Malware Analysis Report

2025-01-06 09:01

Sample ID 240601-fhwfdabb66
Target 8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe
SHA256 9605838165e59d817758e2b1cddb447b2101b56e9263c64f0094da0dd7c5a658
Tags evasion persistence
Score 10/10

Analysis Overview

score
10/10

SHA256

9605838165e59d817758e2b1cddb447b2101b56e9263c64f0094da0dd7c5a658

Threat Level: Known bad

The file 8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies visibility of hidden/system files in Explorer

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 04:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 04:52

Reported

2024-06-01 04:55

Platform

win7-20240419-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\couexof.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\couexof.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\couexof = "C:\\Users\\Admin\\couexof.exe" C:\Users\Admin\couexof.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\couexof.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\couexof.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2320 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe C:\Users\Admin\couexof.exe
PID 2944 wrote to memory of 2320 N/A C:\Users\Admin\couexof.exe C:\Users\Admin\AppData\Local\Temp\8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe"

C:\Users\Admin\couexof.exe

"C:\Users\Admin\couexof.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ns1.thepicturehut.net udp

Files

memory/2320-0-0x0000000000400000-0x0000000000412000-memory.dmp

\Users\Admin\couexof.exe

MD5 a1427e8a674e1e401babeb2158064860
SHA1 236482ae7781f6c9e89a98c26b3b4d5c2af19ab4
SHA256 263db79b07b47c64a2005dec7e83d7959a24f63a864e258abd1c257b9f8d85f3
SHA512 f8535e7ad3b47150084ae94ede37ee5d9c1eb7ded768f93f80163f7cfc985971e0771688b8c3d8874594c4476a04da35bdf67dddf181d51474e5bd8c0982f0bd

memory/2320-8-0x0000000003830000-0x0000000003842000-memory.dmp

memory/2944-16-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2320-15-0x0000000003830000-0x0000000003842000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 04:52

Reported

2024-06-01 04:55

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\rhmul.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\rhmul.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rhmul = "C:\\Users\\Admin\\rhmul.exe" C:\Users\Admin\rhmul.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\rhmul.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\rhmul.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4036 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe C:\Users\Admin\rhmul.exe
PID 1768 wrote to memory of 4036 N/A C:\Users\Admin\rhmul.exe C:\Users\Admin\AppData\Local\Temp\8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8e331bdf5043ca462a986a2c7409b9b0_NeikiAnalytics.exe"

C:\Users\Admin\rhmul.exe

"C:\Users\Admin\rhmul.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 ns2.thepicturehut.net udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4036-0-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\rhmul.exe

MD5 5c5c0bb7d89cdc63f3b9e3e477b1b523
SHA1 6c207763601b592cc556a30de13530b83cd4a8cf
SHA256 a55846f5aed07e207b9e8f2a3432e70911a35935e722df08d2c558fabab28b63
SHA512 62df82187f2d73efcfbdf855413549c7eccc16416328ec4ca6a79f76dfeec35d9ddf0c94724d446898f7ec346a5cd28c764f073c1cf9d4b49d7e7ce4a04a3de6

memory/1768-34-0x0000000000400000-0x0000000000412000-memory.dmp