Analysis Overview
SHA256
bb0051be3e9db6d8299477ed7ff9d1d178d98513ab6d6d4f06b860bfe8cc229b
Threat Level: Shows suspicious behavior
The file NLChecker.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
UPX packed file
Detects Pyinstaller
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-06 07:52
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-06 07:51
Reported
2024-06-06 07:56
Platform
win10v2004-20240508-en
Max time kernel
30s
Max time network
30s
Command Line
Signatures
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3916 wrote to memory of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\NLChecker.exe | C:\Users\Admin\AppData\Local\Temp\NLChecker.exe |
| PID 3916 wrote to memory of 3652 | N/A | C:\Users\Admin\AppData\Local\Temp\NLChecker.exe | C:\Users\Admin\AppData\Local\Temp\NLChecker.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\NLChecker.exe
"C:\Users\Admin\AppData\Local\Temp\NLChecker.exe"
C:\Users\Admin\AppData\Local\Temp\NLChecker.exe
"C:\Users\Admin\AppData\Local\Temp\NLChecker.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1748,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=4148 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| BE | 88.221.83.224:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
| N/A | 20.114.59.183:443 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI39162\NLChecker.exe.manifest
| MD5 | 6e405b4261e0578fbdfaf93615ecf43e |
| SHA1 | f3d5993b5599fc85fc83dd1def58ac2d83672d4f |
| SHA256 | 2ae660d4e253e36fe08e9efb3b723558413be17700d9df80c59192a49d6976b4 |
| SHA512 | 4a6c37c1f307c8dca40512e6a4e40ddb59dc6ca6b581ca4a2da5cbf9abcc17cd9467d5eb25a050025a5f3d0b367782cbceac69e09fb6c3825730cca54d223abe |
C:\Users\Admin\AppData\Local\Temp\_MEI39162\python27.dll
| MD5 | d2b1ae6331f7b5573892f8458ef903ba |
| SHA1 | e9f55a79e7fe086e93937302801e676e3ea3869a |
| SHA256 | f9f9643cfcd248836e071d2ab5fc626211eab58a648d290cdf3711b9ecfde5e2 |
| SHA512 | dc7af4eab50dafbe83c48e312d386ccfafedf51a58231228b5dd21221912f7028fea930eb826bf2174ccb2d26ea483e65780b4a480797cd4d7bada6becf2b242 |
memory/3652-91-0x000000006DF40000-0x000000006E2B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\_ctypes.pyd
| MD5 | 47a51db6fd9a671761cd5e0b6e0b83d7 |
| SHA1 | fef0c42609aaf8043ed1a1742512f7732d3a22b3 |
| SHA256 | 6d0c1677f6ccbe91c16032aac3a99ae09c684729bc0c153f1c0157ea2e560ecc |
| SHA512 | e6ae1d9b4f07574da8ff427d514b01964f4431bea021b31cbd94151346ac918e64ab694370eaf16e977b5289052d1a76440dc848e42b26e213d19a0f7f0490e2 |
memory/3652-95-0x000000006DE60000-0x000000006DE85000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39162\bz2.pyd
| MD5 | 39a1f78896f228b494a9157991b8ce4b |
| SHA1 | bb1da3b695206e82a019fc6d0e9d3e899b194b1d |
| SHA256 | d9ac819de2aa2be5d575f57325a0d3ba6f6ba0516a04face096c3f693ea1eeaa |
| SHA512 | 43fc4ae3d7c7e5d2ff346311bfe4407e1b41d7410101d2acfbf2d2fde0448e87a359ce23c0dc74b30a8a673c148ba332132306684e4ac327d2dfd5be79d95751 |
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\_hashlib.pyd
| MD5 | b9bec1122b0d52d2737f8fde24678b37 |
| SHA1 | 787a8eb4bb45f3019bc5890e3e92a37b7faee4a0 |
| SHA256 | 0dfd1ee1f50986efd0f967f0e4665216ef5301bdecbefb6b183bb70303e7709f |
| SHA512 | 2b341fb67370e9e590bd242899bfe1735def66eb166cb4d0898fd7aab671a1a6a6eb18b155bd223a55d469875350f74b7ff94fcc35990639994c467e88313037 |
memory/3652-100-0x00007FFFE5930000-0x00007FFFE5ACF000-memory.dmp
memory/3652-99-0x000000006DE40000-0x000000006DE5E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\_socket.pyd
