ba4b6087e008000e825f8b9f1f7337cfd7ee0e49b513d918da71412fb6d536bd

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
Size

204KB
MD5

4dc57d384dfb9b282c0f14dceaadaf00
SHA1

e8b5f4c910844cbe6aac681718be339e5de45837
SHA256

ba4b6087e008000e825f8b9f1f7337cfd7ee0e49b513d918da71412fb6d536bd
SHA512

a970fee38e7117da3200c22acda173f1b1de6dfc3b313cb957ca25469002b05a0b6a24c8a54fa3666daae75956c6176c0affe9343940182ab95fc17cd08ca1ab
SSDEEP

3072:+45yU08b7VR+jgHL3F6rEQuxir0X2q1jY4b8upWJbuOWY3sdoma5DbUolDjr:d5yc2sWO1jiWYxDbUQ

Score

10^/10

evasion persistence ransomware spyware stealer trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

UAC bypass 3 TTPs 64 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Renames multiple (82) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Blocklisted process makes network request 1 IoCs

Processes:

cmd.exe

flow pid process

46 664 cmd.exe

flow	pid	process
46	664	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

qYIUEIMI.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	qYIUEIMI.exe

Executes dropped EXE 2 IoCs

Processes:

qYIUEIMI.exeXCgwcwgc.exe

pid process

1684 qYIUEIMI.exe
1512 XCgwcwgc.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

qYIUEIMI.exeXCgwcwgc.exe4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qYIUEIMI.exe = "C:\\Users\\Admin\\ZSIcYcgQ\\qYIUEIMI.exe"	qYIUEIMI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XCgwcwgc.exe = "C:\\ProgramData\\uEMAkYkY\\XCgwcwgc.exe"	XCgwcwgc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IiEgkQIM.exe = "C:\\Users\\Admin\\JkAAAEwU\\IiEgkQIM.exe"	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SUEAAIsM.exe = "C:\\ProgramData\\lAoMQcsw\\SUEAAIsM.exe"	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qYIUEIMI.exe = "C:\\Users\\Admin\\ZSIcYcgQ\\qYIUEIMI.exe"	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XCgwcwgc.exe = "C:\\ProgramData\\uEMAkYkY\\XCgwcwgc.exe"	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe

Drops file in System32 directory 2 IoCs

Processes:

qYIUEIMI.exe

description	ioc	process
File created	C:\Windows\SysWOW64\shell32.dll.exe	qYIUEIMI.exe
File opened for modification	C:\Windows\SysWOW64\shell32.dll.exe	qYIUEIMI.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3512 2164 WerFault.exe IiEgkQIM.exe
3016 4896 WerFault.exe SUEAAIsM.exe

pid	pid_target	process	target process
3512	2164	WerFault.exe	IiEgkQIM.exe
3016	4896	WerFault.exe	SUEAAIsM.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

pid	process
1332	reg.exe
1584	reg.exe
2308	reg.exe
2652	reg.exe
4280
1252
2556
3784	reg.exe
2680	reg.exe
780	reg.exe
1444	reg.exe
3764	reg.exe
2804	reg.exe
4892	reg.exe
4996	reg.exe
2432
2308	reg.exe
1524	reg.exe
4028	reg.exe
388	reg.exe
3472	reg.exe
1496	reg.exe
1664	reg.exe
2304	reg.exe
2224	reg.exe
1632	reg.exe
868
4380	reg.exe
2676	reg.exe
5040	reg.exe
3240	reg.exe
4936	reg.exe
2704	reg.exe
4508
3712
2552	reg.exe
2568	reg.exe
3936	reg.exe
3752	reg.exe
4900	reg.exe
2988	reg.exe
2056	reg.exe
4944	reg.exe
3008	reg.exe
3752	reg.exe
4672
528	reg.exe
872	reg.exe
600	reg.exe
3716	reg.exe
2432	reg.exe
3268	reg.exe
2492
2572	reg.exe
3660	reg.exe
3932	reg.exe
1980	reg.exe
756	reg.exe
2896	reg.exe
3816	reg.exe
1632	reg.exe
1608	reg.exe
4944	reg.exe
1236	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe

pid	process
388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
3592	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
3592	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
3592	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
3592	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
1472	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
1472	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
1472	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
1472	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
4332	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
4332	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
4332	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
4332	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
4536	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
4536	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
4536	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
4536	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
316	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
316	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
316	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
316	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
1592	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
1592	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
1592	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
1592	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
3832	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
3832	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
3832	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
3832	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
376	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
376	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
376	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
376	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
216	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
216	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
216	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
216	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
2364	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
2364	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
2364	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
2364	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
5100	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
5100	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
5100	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
5100	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
4424	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
4424	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
4424	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
4424	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
4928	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
4928	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
4928	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
4928	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
1492	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
1492	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
1492	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
1492	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
4608	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
4608	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
4608	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
4608	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

qYIUEIMI.exe

pid process

1684 qYIUEIMI.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

qYIUEIMI.exe

pid	process
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe
1684	qYIUEIMI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.execmd.exe4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.execmd.execmd.execmd.exe4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.execmd.exe

description	pid	process	target process
PID 388 wrote to memory of 1684	388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	qYIUEIMI.exe
PID 388 wrote to memory of 1684	388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	qYIUEIMI.exe
PID 388 wrote to memory of 1684	388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	qYIUEIMI.exe
PID 388 wrote to memory of 1512	388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	XCgwcwgc.exe
PID 388 wrote to memory of 1512	388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	XCgwcwgc.exe
PID 388 wrote to memory of 1512	388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	XCgwcwgc.exe
PID 388 wrote to memory of 864	388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	cmd.exe
PID 388 wrote to memory of 864	388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	cmd.exe
PID 388 wrote to memory of 864	388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	cmd.exe
PID 864 wrote to memory of 3592	864	cmd.exe	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
PID 864 wrote to memory of 3592	864	cmd.exe	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
PID 864 wrote to memory of 3592	864	cmd.exe	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
PID 388 wrote to memory of 4216	388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 388 wrote to memory of 4216	388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 388 wrote to memory of 4216	388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 388 wrote to memory of 1524	388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 388 wrote to memory of 1524	388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 388 wrote to memory of 1524	388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 388 wrote to memory of 2572	388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 388 wrote to memory of 2572	388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 388 wrote to memory of 2572	388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 388 wrote to memory of 1336	388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	cmd.exe
PID 388 wrote to memory of 1336	388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	cmd.exe
PID 388 wrote to memory of 1336	388	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	cmd.exe
PID 3592 wrote to memory of 5000	3592	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	cmd.exe
PID 3592 wrote to memory of 5000	3592	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	cmd.exe
PID 3592 wrote to memory of 5000	3592	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	cmd.exe
PID 3592 wrote to memory of 4388	3592	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 3592 wrote to memory of 4388	3592	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 3592 wrote to memory of 4388	3592	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 3592 wrote to memory of 3268	3592	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 3592 wrote to memory of 3268	3592	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 3592 wrote to memory of 3268	3592	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 3592 wrote to memory of 5024	3592	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 3592 wrote to memory of 5024	3592	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 3592 wrote to memory of 5024	3592	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 3592 wrote to memory of 2068	3592	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	cmd.exe
PID 3592 wrote to memory of 2068	3592	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	cmd.exe
PID 3592 wrote to memory of 2068	3592	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	cmd.exe
PID 5000 wrote to memory of 1472	5000	cmd.exe	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
PID 5000 wrote to memory of 1472	5000	cmd.exe	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
PID 5000 wrote to memory of 1472	5000	cmd.exe	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
PID 2068 wrote to memory of 3832	2068	cmd.exe	cscript.exe
PID 2068 wrote to memory of 3832	2068	cmd.exe	cscript.exe
PID 2068 wrote to memory of 3832	2068	cmd.exe	cscript.exe
PID 1336 wrote to memory of 1016	1336	cmd.exe	cscript.exe
PID 1336 wrote to memory of 1016	1336	cmd.exe	cscript.exe
PID 1336 wrote to memory of 1016	1336	cmd.exe	cscript.exe
PID 1472 wrote to memory of 4424	1472	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	cmd.exe
PID 1472 wrote to memory of 4424	1472	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	cmd.exe
PID 1472 wrote to memory of 4424	1472	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	cmd.exe
PID 4424 wrote to memory of 4332	4424	cmd.exe	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
PID 4424 wrote to memory of 4332	4424	cmd.exe	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
PID 4424 wrote to memory of 4332	4424	cmd.exe	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
PID 1472 wrote to memory of 3292	1472	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 1472 wrote to memory of 3292	1472	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 1472 wrote to memory of 3292	1472	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 1472 wrote to memory of 3744	1472	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 1472 wrote to memory of 3744	1472	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 1472 wrote to memory of 3744	1472	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 1472 wrote to memory of 4248	1472	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 1472 wrote to memory of 4248	1472	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 1472 wrote to memory of 4248	1472	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	reg.exe
PID 1472 wrote to memory of 3464	1472	4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:388
- C:\Users\Admin\ZSIcYcgQ\qYIUEIMI.exe
  "C:\Users\Admin\ZSIcYcgQ\qYIUEIMI.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:1684
- C:\ProgramData\uEMAkYkY\XCgwcwgc.exe
  "C:\ProgramData\uEMAkYkY\XCgwcwgc.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1512
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
    C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3592
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5000
    - - C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1472
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        8⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        9⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        10⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        12⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        14⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        16⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        17⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        18⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        20⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        21⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        22⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        23⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        24⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        25⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        26⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        27⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        28⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        29⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        30⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        31⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        32⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        33⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        34⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        35⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        36⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        37⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        38⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        39⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        40⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        41⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        42⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        43⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        44⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        45⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        46⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        47⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        48⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        49⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        50⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        51⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        52⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        53⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        54⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        55⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        56⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        57⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        58⤵
        
        PID:4220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        59⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        60⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        61⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        62⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        63⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        64⤵
        
        PID:1844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        65⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        66⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        67⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        68⤵
        
        PID:3860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        69⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        70⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        71⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        72⤵
        
        PID:316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        73⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        74⤵
        
        PID:1060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        75⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        75⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        76⤵
        
        PID:3064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        77⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        78⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        79⤵
        Adds Run key to start application
        
        PID:2312
        
        C:\Users\Admin\JkAAAEwU\IiEgkQIM.exe
        
        "C:\Users\Admin\JkAAAEwU\IiEgkQIM.exe"
        80⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 224
        81⤵
        Program crash
        
        PID:3512
        
        C:\ProgramData\lAoMQcsw\SUEAAIsM.exe
        
        "C:\ProgramData\lAoMQcsw\SUEAAIsM.exe"
        80⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 224
        81⤵
        Program crash
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        80⤵
        
        PID:4876
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        81⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        82⤵
        
        PID:412
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        83⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        84⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        85⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        86⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        87⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        88⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        89⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        90⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        91⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        92⤵
        
        PID:976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        93⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        93⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        94⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        95⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        96⤵
        
        PID:2056
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        97⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        98⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        99⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        100⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        101⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        102⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        103⤵
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        104⤵
        
        PID:3016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        105⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        106⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        107⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        108⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        109⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        110⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        111⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        112⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        113⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        114⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        115⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        116⤵
        
        PID:2704
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        117⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        118⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        119⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        120⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        121⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        122⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        123⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        124⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        125⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        126⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        127⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        128⤵
        
        PID:568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        129⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        130⤵
        
        PID:3688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        131⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        132⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        133⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        134⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        135⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        136⤵
        
        PID:4444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        137⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        138⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        139⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        140⤵
        
        PID:4624
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        141⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        142⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        143⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        144⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        145⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        146⤵
        
        PID:1020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        147⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        148⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        149⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        150⤵
        
        PID:768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        151⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        152⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        153⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        154⤵
        
        PID:2332
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        155⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        156⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        157⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        158⤵
        
        PID:3492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        159⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        159⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        160⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        161⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        162⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        163⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        164⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        165⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        166⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        167⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        168⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        169⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        170⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        171⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        172⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        173⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        174⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        175⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        176⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        177⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        178⤵
        
