ad6d0d6e4bea11f45acf1eef545

SHA512
c5eedf4a8efc45728154e2b7a805147a578954adaf763ebbd5d6b16eb7f42bd321ef7220a98b9168eea2396fd900c69838c00c5d6cdd711b1a7f9a759b1c5ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WEsw.exe

Filesize
649KB

MD5
2a28243cd507a06c97f61bc43e9531e3

SHA1
93e619604e4a32ba697ff9583d39ad5074f2b5bc

SHA256
8b131c4ec2e4502deafa181d64d43b55cc64f84743524badbbee2a08784fdf24

SHA512
b6e4e6adb623e7cb70e5903cfe4f77ccbdda1b6fd38e9279ac15f91a613089552905f84415ac1e81a5309de2bbbe936a3dcb78262b2c3740176088b726878bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYEo.exe

Filesize
229KB

MD5
fc22f6442ce4811e7fda5f9e2753d9d0

SHA1
45dc8b4dd3910454994be9077618033af2e1d418

SHA256
63e679715f91e873f4920b77214ebaaff3f0ed388bc8bc4325d5c0ddcea75bc8

SHA512
9aa402cf7562b0ae0d47f2b74a78fc874c4bb89c2d57583ba72214b03ad00cfa40086c0cd507b2118362e209a685d7a56406d309a9789ba6f48a0b46c932a684

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcUu.exe

Filesize
795KB

MD5
03ccfb33e351186c6c7c4adfbd2f7fcb

SHA1
33b54ead02efdea8c0cb2ba914c61c577dbbdb62

SHA256
9e2407028bcb0ce738e2ae5215acb1edde03134bdedffbbb73b066ef872b034b

SHA512
65aa7940e33a9515b56cec576d2013a60e71ed89a694aec31a74944facfa57d72991dab82c339b6a340ac5cf3d7ee3c2b4a61d5e7703a19d356b122516f4e02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WkUO.exe

Filesize
326KB

MD5
204fbf4a34072ca531f278c6b48a266d

SHA1
af65d7b5977d3dfe903b43306f35314d3dad9be2

SHA256
1a7ca566d1a6980b6d01c3be4027d2cf90b5308596ce7da872792d9ee1af647c

SHA512
d0e77e1c139e3cb2a0ef1d4058cc0bad5857a2b5dacb20d21a523418f8fc53b699dba28f7d5ae72b7d8a040ea8b1701bbc5c15316bf9a8a2490222bd13edc692

Download Submit
C:\Users\Admin\AppData\Local\Temp\YEko.exe

Filesize
419KB

MD5
f33f52a118239c37d52ccccbe0a0b858

SHA1
b6363582bb115ae25d354e407c870c0f7a81c6ea

SHA256
6482f2e3746c3b4e1feb3ff912771d581eee03624a229d6a4c255c485a0cbce5

SHA512
f79b1a5c20284eb8e4de32fad3738fc24d73738ef18c2039fad14d7f96715b20d42dc9667b323f64c88d4447d27261b41a5a7a9a3c28c6549bd2d8e476bcf8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwEA.exe

Filesize
204KB

MD5
ec2b25f348afae41025a977f9d4bdae8

SHA1
effe28318ad5606e1f4749e79b69a12d65a70161

SHA256
f863dedf92d65a29bd581864921ac45c0cd4e5830bbd8cbfc5542b404e5585df

SHA512
75b7d295a33f77ced1581b5d2b439d4bd18cec18aa82c60f91edc9678104954433325f0051d065efe658b926eacf190ec4091daeb0d1cb18c2bfe13e9f857b7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwoO.exe

Filesize
187KB

MD5
582e278bd985520cac470f6067984610

SHA1
5b7235abf7c2dc473de23c837e466703e83cbdbe

SHA256
82ea4a84ef5a01614191824f2aa73dda1d5c50769c22ded01af8e15e1143b1af

SHA512
1f66ebe84a49e70f559c4b9ffe33c8beff1e4409a86de607cb0860e932601b2fb198c7bb63dc4011acf563f4bcb25a692040d8f930b8b5928b35b8b5263c5c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIcg.exe

