Malware Analysis Report

2024-11-15 07:50

Sample ID 240606-jpwlhacd87
Target NLChecker.exe
SHA256 bb0051be3e9db6d8299477ed7ff9d1d178d98513ab6d6d4f06b860bfe8cc229b
Tags upx pyinstaller
Score 7/10

Analysis Overview

Score 7/10

SHA256 bb0051be3e9db6d8299477ed7ff9d1d178d98513ab6d6d4f06b860bfe8cc229b

Threat Level: Shows suspicious behavior

The file NLChecker.exe was found to show suspicious behavior.

Malicious Activity Summary

upx pyinstaller

Loads dropped DLL

UPX packed file

Detects Pyinstaller

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-06 07:52

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-06 07:51

Reported

2024-06-06 07:56

Platform

win10v2004-20240508-en

Max time kernel

30s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NLChecker.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NLChecker.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3916 wrote to memory of 3652 N/A C:\Users\Admin\AppData\Local\Temp\NLChecker.exe C:\Users\Admin\AppData\Local\Temp\NLChecker.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NLChecker.exe

"C:\Users\Admin\AppData\Local\Temp\NLChecker.exe"

C:\Users\Admin\AppData\Local\Temp\NLChecker.exe

"C:\Users\Admin\AppData\Local\Temp\NLChecker.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1748,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=4148 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
BE 88.221.83.224:443 www.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 224.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 udp
N/A 20.114.59.183:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI39162\NLChecker.exe.manifest

C:\Users\Admin\AppData\Local\Temp\_MEI39162\python27.dll

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI39162\bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\_ssl.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\_multiprocessing.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\_cffi_backend.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Cipher\_raw_ecb.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_cfb.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_cbc.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Cipher\_raw_ofb.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Cipher\_raw_ctr.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Util\_strxor.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Hash\_BLAKE2s.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI39162\Crypto\Hash\_SHA1.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Hash\_SHA256.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI39162\Crypto\Hash\_MD5.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Cipher\_Salsa20.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Protocol\_scrypt.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Util\_cpuid_c.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Hash\_ghash_portable.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Hash\_ghash_clmul.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_ocb.pyd

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-06 07:51

Reported

2024-06-06 07:56

Platform

win7-20240221-en

Max time kernel

18s

Max time network

17s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\NLChecker.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\NLChecker.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NLChecker.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NLChecker.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-06 07:51

Reported

2024-06-06 07:56

Platform

win7-20240221-en

Max time kernel

22s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NLChecker.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NLChecker.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NLChecker.exe

"C:\Users\Admin\AppData\Local\Temp\NLChecker.exe"

C:\Users\Admin\AppData\Local\Temp\NLChecker.exe

"C:\Users\Admin\AppData\Local\Temp\NLChecker.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\_MEI19042\msvcr90.dll

\Users\Admin\AppData\Local\Temp\_MEI19~1\_ctypes.pyd

\Users\Admin\AppData\Local\Temp\_MEI19~1\_hashlib.pyd

\Users\Admin\AppData\Local\Temp\_MEI19~1\_ssl.pyd

\Users\Admin\AppData\Local\Temp\_MEI19~1\_socket.pyd

\Users\Admin\AppData\Local\Temp\_MEI19~1\_cffi_backend.pyd

\Users\Admin\AppData\Local\Temp\_MEI19~1\_multiprocessing.pyd

\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Cipher\_raw_cfb.pyd

\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Cipher\_raw_cbc.pyd

\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Hash\_BLAKE2s.pyd

\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Hash\_MD5.pyd

\Users\Admin\AppData\Local\Temp\_MEI19~1\Cryptodome\Cipher\_raw_cfb.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI19~1\Cryptodome\Util\_strxor.pyd

\Users\Admin\AppData\Local\Temp\_MEI19~1\Cryptodome\Cipher\_raw_ctr.pyd

\Users\Admin\AppData\Local\Temp\_MEI19~1\Cryptodome\Cipher\_raw_ofb.pyd

MD5 5851cca8ded21a61cc20b540cbec87be
SHA1 d5522d375c2e5e2d539bdf59293be9cb630f11bc
SHA256 5e98091bc225d94707fe7faf0ed1761e09e1e554afd5e9ab69a8cf218446fcc0
SHA512 27428b93f9b04a729221f21b02fbd7c0f30bf40c284912f4669bbd06f7837713fb60336e49ee4e894cc837c7d2be01b2d0fb13c7a7855e0752780a949f644b5a

\Users\Admin\AppData\Local\Temp\_MEI19~1\Cryptodome\Cipher\_raw_cbc.pyd

MD5 d74a913440a64400134b1c0486eb192d
SHA1 ef2fdb0ce21ec7543cc795d12ddabdf8e2a7fc93
SHA256 29ac9789e7f5d4c51032166cace333f43db6f4df8c9d813b90fe28bf3addac72
SHA512 8a168ff35ef8aa2485a13064b261a15b7e17f220e80f2f7cb9f478a74b5fdac44f702203d0dc63cacb3326cc6391f2508e44836a121032694ac5385f3b7057e0

\Users\Admin\AppData\Local\Temp\_MEI19~1\Cryptodome\Cipher\_raw_ecb.pyd

MD5 144be71653797bdb74bc85f67ea42fc1
SHA1 f1235f2e6f40c4521f6dbb008adb7d09cb21e26d
SHA256 29673d1ae2d5c695d6936c6f7d6eb2a246cf06f5541da469b249eef9ff33d8f8
SHA512 d9e172de87033abf071a00ddb2f7122c0929aedf6993caf0d009836d6ac33deef27f4bbe0aceb0a309707df49175d3ce7906661487268911521131c5bd93941b

memory/2000-160-0x0000000004250000-0x000000000425B000-memory.dmp

memory/2000-159-0x000007FEF7390000-0x000007FEF752F000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Cipher\_ARC4.pyd

MD5 2b29c56a942884590348d658c8b089b5
SHA1 08712bfd10c8c0eff61c41573d29604d27293780
SHA256 fedbc8d4bb85d878d9cfed2d5b9af4e04c18e4ed4e470b3ea4e3f960fc72faf9
SHA512 e218ce7cc9e0bf5585a86f2819dc4accc814fbbe9a59c6d25edd89e64eb8e254d0b87d439f7fa3a302709be282c54b9074280e0cfa871bddc6f2fec2f6ed98be

\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Cipher\_raw_ocb.pyd

MD5 d6074b3341f2998e5781db601a2386ed
SHA1 d513e9134cb919776d5286067487695d61b81458
SHA256 697e1d66c4444b601ad75a887d53db420bcbdcc521066174ee595fc4762363cb
SHA512 18aac19e29c9f15bce6795cdaf1bcf19472c86786f6589cf6d5b516f92690b8b0ff2ccd440664f62f26f23d05311296389a3ae1f3a8c8eabe563031f04d8a5b9

\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Hash\_ghash_clmul.pyd

MD5 2a173603e4770b75c1d60b3e8248c028
SHA1 1b955d2800fbc79b975ced1f90ddcde3e713efa1
SHA256 f4ac7cf80d72016fea440320696e46698ae0fee9f7d79713440f26148a856f2f
SHA512 1b23a684505c65c778a0fe9005b416a25ac6464f1c4bd37af50fbc6259df579906d557f0cfa62ce6b28b6d8c3bbd5ebb4d229216c5ff0d25359ca99f06302600

\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Hash\_ghash_portable.pyd

MD5 cf6a2d528f6f0c8e3a80094fd6127792
SHA1 70b758f75bef965c1514fd6f36021e351cfc76be
SHA256 dd1410ac66ebce4cf12a5c73af97c2295d897e3b7820b613b87af78987a81056
SHA512 d64a1c6fa77c5c7583783f2c6858ac306bdd86b1f57a0861e447cfe4805b6a5120f68ac5d65e6fdedc82bfa69462f6e0c61d67e57816d830a4d60c3e9d68990e

\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Util\_cpuid_c.pyd

MD5 11645c64306545732e48609025cb15af
SHA1 688a8e71789b9419eb672bed62944391ac7c9cad
SHA256 aaf9dbc38c6490964531223105bc6a6b26da55543e353165e0c748ed20a839a6
SHA512 7634747f1c47079eb8a3213adc294267dce69add539f0bfc1fd2bea0ff9787eb0f54f46ec3b726bf9e40a6f07f49e4227beb2dee9fdf34bcb6728c6b1cde23a3

memory/2000-146-0x00000000004E0000-0x00000000004EA000-memory.dmp

memory/2000-145-0x0000000074BD0000-0x0000000074BF5000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Protocol\_scrypt.pyd

MD5 7d5d2e773317ba63b5166c88318790a9
SHA1 d65b858ea27b58b6d396ea909082927740664ea1
SHA256 410646ad327b1096b9be25be92b8b0c35eb0c384741bdae8e340c77351509d2e
SHA512 a7f6ad24ad9b18a934e018290e26fb25c4dc87097c789885d06b9d9e074dc6b47441ae3da19f1ab92ded4a1bd2659f843d942361d846eab770f83d3873b2a68f

\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Cipher\_Salsa20.pyd

MD5 ef5dbc1a371e487adaff7cb7f5ed9446
SHA1 75dfc9c414f6288c57307fedbb8b5b4a7a2efcbc
SHA256 15be6f4ffbc7f6db0247dc4a1a3194fed4f38c93c1fc71c01515ad3a59de75d1
SHA512 c74e28a2990b44555bc4b5af2cf171ee5cf08dfdb46e149d66dfad81e6639fc249044230a031ba14b9b24cbfec082a2c575b5def1b9ec408bf4e2d06015ce42f

memory/2000-139-0x00000000004D0000-0x00000000004DC000-memory.dmp

memory/2000-138-0x0000000074C00000-0x0000000074CAF000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Hash\_SHA256.pyd

MD5 de77ed5a1f2a9f6ecbb75cdfb9fa1a23
SHA1 6c75eca2050627fc3676ddbbdd8c4dbba10ee6cd
SHA256 4087f562aa6d5716acf5d29195a23c9a69bb9449be7493dc185e10e367702de0
SHA512 dec8ebe6dcec4c28fe70191731c015933320cc2431c31172a4ad5eb0d11d20b981d39b216e05ed06720e070e3343b31b399300760b8f319439e6cf4e9b4d8eee

memory/2000-135-0x00000000004C0000-0x00000000004CC000-memory.dmp

memory/2000-134-0x00000000004B0000-0x00000000004BB000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Hash\_SHA1.pyd

MD5 f9734d4549191c6b4048f65ff7c5cd56
SHA1 0a55e87a7dea6f19e6126f0baddf96f92a7ac16d
SHA256 cc834acfd5ef9fde7bda34d250fd456a1f2b102289e62198bf41f96205151a80
SHA512 014e300f7a157abacad58b9acf1e2d483b8687628179c3d93fbe3691751243fdf6503f84864c0309cce56e7bfab22c3d558137a3a9e3c2aa56958fc63d8aa004

\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Util\_strxor.pyd

MD5 239a69fa1fc7297debeeaa42449a055f
SHA1 9407b4ddd4ae2da49198d0b083f113fa2eceb44f
SHA256 98c6a29470cd2a20e2dd2a09b0eb6156c29d1e900283eb844c993974d76208c3
SHA512 176b62b3b402b4c24541d39016e5d65bd9f043a5222b468fa685bcf60d47595ce955f230c242613861aeb11e8a112d5f39dd9298041efb050d0d5f9b0032febb

\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Cipher\_raw_ctr.pyd

MD5 e99802c2b523c4c2c8fc1d89ee6db877
SHA1 af68ee2ab9c5fe477f61a1be49ce84fa1e7c6a63
SHA256 6283c8117727cc18568cf268da11f998c57bb2df9966c31809514e82c8581cbf
SHA512 2c4187e4294765016e2264d92a1a34785f9ff2a69084fda39cfd187116b8efc189505b2d8e878f4f652ccbc3889a42e9c36cd0f3789bb3e7e41197cbca9b6f2f

\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Cipher\_raw_ofb.pyd

MD5 bd64a9dd340d9f32deaf7f545d5256c0
SHA1 6e43ed4524ef0e6e77b233b85adac0220eb3203d
SHA256 379678ab8a52983ade8148e321f3fc28b05449312faec7d0f29d38813f47d09e
SHA512 568411b9a709077ccddb7f4cdd4aa9034e67a09f4e85e317800cde084c3526ab37e8344c14ba6b306ce812823981db658b9d00ee3645fde235e1e56996836502

\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Cipher\_raw_ecb.pyd

MD5 2e6ab434cee9840a4fde4d45c57b1c5e
SHA1 32c7859abde475c1dc7a882eb8b0cf2b8285fb5e
SHA256 bd7046fcf346f1a051060f58c29787dd01fa0614c36bff02f539104c83ace274
SHA512 0106881287a188e51bfd6a84f24ce36e0059cc067b83849d4ae956ade3d1d02b8443d423f01bf85d668126e19f493dfc11bfe4d3bf4b8f894945a39871c0b4e6

\Users\Admin\AppData\Local\Temp\_MEI19~1\bz2.pyd

MD5 39a1f78896f228b494a9157991b8ce4b
SHA1 bb1da3b695206e82a019fc6d0e9d3e899b194b1d
SHA256 d9ac819de2aa2be5d575f57325a0d3ba6f6ba0516a04face096c3f693ea1eeaa
SHA512 43fc4ae3d7c7e5d2ff346311bfe4407e1b41d7410101d2acfbf2d2fde0448e87a359ce23c0dc74b30a8a673c148ba332132306684e4ac327d2dfd5be79d95751

memory/2000-97-0x0000000074BD0000-0x0000000074BF5000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI19042\python27.dll

MD5 d2b1ae6331f7b5573892f8458ef903ba
SHA1 e9f55a79e7fe086e93937302801e676e3ea3869a
SHA256 f9f9643cfcd248836e071d2ab5fc626211eab58a648d290cdf3711b9ecfde5e2
SHA512 dc7af4eab50dafbe83c48e312d386ccfafedf51a58231228b5dd21221912f7028fea930eb826bf2174ccb2d26ea483e65780b4a480797cd4d7bada6becf2b242

C:\Users\Admin\AppData\Local\Temp\_MEI19042\NLChecker.exe.manifest

MD5 6e405b4261e0578fbdfaf93615ecf43e
SHA1 f3d5993b5599fc85fc83dd1def58ac2d83672d4f
SHA256 2ae660d4e253e36fe08e9efb3b723558413be17700d9df80c59192a49d6976b4
SHA512 4a6c37c1f307c8dca40512e6a4e40ddb59dc6ca6b581ca4a2da5cbf9abcc17cd9467d5eb25a050025a5f3d0b367782cbceac69e09fb6c3825730cca54d223abe

memory/2000-182-0x0000000074CB0000-0x0000000075028000-memory.dmp

memory/2000-183-0x0000000074C00000-0x0000000074CAF000-memory.dmp
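
The listing above spells the same extraction directory two ways, as the long name _MEI19042 and as its 8.3 short name _MEI19~1, and it carries two parallel module trees, Crypto\ (the pycryptodome package) and Cryptodome\ (pycryptodomex), whose same-named extension modules hash differently: Crypto\Cipher\_raw_ctr.pyd has the SHA256 beginning 6283c811 while Cryptodome\Cipher\_raw_ctr.pyd has the one beginning 42788684. Across the detonations on this page the runtime files recur with identical hashes, which is what stock PyInstaller and PyCryptodome components look like; anything under the extraction directory whose hash does not recur, or that is not a .pyd, runtime DLL or manifest, is what deserves a closer look. The following is an added example, not part of this report or of the sandbox's tooling, that parses blocks in this format, expands the short names against the long names seen in the same listing, indexes the files by SHA256 and applies that coarse triage label. The excerpt is constructed from values on this page, with the SHA1/SHA512 lines omitted.

```python
"""Parse a sandbox report's dropped-file listing and cross-reference the hashes.
Added example, not the report's or the sandbox's own code. Assumed input, as on this
page: a path line, then 'MD5 <hex>'/'SHA1 <hex>'/'SHA256 <hex>'/'SHA512 <hex>' lines;
'memory/...' lines are memory-region dumps and are skipped.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt: values copied from this page's Files sections (behavioral1
# and behavioral2), with the SHA1/SHA512 lines left out to keep it short.
REPORT_EXCERPT = r"""
\Users\Admin\AppData\Local\Temp\_MEI19~1\Cryptodome\Cipher\_raw_ctr.pyd

MD5 14e408131308a7d6a3152929f85ecee3
SHA256 4278868447219fc08764b019a525e808ff7b2a1a93ba69f89aacb055d873d045

memory/2000-160-0x0000000004250000-0x000000000425B000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Cipher\_raw_ctr.pyd

MD5 e99802c2b523c4c2c8fc1d89ee6db877
SHA256 6283c8117727cc18568cf268da11f998c57bb2df9966c31809514e82c8581cbf

\Users\Admin\AppData\Local\Temp\_MEI19042\python27.dll

MD5 d2b1ae6331f7b5573892f8458ef903ba
SHA256 f9f9643cfcd248836e071d2ab5fc626211eab58a648d290cdf3711b9ecfde5e2

\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Cipher\_raw_ctr.pyd

MD5 e99802c2b523c4c2c8fc1d89ee6db877
SHA256 6283c8117727cc18568cf268da11f998c57bb2df9966c31809514e82c8581cbf

C:\Users\Admin\AppData\Local\Temp\_MEI16082\python27.dll

MD5 d2b1ae6331f7b5573892f8458ef903ba
SHA256 f9f9643cfcd248836e071d2ab5fc626211eab58a648d290cdf3711b9ecfde5e2
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]{32,128})$")
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\")      # report paths, with or without a drive letter
LONG_MEI_RE = re.compile(r"_MEI\d+(?![\d~])")   # _MEI19042, but not the short form _MEI19~1
SHORT_MEI_RE = re.compile(r"(_MEI\d+)~\d+")     # 8.3 short form, e.g. _MEI19~1

@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)   # algorithm name -> hex digest

def parse_dropped_files(text):
    """One DroppedFile per path line, carrying whatever hash lines follow it."""
    files, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current.hashes[m.group(1)] = m.group(2)
        elif PATH_RE.match(line):
            current = DroppedFile(line)
            files.append(current)
    return files

def expand_short_names(files):
    """Rewrite _MEI19~1 as _MEI19042 when exactly one long name in the listing matches."""
    long_names = {m.group(0) for f in files for m in LONG_MEI_RE.finditer(f.path)}
    for f in files:
        m = SHORT_MEI_RE.search(f.path)
        if m:
            candidates = [n for n in long_names if n.startswith(m.group(1))]
            if len(candidates) == 1:          # refuse to guess when the prefix is ambiguous
                f.path = f.path.replace(m.group(0), candidates[0])
    return files

def split_mei(path):
    """('_MEI16082', 'Crypto\\Cipher\\_raw_ctr.pyd') for a path below an extraction dir."""
    m = re.search(r"(_MEI\d+)\\(.+)$", path)
    return (m.group(1), m.group(2)) if m else ("", path)

def hash_index(files):
    """SHA256 -> {(extraction dir, relative path)}: shows what recurs across detonations."""
    index = defaultdict(set)
    for f in files:
        if "SHA256" in f.hashes:
            index[f.hashes["SHA256"]].add(split_mei(f.path))
    return dict(index)

def classify(rel_path):
    """Coarse triage label: PyCryptodome extension, stock runtime piece, or something to look at."""
    top = rel_path.split("\\", 1)[0].lower()
    name = rel_path.rsplit("\\", 1)[-1].lower()
    if top in ("crypto", "cryptodome"):
        return "pycryptodome"
    runtime = (name.startswith("python") and name.endswith(".dll")) \
        or name.startswith("msvcr") or name.endswith((".pyd", ".manifest"))
    return "runtime" if runtime else "other"
```

On the excerpt, hash_index places the python27.dll digest under both _MEI19042 and _MEI16082 and the Crypto\Cipher\_raw_ctr.pyd digest under both as well, while the Cryptodome\ module appears once; the short-name expansion only rewrites a path when a single long name in the same listing shares the prefix, so it never invents a directory the report did not show.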

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-06 07:51
Reported 2024-06-06 07:56
Platform win10-20240404-en
Max time kernel 22s
Max time network 17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NLChecker.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NLChecker.exe N/A
(64 identical rows; the sandbox recorded NLChecker.exe as the loading process for each of them but no description, indicator or target)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(45 identical rows with no description, indicator, process or target recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1608 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\NLChecker.exe C:\Users\Admin\AppData\Local\Temp\NLChecker.exe
PID 1608 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\NLChecker.exe C:\Users\Admin\AppData\Local\Temp\NLChecker.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NLChecker.exe

"C:\Users\Admin\AppData\Local\Temp\NLChecker.exe"

C:\Users\Admin\AppData\Local\Temp\NLChecker.exe

"C:\Users\Admin\AppData\Local\Temp\NLChecker.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI16082\NLChecker.exe.manifest

MD5 6e405b4261e0578fbdfaf93615ecf43e
SHA1 f3d5993b5599fc85fc83dd1def58ac2d83672d4f
SHA256 2ae660d4e253e36fe08e9efb3b723558413be17700d9df80c59192a49d6976b4
SHA512 4a6c37c1f307c8dca40512e6a4e40ddb59dc6ca6b581ca4a2da5cbf9abcc17cd9467d5eb25a050025a5f3d0b367782cbceac69e09fb6c3825730cca54d223abe

C:\Users\Admin\AppData\Local\Temp\_MEI16082\python27.dll

MD5 d2b1ae6331f7b5573892f8458ef903ba
SHA1 e9f55a79e7fe086e93937302801e676e3ea3869a
SHA256 f9f9643cfcd248836e071d2ab5fc626211eab58a648d290cdf3711b9ecfde5e2
SHA512 dc7af4eab50dafbe83c48e312d386ccfafedf51a58231228b5dd21221912f7028fea930eb826bf2174ccb2d26ea483e65780b4a480797cd4d7bada6becf2b242

\Users\Admin\AppData\Local\Temp\_MEI16082\msvcr90.dll

MD5 e82eeaa1e4591cedf8afa159217b6bb1
SHA1 8ac3c6f0a62991c92df62ab8e239183081076b7f
SHA256 3359cf3a05a0070a273cb14b9d10992cf3ba1d95323df8ecdec199423cb6c9bd
SHA512 6d56e4c0323bfab21ae89be66e79b71736240ca85a4418f36c8009cf47ec9c7891b5b5592f95559840a84c705e9849fcb28d6c421b74f2811aab774bbf606840

memory/4864-94-0x000000005F4C0000-0x000000005F56F000-memory.dmp

memory/4864-93-0x000000005F570000-0x000000005F8E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI16~1\bz2.pyd

MD5 39a1f78896f228b494a9157991b8ce4b
SHA1 bb1da3b695206e82a019fc6d0e9d3e899b194b1d
SHA256 d9ac819de2aa2be5d575f57325a0d3ba6f6ba0516a04face096c3f693ea1eeaa
SHA512 43fc4ae3d7c7e5d2ff346311bfe4407e1b41d7410101d2acfbf2d2fde0448e87a359ce23c0dc74b30a8a673c148ba332132306684e4ac327d2dfd5be79d95751

\Users\Admin\AppData\Local\Temp\_MEI16~1\_hashlib.pyd

MD5 b9bec1122b0d52d2737f8fde24678b37
SHA1 787a8eb4bb45f3019bc5890e3e92a37b7faee4a0
SHA256 0dfd1ee1f50986efd0f967f0e4665216ef5301bdecbefb6b183bb70303e7709f
SHA512 2b341fb67370e9e590bd242899bfe1735def66eb166cb4d0898fd7aab671a1a6a6eb18b155bd223a55d469875350f74b7ff94fcc35990639994c467e88313037

memory/4864-103-0x00007FF844620000-0x00007FF8447BF000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI16~1\_ssl.pyd

MD5 0f38005ba0792ceeb3f800b5a50b86d3
SHA1 ee4c4174e2c98ef63f2e1051c83eb39e7280a627
SHA256 a2e0b349bb1bfd39094c59e7b096bbf0953b74f58e8efa4d675604f33eccbc61
SHA512 212d1be7bc797f511e9949a5a76b6d07009d40bc4e0c6b6f114c72cae193dc22d2c2662d234ac163d6b4bd341383dc2cd199895ca09bde08dfa2f7b8d997de24

memory/4864-109-0x00007FF843E90000-0x00007FF8440A1000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI16~1\_cffi_backend.pyd

MD5 b886ce72a56d6a45c876266d3aad9a0c
SHA1 e3fba46feefedbd7f38c163ca867d0c5f83fa557
SHA256 ed085929fc8e6edcf9f359d4382815a434a0dc6b550902533706c5af8e4477f3
SHA512 07ec4f329acc0e70818d179f39bfe67f4fdc2b5b3c8dfe6dd59a11480cc42d491135a67c1bb3090329db1652e170e99401b26dd2a8fabda3b89c347a471480e4

\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Cipher\_raw_cfb.pyd

MD5 037c3157ce1f4e858e6efc44bc346e7a
SHA1 52fe78365725a24f6f892e44c8120ad11f5a9187
SHA256 a583c84197ef1dc5964194418d003eacf7c8d38eb039764e1da511d31a109a1a
SHA512 e280da2e37ca841d8e53a77861b3880f5db8f5366e27040017e2621832c0712b7e732ff28cbe48b93c067dfe9f283da71e0dc7834c91e42766678ebb7b05b9c8

\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Cipher\_raw_ctr.pyd

MD5 e99802c2b523c4c2c8fc1d89ee6db877
SHA1 af68ee2ab9c5fe477f61a1be49ce84fa1e7c6a63
SHA256 6283c8117727cc18568cf268da11f998c57bb2df9966c31809514e82c8581cbf
SHA512 2c4187e4294765016e2264d92a1a34785f9ff2a69084fda39cfd187116b8efc189505b2d8e878f4f652ccbc3889a42e9c36cd0f3789bb3e7e41197cbca9b6f2f

\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Hash\_MD5.pyd

MD5 f691f657d9f34de60611e633304cd76b
SHA1 afeaf5693f43d26011ca123b1ed51be4ebc4120c
SHA256 ef3802a73785be16f243515490beb4aa120f403ddd1b831998cd44559bc1c90c
SHA512 50730499346952abd875f9f810a809d937d8c066d6330e902032ac6307033b8c3c891dca52187599ac45f8624d38096ad4ba55eff24cc143181e466a257ac4bc

C:\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Hash\_ghash_clmul.pyd

MD5 2a173603e4770b75c1d60b3e8248c028
SHA1 1b955d2800fbc79b975ced1f90ddcde3e713efa1
SHA256 f4ac7cf80d72016fea440320696e46698ae0fee9f7d79713440f26148a856f2f
SHA512 1b23a684505c65c778a0fe9005b416a25ac6464f1c4bd37af50fbc6259df579906d557f0cfa62ce6b28b6d8c3bbd5ebb4d229216c5ff0d25359ca99f06302600

memory/4864-168-0x00000166A5350000-0x00000166A535B000-memory.dmp

memory/4864-173-0x00007FF844620000-0x00007FF8447BF000-memory.dmp

memory/4864-179-0x00000166A54A0000-0x00000166A54AB000-memory.dmp

memory/4864-178-0x00000166A5480000-0x00000166A5494000-memory.dmp

memory/4864-177-0x00000166A5460000-0x00000166A546B000-memory.dmp

memory/4864-176-0x00000166A5440000-0x00000166A544A000-memory.dmp

memory/4864-175-0x00007FF843E90000-0x00007FF8440A1000-memory.dmp

memory/4864-174-0x000000005F450000-0x000000005F464000-memory.dmp

memory/4864-172-0x00000166A5400000-0x00000166A540A000-memory.dmp

memory/4864-171-0x00000166A53F0000-0x00000166A53FC000-memory.dmp

memory/4864-170-0x00000166A53E0000-0x00000166A53EC000-memory.dmp

memory/4864-169-0x00000166A53D0000-0x00000166A53DB000-memory.dmp

memory/4864-167-0x00000166A1840000-0x00000166A184A000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Hash\_ghash_portable.pyd

MD5 cf6a2d528f6f0c8e3a80094fd6127792
SHA1 70b758f75bef965c1514fd6f36021e351cfc76be
SHA256 dd1410ac66ebce4cf12a5c73af97c2295d897e3b7820b613b87af78987a81056
SHA512 d64a1c6fa77c5c7583783f2c6858ac306bdd86b1f57a0861e447cfe4805b6a5120f68ac5d65e6fdedc82bfa69462f6e0c61d67e57816d830a4d60c3e9d68990e

\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Util\_cpuid_c.pyd

MD5 11645c64306545732e48609025cb15af
SHA1 688a8e71789b9419eb672bed62944391ac7c9cad
SHA256 aaf9dbc38c6490964531223105bc6a6b26da55543e353165e0c748ed20a839a6
SHA512 7634747f1c47079eb8a3213adc294267dce69add539f0bfc1fd2bea0ff9787eb0f54f46ec3b726bf9e40a6f07f49e4227beb2dee9fdf34bcb6728c6b1cde23a3

memory/4864-159-0x000000005F4C0000-0x000000005F56F000-memory.dmp

memory/4864-157-0x00000166A17F0000-0x00000166A17FA000-memory.dmp

memory/4864-156-0x000000005F570000-0x000000005F8E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Protocol\_scrypt.pyd

MD5 7d5d2e773317ba63b5166c88318790a9
SHA1 d65b858ea27b58b6d396ea909082927740664ea1
SHA256 410646ad327b1096b9be25be92b8b0c35eb0c384741bdae8e340c77351509d2e
SHA512 a7f6ad24ad9b18a934e018290e26fb25c4dc87097c789885d06b9d9e074dc6b47441ae3da19f1ab92ded4a1bd2659f843d942361d846eab770f83d3873b2a68f

\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Cipher\_Salsa20.pyd

MD5 ef5dbc1a371e487adaff7cb7f5ed9446
SHA1 75dfc9c414f6288c57307fedbb8b5b4a7a2efcbc
SHA256 15be6f4ffbc7f6db0247dc4a1a3194fed4f38c93c1fc71c01515ad3a59de75d1
SHA512 c74e28a2990b44555bc4b5af2cf171ee5cf08dfdb46e149d66dfad81e6639fc249044230a031ba14b9b24cbfec082a2c575b5def1b9ec408bf4e2d06015ce42f

memory/4864-146-0x00000166A17E0000-0x00000166A17EC000-memory.dmp

memory/4864-145-0x00000166A17D0000-0x00000166A17DC000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Hash\_SHA256.pyd

MD5 de77ed5a1f2a9f6ecbb75cdfb9fa1a23
SHA1 6c75eca2050627fc3676ddbbdd8c4dbba10ee6cd
SHA256 4087f562aa6d5716acf5d29195a23c9a69bb9449be7493dc185e10e367702de0
SHA512 dec8ebe6dcec4c28fe70191731c015933320cc2431c31172a4ad5eb0d11d20b981d39b216e05ed06720e070e3343b31b399300760b8f319439e6cf4e9b4d8eee

\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Hash\_SHA1.pyd

MD5 f9734d4549191c6b4048f65ff7c5cd56
SHA1 0a55e87a7dea6f19e6126f0baddf96f92a7ac16d
SHA256 cc834acfd5ef9fde7bda34d250fd456a1f2b102289e62198bf41f96205151a80
SHA512 014e300f7a157abacad58b9acf1e2d483b8687628179c3d93fbe3691751243fdf6503f84864c0309cce56e7bfab22c3d558137a3a9e3c2aa56958fc63d8aa004

memory/4864-137-0x00000166A17C0000-0x00000166A17CB000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Hash\_BLAKE2s.pyd

MD5 36f7426b735e4b0de5a32a7a829da7e3
SHA1 966138f6ca8ad626fa698da974ce8e9eb2fcd675
SHA256 142b0e8a71a71dc59b6ba533ee865c3d174436bd9785c8910e742ca12c736dc7
SHA512 8ee6a8059bf9032c412be55f1e6d5c2cf219463e4384f2b10749616a8f0055a1eed5c1dcbcd5cc94539caafb4a18921195bc6538bb9fe01be5c76cfd28682ccd

\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Util\_strxor.pyd

MD5 239a69fa1fc7297debeeaa42449a055f
SHA1 9407b4ddd4ae2da49198d0b083f113fa2eceb44f
SHA256 98c6a29470cd2a20e2dd2a09b0eb6156c29d1e900283eb844c993974d76208c3
SHA512 176b62b3b402b4c24541d39016e5d65bd9f043a5222b468fa685bcf60d47595ce955f230c242613861aeb11e8a112d5f39dd9298041efb050d0d5f9b0032febb

\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Cipher\_raw_ofb.pyd

MD5 bd64a9dd340d9f32deaf7f545d5256c0
SHA1 6e43ed4524ef0e6e77b233b85adac0220eb3203d
SHA256 379678ab8a52983ade8148e321f3fc28b05449312faec7d0f29d38813f47d09e
SHA512 568411b9a709077ccddb7f4cdd4aa9034e67a09f4e85e317800cde084c3526ab37e8344c14ba6b306ce812823981db658b9d00ee3645fde235e1e56996836502

\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Cipher\_raw_cbc.pyd

MD5 0b880f6e0d8461cb80d1b4146237ee82
SHA1 157347e0b5f13bb8131b2335d078ad1d86917ab1
SHA256 093eaa37165b0f8dbf50b2acba7f998a8d535409ea0ed13fff3e645f865718a0
SHA512 339638856dd48fa3be696c9af22121c3d2d7ed9aaf3d96c339291ba6eb076980364df30160e42ea2ab3ce37d991d7d5fcc08fcc3b590ea41d295e457657b561e

\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Cipher\_raw_ecb.pyd

MD5 2e6ab434cee9840a4fde4d45c57b1c5e
SHA1 32c7859abde475c1dc7a882eb8b0cf2b8285fb5e
SHA256 bd7046fcf346f1a051060f58c29787dd01fa0614c36bff02f539104c83ace274
SHA512 0106881287a188e51bfd6a84f24ce36e0059cc067b83849d4ae956ade3d1d02b8443d423f01bf85d668126e19f493dfc11bfe4d3bf4b8f894945a39871c0b4e6

memory/4864-115-0x0000000180000000-0x0000000180033000-memory.dmp

memory/4864-113-0x000000005F430000-0x000000005F441000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI16~1\_multiprocessing.pyd

MD5 4fcc93a09d15c138b21c436434189d82
SHA1 9a94f9f7f9f00f100cfec8b4af46f0d335e85ecd
SHA256 ee66b937adf6adcf2efe3777018c09a3677251393777234c7853b8708fc2c539
SHA512 00f984ab9a9f6842ec036d48d51fd3572870c9a1d23487af2f40130b0077e887fa51b1657ab7f8420d0bfb54eb204a1594799baeaa0075f6aec51f52c4ae3b9e

memory/4864-108-0x000000005F450000-0x000000005F464000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI16~1\_socket.pyd

MD5 efaaa811eb02d947aad2fd020a7ca585
SHA1 35d122e58a453d3c4a5fa81031fb9dfa6aec6f27
SHA256 ae6436d7ae7366cd0ec6ae065a851028fdc5a14094d4e928a9ad8752f2b1a9af
SHA512 319cd32759b8e5cb0086107ec6a3f35c60b2449a9db5e35b21f16e21271adcbdb6501cec2a566191fc9e63a48edca32fbef235931ee6210597b4eb83fa49844a

memory/4864-100-0x000000005F470000-0x000000005F48E000-memory.dmp

memory/4864-97-0x000000005F490000-0x000000005F4B5000-memory.dmp

\Users\Admin\AppData\Local\Temp\_MEI16~1\_ctypes.pyd

MD5 47a51db6fd9a671761cd5e0b6e0b83d7
SHA1 fef0c42609aaf8043ed1a1742512f7732d3a22b3
SHA256 6d0c1677f6ccbe91c16032aac3a99ae09c684729bc0c153f1c0157ea2e560ecc
SHA512 e6ae1d9b4f07574da8ff427d514b01964f4431bea021b31cbd94151346ac918e64ab694370eaf16e977b5289052d1a76440dc848e42b26e213d19a0f7f0490e2

memory/4864-180-0x0000000180000000-0x0000000180033000-memory.dmp

memory/4864-182-0x000000005F4C0000-0x000000005F56F000-memory.dmp

memory/4864-181-0x000000005F570000-0x000000005F8E8000-memory.dmp
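
The Processes and Signatures blocks of this detonation are consistent with the PyInstaller one-file start-up sequence rather than with process injection: NLChecker.exe (PID 1608) unpacks its embedded archive into %TEMP%\_MEI16082 and launches a second copy of itself (PID 4864), which is the instance that loads python27.dll and the extension modules (every memory/4864-... region dump belongs to the child), and the sandbox reports the parent's writes into the child as "Suspicious use of WriteProcessMemory". behavioral4 below has the same shape with PIDs 3912 and 3740 and the directory _MEI39122, so in both runs the directory name is _MEI followed by the decimal parent PID and a trailing 2. Two caveats for triage: the dropped files are the runtime, and no script or compiled bytecode appears among them, so the payload has to be recovered from the archive inside NLChecker.exe itself; and the PID-derived directory name changes every run, so match on the _MEI prefix rather than on a fixed path. The following is an added example, not from the report or the sandbox, that encodes these checks over constructed event records taken from the two detonations plus a control case; the _MEI<parent PID>2 naming is treated as an assumption drawn from this page, not as a documented guarantee.

```python
"""Flag the PyInstaller one-file start-up pattern in sandbox process and file events.
Added example, not from the report or the sandbox. Detonation records are a constructed,
simplified form of what this page shows (parent/child PIDs and images, the 'PID X wrote
to memory of Y' rows, dropped-file paths). The '_MEI<parent PID>2' naming is taken from
the two runs on this page and is an assumption, not a documented guarantee.
"""
import re
from dataclasses import dataclass

MEI_DIR_RE = re.compile(r"\\Temp\\(_MEI\d+)\\", re.IGNORECASE)   # any extraction dir under %TEMP%
PYTHON_DLL_RE = re.compile(r"\\python(\d+)\.dll$", re.IGNORECASE)

@dataclass(frozen=True)
class Detonation:
    parent_pid: int
    child_pid: int
    parent_image: str
    child_image: str
    memory_writes: tuple   # (writer PID, target PID) pairs from the WriteProcessMemory signature
    dropped_paths: tuple

def expected_mei_dir(parent_pid):
    """Directory name as seen on this page: '_MEI' + decimal parent PID + '2' (assumption)."""
    return f"_MEI{parent_pid}2"

def mei_dirs(paths):
    """Every _MEI<digits> directory referenced under %TEMP% in the dropped-file paths."""
    return {m.group(1) for p in paths for m in [MEI_DIR_RE.search(p)] if m}

def onefile_indicators(d):
    """Independent observations; each is cheap to check on its own."""
    dirs = mei_dirs(d.dropped_paths)
    runtime = next((m.group(1) for p in d.dropped_paths
                    for m in [PYTHON_DLL_RE.search(p)] if m), None)
    return {
        "same_image_child": d.parent_image.lower() == d.child_image.lower(),
        "parent_wrote_child": (d.parent_pid, d.child_pid) in d.memory_writes,
        "mei_extraction_dir": bool(dirs),
        "dir_encodes_parent_pid": expected_mei_dir(d.parent_pid) in dirs,
        "python_runtime": runtime,   # '27' for python27.dll; None if no pythonXY.dll was dropped
    }

def is_pyinstaller_onefile(d):
    """Verdict: a same-image child plus an extraction dir that received a CPython runtime DLL.
    The PID-derived name and the memory writes are corroboration, not requirements."""
    i = onefile_indicators(d)
    return i["same_image_child"] and i["mei_extraction_dir"] and i["python_runtime"] is not None

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NLCHECKER = TEMP + r"\NLChecker.exe"

# Constructed from the behavioral2 section of this page.
BEHAVIORAL2 = Detonation(
    parent_pid=1608, child_pid=4864, parent_image=NLCHECKER, child_image=NLCHECKER,
    memory_writes=((1608, 4864), (1608, 4864)),
    dropped_paths=(TEMP + r"\_MEI16082\NLChecker.exe.manifest",
                   TEMP + r"\_MEI16082\python27.dll",
                   TEMP + r"\_MEI16082\msvcr90.dll"),
)
# Constructed from the behavioral4 section of this page.
BEHAVIORAL4 = Detonation(
    parent_pid=3912, child_pid=3740, parent_image=NLCHECKER, child_image=NLCHECKER,
    memory_writes=((3912, 3740), (3912, 3740)),
    dropped_paths=(TEMP + r"\_MEI39122\NLChecker.exe.manifest",
                   TEMP + r"\_MEI39122\python27.dll"),
)
# Constructed control case: an ordinary parent/child pair that drops nothing.
CONTROL = Detonation(
    parent_pid=1000, child_pid=1001,
    parent_image=r"C:\Windows\explorer.exe", child_image=r"C:\Windows\System32\notepad.exe",
    memory_writes=(), dropped_paths=(),
)
```

The verdict deliberately rests on the two observations that do not depend on the sandbox's naming (a same-image child and a runtime DLL under an _MEI directory); the PID-derived name and the recorded memory writes are reported separately so that a run where they are absent still triggers.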

Analysis: behavioral4

Detonation Overview

Submitted 2024-06-06 07:51
Reported 2024-06-06 07:56
Platform win11-20240508-en
Max time kernel 20s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NLChecker.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NLChecker.exe N/A
(64 identical rows; the sandbox recorded NLChecker.exe as the loading process for each of them but no description, indicator or target)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(44 identical rows with no description, indicator, process or target recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3912 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\NLChecker.exe C:\Users\Admin\AppData\Local\Temp\NLChecker.exe
PID 3912 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\NLChecker.exe C:\Users\Admin\AppData\Local\Temp\NLChecker.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NLChecker.exe

"C:\Users\Admin\AppData\Local\Temp\NLChecker.exe"

C:\Users\Admin\AppData\Local\Temp\NLChecker.exe

"C:\Users\Admin\AppData\Local\Temp\NLChecker.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI39122\NLChecker.exe.manifest

MD5 6e405b4261e0578fbdfaf93615ecf43e
SHA1 f3d5993b5599fc85fc83dd1def58ac2d83672d4f
SHA256 2ae660d4e253e36fe08e9efb3b723558413be17700d9df80c59192a49d6976b4
SHA512 4a6c37c1f307c8dca40512e6a4e40ddb59dc6ca6b581ca4a2da5cbf9abcc17cd9467d5eb25a050025a5f3d0b367782cbceac69e09fb6c3825730cca54d223abe

C:\Users\Admin\AppData\Local\Temp\_MEI39122\python27.dll

MD5 d2b1ae6331f7b5573892f8458ef903ba
SHA1 e9f55a79e7fe086e93937302801e676e3ea3869a
SHA256 f9f9643cfcd248836e071d2ab5fc626211eab58a648d290cdf3711b9ecfde5e2
SHA512 dc7af4eab50dafbe83c48e312d386ccfafedf51a58231228b5dd21221912f7028fea930eb826bf2174ccb2d26ea483e65780b4a480797cd4d7bada6becf2b242

memory/3740-91-0x0000000059FF0000-0x000000005A368000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\_ctypes.pyd

MD5 47a51db6fd9a671761cd5e0b6e0b83d7
SHA1 fef0c42609aaf8043ed1a1742512f7732d3a22b3
SHA256 6d0c1677f6ccbe91c16032aac3a99ae09c684729bc0c153f1c0157ea2e560ecc
SHA512 e6ae1d9b4f07574da8ff427d514b01964f4431bea021b31cbd94151346ac918e64ab694370eaf16e977b5289052d1a76440dc848e42b26e213d19a0f7f0490e2

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\bz2.pyd

MD5 39a1f78896f228b494a9157991b8ce4b
SHA1 bb1da3b695206e82a019fc6d0e9d3e899b194b1d
SHA256 d9ac819de2aa2be5d575f57325a0d3ba6f6ba0516a04face096c3f693ea1eeaa
SHA512 43fc4ae3d7c7e5d2ff346311bfe4407e1b41d7410101d2acfbf2d2fde0448e87a359ce23c0dc74b30a8a673c148ba332132306684e4ac327d2dfd5be79d95751

memory/3740-97-0x0000000059EF0000-0x0000000059F0E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39122\_hashlib.pyd

MD5 b9bec1122b0d52d2737f8fde24678b37
SHA1 787a8eb4bb45f3019bc5890e3e92a37b7faee4a0
SHA256 0dfd1ee1f50986efd0f967f0e4665216ef5301bdecbefb6b183bb70303e7709f
SHA512 2b341fb67370e9e590bd242899bfe1735def66eb166cb4d0898fd7aab671a1a6a6eb18b155bd223a55d469875350f74b7ff94fcc35990639994c467e88313037

memory/3740-95-0x0000000059F10000-0x0000000059F35000-memory.dmp

memory/3740-100-0x00007FF848940000-0x00007FF848ADF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\_socket.pyd

MD5 efaaa811eb02d947aad2fd020a7ca585
SHA1 35d122e58a453d3c4a5fa81031fb9dfa6aec6f27
SHA256 ae6436d7ae7366cd0ec6ae065a851028fdc5a14094d4e928a9ad8752f2b1a9af
SHA512 319cd32759b8e5cb0086107ec6a3f35c60b2449a9db5e35b21f16e21271adcbdb6501cec2a566191fc9e63a48edca32fbef235931ee6210597b4eb83fa49844a

C:\Users\Admin\AppData\Local\Temp\_MEI39122\_ssl.pyd

MD5 0f38005ba0792ceeb3f800b5a50b86d3
SHA1 ee4c4174e2c98ef63f2e1051c83eb39e7280a627
SHA256 a2e0b349bb1bfd39094c59e7b096bbf0953b74f58e8efa4d675604f33eccbc61
SHA512 212d1be7bc797f511e9949a5a76b6d07009d40bc4e0c6b6f114c72cae193dc22d2c2662d234ac163d6b4bd341383dc2cd199895ca09bde08dfa2f7b8d997de24

memory/3740-105-0x0000000059ED0000-0x0000000059EE4000-memory.dmp

memory/3740-106-0x00007FF837520000-0x00007FF837731000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\_multiprocessing.pyd

MD5 4fcc93a09d15c138b21c436434189d82
SHA1 9a94f9f7f9f00f100cfec8b4af46f0d335e85ecd
SHA256 ee66b937adf6adcf2efe3777018c09a3677251393777234c7853b8708fc2c539
SHA512 00f984ab9a9f6842ec036d48d51fd3572870c9a1d23487af2f40130b0077e887fa51b1657ab7f8420d0bfb54eb204a1594799baeaa0075f6aec51f52c4ae3b9e

memory/3740-109-0x0000000059EB0000-0x0000000059EC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\_cffi_backend.pyd

MD5 b886ce72a56d6a45c876266d3aad9a0c
SHA1 e3fba46feefedbd7f38c163ca867d0c5f83fa557
SHA256 ed085929fc8e6edcf9f359d4382815a434a0dc6b550902533706c5af8e4477f3
SHA512 07ec4f329acc0e70818d179f39bfe67f4fdc2b5b3c8dfe6dd59a11480cc42d491135a67c1bb3090329db1652e170e99401b26dd2a8fabda3b89c347a471480e4

C:\Users\Admin\AppData\Local\Temp\_MEI39122\Crypto\Cipher\_raw_ecb.pyd

MD5 2e6ab434cee9840a4fde4d45c57b1c5e
SHA1 32c7859abde475c1dc7a882eb8b0cf2b8285fb5e
SHA256 bd7046fcf346f1a051060f58c29787dd01fa0614c36bff02f539104c83ace274
SHA512 0106881287a188e51bfd6a84f24ce36e0059cc067b83849d4ae956ade3d1d02b8443d423f01bf85d668126e19f493dfc11bfe4d3bf4b8f894945a39871c0b4e6

memory/3740-113-0x0000000180000000-0x0000000180033000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Cipher\_raw_cbc.pyd

MD5 0b880f6e0d8461cb80d1b4146237ee82
SHA1 157347e0b5f13bb8131b2335d078ad1d86917ab1
SHA256 093eaa37165b0f8dbf50b2acba7f998a8d535409ea0ed13fff3e645f865718a0
SHA512 339638856dd48fa3be696c9af22121c3d2d7ed9aaf3d96c339291ba6eb076980364df30160e42ea2ab3ce37d991d7d5fcc08fcc3b590ea41d295e457657b561e

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Cipher\_raw_cfb.pyd

MD5 037c3157ce1f4e858e6efc44bc346e7a
SHA1 52fe78365725a24f6f892e44c8120ad11f5a9187
SHA256 a583c84197ef1dc5964194418d003eacf7c8d38eb039764e1da511d31a109a1a
SHA512 e280da2e37ca841d8e53a77861b3880f5db8f5366e27040017e2621832c0712b7e732ff28cbe48b93c067dfe9f283da71e0dc7834c91e42766678ebb7b05b9c8

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Cipher\_raw_ofb.pyd

MD5 bd64a9dd340d9f32deaf7f545d5256c0
SHA1 6e43ed4524ef0e6e77b233b85adac0220eb3203d
SHA256 379678ab8a52983ade8148e321f3fc28b05449312faec7d0f29d38813f47d09e
SHA512 568411b9a709077ccddb7f4cdd4aa9034e67a09f4e85e317800cde084c3526ab37e8344c14ba6b306ce812823981db658b9d00ee3645fde235e1e56996836502

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Cipher\_raw_ctr.pyd

MD5 e99802c2b523c4c2c8fc1d89ee6db877
SHA1 af68ee2ab9c5fe477f61a1be49ce84fa1e7c6a63
SHA256 6283c8117727cc18568cf268da11f998c57bb2df9966c31809514e82c8581cbf
SHA512 2c4187e4294765016e2264d92a1a34785f9ff2a69084fda39cfd187116b8efc189505b2d8e878f4f652ccbc3889a42e9c36cd0f3789bb3e7e41197cbca9b6f2f

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Util\_strxor.pyd

MD5 239a69fa1fc7297debeeaa42449a055f
SHA1 9407b4ddd4ae2da49198d0b083f113fa2eceb44f
SHA256 98c6a29470cd2a20e2dd2a09b0eb6156c29d1e900283eb844c993974d76208c3
SHA512 176b62b3b402b4c24541d39016e5d65bd9f043a5222b468fa685bcf60d47595ce955f230c242613861aeb11e8a112d5f39dd9298041efb050d0d5f9b0032febb

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Hash\_BLAKE2s.pyd

MD5 36f7426b735e4b0de5a32a7a829da7e3
SHA1 966138f6ca8ad626fa698da974ce8e9eb2fcd675
SHA256 142b0e8a71a71dc59b6ba533ee865c3d174436bd9785c8910e742ca12c736dc7
SHA512 8ee6a8059bf9032c412be55f1e6d5c2cf219463e4384f2b10749616a8f0055a1eed5c1dcbcd5cc94539caafb4a18921195bc6538bb9fe01be5c76cfd28682ccd

memory/3740-134-0x0000025D52C00000-0x0000025D52C0B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Hash\_SHA1.pyd

MD5 f9734d4549191c6b4048f65ff7c5cd56
SHA1 0a55e87a7dea6f19e6126f0baddf96f92a7ac16d
SHA256 cc834acfd5ef9fde7bda34d250fd456a1f2b102289e62198bf41f96205151a80
SHA512 014e300f7a157abacad58b9acf1e2d483b8687628179c3d93fbe3691751243fdf6503f84864c0309cce56e7bfab22c3d558137a3a9e3c2aa56958fc63d8aa004

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Hash\_SHA256.pyd

MD5 de77ed5a1f2a9f6ecbb75cdfb9fa1a23
SHA1 6c75eca2050627fc3676ddbbdd8c4dbba10ee6cd
SHA256 4087f562aa6d5716acf5d29195a23c9a69bb9449be7493dc185e10e367702de0
SHA512 dec8ebe6dcec4c28fe70191731c015933320cc2431c31172a4ad5eb0d11d20b981d39b216e05ed06720e070e3343b31b399300760b8f319439e6cf4e9b4d8eee

memory/3740-143-0x0000025D52C20000-0x0000025D52C2C000-memory.dmp

memory/3740-142-0x0000025D52C20000-0x0000025D52C2C000-memory.dmp

memory/3740-141-0x0000025D52C10000-0x0000025D52C1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Hash\_MD5.pyd

MD5 f691f657d9f34de60611e633304cd76b
SHA1 afeaf5693f43d26011ca123b1ed51be4ebc4120c
SHA256 ef3802a73785be16f243515490beb4aa120f403ddd1b831998cd44559bc1c90c
SHA512 50730499346952abd875f9f810a809d937d8c066d6330e902032ac6307033b8c3c891dca52187599ac45f8624d38096ad4ba55eff24cc143181e466a257ac4bc

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Cipher\_Salsa20.pyd

MD5 ef5dbc1a371e487adaff7cb7f5ed9446
SHA1 75dfc9c414f6288c57307fedbb8b5b4a7a2efcbc
SHA256 15be6f4ffbc7f6db0247dc4a1a3194fed4f38c93c1fc71c01515ad3a59de75d1
SHA512 c74e28a2990b44555bc4b5af2cf171ee5cf08dfdb46e149d66dfad81e6639fc249044230a031ba14b9b24cbfec082a2c575b5def1b9ec408bf4e2d06015ce42f

C:\Users\Admin\AppData\Local\Temp\_MEI39122\Crypto\Protocol\_scrypt.pyd

MD5 7d5d2e773317ba63b5166c88318790a9
SHA1 d65b858ea27b58b6d396ea909082927740664ea1
SHA256 410646ad327b1096b9be25be92b8b0c35eb0c384741bdae8e340c77351509d2e
SHA512 a7f6ad24ad9b18a934e018290e26fb25c4dc87097c789885d06b9d9e074dc6b47441ae3da19f1ab92ded4a1bd2659f843d942361d846eab770f83d3873b2a68f

C:\Users\Admin\AppData\Local\Temp\_MEI39122\Crypto\Hash\_ghash_portable.pyd

MD5 cf6a2d528f6f0c8e3a80094fd6127792
SHA1 70b758f75bef965c1514fd6f36021e351cfc76be
SHA256 dd1410ac66ebce4cf12a5c73af97c2295d897e3b7820b613b87af78987a81056
SHA512 d64a1c6fa77c5c7583783f2c6858ac306bdd86b1f57a0861e447cfe4805b6a5120f68ac5d65e6fdedc82bfa69462f6e0c61d67e57816d830a4d60c3e9d68990e

C:\Users\Admin\AppData\Local\Temp\_MEI39122\Crypto\Util\_cpuid_c.pyd

MD5 11645c64306545732e48609025cb15af
SHA1 688a8e71789b9419eb672bed62944391ac7c9cad
SHA256 aaf9dbc38c6490964531223105bc6a6b26da55543e353165e0c748ed20a839a6
SHA512 7634747f1c47079eb8a3213adc294267dce69add539f0bfc1fd2bea0ff9787eb0f54f46ec3b726bf9e40a6f07f49e4227beb2dee9fdf34bcb6728c6b1cde23a3

memory/3740-161-0x0000025D56780000-0x0000025D5678A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Hash\_ghash_clmul.pyd

MD5 2a173603e4770b75c1d60b3e8248c028
SHA1 1b955d2800fbc79b975ced1f90ddcde3e713efa1
SHA256 f4ac7cf80d72016fea440320696e46698ae0fee9f7d79713440f26148a856f2f
SHA512 1b23a684505c65c778a0fe9005b416a25ac6464f1c4bd37af50fbc6259df579906d557f0cfa62ce6b28b6d8c3bbd5ebb4d229216c5ff0d25359ca99f06302600

C:\Users\Admin\AppData\Local\Temp\_MEI39122\Crypto\Cipher\_raw_ocb.pyd

MD5 d6074b3341f2998e5781db601a2386ed
SHA1 d513e9134cb919776d5286067487695d61b81458
SHA256 697e1d66c4444b601ad75a887d53db420bcbdcc521066174ee595fc4762363cb
SHA512 18aac19e29c9f15bce6795cdaf1bcf19472c86786f6589cf6d5b516f92690b8b0ff2ccd440664f62f26f23d05311296389a3ae1f3a8c8eabe563031f04d8a5b9

memory/3740-160-0x0000025D52C30000-0x0000025D52C3A000-memory.dmp

memory/3740-159-0x0000000059FF0000-0x000000005A368000-memory.dmp

memory/3740-167-0x0000025D567A0000-0x0000025D567AB000-memory.dmp

memory/3740-174-0x0000000059ED0000-0x0000000059EE4000-memory.dmp

memory/3740-173-0x0000025D56850000-0x0000025D5685A000-memory.dmp

memory/3740-172-0x0000025D56840000-0x0000025D5684C000-memory.dmp

memory/3740-177-0x0000025D568B0000-0x0000025D568BB000-memory.dmp

memory/3740-176-0x0000025D56890000-0x0000025D5689A000-memory.dmp

memory/3740-175-0x0000000059EB0000-0x0000000059EC1000-memory.dmp

memory/3740-171-0x0000025D56830000-0x0000025D5683C000-memory.dmp

memory/3740-170-0x0000025D56820000-0x0000025D5682B000-memory.dmp

memory/3740-169-0x00007FF837520000-0x00007FF837731000-memory.dmp

memory/3740-168-0x00007FF848940000-0x00007FF848ADF000-memory.dmp

memory/3740-180-0x0000025D568F0000-0x0000025D568FB000-memory.dmp

memory/3740-179-0x0000025D568D0000-0x0000025D568E4000-memory.dmp

memory/3740-178-0x0000000180000000-0x0000000180033000-memory.dmp

memory/3740-181-0x0000000059FF0000-0x000000005A368000-memory.dmp
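The file listing above interleaves two record types: dropped files (a path line followed by MD5/SHA1/SHA256/SHA512 lines) and process memory dumps (memory/<pid>-<seq>-<start>-<end>-memory.dmp). The dropped paths are the PyInstaller one-file bootstrap directory under %TEMP%, which appears both as _MEI39122 and as its 8.3 short name _MEI39~1; the extension modules under Crypto\Cipher, Crypto\Hash and Crypto\Protocol follow the layout pycryptodome ships, and _ssl/_socket are the standard-library network extensions. The parser below is an added example (not the sandbox's own code) that turns this plain-text layout into hunt-ready records: it wildcards the per-run _MEI component, builds dotted module names, validates digest lengths before the hashes go into an IOC list, computes memory-region sizes, and flags the region at 0x180000000 (the MSVC default ImageBase for 64-bit DLLs). The equivalence of _MEI39~1 and _MEI39122 is an assumption; the capability hints are inferences from module names, not proof of behaviour. The input is an excerpt copied from the listing above with blank separator lines removed.

```python
import re
from dataclasses import dataclass, field

# Excerpt copied from the listing above (blank separator lines removed); constructed input.
REPORT_EXCERPT = r"""memory/3740-91-0x0000000059FF0000-0x000000005A368000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39122\_ssl.pyd
MD5 0f38005ba0792ceeb3f800b5a50b86d3
SHA1 ee4c4174e2c98ef63f2e1051c83eb39e7280a627
SHA256 a2e0b349bb1bfd39094c59e7b096bbf0953b74f58e8efa4d675604f33eccbc61
SHA512 212d1be7bc797f511e9949a5a76b6d07009d40bc4e0c6b6f114c72cae193dc22d2c2662d234ac163d6b4bd341383dc2cd199895ca09bde08dfa2f7b8d997de24
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Cipher\_raw_cbc.pyd
MD5 0b880f6e0d8461cb80d1b4146237ee82
SHA1 157347e0b5f13bb8131b2335d078ad1d86917ab1
SHA256 093eaa37165b0f8dbf50b2acba7f998a8d535409ea0ed13fff3e645f865718a0
SHA512 339638856dd48fa3be696c9af22121c3d2d7ed9aaf3d96c339291ba6eb076980364df30160e42ea2ab3ce37d991d7d5fcc08fcc3b590ea41d295e457657b561e
memory/3740-113-0x0000000180000000-0x0000000180033000-memory.dmp
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
# PyInstaller's per-run extraction dir _MEI<digits>, or its 8.3 alias _MEI<digits>~<n>.
# Assumption: _MEI39~1 and _MEI39122 in this report name the same directory.
MEI_RE = re.compile(r"_MEI\d+(?:~\d+)?")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)

    def module(self):
        """'...\\_MEI39~1\\Crypto\\Cipher\\_raw_cbc.pyd' -> 'Crypto.Cipher._raw_cbc'."""
        parts = self.path.split("\\")
        for i, part in enumerate(parts):
            if MEI_RE.fullmatch(part):
                tail = parts[i + 1:]
                if tail and tail[-1].lower().endswith(".pyd"):
                    tail[-1] = tail[-1][:-4]
                return ".".join(tail)
        return None

    def hunt_path(self):
        """Wildcard the per-run _MEI component so the path matches any detonation."""
        return MEI_RE.sub("_MEI*", self.path)

    def bad_hashes(self):
        """Algorithms whose digest has the wrong length (truncated or mis-copied IOC)."""
        return [a for a, d in self.hashes.items() if len(d) != HASH_LEN[a]]


@dataclass(frozen=True)
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    def size(self):
        return self.end - self.start

    def note(self):
        # 0x180000000 is the MSVC default ImageBase for 64-bit DLLs, so a region
        # starting there is a DLL that was mapped at its preferred base.
        return "x64 DLL at default image base" if self.start == 0x180000000 else ""


def parse_listing(text):
    """Return (dropped files, memory regions) parsed from the flattened listing."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append(MemoryRegion(int(pid), int(seq), int(start, 16), int(end, 16)))
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current.hashes[m.group(1)] = m.group(2).lower()
            continue
        if line[1:3] == ":\\":  # a drive-letter path opens a new file record
            current = DroppedFile(path=line)
            files.append(current)
    return files, regions


def capabilities(files):
    """Coarse capability hints from extension-module names (hints, not proof)."""
    caps = set()
    for f in files:
        mod = f.module() or ""
        if mod.startswith("Crypto."):
            caps.add("native cipher/hash primitives (Crypto.* layout as shipped by pycryptodome)")
        elif mod in ("_ssl", "_socket"):
            caps.add("stdlib network/TLS extension: " + mod)
    return caps
```

Feed the whole Files section of a run to parse_listing; the hunt_path values are what to search for on other hosts, since the _MEI suffix changes on every execution, and anything reported by bad_hashes should be re-copied before it is shared as an indicator.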

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-06 07:51

Reported

2024-06-06 07:56

Platform

win10-20240404-en

Max time kernel

16s

Max time network

17s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\NLChecker.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\NLChecker.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-06 07:51

Reported

2024-06-06 07:56

Platform

win10v2004-20240508-en

Max time kernel

30s

Max time network

31s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\NLChecker.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\NLChecker.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
BE 88.221.83.178:443 www.bing.com tcp
US 8.8.8.8:53 178.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-06 07:51

Reported

2024-06-06 07:56

Platform

win11-20240508-en

Max time kernel

0s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\NLChecker.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\NLChecker.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

N/A

Files

N/A
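The behavioral6, behavioral7 and behavioral8 runs share one caveat that the signature list does not state. Their command line is cmd /c ...\NLChecker.pyc, and a .pyc file is not an executable: with no application registered for that extension, cmd.exe hands the file to the shell, which brings up the Open With dialog (OpenWith.exe, started COM-activated, hence -Embedding). That is exactly the process list recorded in all three runs, so the SetWindowsHookEx and registry-class signatures belong to the dialog, and nothing in these runs shows the sample's Python code executing. The network table in behavioral7 therefore cannot be attributed to the sample either; note that the PTR query for 178.83.221.88.in-addr.arpa is simply the reverse of the 88.221.83.178 destination the www.bing.com connection went to. The script below is an added example (not the sandbox's own logic) that applies these checks to the three runs as copied from the sections above; the rule that a run whose only processes are cmd.exe and OpenWith.exe never executed the sample is the author's assumption, stated in the code.

```python
import re
from dataclasses import dataclass, field

SHELL_IMAGES = {r"c:\windows\system32\cmd.exe", r"c:\windows\system32\openwith.exe"}
PYC_CMD = re.compile(r"^cmd /c (?P<path>\S+\.pyc)$", re.IGNORECASE)


@dataclass
class Run:
    name: str
    command_line: str
    processes: list                                        # image paths that ran
    registry_writers: list = field(default_factory=list)   # images that created keys
    network: list = field(default_factory=list)            # (destination, domain, proto)


# Copied from the behavioral6/7/8 sections above (constructed input for the example).
CMD = r"cmd /c C:\Users\Admin\AppData\Local\Temp\NLChecker.pyc"
SHELL = [r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\OpenWith.exe"]
RUNS = [
    Run("behavioral6", CMD, SHELL, SHELL),
    Run("behavioral7", CMD, SHELL, SHELL, [
        ("8.8.8.8:53", "183.142.211.20.in-addr.arpa", "udp"),
        ("8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
        ("8.8.8.8:53", "20.160.190.20.in-addr.arpa", "udp"),
        ("88.221.83.178:443", "www.bing.com", "tcp"),
        ("8.8.8.8:53", "178.83.221.88.in-addr.arpa", "udp"),
        ("8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ]),
    Run("behavioral8", CMD, SHELL, SHELL),
]


def handed_to_openwith(run):
    """`cmd /c <file>.pyc` with no registered .pyc handler: cmd.exe passes the file
    to the shell, which shows the Open With dialog (OpenWith.exe -Embedding).
    Assumption: that is what happened when only those two images appear."""
    images = {p.lower() for p in run.processes}
    return bool(PYC_CMD.match(run.command_line)) and images == SHELL_IMAGES


def sample_executed(run):
    """True if anything other than the launcher shell and the dialog ran."""
    return any(p.lower() not in SHELL_IMAGES for p in run.processes)


def ptr_to_ip(name):
    """'178.83.221.88.in-addr.arpa' -> '88.221.83.178' (PTR names are reversed)."""
    if not name.endswith(".in-addr.arpa"):
        return None
    return ".".join(reversed(name[: -len(".in-addr.arpa")].split(".")))


def correlate_ptr(run):
    """Map each reverse lookup to the forward domain whose connection hit that IP."""
    by_ip = {dest.split(":")[0]: dom for dest, dom, _ in run.network
             if not dom.endswith(".in-addr.arpa")}
    out = {}
    for _, dom, _ in run.network:
        ip = ptr_to_ip(dom)
        if ip:
            out[ip] = by_ip.get(ip)
    return out


def triage(run):
    executed = sample_executed(run)
    return {
        "run": run.name,
        "executed": executed,
        "openwith_fallback": handed_to_openwith(run),
        # Keys created only by cmd.exe/OpenWith.exe are shell activity, not sample behaviour.
        "registry_by_shell_only": all(p.lower() in SHELL_IMAGES for p in run.registry_writers),
        # Traffic in a run where the sample never ran cannot be attributed to it.
        "attributable_network": [dom for _, dom, _ in run.network] if executed else [],
        "ptr_targets": correlate_ptr(run),
    }


if __name__ == "__main__":
    for run in RUNS:
        print(triage(run))
```

The useful output is the executed flag per run: a .pyc submission only exercises the sample if the sandbox image has a Python interpreter associated with the extension, so for this family the runs to read are the ones that launched NLChecker.exe itself.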