        PID:4776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        179⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        179⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        180⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        181⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        182⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        183⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        184⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        185⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        186⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        187⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        188⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        189⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        190⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        191⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        192⤵
        
        PID:4088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        193⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        193⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        194⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        195⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        196⤵
        
        PID:5040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        197⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        198⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        199⤵
        
        PID:396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        200⤵
        
        PID:976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        201⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        201⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        202⤵
        
        PID:1472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        203⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        204⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        205⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        206⤵
        
        PID:4896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        207⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        207⤵
        
        PID:780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        208⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        209⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        210⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        211⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        212⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        213⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        214⤵
        
        PID:3512
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        215⤵
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        216⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        217⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        218⤵
        
        PID:976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        219⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        220⤵
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        221⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        222⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        223⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        224⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        225⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        226⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        227⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        228⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        229⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        230⤵
        
        PID:2560
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        231⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        232⤵
        
        PID:4524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        233⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        233⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        234⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        235⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        236⤵
        
        PID:212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        237⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        237⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        238⤵
        
        PID:3304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        239⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        240⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        241⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        242⤵
        
        PID:1900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        243⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        244⤵
        
        PID:4448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        245⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        245⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        246⤵
        
        PID:2720
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        247⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        248⤵
        
        PID:3364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        249⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        250⤵
        
        PID:2924
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe
        
        C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics
        251⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics"
        252⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        250⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        250⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        250⤵
        Modifies registry key
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bgIcwkgg.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        250⤵
        
        PID:2532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        251⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        251⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        248⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        248⤵
        
        PID:1072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        248⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jooQkoAI.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        248⤵
        
        PID:1424
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        249⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        249⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        246⤵
        
        PID:756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        246⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        246⤵
        UAC bypass
        
        PID:4068
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        247⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wKsYQcsw.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        246⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        247⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        244⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        244⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        244⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmwAgUsA.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        244⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        245⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        242⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        242⤵
        Modifies registry key
        
        PID:780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        243⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        242⤵
        UAC bypass
        
        PID:1064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iiIgMYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        242⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        243⤵
        
        PID:864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        240⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        240⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        240⤵
        
        PID:3364
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        241⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xiQAQEcE.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        240⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        241⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        238⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3884
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        238⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        238⤵
        UAC bypass
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZmUMsUoA.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        238⤵
        
        PID:1520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        239⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        239⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        236⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        236⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        236⤵
        Modifies registry key
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NGYAwgsM.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        236⤵
        Blocklisted process makes network request
        
        PID:664
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        237⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        234⤵
        Modifies registry key
        
        PID:5040
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        234⤵
        Modifies registry key
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        234⤵
        UAC bypass
        Modifies registry key
        
        PID:4996
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CMoYscUg.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        234⤵
        
        PID:3492
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        235⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        232⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        232⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        232⤵
        Modifies registry key
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AWQYIIkw.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        232⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        233⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        230⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        230⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        230⤵
        UAC bypass
        
        PID:1372
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SuwQQUMM.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        230⤵
        
        PID:5104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        231⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        228⤵
        
        PID:2576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        228⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        228⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LqQEYwMU.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        228⤵
        
        PID:868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        229⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        226⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        226⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        226⤵
        
        PID:3548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rmskwUoA.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        226⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        227⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        224⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        224⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        224⤵
        UAC bypass
        
        PID:1444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        225⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iEYEYMgo.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        224⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        225⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        222⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        222⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        222⤵
        Modifies registry key
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CmIQMUws.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        222⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        223⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        220⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        220⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        220⤵
        
        PID:3336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WOMYwwkM.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        220⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        221⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        218⤵
        
        PID:396
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        218⤵
        
        PID:4896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        218⤵
        UAC bypass
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TOwYQsYc.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        218⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        219⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        216⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        216⤵
        
        PID:1652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        216⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZYMYIccE.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        216⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        217⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        214⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        215⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        214⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        214⤵
        UAC bypass
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KoYQcAMs.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        214⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        215⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        212⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        212⤵
        Modifies registry key
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        212⤵
        UAC bypass
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WucoYQoU.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        212⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        213⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        210⤵
        Modifies registry key
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        210⤵
        Modifies registry key
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        210⤵
        UAC bypass
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iKIYowYY.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        210⤵
        
        PID:4004
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        211⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        211⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        208⤵
        
        PID:1608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        208⤵
        Modifies registry key
        
        PID:2224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        209⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        208⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OscwccMY.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        208⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        209⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        206⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        206⤵
        
        PID:860
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        206⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LYEYIcIs.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        206⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        207⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        204⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        204⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        204⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lcYMIYsc.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        204⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        205⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        202⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        202⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        202⤵
        UAC bypass
        
        PID:2680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        203⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\heYogAgE.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        202⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        203⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        200⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        200⤵
        Modifies registry key
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        200⤵
        UAC bypass
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mkkEEMwU.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        200⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        201⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        198⤵
        
        PID:4496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        198⤵
        
        PID:3968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        198⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GAwIgIEs.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        198⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        199⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        196⤵
        
        PID:4164
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        197⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        196⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        196⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mSgEUIks.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        196⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        197⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        194⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1336
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        194⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        194⤵
        UAC bypass
        
        PID:2536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vWIgQIgM.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        194⤵
        
        PID:3832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        195⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        192⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        192⤵
        Modifies registry key
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        192⤵
        UAC bypass
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nuscQIAY.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        192⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        193⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        190⤵
        
        PID:2296
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        190⤵
        
        PID:4732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        191⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        190⤵
        UAC bypass
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nWYooAYo.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        190⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        191⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        188⤵
        
        PID:452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        188⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        188⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hmsMIQwE.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        188⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        189⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        186⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        186⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        186⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\amAUAoAQ.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        186⤵
        
        PID:3272
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        187⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        184⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        184⤵
        Modifies registry key
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        184⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GiwkIwcI.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        184⤵
        
        PID:4032
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        185⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        182⤵
        
        PID:1844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        183⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        182⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        182⤵
        UAC bypass
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OugMgkck.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        182⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        183⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        180⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        180⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        180⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DqcEgMkg.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        180⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        181⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        178⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        178⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        178⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nsokAYgo.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        178⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        179⤵
        
        PID:412
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        176⤵
        
        PID:2672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        176⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        176⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xeIQwwQI.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        176⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        177⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        174⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        174⤵
        Modifies registry key
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        174⤵
        UAC bypass
        Modifies registry key
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JewIIcEo.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        174⤵
        
        PID:3708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        175⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        175⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        172⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        172⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        172⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UegIIMco.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        172⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        173⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        170⤵
        
        PID:4352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        170⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        170⤵
        UAC bypass
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mMcYwcgw.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        170⤵
        
        PID:3272
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        171⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        171⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        168⤵
        
        PID:1980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        169⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        168⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        168⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\goAQUAIk.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        168⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        169⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        166⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1664
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        166⤵
        Modifies registry key
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        166⤵
        UAC bypass
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\psMwAoYk.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        166⤵
        
        PID:4584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        167⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        167⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        164⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2340
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        164⤵
        
        PID:4912
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        164⤵
        
        PID:4088
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pcUoYwkw.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        164⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        165⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        162⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        162⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        162⤵
        
        PID:4020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VOIgYoAE.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        162⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        163⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        160⤵
        Modifies registry key
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        160⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        160⤵
        UAC bypass
        
        PID:3752
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OOcUcYYA.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        160⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        161⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        158⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        158⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        158⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ygkAgcII.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        158⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        159⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        156⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        156⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        156⤵
        UAC bypass
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IeMEEwQI.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        156⤵
        
        PID:4448
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        157⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        154⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        154⤵
        Modifies registry key
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        154⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwsQYgYE.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        154⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        155⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        152⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        152⤵
        Modifies registry key
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        152⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nAcUwgIo.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        152⤵
        
        PID:860
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        153⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        153⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        150⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        150⤵
        
        PID:2652
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        151⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        150⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nyEoMswo.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        150⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        151⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        148⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        148⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        148⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DyAcYYkg.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        148⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        149⤵
        
        PID:552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        146⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        146⤵
        
        PID:2308
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        146⤵
        UAC bypass
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mGAQQwYo.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        146⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        147⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        144⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        144⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        144⤵
        UAC bypass
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mOwUcEEQ.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        144⤵
        
        PID:768
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        145⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        145⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        142⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        142⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        142⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YmIIQUIM.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        142⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        143⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        140⤵
        
        PID:836
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        140⤵
        
        PID:1180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        140⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JQwMIggg.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        140⤵
        
        PID:1232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        141⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        141⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        138⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        138⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        138⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bYkoskcw.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        138⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        139⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        136⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        136⤵
        Modifies registry key
        
        PID:2676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        136⤵
        UAC bypass
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HWEokUEA.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        136⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        137⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        134⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        134⤵
        
        PID:4220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        135⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        134⤵
        UAC bypass
        
        PID:5080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMMQskYE.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        134⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        135⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        132⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        132⤵
        
        PID:1536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        132⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EKcUIUQw.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        132⤵
        
        PID:5024
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        133⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        130⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        130⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        130⤵
        UAC bypass
        
        PID:2248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        131⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ywEkwEEM.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        130⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        131⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        128⤵
        Modifies registry key
        
        PID:4900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        129⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        128⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        128⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QykcwcEc.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        128⤵
        
        PID:3716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        129⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        126⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        126⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        126⤵
        UAC bypass
        
        PID:4108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        127⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dooMYYYU.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        126⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        127⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        124⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        124⤵
        
        PID:1980
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        124⤵
        Modifies registry key
        
        PID:600
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JKggYYAo.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        124⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        125⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        122⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        122⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        122⤵
        
        PID:1084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TKQUQEoM.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        122⤵
        
        PID:4204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        123⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        120⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        120⤵
        
        PID:3180
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        120⤵
        UAC bypass
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUwQEMEQ.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        120⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        121⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        118⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        118⤵
        
        PID:3064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        118⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kEQowgEQ.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        118⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        119⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        116⤵
        
        PID:3660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        116⤵
        Modifies registry key
        
        PID:3752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        116⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EIYAwsss.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        116⤵
        
        PID:4164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        117⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        114⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        114⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        114⤵
        
        PID:2536
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        115⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GUYoYAso.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        114⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        115⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        112⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        112⤵
        
        PID:316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        112⤵
        
        PID:5000
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        113⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\awooYogQ.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        112⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        113⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        110⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        110⤵
        
        PID:4032
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        110⤵
        Modifies registry key
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NMQYgoEA.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        110⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        111⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        108⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        108⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        108⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZiowEYcQ.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        108⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        109⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        106⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        106⤵
        
        PID:1844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        107⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        106⤵
        UAC bypass
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jKEUUAgQ.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        106⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        107⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        104⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        104⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        104⤵
        
        PID:4220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        105⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fescYQEA.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        104⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        105⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        102⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        102⤵
        Modifies registry key
        
        PID:2568
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        102⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wegQEEYA.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        102⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        103⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        100⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        100⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        100⤵
        UAC bypass
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYMYwAYs.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        100⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        101⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        98⤵
        Modifies registry key
        
        PID:2896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        98⤵
        Modifies registry key
        
        PID:3932
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        98⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KococggI.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        98⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        99⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        96⤵
        Modifies registry key
        
        PID:4028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        96⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        96⤵
        UAC bypass
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\baEswQgQ.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        96⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        97⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        94⤵
        
        PID:4176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        95⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        94⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        94⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zoYAUQsc.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        94⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        95⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        92⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2308
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        92⤵
        Modifies registry key
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        92⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FkUAYEAU.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        92⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        93⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        90⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        90⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        90⤵
        Modifies registry key
        
        PID:3472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        91⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BucUQAkM.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        90⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        91⤵
        
        PID:220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        88⤵
        
        PID:2436
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        88⤵
        
        PID:3708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        88⤵
        UAC bypass
        
        PID:3832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\oUsAkwcE.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        88⤵
        