Filesize
205KB

MD5
4250510cfffb74d26ab8e4267c62e4e2

SHA1
de83e81d95f0a4b87029c8dd5fd2db2067c50fa3

SHA256
d258e75df8e3f5727c5a87c522c2eb74a54c7fa37bf886cfbb3e5cc4912f8dda

SHA512
97f3cbb773e805f9fbb9450c3dc97776ca803dbae4b1e9d7359807a382df4218ebfed512315af4a977fcbac8ed22d69045e2fd8f7f57d3029f2895c3e774413e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUUa.exe

Filesize
561KB

MD5
80bb50fce83ce914fdd917e9a907f474

SHA1
59685eee6fa09132f161bc7501c5c6f49667684a

SHA256
d3320abeddffd8524a8d969cb2e554b09e7a08dd8976212c41600cf0c0c74722

SHA512
dbdc4eff985655c9d556bd0e8d27cf65a76ab182890ebc713627100ba7e61860e76c31e72d87717c19d16b097779726aeead987519666a099ee157e331ef2fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aocO.exe

Filesize
182KB

MD5
685f9a9699b2cab0f8120e93edb805ee

SHA1
7bcb1c6982939eb2924c6d8664f7436c21f53498

SHA256
73340bc21d4b350acdeb0aa5e62393458dacee49e0ee826bed2277d9e08e9736

SHA512
120448e798391d733dff2fe762c34ca913103c66d8ab393d0412abc8478296ecf39c4cc3f09c48230e898a39ca665d9c8a467c55cd741d821f7c4918a1427a3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8d136dedf82a0d5a1457276390f2fd0_NeikiAnalytics

Filesize
6KB

MD5
06db768a6aa1d62200826358b4099ffe

SHA1
1f59c300939cc7211327c6020a95b8083e1b617a

SHA256
66e1cd26c61f27567c02fcce0e757acc75a0afac1bca6d646b7b5aad69a86517

SHA512
c648209b7df60c557aac45346ea649efa77123c06d5e9b1285054b7bed0791450736803f3dd6487674a8f463ff72f7ebcbf1d56ff17403b4fe197371ae6bd8e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cAAk.exe

Filesize
202KB

MD5
9ba9e866c8dfacf02c4e048f94b32869

SHA1
bab7171e27e6775233ddfeecc958511866f69cb1

SHA256
04d336ce935e8e854f161d13dc0a340de355ce01956bb816a2c6bf82265ce404

SHA512
e20ecc98b1854e0bf059a75cc5a3b36a2f240da960b7bb9498b746729db2674e9248987d0a18936ed46595285b432d72bc16422c71ff0492dcc21b3ee1ad278e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cIwi.exe

Filesize
327KB

MD5
3272c2c244dcc61ba40bab4bb0a2a372

SHA1
34c40d6034821f6a9c30ddfb0e3c94d90bb1449b

SHA256
1a213462838f6b9699fc4c0e31a04b53eadcf99c7bfb9e212a55509741836e4f

SHA512
a624cefad6be5e93e3eee8c912af37b0aaeaac1bb6ff633e8d58a39fc444fc3a042fccbb8dad6cf17336e7301d86cee4c3be71b3fb5c1231f8ae2ed3440d0aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ccce.exe

Filesize
200KB

MD5
2a65fc08ea77262945cc48fb2bec239a

SHA1
48e0f326eb9af2c2e7eae9554a86c53fe93d632f

SHA256
e502bffc9d5cf75370046d0117b1982f20de147326f2bf6cc0ea7092793cd7ba

SHA512
2f512f9c434ad40f319f27e261594cde1e84752b66a6a11148f5cda38b6ca8ee1e3c13253f50f246382f0a962c404b38159c7e7f5385fd68fa5684a51a7d7ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckYI.exe

