Malware Analysis Report

2025-01-18 22:01

Sample ID 240622-kl88vswekk
Target 8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe
SHA256 8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2
Tags
adware persistence spyware stealer
score
7/10

Analysis Overview

score
7/10

SHA256

8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2

Threat Level: Shows suspicious behavior

The file 8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe was found to show suspicious behavior.

Malicious Activity Summary

adware persistence spyware stealer

Reads user/profile data of web browsers

Checks computer location settings

Adds Run key to start application

Installs/modifies Browser Helper Object

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 08:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 08:42

Reported

2024-06-22 08:45

Platform

win7-20240508-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe /onboot" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A

Installs/modifies Browser Helper Object

stealer adware

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\ C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Low Rights C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "173" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D} C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD} C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2244 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2244 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2244 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2244 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2244 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2244 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2244 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2244 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2244 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2244 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1944 wrote to memory of 2204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1944 wrote to memory of 2204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1944 wrote to memory of 2204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1944 wrote to memory of 2204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1944 wrote to memory of 2204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1944 wrote to memory of 2204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1944 wrote to memory of 2204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1944 wrote to memory of 2204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1944 wrote to memory of 2204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1944 wrote to memory of 2204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1944 wrote to memory of 2204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1944 wrote to memory of 2204 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2868 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2204 wrote to memory of 2980 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2204.0.1435076795\2128858217" -parentBuildID 20221007134813 -prefsHandle 1252 -prefMapHandle 1164 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {399504f9-8443-4aa6-9ff2-1cd30daeefd4} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" 1364 100d8558 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2204.1.570778475\1790842813" -parentBuildID 20221007134813 -prefsHandle 1532 -prefMapHandle 1528 -prefsLen 21708 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f58b0dbb-4618-436c-b2f9-67b1db5f7dd7} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" 1544 edeb258 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2204.2.290836258\658979407" -childID 1 -isForBrowser -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 21746 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f17f9a3-61f4-45d0-88dd-ac7401754e29} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" 2120 19fa6258 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2204.3.1413616095\1454173194" -childID 2 -isForBrowser -prefsHandle 2708 -prefMapHandle 2704 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c812207-45f7-4fa5-8bcf-ae7c26f16370} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" 2720 d68758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2204.4.1684363968\981872914" -childID 3 -isForBrowser -prefsHandle 3372 -prefMapHandle 3492 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2a35965-8501-4e0e-9c36-9d4856c2dca8} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" 3684 1b1f4558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2204.5.1138502059\2016769293" -childID 4 -isForBrowser -prefsHandle 3792 -prefMapHandle 3796 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {61945062-a389-4ab9-99c3-bbccbe3ad0aa} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" 3780 1e8c7e58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2204.6.1593719479\1623000945" -childID 5 -isForBrowser -prefsHandle 3860 -prefMapHandle 3804 -prefsLen 26351 -prefMapSize 233444 -jsInitHandle 596 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ad87998a-3440-43e1-80dc-7bbbda39c5ae} 2204 "\\.\pipe\gecko-crash-server-pipe.2204" 3848 1e8c9658 tab

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
N/A 127.0.0.1:49193 tcp
N/A 127.0.0.1:49201 tcp
US 8.8.8.8:53 test.internetdownloadmanager.com udp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 secure.internetdownloadmanager.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 support.mozilla.org udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 8.8.8.8:53 mirror3.internetdownloadmanager.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 8.8.8.8:53 mirror5.internetdownloadmanager.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
US 8.8.8.8:53 registeridm.com udp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 push.services.mozilla.com udp

Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\datareporting\glean\pending_pings\f5308ec6-ad93-4e7b-a1d1-b39f24d0a07d

MD5 2209b70a9efdaf7081cb29de13678bb4
SHA1 05c1b8acd67e73fb8208a42ee35005a2d0ce9ef8
SHA256 3ddc793d35cafe7992e9794f1cffbb89d7a5ff8d5623d3b5774d750a463dcb94
SHA512 8b2e3423dd3e7624957b4029ba888c3a0b5d90d35675209b1fb29e7a8d5a35bfebbffe67a85ff995e8441947b2e89ef9e474d55faa6b4f69eafffaabdc856402