        PID:5016
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        89⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        86⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4520
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        86⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        86⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yMcMYQEY.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        86⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        87⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        84⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        84⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        84⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\egcMIcAQ.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        84⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        85⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        82⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3548
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        82⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        82⤵
        
        PID:324
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DEccYIQE.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        82⤵
        
        PID:4792
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        83⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        83⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        80⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        80⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        80⤵
        UAC bypass
        Modifies registry key
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\laMMkYww.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        80⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        81⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        78⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3012
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        78⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        78⤵
        UAC bypass
        
        PID:3908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jOgYcYsI.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        78⤵
        
        PID:4584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        79⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        79⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        76⤵
        
        PID:4764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        76⤵
        
        PID:2680
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        76⤵
        UAC bypass
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vIsoEIYQ.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        76⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        77⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        74⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        74⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        74⤵
        UAC bypass
        Modifies registry key
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YQQcwMws.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        74⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        75⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        72⤵
        Modifies visibility of file extensions in Explorer
        
        PID:388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        72⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        72⤵
        
        PID:4400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        73⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mYAskwkw.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        72⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        73⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        70⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        70⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        70⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\OqwMkMko.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        70⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        71⤵
        
        PID:632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        68⤵
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        68⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        68⤵
        UAC bypass
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iGMsYocM.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        68⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        69⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        66⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        66⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        66⤵
        Modifies registry key
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XUkswAEE.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        66⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        67⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        64⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4936
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        64⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        64⤵
        UAC bypass
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xKoMMUcs.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        64⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        65⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        62⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        62⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        62⤵
        
        PID:4444
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LyMksQMQ.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        62⤵
        
        PID:3304
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        63⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        60⤵
        
        PID:1084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        60⤵
        Modifies registry key
        
        PID:3660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        61⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        60⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\luIUAUIg.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        60⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        61⤵
        
        PID:404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        58⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        58⤵
        
        PID:412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        59⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        58⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kGIYYwME.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        58⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        59⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        56⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        56⤵
        Modifies registry key
        
        PID:4892
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        57⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        56⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eugMwsAo.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        56⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        57⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        54⤵
        
        PID:3292
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        54⤵
        Modifies registry key
        
        PID:1584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        54⤵
        UAC bypass
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\iyUYgIQc.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        54⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        55⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        52⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        52⤵
        Modifies registry key
        
        PID:528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        52⤵
        UAC bypass
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SOgAgsMs.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        52⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        53⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        50⤵
        
        PID:4760
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        50⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        50⤵
        
        PID:4588
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        51⤵
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BgYQQAYk.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        50⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        51⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        48⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        48⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        48⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VCIgYYQk.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        48⤵
        
        PID:4576
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        49⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        49⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        46⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        46⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        46⤵
        UAC bypass
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pIIAoIgw.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        46⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        47⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        44⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3784
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        44⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        44⤵
        UAC bypass
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dCckwkAc.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        44⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        45⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        42⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        42⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        42⤵
        UAC bypass
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\csIMwogY.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        42⤵
        
        PID:4964
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:220
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        43⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        40⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        40⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        40⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qKMcQwcM.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        40⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        41⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        38⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        38⤵
        Modifies registry key
        
        PID:4380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        38⤵
        UAC bypass
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uIoUkgAk.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        38⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        39⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        36⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1332
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        36⤵
        
        PID:4932
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        37⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        36⤵
        UAC bypass
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qAYcEAcA.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        36⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        37⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        34⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        34⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        34⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zKMsEYIc.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        34⤵
        
        PID:220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        35⤵
        
        PID:400
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        32⤵
        
        PID:4672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        33⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        32⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        32⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FQAsQkwI.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        32⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        33⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        30⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3816
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        30⤵
        
        PID:3240
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        31⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        30⤵
        UAC bypass
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zOoAoMIM.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        30⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        31⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        28⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        28⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        28⤵
        
        PID:1928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        29⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fMoEgQMg.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        28⤵
        
        PID:1156
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        29⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        26⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        26⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        26⤵
        UAC bypass
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UisgkcoE.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        26⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        27⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        24⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        24⤵
        
        PID:3764
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        24⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IikMAIEw.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        24⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        25⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        22⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4592
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        22⤵
        Modifies registry key
        
        PID:3268
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        22⤵
        UAC bypass
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQYwMEsE.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        22⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        23⤵
        
        PID:940
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        20⤵
        Modifies visibility of file extensions in Explorer
        
        PID:2252
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        20⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        20⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nYcQwUkA.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        20⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        21⤵
        
        PID:780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        18⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3296
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        18⤵
        
        PID:916
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        18⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RKkoAQMA.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        18⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        19⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        16⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        16⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        16⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LAckQsEc.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        16⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        17⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        14⤵
        Modifies registry key
        
        PID:3008
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        14⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        14⤵
        UAC bypass
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NAgQUEEw.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        14⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        15⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        12⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        12⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        12⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwsYIAgk.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        12⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        13⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        10⤵
        Modifies visibility of file extensions in Explorer
        
        PID:1204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        10⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        10⤵
        UAC bypass
        
        PID:1536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\smQEEMAo.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        10⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        11⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        8⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:2552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        8⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        8⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gcgAssIo.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        8⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        9⤵
        
        PID:2340
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        6⤵
        
        PID:3292
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        6⤵
        
        PID:3744
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        6⤵
        
        PID:4248
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WKssUwwE.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
        6⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        7⤵
        
        PID:4596
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
      4⤵
      Modifies visibility of file extensions in Explorer
      PID:4388
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
      4⤵
      PID:3268
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
      4⤵
      PID:5024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZMwAwEUE.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        5⤵
        
        PID:3832
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
  2⤵
  - Modifies visibility of file extensions in Explorer
  PID:4216
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
  2⤵
  - Modifies registry key
  PID:1524
- C:\Windows\SysWOW64\reg.exe
  reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
  2⤵
  - Modifies registry key
  PID:2572
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BSEUQsEc.bat" "C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Windows\SysWOW64\cscript.exe
    cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
    3⤵
    PID:1016

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3296

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:1928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2164 -ip 2164
1⤵
PID:4888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4896 -ip 4896
1⤵
PID:3160

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:4892

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv ggxA2BqaV0WNmcc73xWo4A.0.2
1⤵
PID:3932

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.exe

Filesize
315KB

MD5
76c4d601ad385bf11fc97e446cc27209

SHA1
d1ed404a17d76be58db02a6a395f66fc25ced0e0

SHA256
8d1a5f4a5ec6953f79508d0d77c6a706ddc07a868bdb5c6be95a05fcef66bc68

SHA512
53c6a8381fc09adb1c185563a2d642543e3f366cae34a99829a493248e986268970537037280dafdf84a38abe418cf14944e4ef77309fff1c5e15e6017a11b59

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.exe

Filesize
242KB

MD5
a7062e6139ca9abfc223d0f99823341e

SHA1
ac23314851b585f2d1cae563df09647f8ae462f2

SHA256
670de5d45a5d7f70db480d38dee4066cd8aaa575695a442915f89fb89c59c5fb

SHA512
84fe6f174c83003f2554d4d1510d4fefbaa778ae3c950e78584665fc5fbf48255601b6e524e55c2a38b47b08eefe1833bf909e4be217ef8ee726a9b1c354db12

Download Submit
C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.exe

Filesize
235KB

MD5
b37df4748e64fe7032d15a2fa25a3b27

SHA1
2a0f3a8238020261f4c2f0c91f0b047aa8d7345b

SHA256
a8c495f41ebd70e1aff9fa2b7f83918433f87f840c61d35a8bbfb0114fff8a9d

SHA512
d4c6cdff03a18c19aca09d9212d0f21a8dffec40038f27a678f768f4a2ea8a915414b2e861e2e04293c497eb45e5d2f67c1f5cebcdc5d655e185bd851da67260

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp.exe

Filesize
775KB

MD5
5e1b557108875f7355401794cb08dff5

SHA1
c61432a6b08836304c1ecb986287f1d89d139831

SHA256
850e954048c935a0ac39a8c688f42b20e221defcd35042c0129f810795d7d050

SHA512
0ab3257629b9bfa2f43c92cb8c8edc03ec626a4a9b829dbdc7baf208b8dfef69f454ed44eb6bf0061c88665e4b6a2721df07f4578cb0d01b6528bbbe834d0ad0

Download Submit
C:\ProgramData\uEMAkYkY\XCgwcwgc.exe

Filesize
191KB

MD5
a19351718e0a14e78de822663943ed6b

SHA1
6108a32cf910a49511ab59ff92b45875915d1269

SHA256
2ba8097b638a6ff6710063a734c05c7deba54241597f988f940d8de71dc8bca7

SHA512
57083b1ab083dfdff20e6ce962829aa793b6d19aa8afbbca87baefda3d8603dc2e59f6f513579f957cabd78b5e72ae8dca7d08ee3ad62d9fa05cb033a98aa3ba

Download Submit
C:\ProgramData\uEMAkYkY\XCgwcwgc.inf

Filesize
4B

MD5
7150302c0805332a3c7852e32302d3b2

SHA1
38ba301b99bb9d8eee69fd86c3ef0b80a4b7bad9

SHA256
3adc46c876579afaac7b40fe5b5df46809af6334ed108398dc1b57620d910885

SHA512
a9e92b77e1ca0c42762db956d3f4a54ae7c071d6fee49f85149d86857dda99ee1745c49a346e110512b1193d5bcb1959b9599d6968a302d9ecd70fa612808d3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png.exe

Filesize
196KB

MD5
7f687575456ec6277f88c0f7afdc5a40

SHA1
67ca2f1ba6a219ee3d613c3e7d8fb19d8bdfa4a8

SHA256
72559d403a69ad146a050a335634c5e25a54eed5845528b39e308a8f76e7dcb5

SHA512
ca7774654dfdb4423458fb6735f5cc7ea237b272e3b2ba8aefc8b852e9f99512acdd961ead24d98a8207f1858e7d885bb08f3ffde444aeb2822700ab567d0415

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png.exe

Filesize
198KB

MD5
9bd62530f454258555ed182e01466d80

SHA1
583b73bf617cd3eacc5b9b5f1461592196ec3339

SHA256
e5fac8845b506c44a8748d3de392f16e5fef1a64474aaba35185725ca4f328c1

SHA512
c5374e6414153be23a2830acf91abccc3ba7b87ceb2ecb1eaeb52d9162602326c13e557d397fd32d042eb2272483a9445e1a0fca8fcb18aea9da5f88d3b6a058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.exe

Filesize
198KB

MD5
6375af57d76fe36ec18509da2bb08b89

SHA1
86764253c7d9b8459c2ef9f72bf5ebb8340d9ec2

SHA256
7c634f575ba3f560e98fb5f402e5fbbc0b5b3a1ab5a1fde27e5f3794c35d4a8d

SHA512
794ea51e60603bb30b5e9783ec1c450317a2b20ee77e4ffb041155f61a59e15f0bae31d5531cf164a2c3fdaee2a77605588cc9458c64e8b00d51dc931e01da0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.exe

Filesize
202KB

MD5
e1b170024a24ee2c2e14ecad058f586a

SHA1
578ddf47bfc1f5ef8e23eabad901488bc4fdd024

SHA256
7dbeea5a2c29338d188524fde45708548fdcde8fd529debd3662f1fcfde38d6e

SHA512
84d4ab80017e83b027a2669871aa5369bf8990ee8992926c6c713f42e717024a9296d89cbe0a22127c9d71028155fd2204c4aaf37d2fc6ed52c73f85105219b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png.exe

Filesize
191KB

MD5
a102fbc9cd145501f9feb595fbd02c47

SHA1
d88faa1ba8d93443de437667b817d99255c1b6a4

SHA256
e25e5b1c23622e0ff1618011f21774c46bf8db8249928274dea6dfa57f5361b1

SHA512
b10acb36f20aebe6ca16f44c0d5c2c8b21ada30aeccaa777f9f55dbd29a5f81ebbdb84d8ff5ea44ac69ce0f1490bc432dc3e46a924e1d2dda8e183fbb0ad634a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.exe