Filesize
625KB

MD5
2a0341a310600f1d807fa3af5525317f

SHA1
2d9f8ffa41ce66bf85da5c113d34ff4b70cccbca

SHA256
ff523f33edeccb91da2a65d49182670d949026ebf6b85c0feb2aa58f6739deec

SHA512
b2f3f1ddd41c3ce5d7ce3a5f7450f36878e780689e6861df1eb4b153bbe27c565739bc150aa9117e064f8aef84403475ddeb6b2734170f645450d125dd4dd96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwME.exe

Filesize
186KB

MD5
217f8c62000121230ffb084c1faa0847

SHA1
8c981275b4b9b647f9469643075fff4888ffa137

SHA256
731ae9c14c6d69d05c546ec8f39c52130733c406b1ee633cb8d9d1adec3fb18a

SHA512
b2ff26d9f71d94c16bd1fcb78bd1771614d6ea601dacf9537838a4fb061e24c0a19b8fea04e41a3e8c08919605602ed3241c3cad598aa742912093acdebd827f

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwwG.exe

Filesize
192KB

MD5
20879edfe2795aaa0a010bb033aa5bfe

SHA1
a34847df098f123d6e60d80f54e3bdfbccc866e9

SHA256
5c62609a5c02af029afed34ffa5282be93e1fc1548bc1857268c60c552f4e42c

SHA512
2f50e0878134339e464ed109d2066551c683f2364d39b2f3448cbab5319a4998f66fc71c9497ceb3137e425aaf3a1db1c747ff70254e47eda90944040b1aa6be

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYYw.exe

Filesize
195KB

MD5
71d020e8471aaa621b9098705cabc57a

SHA1
28475044d5ee6e438489f3f54bd699928151a1de

SHA256
cde925ebfdc8f26704746435d3c781c0b3c4b8950947eae7a5a42edcf63832d7

SHA512
804ac099e1651590a317765fd5d3589ea64665098e709ef7076ead5a4155b55e9e2fcc7553a7891889c84ad73f350e8565965f04c02fc59e33b960f858cc5be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\egMs.exe

Filesize
190KB

MD5
6551090a2913b7dd5e9a361c23673d6e

SHA1
e60809ef2564c6d75275b2cabed2e10eee7395e7

SHA256
dd4fb763950d81e9e2730ebfc76a9109f48064de3b14592c117f4673f5dac7d4

SHA512
17bb7eb3a0a97d56973bfde06c97069e230fbe316d998894438419d3c009440c37154b0c904ca9cec1ea488977853066c6db0d9f477d3f4bcf05e1a7ad62ed06

Download Submit
C:\Users\Admin\AppData\Local\Temp\esce.exe

Filesize
195KB

MD5
648b5337d7f9284e567f36a52d642f6f

SHA1
5b436304a2075fb052e223cae83f4d323503fc37

SHA256
7eff0ca73824ad05be52e096627a4e0f92c757fdcaf99f927616d2b37baa0c8b

SHA512
ac6e3aaf67d86bccb8c779d9b22ecf72c32474ca8b8867a4e77688ee1a21d2b99ddebe7165ff01b5bbe8ee9b852c0123f0c34fd1df0a1347b8315dd742738d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gAww.exe

Filesize
208KB

MD5
054c0331d82cca3e88155cda0d1d1332

SHA1
792b394e132ca6a63beaca176ce2023bb6b0d46d

SHA256
ba3fb0ce9fe0f2e2d00290cd39e2d15b68567028baaca2343c737e345f30d07f

SHA512
a754e9dfbf9958994eaf693698e249e66c1f6bd0e96f332752a89779c37ce02023c0d5f39a6b9c7b4861dc8ef22dbc033a847c2e629e0569737f2fa7151f8500

