77c6967bca94a3206e83145c7f791aab5530c633fa31006191a5689c80f22933

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
04/06/2024, 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Size

170KB
MD5

3c9661e2a76ec5bb2683493766f060d0
SHA1

2c410ae440de85967f7f6736de95d709b94e2ff7
SHA256

77c6967bca94a3206e83145c7f791aab5530c633fa31006191a5689c80f22933
SHA512

66f2f4175263d57db57edcacf84141cfbbd71b0e3f49c414794b6640223e11ca21ad3795e3a989cf1bffc8d43f45686dc498731ad35dc5f3d89683397f96e9b1
SSDEEP

3072:3JpOm5axh63laEo+pXX1pQD2UCohD8mxLCj+5cmeDye42L712xrpdJ8xLeb7UJ:5Am5oh63laEo+pXX1pkF8mxeq5+4m71l

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2916	nlcmt.exe
2844	nlcmt.exe
2652	nlcmt.exe
2792	nlcmt.exe
2924	nlcmt.exe
1184	nlcmt.exe

Loads dropped DLL 9 IoCs

pid	Process
1720	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
1720	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
1720	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
1720	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
2916	nlcmt.exe
2916	nlcmt.exe
2844	nlcmt.exe
2924	nlcmt.exe
2924	nlcmt.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\y:	nlcmt.exe
File opened (read-only)	\??\T:	nlcmt.exe
File opened (read-only)	\??\z:	nlcmt.exe
File opened (read-only)	\??\Y:	nlcmt.exe
File opened (read-only)	\??\Z:	nlcmt.exe
File opened (read-only)	\??\L:	nlcmt.exe
File opened (read-only)	\??\Y:	nlcmt.exe
File opened (read-only)	\??\y:	nlcmt.exe
File opened (read-only)	\??\V:	nlcmt.exe
File opened (read-only)	\??\P:	nlcmt.exe
File opened (read-only)	\??\X:	nlcmt.exe
File opened (read-only)	\??\T:	nlcmt.exe
File opened (read-only)	\??\V:	nlcmt.exe
File opened (read-only)	\??\M:	nlcmt.exe
File opened (read-only)	\??\i:	nlcmt.exe
File opened (read-only)	\??\B:	nlcmt.exe
File opened (read-only)	\??\R:	nlcmt.exe
File opened (read-only)	\??\M:	nlcmt.exe
File opened (read-only)	\??\Q:	nlcmt.exe
File opened (read-only)	\??\J:	nlcmt.exe
File opened (read-only)	\??\W:	nlcmt.exe
File opened (read-only)	\??\Y:	nlcmt.exe
File opened (read-only)	\??\I:	nlcmt.exe
File opened (read-only)	\??\a:	nlcmt.exe
File opened (read-only)	\??\p:	nlcmt.exe
File opened (read-only)	\??\u:	nlcmt.exe
File opened (read-only)	\??\G:	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
File opened (read-only)	\??\L:	nlcmt.exe
File opened (read-only)	\??\l:	nlcmt.exe
File opened (read-only)	\??\I:	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
File opened (read-only)	\??\I:	nlcmt.exe
File opened (read-only)	\??\B:	nlcmt.exe
File opened (read-only)	\??\W:	nlcmt.exe
File opened (read-only)	\??\X:	nlcmt.exe
File opened (read-only)	\??\o:	nlcmt.exe
File opened (read-only)	\??\Y:	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
File opened (read-only)	\??\G:	nlcmt.exe
File opened (read-only)	\??\x:	nlcmt.exe
File opened (read-only)	\??\u:	nlcmt.exe
File opened (read-only)	\??\H:	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
File opened (read-only)	\??\E:	nlcmt.exe
File opened (read-only)	\??\T:	nlcmt.exe
File opened (read-only)	\??\T:	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
File opened (read-only)	\??\S:	nlcmt.exe
File opened (read-only)	\??\V:	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
File opened (read-only)	\??\W:	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
File opened (read-only)	\??\K:	nlcmt.exe
File opened (read-only)	\??\n:	nlcmt.exe
File opened (read-only)	\??\s:	nlcmt.exe
File opened (read-only)	\??\J:	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
File opened (read-only)	\??\X:	nlcmt.exe
File opened (read-only)	\??\X:	nlcmt.exe
File opened (read-only)	\??\S:	nlcmt.exe
File opened (read-only)	\??\U:	nlcmt.exe
File opened (read-only)	\??\B:	nlcmt.exe
File opened (read-only)	\??\H:	nlcmt.exe
File opened (read-only)	\??\w:	nlcmt.exe
File opened (read-only)	\??\T:	nlcmt.exe
File opened (read-only)	\??\G:	nlcmt.exe
File opened (read-only)	\??\M:	nlcmt.exe
File opened (read-only)	\??\G:	nlcmt.exe
File opened (read-only)	\??\P:	nlcmt.exe
File opened (read-only)	\??\v:	nlcmt.exe
File opened (read-only)	\??\A:	nlcmt.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	icanhazip.com