Filesize
186KB

MD5
b78a18b0117f600fdcceac000934c5a5

SHA1
0c186a3ad2aa0877c0160ebb935f37daa78d6b7c

SHA256
23b4105d3e413006bf1ace61f9f27d6dba39bd951a5cb101ad099218e9e0f92d

SHA512
d17893cd985c75e67e1f343b361ca0d1ba5531d67809d8e1ed10dd68f8b572bdd5fa6928eabcd58dc2538d60ef6cfc09b0b1493d85f690932ec3b37f1a274650

Download Submit
C:\Users\Admin\AppData\Local\Temp\4dc57d384dfb9b282c0f14dceaadaf00_NeikiAnalytics

Filesize
6KB

MD5
2cfa6796fc3ef55c4c52c89ffee69a01

SHA1
27f7ec659a880adc68377806cfed8a19a83d7a19

SHA256
01d3f4fcf587946f892683a96fe4417b877cf8e6ff40ec63c769d5133364d5cd

SHA512
68b90ed4f4bcccb864a60e89489b6a11812c229e3b04b4ee526f4f0a0ed434883b1ed0d241e7098143b172795761fc6e0af1ae07155abb7c9ca24c3d979cd610

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIEa.exe

Filesize
201KB

MD5
eb632cdc58eb96bdaebf1b8c72b02df7

SHA1
fa8224166f1e7948446008ed381e8fc469e5c7f5

SHA256
bcdf8b4492d78e2278a76549d2e48d0c544f486a54e7282d35f83ae1a6ab8b1c

SHA512
1bd0bc0587cefb9cddd030d6926cc817aa9ced34c4528d48d7d1d605242919085497920c4bb48b0843f9dc653a7d258c9db0adeca05592015bd6ac0ee131ad1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMAA.exe

Filesize
800KB

MD5
ed687b1aef0f3c4f2f32dbdbe45f85d3

SHA1
57479eb81839d3143ef11552717ce8e44bc7bf70

SHA256
81bc27c7f1126fa7cdd6f70bd923fd98e7d53f04428a7140122323cbceb4df95

SHA512
43466e4c08b30d03d6d34c8d1004922e9af1f618151de07289f677259da031c17a1199b63a75530f60d8bcedbc8f8be07766ebb905f4947a78009662a07d2456

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMYu.exe

Filesize
203KB

MD5
f1998178baa912cbf41a1837aa3dfe1c

SHA1
9470b9fb7a15f17189801b177fa4610a404f8798

SHA256
0f5a2c0c2e195793d386083d13f3f7898928cba3dce427a13b48f723593e7e35

SHA512
2fe07e7f377f473aa79d0a99582494e7aa643a95a4af5cc9e7849ee7004944889435ac96bac20d6dcc873a44e9836d34ff7e1bebda4ea6e6c8278a360fcb8ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\BSEUQsEc.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAYY.exe

Filesize
203KB

MD5
6dd12319703190572d908aea0b6b04ee

SHA1
8b0e8f54b809da2f29ac76ac022c1f93b64d22cb

SHA256
8b61bd268e33554589e337b69f33acadfe68e3cceb4a7d3307176b8f214a6ae2

SHA512
d3978921bafc81473764937eb221e3b18db4203fff30b51b0747b55fce0a0bfbb3e5793b507d22270cc8268572b2c469c807774d59ba55a0bdac518a78bee10c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAoW.exe

Filesize
204KB

MD5
40004c1836a48f7e6a1cc96e0c771dce

SHA1
590393a3a4c4178e7fe316ad3245b36674b39838

SHA256
bfc96063f57439cbcb5337b2b2c76a81ed1c399d64f5f4623de6f7408b64d8d8

SHA512
c3981b2da40ea039154edf8fe4074fc0787f05a3fdc40608432256d3c7ec832d92f538267cad80693d1701bb884806aafcc47cc21ec4f8b535ccb7b93b92f006

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMEY.exe

Filesize
517KB

MD5
6a79a004e09a8c864e7c746f420c5f58

SHA1
35c585cf1cf11fe44ede4d1fb57cc0ef740f135c

SHA256
d9ec460485c08a51ea89d0cf333da23309c1a7c7259bc227991dd30565fce662

SHA512
954babb557a01506e7c32eff9b4fa27aca8167c3052a094a74e686e26b16ebc04364a73737fef1f32490745ac2fd6e48dea18b0f0157a30652c9cea44f9b4089

Download Submit
C:\Users\Admin\AppData\Local\Temp\CMcq.exe

Filesize
205KB

MD5
1ac99ec7a645a8313bdb2e363182e501

SHA1
a6eee01753f9546be2888261ff290a6f24ddc35a

SHA256
48e5b6fabba6d8c1eac50dfbd4abf4d623367db984ddc2ad0174015398b84ff8

SHA512
246b66305c692feca05479536f9a408a7c8d2d98f2c113534ade127aedc72a48b175585fe640274fd47be29ac234b986efbd9968933c258b9725b58f87eabe9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CcUm.exe

Filesize
194KB

MD5
4d2b3412831bf772bf0d07ecc5d2f4a0

SHA1
9c025eef391dbb358d3507e7ebc83655efd2640d

SHA256
104b2d36734d893bddf6f427162d81ef90f90d16750f1e610a2c24dc7ffafda6

SHA512
8f41a2746cf7fbba7726ca376b8fcbff292c53343b58b001100deb4cfc7ad9783c82369e59136214cdbb1cf0da3d7dfefc153bcfb13568d0781e3f99de0add10

Download Submit
C:\Users\Admin\AppData\Local\Temp\EMMa.exe

Filesize
628KB

MD5
76fe2b60bf82f778b3bf369f3dc488fe

SHA1
6a6f87af2e78f9776a07516b6f98cdc695a10104

SHA256
9dc21f07b5df6cf8e2a660bf6e08640087ff353635f6c08589d33d415c120e18

SHA512
8c27ec717c804999f041163ad4c3dc7a3a8fac917d83c9f2b72668588e31019760800e566d3b1feb4b8ea74898ca0c07ba8020b9ae7dbd68e56fdafd2fb62804

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQwE.exe

Filesize
191KB

MD5
31ba3b7a685e00150953af98afe388a1

SHA1
23d15267e97a8cd3b229720072852e6b92ca8ac0

SHA256
de8ddb55c5b6f24d14c6e4967edbd0f84dd6773632d0ab5922510a056204e72d

SHA512
427fad9100ffb3162ec5120c0cc06e190401eb5df81e304f8f28f96719833d4604c4ef7968d252f2df0a5687bb145f8b0490c6b24b9c874694d040799ba85a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Egwu.exe

Filesize
191KB

MD5
8bd1e624799447f54ca701bda97e2e8d

SHA1
42eb8a0d2fad01e8bc19aba3b35ef122f22e05de

SHA256
4661bbd3e688646c88473f90c042d3eba94ffd28f5019dbf42c83974d0e373ac

SHA512
9b73dd7e986cafed86d2ac03087bb31ba15e7727409a109c0560befdd0a065516099bd945baf76799573608339261477f33171996661b4dc57107ff514f2fbc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMEw.exe

Filesize
193KB

MD5
c016994f9d91e6c15ba4dcc69666165e

SHA1
107c701138363a4bbcb927015c95226147932032

SHA256
cd783d9c2e5cfb2d7f6f4d9058ead19e496cd94acceb648b7517bdddd01b0560

SHA512
48daf5b1842da156769cfeaab695d86fd065b59a4f215645c67a4a9152945f4b92509a7d5d5d02987b1c00f244d549d01623a8fc83c730b9f529fb4d86e601cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\GMoK.exe

Filesize
257KB

MD5
3821d5bbc740d62b5b3fef8a176453b8

SHA1
99d755a0721891f5c2415f63ef67eeda0138d821

SHA256
24e3ead4bfa8b5499d6d50831f730408dec35230bd6d99ee83abd492728d368a

SHA512
ad2985d2bd7c92ecb2faee925956e8f50eead430c9e80a551c3c542c31344b9f6c68b80b0bd951b4977aaa8fe3dc8c2a0f962d89def0eaf6cacd63156818af8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMs.exe

Filesize
456KB

MD5
9f929c5dec4c82759843498bed391696

SHA1
008dce09e17cc316e05f377b42b7ae26ff570b53

SHA256
47dcc4dc5c293657a380592a839672b6616dc4795c40b40d42ba4d2e5f18963b

SHA512
6430f689b934b0d96bc75d4b147be35ab17dd0bc7a91dec1309ffbc91db036fcc7cceb43f5dc039c91813709c48aeadfa9618c036b93b23e67505aaff7b5dda2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IAAG.exe

Filesize
187KB

MD5
b7af88ba5d15f4f0d33330f53b70a59a

SHA1
36f26371afedd55dfa50dd30f41c19995e2ff58c

SHA256
7c72c33972f3843b79bddb86bd2baf682b9067ef0dc4ca208e4e123d8a4f8e2f

SHA512
9bf4e5dde1a9d527be643a2bbfadaf38c678f744b5fad2948bffbb5e859691375f9d8ad50c422e256cd85e8907c12f5c0b2fcdb5bbf9fb1b87c4852c01f0fdf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IIQs.exe

Filesize
198KB

MD5
28ce61a4c341759e1d67ed5c78a3e9a8

SHA1
06abc75821a9f788e4910ad2f22d7a1b5c6b1386

SHA256
ca1bf1556aa0f806d30bd946089c5f46f7a0e4795d9506c4a2740bdd91fbd630

SHA512
731bfb7c2232124bca1eddf2065add26f1265029a7249a0f37a86dc4228d919f0ec54596e58a4271e154e4827322868ab8bba80499dab9eb4cfad7e5ed501b90

Download Submit
C:\Users\Admin\AppData\Local\Temp\IUMi.exe

Filesize
361KB

MD5
cfdcb63e711d37f7416bdc37fad7db03

SHA1
2a530b04f2a264098a03e8ca0a60aeae6f8d3da7

SHA256
6d2b469d23b35f293cb6dca5c6e05c5d03b88bb1b50c291cd89577ff149097f4

SHA512
df2790b382a0e1f7df00a30fe20ebcda3bdd2971c9de86dc126afc600ddb296228a21454d086d9ffd70d38a74c2b55ac96268218991643b6979a93674db85a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IcEU.exe

Filesize
197KB

MD5
d1a788d33b1d7b17f2ca5addc433d04a

SHA1
727d2cd40eea8f013ae1ca3277d62642481daaad

SHA256
50e3a815a95e041ce882ea5a8b23bde8b7414bad10b3b9db91c576a24c870c31

SHA512
d4d35fe50fb15e2a173096f9e1d298fa6e3c6095de2141c4602f42654c555d2cca74a7098108cbb5a8a16a52b80b4bc0cffcf7aff15c51d0d807b29104044fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwUI.ico

Filesize
4KB

MD5
7ebb1c3b3f5ee39434e36aeb4c07ee8b

SHA1
7b4e7562e3a12b37862e0d5ecf94581ec130658f

SHA256
be3e79875f3e84bab8ed51f6028b198f5e8472c60dcedf757af2e1bdf2aa5742

SHA512
2f69ae3d746a4ae770c5dd1722fba7c3f88a799cc005dd86990fd1b2238896ac2f5c06e02bd23304c31e54309183c2a7cb5cbab4b51890ab1cefee5d13556af6

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoEu.exe

Filesize
191KB

MD5
23c279cb761025ace19a3ca2826eb1b0

SHA1
9437b96898596ab094ab527b3b42e69acac4c263

SHA256
759b51092365341652695ebadf4d7c10a7429755eab43bcd6018be784a278460

SHA512
3a2bbb7f9dfb70c59c6e0e0ae013f6a569f1fa3722a7567b83fc2f79e6fab74cfcc29410783c01ea4a7fef61568f5e8fc4c01a90f98f1d596c1c9eebbd9d1f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KoYq.exe