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQUI.exe

Filesize
710KB

MD5
bf3b5c1eada4082366213f43bba1028b

SHA1
149e14f972be46b4ee0ae03a3b82ed6563947ea4

SHA256
4921842f311da41d29e7339ced7f4d4b68a633779ad157fbd1d08fdeec9c56fd

SHA512
de5f9ec1f03ff0357e805f2fa5080c39bc7699af600196beb83ae80ea520b0c97d4712362459d98cb7bab1a0530934e7b9426d6e5f6c9a62fcba6f916de8468a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQog.exe

Filesize
186KB

MD5
b4d8b6ee6582dec115386e290281e363

SHA1
d06e341fb9c570e408e8eed7605ed8a1539d26c4

SHA256
78ba9604309cb6f7cad522ddb5e856d40e7c668e449706852a77842295e36c48

SHA512
f27320d1a780a889389dde6eddf76219dc514b8543202b735438f7ce51a358f8a65cce75a1bd52f8a29fd1b080e9a97c5a88a9975b961c2fe007c185a3abeb10

Download Submit
C:\Users\Admin\AppData\Local\Temp\gYMa.exe

Filesize
200KB

MD5
8e85f323f09afa3fc389e51f74424ab7

SHA1
a927da32bcbc44c478ea8155ac075ff97e7a55eb

SHA256
4e438234568bb783d6fc743e2760bc469d212440b35839cc489f2ccae2cabdde

SHA512
ffb38ff810ec9dbd50d23df83f1754ec6e968962565a83f4d010070b90e9dfd23d2c3d16282dd4db5dc0f51caa3bada60ffe9c45770d3674c5a512d4c2a7ccd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ggQs.exe

Filesize
188KB

MD5
5b51c657a4ee73d3f447b50a369a1d29

SHA1
e062367b8fac381bf2fc6fdd6613c6b21ac90e7c

SHA256
ad2573ad4f31d78a60ca851bdd509bc0ac02837c929a2fbedcdfcae74185084c

SHA512
999af412a1471f3957632abd8c1a82674d562bd4067322e355e55cfffd0aaaa662027a5b8a79a7c4114b66936177520acecd7df9f295fa6283463e00e8aedbf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\iEoy.exe

Filesize
202KB

MD5
a3fc2d9c02d95f8ff70b00cab5cd4467

SHA1
09e05b3e058a25a2a1f388397911806989ecad97

SHA256
04066cf7f2ddb0ba1eb22fb8f631cc410f1583d1bc564b816c3feffc25b0defd

SHA512
46bf3d620854d702e07fa495e991c6a34bc0cca18e59d0e46a18ff5654ab4d989a7389f32a098b1930b91e7048e14dc5c74fae297903df930da12419549675f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYoc.exe

Filesize
987KB

MD5
f298e35d01d169a405aac91b6263d4eb

SHA1
f2252d75cf4c4b8288c8e7a814d8c08af86e589a

SHA256
a63062217606d964babdfc00fe66c69b4d25679d130ea236efe4e1f74119315d

SHA512
e9bc7a51df1a8316f18a1eefd8d861f959a53ffddf8d98d70832defefff457e00bead1a922ed21ac749aeefa2bf93d796c1cc3cb32a3385e045ab7d274acb5ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikwccIwQ.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwkE.exe

Filesize
246KB

MD5
c694d39d26002cec47bbd8ec7e7c08f8

SHA1
9d69a23a62cf24bfc26b88e12d63c53ec86cec19

SHA256
e2b423d360e0431a442806e97a8ee9cfaebbd69e0ae162e0dbb15618ac1ceada

SHA512
ba15ef6059245d6fa6f6697d508c1210b6dcbcf8642018f877880d15068e48a075de6622cadb09f78854ba0e767d52fa7b5d840f8967d0bce6751cdd186de791