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\datareporting\glean\pending_pings\8c3ebd06-8aee-438d-82b0-ac21fdee3d38

MD5 678f3acbf99bfbdcf87af4f521c94ccb
SHA1 ac3304ca558b8cd5e05aaaa0ff32ef4602c77f0e
SHA256 3982361cb5115fbbf2af9ef739c65069f66e0dbf124aa60f8debb134e936b144
SHA512 6ea965ea333e36d564775021e97d93f8abe29db436e2e488fb4df9c1e4177cafb32604c2b2615b101bac7ebec144fe2a296a086b8d990123f5c188daf63f6c2d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\datareporting\glean\db\data.safe.bin

MD5 bceccc3e056fd09730759c5ab4eead86
SHA1 7d18d2b0fd5f444c3816fdfe4ff1ac38eb5719ac
SHA256 1a210654bebedab9e53c01ca5d86fe04869610a84156c5041e43fefa3d2a1418
SHA512 1c5f75a62d98a3f7ccc9dd253bd30a01d4ea8fb9cb17a33403de84c6b6950135cb1e253c8744f0ac84d9f871368553331c8762100af2c88cdb102a8b8cf19ae7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\sessionstore-backups\recovery.jsonlz4

MD5 d8dbba80e84191bda880424dd7f32fc5
SHA1 2bd602ba4fc52c3ff67eaa1c4b3a8e454e7ef28a
SHA256 88df0c45171381041fdd131de13ff6ad333c2443b9e92a94da0783c7355944eb
SHA512 44d2a3a68f161d8be3636791e13ebeadb732a8da2908449c4d05bb7761b0394b4a8e8fce08760b4fde244fd039c4ffacb0d8ffab348a297f5534e00443dc036a

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\prefs-1.js

MD5 f965a8e054840c04a976c2ca30fc5ae9
SHA1 54b751fa09b938d7f4dde805465d7dfdde941a23
SHA256 96605b3dd0ae619a87a853db860aab6687851e301995bbdba31fcc52a622f5c1
SHA512 a79e3b62029107d9127047296ac447427c041c4224a3920462e9cb7634345654ac8faadc61238dbf04c75310bf74d3852becdf90f9ebc713999fcd430540f562

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\sessionstore-backups\recovery.jsonlz4

MD5 cffdea75b5baf4a86cc43ed519014a4f
SHA1 283913e90726067412cdf7fada355c919260a933
SHA256 7f20c7ced03f0aa9cb3ebbcf2dd23e1f56734400f4153fabdfb2f0baab3d3e42
SHA512 a811877287f588c17cba8083acbb2c606953de9c39c669e3d4be8d9997c3cb376b942d5c032980dd951244754e4d92a8c20679ed4b3be9a8dd8751887047bd73

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 8243a8e8d06106cdbd6dd086a61a2b1d
SHA1 5eec803ba6158f0477c567c367b3d1024eb3aff5
SHA256 cb3c92ae9c179f12c8c4dbb6efea9d1043abbc15b6b6e43a2e53239b75bfeac1
SHA512 685014fe7039a7b12e4e882988c1c21de5667fa392cda2464b45d2a3cb49e74d23ab073c58c30b589cc7d6282882f13eabdd30ddc730ff267bd13e8bbf35ebc9

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\uu0g08su.default-release\prefs-1.js

MD5 499150f677d59f26a3b89db00b2ac3b4
SHA1 f79f9a1eccdf59845e28a1c017827df7ccd88d1b
SHA256 45a5faaac926446a0163d8547b14ff9dad394a50a87e04aa43015374fe63c73b
SHA512 417552cfa694425b70b443ac3f5df813bb7291cb47e7586a28469e4dd6b4f80491e6a959031de259ba5a16ed9223960c079a7118ef05331de1aa457ece5c5c88

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\uu0g08su.default-release\activity-stream.discovery_stream.json.tmp