Maps connected drives based on registry 3 TTPs 14 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	nlcmt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	nlcmt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	nlcmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	nlcmt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	nlcmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	nlcmt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	nlcmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	nlcmt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	nlcmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	nlcmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	nlcmt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum	nlcmt.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	nlcmt.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\ZC2IXRC7.txt	nlcmt.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\ZC2IXRC7.txt	nlcmt.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6UU6UO48.txt	nlcmt.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-42-83-c4-9d-5b\WpadDecisionTime = 108bb1174fb6da01	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-42-83-c4-9d-5b\WpadDecisionTime = f0ccaa294fb6da01	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000058000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F83ABE6-C52E-484D-9215-0F8583251404}\WpadDecisionTime = 9087835f4fb6da01	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000cc000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F83ABE6-C52E-484D-9215-0F8583251404}\WpadDecisionTime = f071bd174fb6da01	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000082000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000d6000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-42-83-c4-9d-5b\WpadDecisionTime = 10a78c4d4fb6da01	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000009f000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000c1000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000a000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000040000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F83ABE6-C52E-484D-9215-0F8583251404}\WpadDecisionTime = b0458a4d4fb6da01	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000011000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000003d000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000063000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000090000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F83ABE6-C52E-484D-9215-0F8583251404}\WpadDecisionTime = 30cb934d4fb6da01	nlcmt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000e000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000a5000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000c4000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000010000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000069000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F83ABE6-C52E-484D-9215-0F8583251404}\WpadDecisionTime = b0ea9c3b4fb6da01	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000a9000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-42-83-c4-9d-5b\WpadDecisionTime = 9087835f4fb6da01	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F83ABE6-C52E-484D-9215-0F8583251404}\WpadDecisionTime = b08faf294fb6da01	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000008b000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000cf000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000066000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000006e000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F83ABE6-C52E-484D-9215-0F8583251404}\WpadDecisionTime = 70ada13b4fb6da01	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000089000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000009a000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000b0000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000001c000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000036000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000004c000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000074000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000c3000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000ce000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000db000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000019000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000004a000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000065000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000083000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-42-83-c4-9d-5b\WpadDecisionTime = 902c964d4fb6da01	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F83ABE6-C52E-484D-9215-0F8583251404}\WpadDecisionTime = f08d984d4fb6da01	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-42-83-c4-9d-5b\WpadDecisionTime = f03714194fb6da01	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000075000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3F83ABE6-C52E-484D-9215-0F8583251404}\WpadDecisionTime = d00ea43b4fb6da01	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000006c000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000bd000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000cd000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-42-83-c4-9d-5b\WpadDecisionTime = d0a8a3294fb6da01	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000056000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 46000000d2000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-42-83-c4-9d-5b\WpadDecisionTime = f0e8855f4fb6da01	nlcmt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000021000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00da000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	nlcmt.exe