Download Submit
C:\Users\Admin\AppData\Local\Temp\kAgA.exe

Filesize
557KB

MD5
cc0840cf2288c587e8fafbde661cf401

SHA1
8529f702633ae11dad8d29095994302dd2b06a5f

SHA256
0022822e8b31a3e181122ed5ae04502e8fc40ecd3c9414e6a4136843452122ff

SHA512
c8e3afd5a46482d1ec3362560662553859b3ab4331ece1d8585a87cf27cac85c98719d15b86c613c74833086e62d5961a9fa323449dd904c1e7925a45354f2b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwAg.exe

Filesize
192KB

MD5
daedd03d36fc8f5d9532bf92a679a989

SHA1
d9f446b3363ee935041155c7fa6a27dc84d793c9

SHA256
1acb2e288d3b0a1de5d2d9d6559f2eead37d05569bc9a75d3f708a4164e6a094

SHA512
9aa8575919a5d1c8db1ad6c5a3ade924113f2ff637f9fd0363f7e560d9e05938cfd69a88d3b3cf298f625a69c4f50b64272853e8f40d4eecc04efa047dd3d57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mAsk.exe

Filesize
206KB

MD5
5c4ed0d6208beb3425c3bd4d2df15ceb

SHA1
c5ab3835630baa6f45da9e77807216ffa2dc03cf

SHA256
a7bd6210b75fa50647ab9b867c4f5f006669dbae0bce6918eaacf3319147dec9

SHA512
436b24ec0cfd784780b63e7148fcd272d4cbf58037657121c7e5418a3cddb238904c5516d28b450562a4287cba4cc43b7a32a3080d6a0a4402f85342cbd9d12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mcYc.exe

Filesize
207KB

MD5
ed2b4284eb278746b52ff44d2be3a218

SHA1
ea1c58d15ca88968d1e84e800d95e57785748c55

SHA256
475fab6e733c850c645739a3d4811552a1989e4c950f577aeca255ac3332052b

SHA512
81219ff4ac22a6a5d449debe78b34aaf5390ef3fa148a6cdb81219467c0216b6da8ccd234afb14e81cef49e1c162ea2789208130ffa907c7ecdf0affbd99a1d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mokM.exe

Filesize
201KB

MD5
a409e0cacf2d0ceb06f48249550fa10f

SHA1
72bd62c4a04b712c37f24dc23e85588f2aa9480b

SHA256
b7319f28eb9e7aa0cb63904adda8f62df7cf463f5e7f0bb759b13efbb5c22b3c

SHA512
9844ef102f842473f40922492a1f23b79b8fd46fde1e75eb57cfe6cb1e98f068a473caeb8a8609abc91ab1c79bf5af67c0c3cb9c0a784afdb2b86f64235d43d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogwW.exe

Filesize
196KB

MD5
7de820e52b7542610ccd41835fdc6cda

SHA1
c4b151f7c1424b395b35dd2283d20248acfba740

SHA256
f09e9f0939f7790b95fb257ab8d929ce92f3d1c4c97c82903a1bd07dddcdc2e8

SHA512
d562de40a7aca49218db8f829f4e5f8e1e24f8f04344f79572b3a1d70f6ebed93a75b1e393946e5ed3e0c2de6cfe09c98110fcbf8297a12ef1ad5af6b873605a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oksi.exe

Filesize
791KB

MD5
cbcdd6e6e05c33f7995fc5d6139789d9

SHA1
3688780b29c1a1973229f7d0100053b22a646538

SHA256
9a6b31aa953b926fa677907f2c7611480b8547df23fb4b27f10056052523e2a0

SHA512
d96f369e7f4373163cdf8018e13b955fe61870a2884dd5bac5ae32fff45acf46e8b192ca4484b81d2e0739136e2b99bc14181c86cc4f6651f3f45a408646e05c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUQY.exe

Filesize
618KB

MD5
82cf6220cddd0f3ea9f35d6b200cefe5

SHA1
d724111d202c1cc0824439a6815bec8312448773

SHA256
4a3138da9e02e86231d83b15eb5c689ea6fbd35c9867a4e683dcca64f21e4783

SHA512
9f3ecd7cf9163bf78b1278380aafe1612d3e62240a3c90b7873c91a30ea0d0bd4d4e5d221eec745d01d0ef3ba26dbdeb6ca8316d6d6a480d40d93f432fcc5cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\scki.exe