MD5 d3ce997df524ea51b70e9013ce533771
SHA1 680240b49f04a0570876c6441c484bd8f5d09db2
SHA256 ecaad5ef17e7101092a7bd9a413946693ee5343b1743929ce15b0d38650b5de3
SHA512 6db7402ad92427f504a4c4f218f2516dc629e5271e4625fb8f8353a7cba857e0843ad65569aafa7b00fad9cc2fcc4771e47e1426f4ffcf4e0686fb06012c8e9e

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 08:42

Reported

2024-06-22 08:45

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe /onboot" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A

Installs/modifies Browser Helper Object

stealer adware

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8} C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Low Rights C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\DownloadUI = "{7D11E719-FF90-479C-B0D7-96EB43EE55D7}" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Download with IDM C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A}\AppName = "IEMonitor.exe" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006} C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\AppID = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ROTFlags = "1" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{E6871B76-C3C8-44DD-B947-ABFFE144860D} C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD} C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Therad = "1" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4} C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\RunAs = "Interactive User" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\WOW6432Node\CLSID\{79873CC5-3951-43ED-BDF9-D8759474B6FD}\Model = "173" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter" C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1584 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1584 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1584 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1584 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1584 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2832 wrote to memory of 3032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2832 wrote to memory of 3032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2832 wrote to memory of 3032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2832 wrote to memory of 3032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2832 wrote to memory of 3032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2832 wrote to memory of 3032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2832 wrote to memory of 3032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2832 wrote to memory of 3032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2832 wrote to memory of 3032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2832 wrote to memory of 3032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2832 wrote to memory of 3032 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 1848 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 716 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 716 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 716 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 716 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 3032 wrote to memory of 716 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\8be0ee37ae3f269642316e35e17797ef8526acb1a5896dcc242db7f1c35dd4e2_NeikiAnalytics.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.internetdownloadmanager.com/support/installffextfrommozillasite.html

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3032.0.251217628\1373346751" -parentBuildID 20230214051806 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab300225-f0a6-4978-a62b-a257f00b61f3} 3032 "\\.\pipe\gecko-crash-server-pipe.3032" 1900 2de9bd2bb58 gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3032.1.1517997935\949795396" -parentBuildID 20230214051806 -prefsHandle 2480 -prefMapHandle 2476 -prefsLen 23095 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a977caf9-5661-4659-93c3-0a416900a539} 3032 "\\.\pipe\gecko-crash-server-pipe.3032" 2492 2de87a8a258 socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3032.2.53015621\1310736192" -childID 1 -isForBrowser -prefsHandle 2788 -prefMapHandle 2796 -prefsLen 23133 -prefMapSize 235121 -jsInitHandle 1056 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecba2402-a176-4db8-859d-609e79f17bf9} 3032 "\\.\pipe\gecko-crash-server-pipe.3032" 3040 2de9ec2ee58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3032.3.293882061\1785547559" -childID 2 -isForBrowser -prefsHandle 3536 -prefMapHandle 2636 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1056 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {292b67e5-e731-4929-a703-61ef67eb1728} 3032 "\\.\pipe\gecko-crash-server-pipe.3032" 880 2dea0a83558 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3032.4.314554365\588174741" -childID 3 -isForBrowser -prefsHandle 4948 -prefMapHandle 4944 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1056 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a6df84a-3672-444c-b097-974bd83b49ce} 3032 "\\.\pipe\gecko-crash-server-pipe.3032" 4868 2dea2665458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3032.5.540733844\1539478949" -childID 4 -isForBrowser -prefsHandle 2828 -prefMapHandle 5100 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1056 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07f5ebdd-4a65-46b2-8fd8-c6b014df022a} 3032 "\\.\pipe\gecko-crash-server-pipe.3032" 3080 2dea2d95858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3032.6.802228483\1684772966" -childID 5 -isForBrowser -prefsHandle 5320 -prefMapHandle 5324 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1056 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {510093dd-a789-40a9-aa21-79287f749be9} 3032 "\\.\pipe\gecko-crash-server-pipe.3032" 5312 2dea1fbc858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3032.7.1961231859\1398474964" -childID 6 -isForBrowser -prefsHandle 5528 -prefMapHandle 5408 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1056 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a1c79c0-cbf1-47d3-a667-4d7275bed613} 3032 "\\.\pipe\gecko-crash-server-pipe.3032" 5516 2dea1fb9258 tab