Filesize
184KB

MD5
b19e94235f9febf787795c620d65397c

SHA1
6ee63c0d04502c13529c295659e19b3f81fc3d10

SHA256
de833fafecc16c81701a240f5fa2577fd17a195505c29ee85e42f9e0383b108b

SHA512
39247fab9a0b6f736b55fcda2b501cbf54ad4afa476f65486b92ca4dbdc4853e7f1486c1525f6399a0ccd5101d61f6ab955f3bb47a934e138830fbfd854b6623

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQQS.exe

Filesize
904KB

MD5
ead6860fa7bf7a0e71c541581cd3df69

SHA1
e2a127abff35c690443e9d0e1eac9020d6eabcc5

SHA256
4a3a8049aa0d0a3715de744c72ec51ebd12e0b89fe5f82bf7be484f20097a494

SHA512
5c4a4cd6d4fd8c3968613990d7ce826f970c905761b16f540eb3e20d0ab39576031a282b33863c9196949ffed907b1071eaccbb98249ec1e767cc62484aa3ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUce.exe

Filesize
208KB

MD5
62abf28c14071c6f0ddd98b86518b817

SHA1
5cabf996c7e2dab6bd9eac44b5a8c3e1ada1adc7

SHA256
a3ba630f034ae9f1d644e6d47915a77ce5594e58c90194a8a27f849ff453f9b3

SHA512
1fbe79ef49210b5187eb87d8348b6dbd1bcdbe19d8a5a46ee8814f4902689d19752c9caabebc6a48bde00d361b1dede26127603273e90124560a520af7db3aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\McIc.exe

Filesize
190KB

MD5
9dbf47fac0c89094880d3cbf533a23f3

SHA1
33b475a8a06e6a1299fe4facf9374bb346b72b87

SHA256
41ae81cbd91a2e77dad6c49458a55d55e672941c1cad4e8e9ed2c057e323177f

SHA512
64c1561515f87220a9f9ffe0fa81a04ebc677ef6c51e85d6fd8e7770a1efb851c0e40b97df9ebea2f939f1e6e296dcc753e988f86d483f54e3854824c306a492

Download Submit
C:\Users\Admin\AppData\Local\Temp\MscU.exe

Filesize
647KB

MD5
c0300c490379adb39aeb1499f67e2425

SHA1
49787fe29b40991ee608e69dc09463e844145f39

SHA256
ede19c9b8d71d6714f9cbad6ca29aeb8a70d80cd640d0e53443925a52873b649

SHA512
5d3fc9a3852db646372f5408e4f5346f67c1ea2a0c327f436762babbed7d511c73980ae19c71d927b3fec45c9d97d853f8d763921062dd278c65cdb6de83fb10

Download Submit
C:\Users\Admin\AppData\Local\Temp\MwEa.exe

Filesize
210KB

MD5
7d2fbe83bc6a3839729c1d9325cab84f

SHA1
6e355a619cdf4bc806853211bf49dad7ae31d0e9

SHA256
1892097a83862a89bbac35d6a8a45a320a5c1f7592e13a0fae85ecf1bca57da5

SHA512
3ebdc322732ba79d944ccdc1f73c7d68e3f0b34c0b86f74770bee0a784774caafc53c2fe55c8b6eccaa19743ef5180f74e39c304d52eece73d4d7836842be9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\OAMg.exe

Filesize
187KB

MD5
069a1a34434b9c63af6993bf735483d0

SHA1
10ccab9866e419ff5b9de13092460ca249489dd2

SHA256
07ac544cd925c76df93ee8d65e40107a291fcaf044528e29d8bd617612a5bac7

SHA512
451ae434fd1732cd03d76924adc2f8bf716a7231394173a5eed22fa630ded6a9048320cc94d172627b3eeaa1d80d6044bf035a9d18b067e2d00ce5a3316a5d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcgI.exe

Filesize
199KB

MD5
50a2e4c25819dc9a65f9c153075149a7

SHA1
6ced3ee55db74cf4254ffb752f893652d58edfb4

SHA256
7adf6a7d5b61504e7ffd60f1b4faa05fe2d903fa009666b0f60cc8a2651256da

SHA512
4e8b762b71a68c3e4a25d532c1e0b71626cb165dbfc5ffa98ac656630a57ace527b392b8a3b0e49d3e44fdfbd526cf75b268a37f47d51acd1f581eecce1f52fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OcgI.exe

Filesize
492KB

MD5
748149e4f0b1093bf7cac1c350d35892

SHA1
b7cd65b75ede1aab8314419ebd61fb6053e6e014

SHA256
0c51952df0ad34ae3ef5a7fd5931d938d8880df261abaeeccdfe5d9a8261ba91

SHA512
50e8573afe8fde850d99b204e6a4fbe09e05c5912f50cf80632c0380d8e83279c777528b3c87d71b94c9a089e9c102276defbd0238e21fcea6d15ccef9643e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ocke.exe

Filesize
204KB

MD5
93d9e336a2cd4c6ccd3a432b8ad8c7d6

SHA1
a0a2acc6e390a17bcd1347290ff66fe5f4206daa

SHA256
7f35e6469ff872a761149158f46546299a1b5eb22ae8a4c6a5c6258c643adb59

SHA512
6228f6245947a2e5a5a4b2c5bf90fd9fd2c7e509e170282caf243a5c8fa0aff70a920367bcf743ab2bc760ba287487f049260e156ed562463b8fe5456fd3edcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\QAki.exe

Filesize
687KB

MD5
fc63ef3fc1481e6169f1293a2754af8f

SHA1
f754bddcc594abee3e90ec2706259b43a32cec77

SHA256
d6205181884dd69453e72c558869713990a6645cd7711f6134cf3f935025c053

SHA512
7c18fe08903f36aeb3d1f4dd633b746deea2f3a8839e5765b90375a531b5fc45ea902d3b5dc75650218bc1fcb273d00fade664d04727ad5074036a5c91493450

Download Submit
C:\Users\Admin\AppData\Local\Temp\QEwq.exe

Filesize
5.9MB

MD5
2b7816ce3bb7b858c2f75ca5de38c94e

SHA1
631b5f02bf26d4fa6fba27f72073262f2b53d819

SHA256
662fff8f46cf2923de19cb1837981fe4616e239da6eb747cc7a680db9956f836

SHA512
e680449f147f19ed0540d0bf325b9b419494190852b6340602f9e53a7d5c811bb03f6cb33af05523d91630e337e778640dfa25929142a5a34ab10220fd924bed

Download Submit
C:\Users\Admin\AppData\Local\Temp\QQsc.exe

Filesize
497KB

MD5
cd7da22799caebbf11d1d8df2e566393

SHA1
d22cd3c74411f59df5629a63892aada804a2453a

SHA256
bccd93cc6edc3fdabc57f8c2a06f1069cb020cf6b6a0f3472520ba049ba45085

SHA512
04d9762aa684eb7266b767c7f7429a0051fa90c4f3444f30863e707c4d052f71bb7543ff89093873d353c4c296f3e4dfdeee126954a0fb4b4ebd4266c023cf9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUYW.exe

Filesize
181KB

MD5
4e6a62dad16b5ec875b68a7c5ab35f84

SHA1
34fc8fc9f9e6f16a7d5004cffadb08ee1152e0c6

SHA256
cbb5c1318f05e725ee209515a44cb4afff63d6e8bc3f8d4efdbce3056215e06c

SHA512
238b027b3be4ec44286b4c8c8c17666ed3f8d56dd8151e79c4e486d0d2586cf14e1ef3d87c8fd67ad3630b8110d235585b87b26c6a5f42fec07f85f5ee6c7935

Download Submit
C:\Users\Admin\AppData\Local\Temp\QoAC.exe

Filesize
765KB

MD5
ed9dd76ef8c073437aec1f5875d665e4

SHA1
68b6f422cb0ef4026138a19350c375c4e75b5df9

SHA256
507b263536d22283b631d85694cd9f632dc4294c60698aab6f126f147f672805

SHA512
5d1cc92c35df36320425f98a0785486f2bfa830017911c5798cd28ca9c89dc7a6cb0edc421fd0b7fff5e5f25fe4a973397d0a654d48685f6cb47f14abd013a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qske.exe

Filesize
814KB

MD5
a57e157cb4bf276ebb978995ccd2f4a5

SHA1
a4339491bfc59810c288818fbdd266305fef8623

SHA256
6d351089d2450d3552d2f271ae4c40042ffe188689869beac5a5dc7d22033e98

SHA512
17acbb1a3acd1f0705607e4acd18db23167c1a2cb0aebad0dcf7cc5b4ca592c6b5aa8cea7ade8b8fea6779edd957e35d0e653e39c2e4ef747c7e1a23dce244c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ScUy.exe

Filesize
191KB

MD5
2ebde4b9fede62b4b1b248aad24456a0

SHA1
fd1b0fb22406fa4afcfbd4273f7d918432df7286

SHA256
d64653f6c6149d6a98e9c8fcfc99a2bbbd6a7b41f4a2dfc7bb57551e335cd5a9

SHA512
71361c2a4b530fb9ed3f7c02fea2b2ed391ab678feafce2030f9cd9c4bbac0d2f05ef001355fcf738d89c8889deb03556111266e5bba14fc308e5f952c759bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\SwAw.exe

Filesize
631KB

MD5
71df723ceab90aaae635d02756ac6bea

SHA1
7652d7c1455d54e2b494009a52b34de5786ca287

SHA256
5b5986c5f872f8099299290ce52d0749c653b1103404676d330ded972c64d2f5

SHA512
92f5886d60bb8e3ed1f6463978a9e637581d9ab1d4b81bb5da8bfa4ee343772d50c9f1ebe44431be8210765eff66a6e5161fe64f7127951a35801f982ef3c237

Download Submit
C:\Users\Admin\AppData\Local\Temp\UAgm.exe

Filesize
323KB

MD5
6f0261f8d7b46e1e8c98532c8bedddd3

SHA1
ae67e8429132617554c1e250b4a5cfc0d764b04d

SHA256
64d263cdd81783376962cc6325d29a43d274ccec21728c6aadeb9749f2772afa

SHA512
888bd6f39f92ecb43a476020c4dc8347ca69ebe55c039e2f5296ef3a6de557bb7239c84355f1dbfa1465605f10b98a2472870d7b07d882fdf105fe0782978de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQsA.exe

Filesize
634KB

MD5
d0dd9ef5606392e0ff1a6714c309ed7d

SHA1
afdd01cf3371b8551b04fb501e9c0e9d3fefa273

SHA256
d0b0317c8c009ae919f0c33c33e3cbb03db50faa126a91ecfaa5085cf05a329e

SHA512
4b926896125ea6bd9a617cd5c63a5dcea59885db2f114510cbc2a3115a637d6f64c4224b4d489e7a5d76fa352f4b7047fc7fb92c9641a42ea3b2c54eafaee952

Download Submit
C:\Users\Admin\AppData\Local\Temp\WcUO.exe

Filesize
214KB

MD5
2e264055d9459f5a79f81a25818c4f12

SHA1
bdde94bc87c283d308da2fe4ada558c4fef5e79e

SHA256
db20b6b0379cde882dc5f39a7bd3badedd26c486ca9bce2680e4e34a5ed987b5

SHA512
2afc5523853443460da2530036cc59d43c0c793396ee7d2a4f43b99e4a011928f278273f6bf89ee13449dc3dcf0fc16bd0b17119538de57dada21aa153361d22

Download Submit
C:\Users\Admin\AppData\Local\Temp\YIIw.exe

Filesize
183KB

MD5
3222123e73d259f452687c5db8d7fc8c

SHA1
dfefbb466ee8b685a97eff43ebc02f711b99c9b1

SHA256
2a7eb74f7916334b19db9ffe08b03cac5d71ce6b85e6609bfcb0d04b462eed0c

SHA512
f90fe23f5fef04b154060d2c94466d8dd9af8cc2268d84a9183092fa0900a4a6807d9e6621cfb4f53d854b879ae8912810be26cf990ef69ee91c3d94d25357fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQIG.exe