Modifies registry class 62 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\stat32\shell\runas	nlcmt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	nlcmt.exe
Key created	\REGISTRY\MACHINE\Software\Classes\stat32	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\command\ = "\"%1\" %*"	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\stat32\DefaultIcon\ = "%1"	nlcmt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\stat32\Content-Type = "application/x-msdownload"	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\stat32\shell\open	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\stat32\DefaultIcon	nlcmt.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe	nlcmt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\stat32\shell\open\command\IsolatedCommand = "\"%1\" %*"	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\stat32	nlcmt.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\stat32\shell	nlcmt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\stat32\DefaultIcon\ = "%1"	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\stat32\shell\runas\command\IsolatedCommand = "\"%1\" %*"	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\stat32\shell\runas\command\IsolatedCommand = "\"%1\" %*"	nlcmt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\ = "stat32"	nlcmt.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell\open	nlcmt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\WinNT\\nlcmt.exe\" /START \"%1\" %*"	nlcmt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	nlcmt.exe
Key created	\REGISTRY\MACHINE\Software\Classes\stat32\shell\open\command	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\stat32\shell\runas\command\ = "\"%1\" %*"	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\shell\open\command	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\stat32\Content-Type = "application/x-msdownload"	nlcmt.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell\runas\command	nlcmt.exe
Key created	\REGISTRY\MACHINE\Software\Classes\stat32\shell\runas\command	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command\ = "\"C:\\ProgramData\\WinNT\\nlcmt.exe\" /START \"%1\" %*"	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\stat32\shell\runas\command\ = "\"%1\" %*"	nlcmt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\DefaultIcon\ = "%1"	nlcmt.exe
Key created	\REGISTRY\MACHINE\Software\Classes\stat32\DefaultIcon	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\stat32\shell\open\command	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\stat32\shell\open\command	nlcmt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\stat32\shell\open\command\IsolatedCommand = "\"%1\" %*"	nlcmt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\stat32\ = "Application"	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\stat32\shell\runas\command	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell	nlcmt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\stat32\shell	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\stat32\shell\runas	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\Content-Type = "application/x-msdownload"	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\runas\command	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\DefaultIcon\ = "%1"	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\DefaultIcon	nlcmt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	nlcmt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\Content-Type = "application/x-msdownload"	nlcmt.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\DefaultIcon	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open\command	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\stat32\ = "Application"	nlcmt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\stat32	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\stat32\shell\open	nlcmt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\stat32\shell\open\command\ = "\"C:\\ProgramData\\WinNT\\nlcmt.exe\" /START \"%1\" %*"	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\stat32\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\WinNT\\nlcmt.exe\" /START \"%1\" %*"	nlcmt.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell\open\command	nlcmt.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\.exe\shell\runas	nlcmt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "stat32"	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\shell\open	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.exe\shell\runas\command	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\stat32\shell\runas\command	nlcmt.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1720	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
2916	nlcmt.exe
2844	nlcmt.exe
2652	nlcmt.exe
2792	nlcmt.exe
2924	nlcmt.exe
2652	nlcmt.exe
1184	nlcmt.exe
2844	nlcmt.exe
2652	nlcmt.exe
1184	nlcmt.exe
2844	nlcmt.exe
2652	nlcmt.exe
1184	nlcmt.exe
2844	nlcmt.exe
2652	nlcmt.exe
1184	nlcmt.exe
2844	nlcmt.exe
2652	nlcmt.exe
1184	nlcmt.exe
2844	nlcmt.exe
2652	nlcmt.exe
1184	nlcmt.exe
2844	nlcmt.exe
2652	nlcmt.exe
1184	nlcmt.exe
2844	nlcmt.exe
2652	nlcmt.exe
1184	nlcmt.exe
2844	nlcmt.exe
2652	nlcmt.exe
1184	nlcmt.exe
2844	nlcmt.exe
2652	nlcmt.exe
1184	nlcmt.exe
2844	nlcmt.exe
2652	nlcmt.exe
1184	nlcmt.exe
2844	nlcmt.exe
2652	nlcmt.exe
1184	nlcmt.exe
2844	nlcmt.exe
2652	nlcmt.exe
1184	nlcmt.exe
2844	nlcmt.exe
2652	nlcmt.exe
1184	nlcmt.exe
2844	nlcmt.exe
2652	nlcmt.exe
1184	nlcmt.exe
2844	nlcmt.exe
2652	nlcmt.exe
1184	nlcmt.exe
2844	nlcmt.exe
2652	nlcmt.exe
1184	nlcmt.exe
2844	nlcmt.exe
2652	nlcmt.exe
1184	nlcmt.exe
2844	nlcmt.exe
2652	nlcmt.exe
1184	nlcmt.exe
2844	nlcmt.exe
2652	nlcmt.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1720	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1720	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	2916	nlcmt.exe
Token: SeIncBasePriorityPrivilege	2844	nlcmt.exe
Token: SeIncBasePriorityPrivilege	2924	nlcmt.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2652	nlcmt.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2916	1720	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe	28
PID 1720 wrote to memory of 2916	1720	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe	28
PID 1720 wrote to memory of 2916	1720	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe	28
PID 1720 wrote to memory of 2916	1720	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe	28
PID 1720 wrote to memory of 2844	1720	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe	29
PID 1720 wrote to memory of 2844	1720	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe	29
PID 1720 wrote to memory of 2844	1720	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe	29
PID 1720 wrote to memory of 2844	1720	3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe	29
PID 2916 wrote to memory of 2652	2916	nlcmt.exe	30
PID 2916 wrote to memory of 2652	2916	nlcmt.exe	30
PID 2916 wrote to memory of 2652	2916	nlcmt.exe	30
PID 2916 wrote to memory of 2652	2916	nlcmt.exe	30
PID 2844 wrote to memory of 2792	2844	nlcmt.exe	31
PID 2844 wrote to memory of 2792	2844	nlcmt.exe	31
PID 2844 wrote to memory of 2792	2844	nlcmt.exe	31
PID 2844 wrote to memory of 2792	2844	nlcmt.exe	31
PID 2924 wrote to memory of 1184	2924	nlcmt.exe	33
PID 2924 wrote to memory of 1184	2924	nlcmt.exe	33
PID 2924 wrote to memory of 1184	2924	nlcmt.exe	33
PID 2924 wrote to memory of 1184	2924	nlcmt.exe	33