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMIECC64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMGetAll64.dll"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\downlWithIDM64.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 getpocket.cdn.mozilla.net udp
US 34.120.5.221:443 getpocket.cdn.mozilla.net tcp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 34.117.188.166:443 spocs.getpocket.com tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 169.61.27.133:443 www.internetdownloadmanager.com tcp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 www.internetdownloadmanager.com udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
N/A 127.0.0.1:49820 tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 contile.services.mozilla.com udp
US 34.160.144.191:443 prod.content-signature-chains.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.services.mozilla.com udp
US 52.33.96.36:443 shavar.services.mozilla.com tcp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 push.services.mozilla.com udp
US 8.8.8.8:53 firefox.settings.services.mozilla.com udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 autopush.prod.mozaws.net udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 34.117.188.166:443 contile.services.mozilla.com udp
US 8.8.8.8:53 133.27.61.169.in-addr.arpa udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 addons.mozilla.org udp
GB 13.224.132.52:443 addons.mozilla.org tcp
US 8.8.8.8:53 addons.mozilla.org udp
US 8.8.8.8:53 addons.mozilla.org udp
US 34.107.243.93:443 autopush.prod.mozaws.net udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 36.96.33.52.in-addr.arpa udp
US 8.8.8.8:53 52.132.224.13.in-addr.arpa udp
US 8.8.8.8:53 104.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 216.239.32.36:443 region1.google-analytics.com udp
N/A 127.0.0.1:49826 tcp
US 8.8.8.8:53 14.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 36.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 test.internetdownloadmanager.com udp
US 8.8.8.8:53 secure.internetdownloadmanager.com udp
US 8.8.8.8:53 mirror3.internetdownloadmanager.com udp
US 8.8.8.8:53 mirror5.internetdownloadmanager.com udp
US 8.8.8.8:53 registeridm.com udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 aus5.mozilla.org udp
US 35.244.181.201:443 aus5.mozilla.org tcp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 content-signature-2.cdn.mozilla.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
DE 23.53.40.162:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 redirector.gvt1.com udp
GB 142.250.187.206:443 redirector.gvt1.com udp
US 8.8.8.8:53 r1---sn-aigl6ney.gvt1.com udp
GB 173.194.183.166:443 r1---sn-aigl6ney.gvt1.com tcp
US 8.8.8.8:53 r1.sn-aigl6ney.gvt1.com udp
US 8.8.8.8:53 r1.sn-aigl6ney.gvt1.com udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 162.40.53.23.in-addr.arpa udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 166.183.194.173.in-addr.arpa udp
GB 173.194.183.166:443 r1.sn-aigl6ney.gvt1.com udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 attachments.prod.remote-settings.prod.webservices.mozgcp.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 53.121.117.34.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 169.61.27.133:443 registeridm.com tcp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 a8a32bd66f44fb0656c2cd001f3fe614
SHA1 c66d606b728d2da31aaf781e85334e7ddc084e30
SHA256 6d1213fc9f26cce370958ed6d0a8aa9862cd87f6376aa0031030a320bef9b1a3
SHA512 13dd6048ee5343716b3d7fd19efd85d3154faca4488d1cecb1fce26993ff2f076fb165e171e542ce295b7afb0dd83a769618a00e789e2fd852dd4ad2e6aa43d3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\activity-stream.discovery_stream.json.tmp

MD5 c24175ed3a32618bb7ba15adfc18120d
SHA1 f639fc2a15a14eec042593d4709201e22a79e17d
SHA256 958327935012181328011bd5fc9a8cc472dbdcebe782b240ff5a626e6173f1df
SHA512 089fbf5f29f17d078b7b1da3d259f8faf48886a6882dd21b9b3ae7f5234dbd53e77bb323f3ffe5eaad89cbf9e3c370c37d1cf60e0dad6c5a17cce2e6d2737d83