Filesize
5.9MB

MD5
47965a1280e229b9ba55b487a5115b6d

SHA1
87aef3015764057fcfbfb94989fe3ff0d2b20823

SHA256
d7fe2d57acb3d689fae03e7595f63e8a3a02cee1eed3e5c981957a255bfdccb7

SHA512
cc8924b0465010c7ae59ff0cce7e034c1d7fa718d2fac29b467b36870cac42d9f5fe4c14f9846df3df2e32e9c6ea6cac6f48c2e11458ca045da1b4593e98b06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUMq.exe

Filesize
213KB

MD5
8747b495e2e8fbbd2dafd453042f4124

SHA1
f0d7c6b6c3c8267942e6574581f03b581b2e8e69

SHA256
c6ebf24dec01bd32907f64a81695941ae7e1090246a1dea806a094c8b2059856

SHA512
a0cbd2466e6a8f9184ba668f2a18ec2096b150e76f09797f6ad0b137fa71227ae38abc54514e4de7f9dec6adba0fdc7b4e0d872cbaef378399762855132317d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\YYkO.exe

Filesize
203KB

MD5
eaf3d1d89bc78335f0a8574862ecf4a9

SHA1
ad36353bdeee01ac1b7bc7b4d6cbe09fe65c76b2

SHA256
babca703a8ebb831f8348e3f9c6d7dba0f33d700d392f0d759b801f3659715d5

SHA512
54611f1fbd3764dcd4438fe0688b0cc262ea4ff85813797059a7e942633bc8270b761503e14825587cc5334c3bd2ee943ba00736e0ad00372bef71e50c71ca58

Download Submit
C:\Users\Admin\AppData\Local\Temp\YcsA.exe

Filesize
185KB

MD5
505aed073590ba97f2ba9227454efff3

SHA1
710b8bc5a9d8cbfc7145996e4da209e249d7b172

SHA256
52e75b539fc76e9a7e10d5b20fb50d913e4301c9364d6908948b5f503ebe0bdf

SHA512
ed7afd105c080487836b5fb137c068e6bf851cba4cb8afbe308ca6ee46bb7da966b406193860249677f30132c7a593a0e16f6d9b4f6a230d8ae9a26de571815b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YsoQ.exe

Filesize
214KB

MD5
edc44a7ba6777993de4f7b0b772b030b

SHA1
2bd8651edeaee2bfe8df0cc2a11d661a66a580ec

SHA256
ac0e713f68322ecb1e292c74f234da9adb0cae34e0908cfa0b2c09019de75580

SHA512
3a817cc69c2facdb5907e4ea1d4a6cd56354a366296ded8bef4591f5ca4ef0074f46401ee6b2cb2078444032bd8e6a58f168b30a2212e313968edba42b4f5456

Download Submit
C:\Users\Admin\AppData\Local\Temp\aIUC.exe

Filesize
188KB

MD5
a12ee1b1f7772f10e703692a3cd2173c

SHA1
f870926a108483d3cc90c896835f58151d06ea9f

SHA256
aa9a5c7fb412081dc6d30b8f110f539cb150caee29da520b0da7ada5ddab24e2

SHA512
39fd2fad9056f300b870e50f68d7e9540adb78c73f972c14b453837f81d4711259dea403f2c862e3cc714c293a3bdb99c8e48845e1ca5432feffee73ef3093a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\aUIa.exe

Filesize
798KB

MD5
a7078c10904104f67eabfe03e9161f97

SHA1
9d7c0a344ec3a40af31834fa40c04435a181665b

SHA256
0e09cbe8b4fe96b5e963c7b5c4e2a569878952cfa030a0c28649298325333287

SHA512
9e8a332189edcaf296486d0cf3a63f2b66d9564b3b39690a9fb9f2164c911949a5291b2934b08d6292e754f0facf695232243ee2e535d722439785a077a1eefd

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYgY.exe

Filesize
312KB

MD5
cba8574625223b4969c2f060ebc2bfdf

SHA1
e1321a0ea9c4804bc2faea0885d6da6dcf05a37e

SHA256
18666162074262f0e5a428a775ea60e1bc0c3c104ea6038055facaca5a096ab4

SHA512
e485f6683eacd8da3f88efc2e8f350af915738cf28e85467f8ec572019030aedc94c2f67ef24d2e0251e8a230df91d017f9452c1911048753a6eed9aac182bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoUE.exe

Filesize
193KB

MD5
067f61bca64a9264f1b04b2cdebbd1f4

SHA1
603190dcc64aa9b1d10e59759cb2403fbb2acd2f

SHA256
172588599c009107ae1bd59a5ff6b9d38e6efa6d37893a4a1e088e79ac544879

SHA512
84fdd11790f4d5dea5b90f51ef6be324132cf2a983634b96d8d6cfe50905ca355a8513e8b364375e00da22eb2809b30bedbb77cd8047095779df34eadeb280f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ascI.exe

Filesize
314KB

MD5
e18b60c40387207ae8fb8d0d99e9d781

SHA1
e318eaffe7a1fd6ee0937d4555289579e19b92ca

SHA256
9925970f436bb0ba04a02754abc19cd68b383a2e95ce06538b783e3c51a284c0

SHA512
989d5ffd167aa09d44a17c6fc64b6ab1b8a278c531fcce2a361fc5348528d589964b980d24016f07d9ff886dd6a410317e6f182e0cec5a594f7e52f5a5bbb4d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\awwo.exe

Filesize
201KB

MD5
e72dfd7612a30057d1f9f2f920b5ac9e

SHA1
ae5fb38903b2772b4480248b7ff5fdf30368868a

SHA256
c2f0b277689c1ae8ee531d2c6c19ec30f3fb1d73a8d9e8ddecbb9eb7ebb2b277

SHA512
bbcd47fad7f1eebae234db805a024245ca821dbf8c8fa1279ccdbce8b89f08a4f4b4c2389aaabf14710a0f9a6e0d732d3af822b5af222c3362aea71b0a4682ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\cEoE.exe

Filesize
438KB

MD5
356b539a36c1fcaf2464ee0bbb4e3dbb

SHA1
13fefc7d5c3cf58d431b7c3143d76f2cd6636b14

SHA256
946e186749f921034158d815a234fd13a0904ca28f0f2500e4c55ad3f21e2037

SHA512
601e780b4255040d35301ec8e3762224d8a37fffeab90c02d0688e29f5704f4db16890ac8388b2318b429a443c3dd3d594f196998d0318af5393df7b83ef54be

Download Submit
C:\Users\Admin\AppData\Local\Temp\cMoQ.exe

Filesize
771KB

MD5
5f6c033707d32b384238f64b44db7e48

SHA1
5919266dfabfd903e1677dcb0f6b4c93c9fe546c

SHA256
75cdbcda81260d14b78424502977cad24a710010f11d22a1a20543c2eae385be

SHA512
10a246db137c58d00cb86f0293d5fd36aba3d3070a1992dda5597c76adec2936b41fa7b9ffc407e855ed6e0616f80cb41540677b7dacba7c0b110dd99f9dc30c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ckog.exe

Filesize
205KB

MD5
bded4dcb4c473fdef6e76abb21d4dcd9

SHA1
ce61d2ac9c9f4a9d344ef4ed2ab3f3b09b9a4e19

SHA256
184da546c79eef0b36a0ddb083a43fd3a34f03ad8c4c1925ccd98b7fc298967e

SHA512
892031b81731c564bd3dcd53128a63a0557ffff0172ab3531b8068e37b71d08c436473d9e7c0946a24546f48c1b8367f87639e9d53c2b3f184a171b109508519

Download Submit
C:\Users\Admin\AppData\Local\Temp\csIG.exe

Filesize
195KB

MD5
d4f0bf56632f371f07c554709911c49b

SHA1
10504b136ade5663815ed1236340fbe0a8766374

SHA256
6ce9f87af9dc8c2d132d143fedd0263d11449489842a1de55199e16c3ad36fe5

SHA512
6b37caa1eba782c77ff7bdcecdb5625ef4656a33a58c13b135efb8e38b590d7d15a79170b4b0460912f78f0b383d4afff07cff66330f4e2aa2a09eccb7fa230c

Download Submit
C:\Users\Admin\AppData\Local\Temp\csoU.exe

Filesize
322KB

MD5
15aa8c9c732ce77bf97bca07bed28b3f

SHA1
c7150445a6b8255362e5cb1eba0adb8539ca990b

SHA256
a3a925635e481ea2fec9b430e997f029f0ee013fed7edfcc2d8e18b4aa906aa7

SHA512
a7db4e728ad2e5071180d35e30ac33edf8daf250982a0dddaa6f9de4b57866385a5bf423de0105e889fd6c357e55829ecbb857e8ebbdb939ea941db590cc562c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eIoS.exe

Filesize
732KB

MD5
c8f27abae44698ac032fc77cc008525e

SHA1
35326814dcf00b5e6b4ea7e667ac7cfa0d8ef6ae

SHA256
b8c25aa981c5c23ee1e15db3a0ec8b3fb50c26cbb3a5eb4ab9a8b0e9485b981e

SHA512
5fd3b6437d184ce5852ed4840a8946fde81b7f9c206c0eedf1e29b5a07dbce618e886ab4a9a4ac5b29d552effe59dd897a64f6e2b31cc606582b0811ad2e48b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ecMs.ico

Filesize
4KB

MD5
ee421bd295eb1a0d8c54f8586ccb18fa

SHA1
bc06850f3112289fce374241f7e9aff0a70ecb2f

SHA256
57e72b9591e318a17feb74efa1262e9222814ad872437094734295700f669563

SHA512
dfd36dff3742f39858e4a3e781e756f6d8480caa33b715ad1a8293f6ef436cdc84c3d26428230cdac8651c1ee7947b0e5bb3ac1e32c0b7bbb2bfed81375b5897

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gIIS.ico

Filesize
4KB

MD5
ace522945d3d0ff3b6d96abef56e1427

SHA1
d71140c9657fd1b0d6e4ab8484b6cfe544616201

SHA256
daa05353be57bb7c4de23a63af8aac3f0c45fba8c1b40acac53e33240fbc25cd

SHA512
8e9c55fa909ff0222024218ff334fd6f3115eccc05c7224f8c63aa9e6f765ff4e90c43f26a7d8855a8a3c9b4183bd9919cb854b448c4055e9b98acef1186d83e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gUQg.exe

Filesize
206KB

MD5
07e144a6bb372287a5fe20a57373998d

SHA1
b1ff81c09641533c16f68922cdee5e58afbe328a

SHA256
610f6f0539009f36bd0dca014fdfce0b479db95335b6d1d452c80eb9cf17656e

SHA512
e5bee6907377f837ef86c6536f921209eb917954df0f8ac53638fa9e4c709b880b5a886c0f7244c2bd4987dfffa7853eeaa907fb636829f06a9f4e4eda1e7a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\gsAW.exe

Filesize
224KB

MD5
abbc465828716295d774bf62ff5f5f3f

SHA1
88c0377a3517d696b54df741f17d750b61c9e8ab

SHA256
9ccae606ca333c9c45c4a667eeb7e7b8d237d61c33ee87d474c7eaa0a155bdff

SHA512
375e8482960ca376fe6883d96fed6f693c763eb363a040de0f97794999d9c942b36404ab9737b3e772378cb6b4ec186632bb74fb4e2b776b9968c017a24185ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\iAIE.exe

Filesize
776KB

MD5
f153d8466ba2768d704cd79755380793

SHA1
35d4105e1ffab26333c1c81439c174914e2c0d0c

SHA256
43d0561d231c24def2dbd1e106fd7ad964dea16488c346064ed9dd710ccf7402

SHA512
8448bd4e9f26bba36e9377f399bbabab5fc4b4d502f36d5d5cf284d32f4ddf63943bbfecd51045c0f4f503b3db94c013834fe7524a300ffe9e96e3350d199a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIse.exe

Filesize
194KB

MD5
3c4695297818964688b6ed72788816dc

SHA1
5da34c9e3442e806c31cc6b7a80e10be255b3f8a

SHA256
4bb4c60ad3114d175cf841b6e8e835a26dd9ac55a935e726c9c7df3b94227f97

SHA512
b7f3c86a9e07e8c2a03f81f28a545d54d40062b5bf2a7c2977d417109d1f8147f33bd4a0f4043051fd092088080e5f40d5edd85f12cb5eef2b32dc3071bf257b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIss.ico