Filesize
655KB

MD5
6b89187a2686ae2bfd133343d1841cbe

SHA1
a61e377cca620530132ea0cb3bbc0ebcaf1c3a2b

SHA256
f655a99f86fc595a0e76e0ebfcf461437f701a038dc0ac0bb4e0e3bc3787d693

SHA512
4fabe3a7b3fbad565578182672e2731165fae80480a65ce61478be6fe526148e11d67351f726d08f234a695f2359eaabf153f0eb89e192f6a70cd84b8a9ec4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sosy.exe

Filesize
199KB

MD5
e8e71afbd2a8fdd523d57f3d019c1bc5

SHA1
f6822ef69004f8db4d72a520923e5517414b1e25

SHA256
281773394a18ffd110358b39b3fbc254058f1c603e70eb4e22d90478bc447c59

SHA512
2861054614631e63cc21bccf24182e5e8257fabb7ca4739694e520a6687253cc28c2bd821b371e073512662aca8a98ea18bf871c04817bc90d88c86bfa1cee01

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssQY.exe

Filesize
664KB

MD5
94df5ccb42cc2087dc4d6af4d69bff10

SHA1
7e4d54072035f53fe8244a084ba8db8e76627d3e

SHA256
66c61ce40ce01311c27d8b7a829317ff902425584f1f36b552c7c1e1aae369d2

SHA512
7debeb5fbc54af757eee70865582443a0aac65206af0f10e0e684c04426ce09e7ff9f6301d7e118cd591ad2b0413d701defea6ddf635f5e24293c6db85fe655f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ssoE.exe

Filesize
225KB

MD5
9334a54f35ac9f23d2892870b06896dd

SHA1
bc58201f59900539358699f86dfbf9a2e64079a3

SHA256
fefe0259199af50367094dedf98c12310e5bb1e3713e0bda5d178f23d0e7e9d9

SHA512
804771a101226f425c78e78779f24f4fec37763d8312a1e98ad39ffe9940cae3802bb7c402b0a66052f73ee8096f9681315493cc0739be7c2b0624d2d73be443

Download Submit
C:\Users\Admin\AppData\Local\Temp\swoo.exe

Filesize
227KB

MD5
c07ebb7b0631c2b7cb229345db2d2d49

SHA1
7275419d32420612ea19185cea3f0afcb1384f1e

SHA256
04d60858be9ca30c96656a5a7da2f68070e2c0e3ca2ddd4ecbdcb1e432c9ba41

SHA512
7434a568fb45661bee144da09948a2b9e620e7414d91bd1af17204f689a6a7ad0749515354879093ddbe439482c03e56be6218bf7a13fccc7831d426713a7f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukcu.exe

Filesize
203KB

MD5
48868cb609d64f583be0d792cace6fcc

SHA1
5a82b4d27898862b30e5da55c54ec8853976a82f

SHA256
ff241f8955cf8388e888c34683b99d36264ef0085e7c9bc97c170833179b2af6

SHA512
0e1ddc290e8e57a8cffdcfcaf44a5b105dfd95ebe13fa483d09ec3183d0e68f90b0dc11621ed68c6e94346f9486a803fed1995b642ac384be02de1b68aff3646

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYko.exe

Filesize
212KB

MD5
072b531eb9b966b2c5fe305c27e8f9ea

SHA1
02aebcada9833b667b8d60c9e90699e872f9800b

SHA256
05edb845fac1e9a201abc56b8b583db8fd717a32eaf4e6940f685efa2eb70762

SHA512
8223c5f6efd2da2782fbf3b5091aa776413f10ec11dfa49c8e92b8db9890e92d0aff47dc72128d92a1dded26384d07ae8e145c6f528abf2f0c43e8cf11ae1720