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\sessionstore-backups\recovery.jsonlz4

MD5 06ac99d70f254941e476b08466e34d54
SHA1 9e133b5493e93f2c54d8685ccc29bd55041213d1
SHA256 ecd53445c2e1a196bbcc37306b4282384781709f35346f458460c445e0e77112
SHA512 3f53b8890b46cfbafc70bf51cf30974105205f69c800ebbd342165177c1f2dafe1c753227ac27f227ef39757ab47be050b1e59f8f8ae80de2e6c9649a4a90c07

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js

MD5 31338e8bda2092cf7789ee6d992824bb
SHA1 a0daf2874c1d7292f84bbc50be5e6e024fe96405
SHA256 d2522aa9e2b4a0dc28f2f0132d3a4212e821b8576bc51ce6d38ef44d65f1005c
SHA512 b97e65f70b490254ee1ee49c3f024877ba441559978a3fc7beac3fc0f09cd0a3a20ce5433984dbe8bf403c823afe5aa615fce4a03763ec6929540baefea420b6

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\n9vxbo99.default-release\cache2\entries\5CD1EBDF6B57F13C7E783CE5E6D8E9C44014FE1A

MD5 fafcf282244fca94e16e42e93239dd87
SHA1 006436e9126a7c4667f9f7787d47e17cce3e9ff6
SHA256 3f9b7e985b2b90a5f1907245556cc73a6a9017b808360ea17fc5fc53117640e7
SHA512 c3b85fb88fb9fb61f33da64c7f710e8298053ec64d10fe1d99da721d537487e18e7fe76f402334451d1b552f782594f3e4b5861585f6b23faaa9448fddd15669

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\prefs-1.js

MD5 62fc6f190b8f240b19031cee7f077908
SHA1 565a33b49de29dec78968b50a336ef34cee823e1
SHA256 0aa624c6165c7e12e498052c693f0ff851b7e7a360d9a4706c7ccc811e75ad7c
SHA512 5b9af0f7729526bd47075a827ab4217142fd9ef46576c5715f72dde3b57821b75d60843ef376749cf9afe79a68f43b55412e742722c3e6f5dabeea5269335c2c

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 85430baed3398695717b0263807cf97c
SHA1 fffbee923cea216f50fce5d54219a188a5100f41
SHA256 a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e
SHA512 06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

MD5 3d33cdc0b3d281e67dd52e14435dd04f
SHA1 4db88689282fd4f9e9e6ab95fcbb23df6e6485db
SHA256 f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b
SHA512 a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

MD5 fe3355639648c417e8307c6d051e3e37
SHA1 f54602d4b4778da21bc97c7238fc66aa68c8ee34
SHA256 1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e
SHA512 8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 a01c5ecd6108350ae23d2cddf0e77c17
SHA1 c6ac28a2cd979f1f9a75d56271821d5ff665e2b6
SHA256 345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42
SHA512 b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

MD5 8be33af717bb1b67fbd61c3f4b807e9e
SHA1 7cf17656d174d951957ff36810e874a134dd49e0
SHA256 e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd
SHA512 6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

MD5 49ddb419d96dceb9069018535fb2e2fc
SHA1 62aa6fea895a8b68d468a015f6e6ab400d7a7ca6
SHA256 2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539
SHA512 48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

MD5 33bf7b0439480effb9fb212efce87b13
SHA1 cee50f2745edc6dc291887b6075ca64d716f495a
SHA256 8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e
SHA512 d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

MD5 937326fead5fd401f6cca9118bd9ade9
SHA1 4526a57d4ae14ed29b37632c72aef3c408189d91
SHA256 68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81
SHA512 b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\n9vxbo99.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

MD5 688bed3676d2104e7f17ae1cd2c59404
SHA1 952b2cdf783ac72fcb98338723e9afd38d47ad8e
SHA256 33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237
SHA512 7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776