Filesize
4KB

MD5
f31b7f660ecbc5e170657187cedd7942

SHA1
42f5efe966968c2b1f92fadd7c85863956014fb4

SHA256
684e75b6fdb9a7203e03c630a66a3710ace32aa78581311ba38e3f26737feae6

SHA512
62787378cea556d2f13cd567ae8407a596139943af4405e8def302d62f64e19edb258dce44429162ac78b7cfc2260915c93ff6b114b0f910d8d64bf61bdd0462

Download Submit
C:\Users\Admin\AppData\Local\Temp\ikQU.exe

Filesize
196KB

MD5
12fdac2fb3842b35cb99d5ee90ef0811

SHA1
a35298b8e653e53d22bb450496627818322ef712

SHA256
dacce525936e5d5d331be64d8a1b21d82d853de2d022fba22b0a3128ec0d17dd

SHA512
e9463d497fdf573cb4e35a2465098260d7155fd96f833ffd71e995a56d52ee24a5e7c89b81fb3758a2154b41c8586f6a89bb54c424166e1c989d4432cce4818e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iwYs.exe

Filesize
816KB

MD5
eec4f259286b0b1e0cd2dbe5aa01d47f

SHA1
346d2f2b210ca61115cd33cc6b38a96604ec2070

SHA256
4c1955b1d873d91809d954d0fe03fd6528ce06d13584cbb19fad6cefb5cb14df

SHA512
437db92cff0ac7aa8b3322fe440078f7c3cc5bb38d92b0a5d3ad76a74b845c3c1d196b22e05f06c68c98752727596e325c3b3c8f2b871e44df41b76438cb30cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMEU.exe

Filesize
183KB

MD5
86065f167145d4c6618fcbbf7f75cd1a

SHA1
53f083aa0aa3c07b8fd4fa9a4f2f71588e78f8de

SHA256
59912c79aa76834945cee24f692399113ccdb876b647047fa908029451e1454c

SHA512
c30dec17050e25b594be158f03ee88fcb53162f840c222a96a3c64fcf8e046489498ce5dc70a3429b07c80a354698a238920af311bd53481b7aa97f2dbe6c042

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwko.exe

Filesize
848KB

MD5
92b97075e1d4eab9cb1cc24eabc98347

SHA1
986f7eda375ac31cd13f26eecd75b2e1b0c26e3b

SHA256
135ab552c7854d278bba11b8082cbbc937867be6aad9cc722f5e185773eac02d

SHA512
b78ca01692ff70701d551363230680c45a6b68247ffc13f2327fe9bec0ce40c6bff572938677d2398d3c641a546f344a4e2e43051419375f47da5032db418c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEEg.exe

Filesize
633KB

MD5
4d2958b5addfec061bb0c65cc29643b1

SHA1
c8ad49318b6fd16b37469096115a8a3a6b466c89

SHA256
5f02c132427921377df587fe8c50565babed8ccc7e2d0b5e71accb1026b987ef

SHA512
b9f2f4362438f40dde824cf79968bcbfefb6c1c2d81e4a3161320670d3396bbf0588955cd06a76614ef5bbddbaad31c9faf078c71d6a1c80f5779fe054cc58d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mEMG.exe

Filesize
201KB

MD5
f975efe597af76699091a322a851652e

SHA1
8d03a16a13c57f95cfbb5734bd41455783abd87d

SHA256
e361277f48dfa770686bc1f4060b14c8838c17445549c73678926421744bbda8

SHA512
faee7c382056fb2673a0cff71e40678556e100d191241c8799a1572d1c0b9f8616865eb001fd75d209d9b92e001e2a9c4675130a9797f95267c6d210d572a0ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMYu.exe

Filesize
1.7MB

MD5
ddbf4284ff7c88a52f2fb4cd6149319a

SHA1
efd335a45f878a9dbf1765de8f9229424ff9306f

SHA256
cc09c04f8f314ed0b5088ceb94bc9a0cc2e0ca50dc30f2414704b6ec931023ae

SHA512
2479f9bad9df13863886578f7f3f84c6cab96f74be3171d3f03d54385a2b37854b73fab9c825bfefc21fab8793535830845741e4f63ce974d7f88c83591287a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMoo.exe

Filesize
189KB

MD5
96424892253f48dc22c09e058c8621bb

SHA1
cc2097a7354c05c4b0b8ca9a33d98e80cce53f61

SHA256
df7b3bbe7518733dc0df2be6b426752450915a8037201bde50642ace720054ed

SHA512
d357399968552750a0cc189190da24a848aa35afb584dfc0a39ba44255a541584b05c921baebabab4ab08d3ae36b5e35e526378925219783355a4ac502c1c77d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mccA.exe

Filesize
203KB

MD5
27d11fe279692efaab64629ea734add1

SHA1
b6632687bb3ab1509495bfa57c07389c6eebf04c

SHA256
5f0213e8c36220ba3740fc4b4c63529088ccd6957f1bdf6409012958280130ea

SHA512
ad9e2332d6619de97d47e253a4f2bac6d16c905b78e8e4d1a2d7aa5c1c63aa0b811bdb845eb1b6f9d17eabc10bc8b7a1e38d754619ba88f749c96f76662d0214

Download Submit
C:\Users\Admin\AppData\Local\Temp\mgUa.exe

Filesize
198KB

MD5
ec52359422ee1ac38aadafc52fed92e0

SHA1
d78937e035daf5ce51f70254b3c88069eec56a14

SHA256
d9d48ac3909da85f18c233370b4139ec5356946f245f7795cd55348b2713a1f6

SHA512
e52c9fc9d70977d9bb7c6122b8c40b4f38921c5b0d291a1cf1e2b9abf08546d24df805f03cb568534f90e27181748475c8e9f2333116c807048651be144f6182

Download Submit
C:\Users\Admin\AppData\Local\Temp\oEEk.exe

Filesize
222KB

MD5
9eff4f983db42b8abfc4363441483afb

SHA1
324a880ee7756b71caf6159c7f6c9b7b2231a7fa

SHA256
eb089f535e8d35998d2f370648e094dc9591af58c492d1aff6332506eaa03aaf

SHA512
49d3e506e551100af5667993608d6eff28f29842a2327cfb8771144d38702b4dc214ad886e13a693be8cfb38c1e9eeb8afdfafbae6e17001b59c2efad1daa1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYwq.exe

Filesize
5.9MB

MD5
b784521d9ff5444297640f7607faf2d7

SHA1
d658861ebf060bfa0b36d6833d506292f513aaa0

SHA256
1d287938fe3145e3a88486a7c154b16608064854894d282de1cd9c5f55e48b09

SHA512
61f6eda394849c6e609dc618c3b60908366423d964f5ed6910e1c0dcdd0814ef12682be4ae7ca7ac4dd56741864ec9f4e140593017f686f1532b6c739dd01b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogUO.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\AppData\Local\Temp\qEUS.exe

Filesize
195KB

MD5
98d2ed9eea3a78a7122717465c24aa39

SHA1
281c16307f3b38c7c69b1888e5e3c1f520090614

SHA256
1c5ffc78113880359b6940a8131c1300dc37f2c871b820d48737676ed1e40f77

SHA512
cfc6c7314b7a5f90e8609c9940d941a57e9b3852addb29e6ccde9d53821ac5222272577aaa00134a4e8126b0c0465fb9a01a978189b6e23307404fd2c842ece7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qYoy.ico

Filesize
4KB

MD5
6edd371bd7a23ec01c6a00d53f8723d1

SHA1
7b649ce267a19686d2d07a6c3ee2ca852a549ee6

SHA256
0b945cd858463198a2319799f721202efb88f1b7273bc3726206f0bb272802f7

SHA512
65ccc2a9bdb09cac3293ea8ef68a2e63b30af122d1e4953ee5dc0db7250e56bcca0eb2b78809dbdedef0884fbac51416fc5b9420cb5d02d4d199573e25c1e1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qkoS.exe

Filesize
774KB

MD5
ffa78711fba0e06edd49faf0ea10917b

SHA1
bc2428e6a66555608a9f20a72fe74e13ea63214d

SHA256
a41e5e113baf423355dfbcde46d047fe2c068b756525f1802c8941bb1f3ef986

SHA512
40d6646c26bbed6660133eb65ca8742c933aa9dbd0ba024131826f23f6071b560233166f79522b02cbbc421f3d291880ca9ca1bc397e92d9a09a38b745be6473

Download Submit
C:\Users\Admin\AppData\Local\Temp\sAEO.exe

Filesize
200KB

MD5
1574c90bcf2fbc870488732afd6f4d94

SHA1
cc284ca8e49127008360d32b678b4e06ac0279fb

SHA256
cb4b6cc4b65de372b7465a187c3e8b6d0825c5f27a983e44ae08f7c30dd84983

SHA512
1232ea2973630aef0cf66d9d8e407917ef3fa78eb2ad565f31a8e83d3f491e9c938ad50efff38bfd30987eae6ffa55b58c56a1eae6b83702dd1977da923f200e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sMUs.exe

Filesize
204KB

MD5
31879febe7b2b719cc60274093270ff0

SHA1
9cbe3ed878d0f82e29e76a68603b6a971c215ef4

SHA256
7c308caaaac462771cab19f13af7c343ee8977ac158cfeecc20c22d52a04d448

SHA512
cbb5ebad86d8db6530a3867d7d49886767f2cc37867bdbb51b676f186dbe0458ed2e997a47d45487034c104aeea5d2344613807aa7c2a8240f4ef4cf8babd0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sUoq.exe

Filesize
197KB

MD5
f80a24b3813aa808bf1ba3758f156d33

SHA1
2cb1c7367a493c639cd24eb190ae9da45958c8c4

SHA256
631881752ff703eeaec4f42a8f9c7bfb4fefeaed8a8ebc081bdbfe576d358d64

SHA512
32b1a93933bcc19ba2a57fc598cd2feb6c5aa37694a1fd281f1b7d508b636190c70a99775376098e73cae2395bc55edf3d07ff3f3d493b72faf82f956104394e

Download Submit
C:\Users\Admin\AppData\Local\Temp\skco.exe

Filesize
785KB

MD5
69666a400b98025416743c302b146d74

SHA1
83bb65fac7d449119f1f869394a3d3f50b7df6d5

SHA256
d55d9459fca420e2e25cc7e0a8e921e3197f5b9b673d047297b91cf8d8cb682f

SHA512
8827daaaa2e379fd3052c074c7ed5beaac8b39337aba9cee45eb3b0b424dc3b01f8671e5d901964fd472984809d205cd635ed5fce132a8f8d0b6de6b89f12dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\sogy.exe

Filesize
207KB

MD5
8c92ab7f58d07d261753fa44f3c71aa4

SHA1
0d8b7f7df4bf4d52ac2a30f24f9747e624ba568d

SHA256
f9778b22179481459b4516ee85d5d89c9c479695c27a9dc700c12897592f4f01

SHA512
0ef918502ec888f9935186c27ef0f3ad984a77ebb5f2595ae44c06914053d0f78f7356fe2d1917acdd4624ef173692a7d2aac98ca02b04ee4f5744248667e552

Download Submit
C:\Users\Admin\AppData\Local\Temp\sscC.exe

Filesize
198KB

MD5
6a53f43d26d1586bbfb71fc98f23bc89

SHA1
01fdc7e49a70dedbc7af3a367009369ae73fdab1

SHA256
8d1a58bcf85c0f4367d5d50fc3fc85d0dc08daa9c9e2b6518ba0abd211af5d59

SHA512
c28a1331ee9be0e10a4dfcd632905a930e26186c0c072d5aef344f3d762e311b329c23eeaaff717c4c9c9a67444caab1ce9c2a1c484e7074ab5039ab6c863a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\uAAo.exe