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcok.exe

Filesize
192KB

MD5
37ab62db43ee9e24effef87f90f40a2f

SHA1
e7467f43c5e384e9249ed27ea0c137071832904a

SHA256
19e0c23d39515fbd445cb1953b2ac8963ec5cb8861da55fafa99a35cf9e9f16f

SHA512
cc46d732a27affc7ea1900127c254e21d6af9becf758a0f4ee4e19e0217b54803b1fa12f3b5c56101affa046e126e40f4b3a7c3fc111e3286f175cbac1502a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\wogS.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwcW.exe

Filesize
186KB

MD5
13e271ee8386da9e2732ef6f02c74d34

SHA1
def5416085ffc455e9d130e5d831d838ccc7e5f0

SHA256
5479645b2c11dd73f62944e1b3a0edb19debdfbf44bba6e1a7de7bae305790b6

SHA512
37cfe18d053c5e9dfcf72928946786c4ee1fc9ba73fca2b54e761a53c3418a1d9d95f55b76ef0d317c4dfe053c8a81bab00eca2a7617779cec4c0b513aec4af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yEMq.exe

Filesize
411KB

MD5
81b577d2538faadd1669970d068455f8

SHA1
5f7dfe5efc3cc87e9dec359c0fca41d605a97d4d

SHA256
e678ec1a017eb1ccc0df17ce66a7e0548fca89d080e3a4d5dc4b08c839eeb6a3

SHA512
2e9160d774514b118a0342acbde16ee6c1b595ad819cb9dcfb8d32c237eab1b007dbdc978d8693e7de1eec72e67914ab6bd0359c66560a1452bffffb66158a22

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUYA.exe

Filesize
184KB

MD5
e14d60d6393282d31e4506034e2ed359

SHA1
5306a22950601e19952a9ebec57249f341ec48de

SHA256
cdbc615aaeab8c767cd85b68a368424bed4de2eba6782989565c27d9b5961089

SHA512
9eda7b430bf9f5f895f2fa5822e710289a8d28932fe5134c05da871ceec7d2e1d56cc4503ef9052a8d05290988ade5c92fe08faba2e07c59ac3589610806aa67

Download Submit
C:\Users\Admin\zyIcEkYI\zSQEUwwI.exe

Filesize
200KB

MD5
40efa9f9a7332e894a0e6e4d68c3c5a3

SHA1
cc92e76b2b120027ac6dfb821ca1956a11f2cd00

SHA256
ea5c0ff1bf01940430d8d986dd13d55b1f096dcaceeea59a00870cfb276eb9e4

SHA512
1cf59b7d8d0fa60c8a1e9bdffd1f450fcca063320c53cff304454dcd316a8e73cc99514f793e5da1135cea0b7d340dd05341f459413a3d832e24dd32649604cb

Download Submit
C:\Users\Admin\zyIcEkYI\zSQEUwwI.inf

Filesize
4B

MD5
f506331c464d781f8eb8530bbddaeccb

SHA1
bc0df5651a2b04adfb6666d23741045eb0a3da4c

SHA256
618393efe3b1eb22cd104150c076c19e599e32d0ad12d6dfe2b4b87f6bea7369

SHA512
47475276c7c8a519cb3940a84ec839dac1721c28e76cb7418c759a18b4ab86c46786f63ee781f41d8e214f8d6dd732f8a89a964736940b93044aa6e2d0f6f0fc

Download Submit
memory/216-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/384-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/384-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/708-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/708-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/896-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/988-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/988-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1052-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-15-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-122-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-434-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1220-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1280-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1288-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-532-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1460-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1548-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-58-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2744-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2864-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-531-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-523-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-31-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-278-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4192-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4192-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4192-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4196-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4196-20-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-154-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-172-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-92-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-522-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-34-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4432-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-541-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-514-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4512-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-146-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-131-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4708-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4740-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download