C:\Users\Admin\AppData\Local\Temp\3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3c9661e2a76ec5bb2683493766f060d0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Maps connected drives based on registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\ProgramData\WinNT\nlcmt.exe
  "C:\ProgramData\WinNT\nlcmt.exe" 1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Maps connected drives based on registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Roaming\WinNT\nlcmt.exe
    "C:\Users\Admin\AppData\Roaming\WinNT\nlcmt.exe" 1
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2652
- C:\ProgramData\WinNT\nlcmt.exe
  "C:\ProgramData\WinNT\nlcmt.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\ProgramData\WinNT\nlcmt.exe
    "C:\ProgramData\WinNT\nlcmt.exe" 1
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    PID:2792

C:\ProgramData\WinNT\nlcmt.exe
C:\ProgramData\WinNT\nlcmt.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924
- C:\ProgramData\WinNT0\nlcmt.exe
  "C:\ProgramData\WinNT0\nlcmt.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Maps connected drives based on registry
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\WinNT0\ekmiowluin.mui

Filesize
5KB

MD5
3794bcb87a4b9bf2bf261cac37843f5b

SHA1
9c188647b41e0c1ff19fac80d667457c76b5f5a9

SHA256
4da154019cb156b4c8ba879879023a772f63bb9c8038b33ba3f56b2e5b7c0029

SHA512
680306e0032dfa3bd65da2dbb8a9c977b17b4bd51d7ff0965cca3a8fbac3e6da04058924fcc82292e74fb5f7bfa2438f1139c268d22150742789f6d2baea2933