Filesize
217KB

MD5
89f23010bba2e4045a9c5b4ec3d392ad

SHA1
c96316b57d77af40eedea5d8733e19bbc4acc67f

SHA256
10ee14ba64d4df9e904657f8d9b6f79efa4005805ddf4b89d241b928ddc8bc42

SHA512
acc49b3db66a6057c6fa19f97515cbfcbf264c1ef7039a81c2f3b1a6e2b9ae994115d829dc37c0654922f58aedc820890d02b387bb253f6922c805c5b94cba70

Download Submit
C:\Users\Admin\AppData\Local\Temp\uEYW.exe

Filesize
206KB

MD5
98f8f08469bb7c5203123e9ce02e8079

SHA1
bda7bd2227ee9dd7716510236d491fb866c542b9

SHA256
9c55acc4fd628abb52ee6982f50b2550402e3a98dd95ca7eca074fa7c3713c84

SHA512
4e4dbd7b040b1fcd68d1ca354f0d974dc09cbc8a4d741f5e5e324c06b7e493714b7e6242150a15d00f09761622b88b5c409dc7be1f5bc8e862c3a2892a8febc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYUc.exe

Filesize
189KB

MD5
b4a25ea3417199ea979a8d4455756271

SHA1
11fe22a0b3416dfd876057442812be54f1f6b6a2

SHA256
f23d9a5a3aeefe31bb3cfbabadcc6738b69e34a9229909e2ffa7520591adaa84

SHA512
b6d1ad12cac8d73c7fd1b12a2011ce38219db8390a81410a0da08415d3c424cdaf5385641b7520e91e125266847a8bd61b8da378d3e121cde37aa7dccbeb7d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\uoAs.exe

Filesize
204KB

MD5
92c2653bbbc00f44412670ccec4378c3

SHA1
8aad4d3b482c7611fe116f460b9c0e0c032daabe

SHA256
0b311ffa21db24a314cc8eac982ccd52a1bd3e635720c10438b60d42b85ea6cc

SHA512
9dfb6029a8c4cc75acb9e16edf811c56a2a6d56f86f9a942d61bfe5d4d01127e204903f203b6e904208368749ca60eb90bddabf522f9256a7888d4896e387bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\wIwG.exe

Filesize
226KB

MD5
3f5fc5a16d4fd802a727922cc9f7ac05

SHA1
dbcbc6aaaf38b38ee134245ce3d7b00e3038d881

SHA256
8abf3fc0657a3f4cbd09ff19c9f911eadf4e08be0f6e2df0dda8df1342e5f219

SHA512
204955bc2f684e5ef31fb6dbe660a9e2b3eedc40474307228e9e2129c6b912a7b0eca2b1ebba0a9c1c877afce44f7811d7ec13226ff199dd7c426edec040552d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMQo.exe

Filesize
194KB

MD5
2f8543833475a488109c41dd671a1c7c

SHA1
e4f63116b4c04f6a0ca76a7fe487ab3d90685df9

SHA256
11165637e8a46071e1180a1c6165cc76b6e8144056a822e9c9b06f63bf394b6b

SHA512
8391b515c9fa3808ed416dc094a062c6c9b769b9bca63f159cf74503c56c8b5d3b3437ad8eb54b0987e65b3002b7fcf68a3043d6f458d5ffff8b419037ba2f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wMoW.exe

Filesize
564KB

MD5
abd384d5599716ab538dda056fe04858

SHA1
8f8cec0e019dc9e8dc9844076026015f3774626b

SHA256
539610d629689c787309ea4b102c745cbf8700d850f1f12b26ec189d955ae521

SHA512
46e1a008919710a1a35f59f90047c885eb37d2635319476f9153a1fc4ebfd824954e1c1a1aeefe4b6f3d2e2ca06faf47f25cfa58303a49dbb2ba073c4ec60688

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYgy.exe

Filesize
189KB

MD5
f3487bc299ff766732a2e9b22c8103ba

SHA1
160d135b7c16dfa6ad9f49995c6cb667a0fdddd7

SHA256
f8dae3f7d79ff533d0f4e2b39970e8a43e01abb3771d5b7f03dbe81e93256dfe

SHA512
cc71d3f85ace9d5e47dfdaf7a322427f2954b55ad6fe8462d6427fffd6f04266b9e28182884235ad72c6f6606705abd3322f41d002caf2872c104d8f3c6958b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wcUK.exe

Filesize
217KB

MD5
126de18938a2af371622010c6ba18093

SHA1
f4d5ce92a9fc5fafdac0acf4762a529abc892c05

SHA256
40685e706d27d1c0f2e27ace5f1fb1fd8da34e2b68d62d67aa0b90f936ef2bc8

SHA512
fbba711abedc38a3159efdd23812d9ed5691b9935d40d6af22e0cd15ffe60f561bf422ea9698ca370db791a8e559eeca87ac253320cb5a351ed0abfe72e8496d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsMq.ico

Filesize
4KB

MD5
d07076334c046eb9c4fdf5ec067b2f99

SHA1
5d411403fed6aec47f892c4eaa1bafcde56c4ea9

SHA256
a3bab202df49acbe84fbe663b6403ed3a44f5fc963fd99081e3f769db6cecc86

SHA512
2315de6a3b973fdf0c4b4e88217cc5df6efac0c672525ea96d64abf1e6ea22d7f27a89828863c1546eec999e04c80c4177b440ad0505b218092c40cee0e2f2bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\yAcy.exe

Filesize
682KB

MD5
47aafd57a7b6297483812849798e5ddf

SHA1
526fb46ce29a77ac88da6d4547c7f701b0718101

SHA256
35dc9c696dcfb2177d6727cb9bc6eebb6ac920fbf080f0faefcff84311872a2b

SHA512
1a4af7e05717bb378f6e3967c9f28646bde677f1db8c38e6f0fc5b3f8b9247ae59c5fe856450caf3e8d872ac544b6c254bf40d3747e6473ac214e88c0eb0c03b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yIIM.exe

Filesize
191KB

MD5
b878f54f5bb98a2da5386f53bb3bb48b

SHA1
bd2849fea8df436e02e1cb3bb4d943c48da45a9b

SHA256
20dfcc71e6db7aa18d0ed3b7cd3f11a254d6a4b789f211469ecf30d2bc6f82af

SHA512
f96aba5de1b46ee0029db7d2bb25dcb1b1d6d3891cf25ef1447631b60e7df4ff45d23986911b35e315dad9ec32981bb9846070f7da2853163b8c58e91d805364

Download Submit
C:\Users\Admin\AppData\Local\Temp\yUwY.exe

Filesize
804KB

MD5
19227c6fa75745d456250aaff64f1c38

SHA1
dd4b00236ab9baed081ee8916b892f7cf5273586

SHA256
1ff40e7840fec289b8dd210fea68fa3d2cfb89fd74fb6c4e060735bb7d7194cd

SHA512
09f0a8cb1379a39434afd73a368539904a608c0786e25d67fe075d698baaa946cad566555293cb2c18fdf4b1dd2dd971cabe1075dca8f8365205f0253406ba82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygAc.exe

Filesize
5.9MB

MD5
dec9beea77ba71bc6b72bb959086c247

SHA1
669663ea8c23174c93fad3523580b14854de5c47

SHA256
854380614a0a6f243647dc543094cfad5ae8eea5c69d18779a01f59b581f5fa2

SHA512
89b14bfaeebdef56ad804c6f5a4dda41e119567f6d48b7e95aad075e9cc916dc0a7a6ea0308e87ac3657eef046e83315cffcc37636230de3434f9bf7e6144a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\ygsi.exe

Filesize
189KB

MD5
316f641a0f3060a52b724e284f28a1f6

SHA1
de74ac067fe78a0bbb5bd809be3b160c935a0482

SHA256
868581dee849b2c8931491c6adb8767bfa72faf2133f5d8b6a91038441ee103a

SHA512
73b1dec99bdd2369a6cf2352b14f7404dd845bd31f1d01e828cb28cfc260bb2adcc56f848d2f80fe2b1be1da58a160f9c8cbe7543c3b0d253e8aa0c65f87252d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ysMc.exe

Filesize
391KB

MD5
79fd44d4a9313e2a70e2662b718378c1

SHA1
b5186227f70d51dff45d8d74e16ec546dc73ed5a

SHA256
807ea014af91bbd0f46fec5deb9a8bc18e25a640bd5d6add870f145126feea00

SHA512
e16ee51fa4dec2887f487f5e1021fb5c4b60384a702429a92483a53fd09918460e7aa0a53d39d7aa4f7d23d38ff661b2691622d2d7af969c84a717f60771403d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ywAo.exe

Filesize
203KB

MD5
81cc43a0c1f8655215c541851e3ab63e

SHA1
943097454bacd542c517f2a7950e382bd6c1a36d

SHA256
1b7b2a22c62fd7163e55a725de6a99512718c4f4e5d5202b7d4b26d6aac48085

SHA512
10fc2750bcde69e46ab8512d1bfbb90608f14440c622e646c6eccef72fb469d550fc76019cc7173027eb1212dcc4074d44dc960ff6e78ba3b61b7c24f89a5b66

Download Submit
C:\Users\Admin\Pictures\UninstallReceive.jpg.exe

Filesize
361KB

MD5
e2307aa67ed25a0c5be6e48aaa47f078

SHA1
c802f0916af32cbb80c4b2585c187b1b7475566d

SHA256
70b08de1673d17ce3c47c447bf9ffc7f401948f1d8ab144435e878152d44f290

SHA512
c4a9703352a7dbf73fe9dfad13e18805ea13689ade647230a8e0a8d128dc214cf6b955851c071d9e6a3196ece6d34c1833bb02e320f257c3a60cac16059a9849

Download Submit
C:\Users\Admin\ZSIcYcgQ\qYIUEIMI.exe

Filesize
202KB

MD5
3f45086900153979c1c32c089a8f7c6e

SHA1
995c8eddd4643108e6322efe28c1ee1a24d9c12e

SHA256
5aa7f37e3e73464ad83dae212031ce8b97cafcb3662658af1938c95e45f6b6e5

SHA512
601315cd26d859e30659451f4016adb80d47bf3db350c88ee950a8d9979f5cd9682132b7119d667cadf4ff8f6c8b54f641c99cc6f4e560c8c2cdd788bdfff22b

Download Submit
C:\Users\Admin\ZSIcYcgQ\qYIUEIMI.inf

Filesize
4B

MD5
5a558e9ae4089fa1aaf4253e995f4163

SHA1
da8dc1d538e489cfd1a58b68afb91ce65d787c97

SHA256
232abdcaa17f25343e64621af5227dbdfdc81f9ae6330938f5585b868799b6cc

SHA512
5a63404d89bd03fcd72b842f40472d15039841bb5a55fbddde93e209896183cf2c4bc97586ce08c947e3185ce476eed509c47cf6e4f86305005c613a88d2ddc8

Download Submit
memory/216-133-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/316-74-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/316-84-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/376-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/376-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/388-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/388-20-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/452-474-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/452-464-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/600-381-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/600-367-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1236-520-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1236-429-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1236-416-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1472-36-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1472-46-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1492-325-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1492-179-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1492-312-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1492-194-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1512-14-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1592-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1592-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1612-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1612-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1632-501-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1632-492-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1684-11-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1928-243-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1928-227-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2108-400-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2108-387-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2164-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-434-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2312-445-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-145-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-444-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-130-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2372-258-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2372-331-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2372-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2372-344-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2376-219-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2376-203-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2520-231-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2600-512-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2600-502-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2736-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2768-438-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2768-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2980-268-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2980-278-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3016-483-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3016-493-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3292-420-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3292-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3320-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3320-391-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3464-349-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3464-362-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3472-399-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3472-411-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3592-32-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3592-16-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3612-462-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3612-450-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3708-298-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3708-286-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3744-316-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3744-303-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3832-108-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3832-92-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4004-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4004-358-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4048-321-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4048-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4332-42-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4332-58-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4424-171-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4424-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4536-70-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4536-54-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4608-207-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4644-307-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4644-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4896-458-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4896-443-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4928-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4928-167-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4944-259-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4944-269-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5100-473-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5100-141-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5100-484-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5100-156-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download