Download Submit
C:\ProgramData\WinNT0\feteewvuu.sys

Filesize
5KB

MD5
535947d3890f2a094623aaa8645bb9d4

SHA1
f4f44a52a4fb38189530e996361edaf60534b65d

SHA256
8e92700257964caf69b5b05513623fa76b9fd519a469d1e009e13e91672ae1f7

SHA512
53349c79083b39c358d1b7e5333e51a8d40a516bc178a15106e34904696082a6cab656258aa3df7fdba3b3d7559837e2cd5721a37b45fc12dd7360f7e42f1d9e

Download Submit
C:\ProgramData\WinNT0\pivaaxwiuv\awh.bin

Filesize
4KB

MD5
38d950ef534e91f0d9dad0e8fbaa67a5

SHA1
4409ca932e0e82180f2940dbf664115bd3a8d7f6

SHA256
1e03db5c2b69647ed1230cb394a2f0bd511d86ae353d0da4ede792172924294b

SHA512
466612dfd556c71dd78552b63cee3dc50f552a9975ca2248b4d94ce83c004f61fe6c7321bb4b472835782c2ec811fc8c7cc0e3588219ba36e69f1517a75a32af

Download Submit
C:\ProgramData\WinNT0\pivaaxwiuv\equqmi.mui

Filesize
6KB

MD5
5f587d76bb26837f266739ed76ae6d61

SHA1
3135ad3688a52372b304cf8c253da73fb8beea49

SHA256
313a1b02d5719c4ed33b61f1c08d2e1c68f8ae7e4ec8bf790bcb70cf6b7c3121

SHA512
3427a548028f4b81c3cf5fa9fa9eac25e127c2358970a7b96b4484cbeb9566afeb16ebe39afad49d99095f14af334f21e6aa4a26ca94f734b7e51ace7559dd44

Download Submit
C:\ProgramData\WinNT0\qosowiloo.sys

Filesize
1KB

MD5
f116e6d68054f4e4a5ca80538b9f6fba

SHA1
b5b972370a69b1aef2f4634f9c23e7888c8d6998

SHA256
9a75785dd1b2b67f7b6816837e1cb188080a56b2d50025126ffa46222f64e103

SHA512
33e67cd76c278480ad546d89af4475c0228524e4b2270e0873a49fa3e4c48d72713838023b6af3df7fc15785d83e884f7ea76025567dc30803d87fd19c2a42fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\GF2EFEEL.txt

Filesize
219B

MD5
99a1b0216dfc467af5729dae7458b02a

SHA1
0dd992d764c0fb48c642db3711b0445d3b531638

SHA256
19bbfc1e7fc51cd6079424fb61194bb487768af3c3fb6a0695cccc11cd8ba748

SHA512
5c9a2de43148fcb6b05a0cebae03e7129a570328a60d17092104be046f766d02c73feba31b5625881042dab6133ddef02269b30a95e43471facc49a3f5047c77

Download Submit
C:\Users\Admin\AppData\Roaming\WinNT\nlcmt.exe

Filesize
170KB

MD5
46f5ae603ebdaa7195037c3ced63766f

SHA1
474dc6636a6a47576cddfc4b4004c5d95c6fa60e

SHA256
ec5030ef4da05957291a821570adcc751a93347d71bafdb831aa8646ff0c765e

SHA512
6e3767f6a4c62ab84c2b29b928d1073aee76ed09444a2ddb213e5990db5177c1841b3720c0467be9de1dc1e7713f22778fca561cced72d6742403b4112529e56

Download Submit
\ProgramData\WinNT\nlcmt.exe

Filesize
170KB

MD5
f1015b542137cfb99f39b7a5b5a0b8f1

SHA1
d510454d238697402ccf0868970aca053668ab2e

SHA256
cefb6ce1293df6d7dde56f43692fe0fe04b7e7d209075432bace4159972980f5

SHA512
79438085550032e3c54bc7fe0029e8de41cbd9aed8e7649aeb459ddbb482e9e5ba891d7f2d55381c9714c05b8b0c6cc31769334cb2226d99ac52995a70be2317

Download Submit