| MD5 | efaaa811eb02d947aad2fd020a7ca585 |
| SHA1 | 35d122e58a453d3c4a5fa81031fb9dfa6aec6f27 |
| SHA256 | ae6436d7ae7366cd0ec6ae065a851028fdc5a14094d4e928a9ad8752f2b1a9af |
| SHA512 | 319cd32759b8e5cb0086107ec6a3f35c60b2449a9db5e35b21f16e21271adcbdb6501cec2a566191fc9e63a48edca32fbef235931ee6210597b4eb83fa49844a |
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\_ssl.pyd
| MD5 | 0f38005ba0792ceeb3f800b5a50b86d3 |
| SHA1 | ee4c4174e2c98ef63f2e1051c83eb39e7280a627 |
| SHA256 | a2e0b349bb1bfd39094c59e7b096bbf0953b74f58e8efa4d675604f33eccbc61 |
| SHA512 | 212d1be7bc797f511e9949a5a76b6d07009d40bc4e0c6b6f114c72cae193dc22d2c2662d234ac163d6b4bd341383dc2cd199895ca09bde08dfa2f7b8d997de24 |
memory/3652-106-0x00007FFFE54C0000-0x00007FFFE56D1000-memory.dmp
memory/3652-105-0x000000006DE20000-0x000000006DE34000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\_multiprocessing.pyd
| MD5 | 4fcc93a09d15c138b21c436434189d82 |
| SHA1 | 9a94f9f7f9f00f100cfec8b4af46f0d335e85ecd |
| SHA256 | ee66b937adf6adcf2efe3777018c09a3677251393777234c7853b8708fc2c539 |
| SHA512 | 00f984ab9a9f6842ec036d48d51fd3572870c9a1d23487af2f40130b0077e887fa51b1657ab7f8420d0bfb54eb204a1594799baeaa0075f6aec51f52c4ae3b9e |
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\_cffi_backend.pyd
| MD5 | b886ce72a56d6a45c876266d3aad9a0c |
| SHA1 | e3fba46feefedbd7f38c163ca867d0c5f83fa557 |
| SHA256 | ed085929fc8e6edcf9f359d4382815a434a0dc6b550902533706c5af8e4477f3 |
| SHA512 | 07ec4f329acc0e70818d179f39bfe67f4fdc2b5b3c8dfe6dd59a11480cc42d491135a67c1bb3090329db1652e170e99401b26dd2a8fabda3b89c347a471480e4 |
memory/3652-110-0x000000006DE00000-0x000000006DE11000-memory.dmp
memory/3652-113-0x0000000180000000-0x0000000180033000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Cipher\_raw_ecb.pyd
| MD5 | 2e6ab434cee9840a4fde4d45c57b1c5e |
| SHA1 | 32c7859abde475c1dc7a882eb8b0cf2b8285fb5e |
| SHA256 | bd7046fcf346f1a051060f58c29787dd01fa0614c36bff02f539104c83ace274 |
| SHA512 | 0106881287a188e51bfd6a84f24ce36e0059cc067b83849d4ae956ade3d1d02b8443d423f01bf85d668126e19f493dfc11bfe4d3bf4b8f894945a39871c0b4e6 |
C:\Users\Admin\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_cfb.pyd
| MD5 | 037c3157ce1f4e858e6efc44bc346e7a |
| SHA1 | 52fe78365725a24f6f892e44c8120ad11f5a9187 |
| SHA256 | a583c84197ef1dc5964194418d003eacf7c8d38eb039764e1da511d31a109a1a |
| SHA512 | e280da2e37ca841d8e53a77861b3880f5db8f5366e27040017e2621832c0712b7e732ff28cbe48b93c067dfe9f283da71e0dc7834c91e42766678ebb7b05b9c8 |
C:\Users\Admin\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_cbc.pyd
| MD5 | 0b880f6e0d8461cb80d1b4146237ee82 |
| SHA1 | 157347e0b5f13bb8131b2335d078ad1d86917ab1 |
| SHA256 | 093eaa37165b0f8dbf50b2acba7f998a8d535409ea0ed13fff3e645f865718a0 |
| SHA512 | 339638856dd48fa3be696c9af22121c3d2d7ed9aaf3d96c339291ba6eb076980364df30160e42ea2ab3ce37d991d7d5fcc08fcc3b590ea41d295e457657b561e |
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Cipher\_raw_ofb.pyd
| MD5 | bd64a9dd340d9f32deaf7f545d5256c0 |
| SHA1 | 6e43ed4524ef0e6e77b233b85adac0220eb3203d |
| SHA256 | 379678ab8a52983ade8148e321f3fc28b05449312faec7d0f29d38813f47d09e |
| SHA512 | 568411b9a709077ccddb7f4cdd4aa9034e67a09f4e85e317800cde084c3526ab37e8344c14ba6b306ce812823981db658b9d00ee3645fde235e1e56996836502 |
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Cipher\_raw_ctr.pyd
| MD5 | e99802c2b523c4c2c8fc1d89ee6db877 |
| SHA1 | af68ee2ab9c5fe477f61a1be49ce84fa1e7c6a63 |
| SHA256 | 6283c8117727cc18568cf268da11f998c57bb2df9966c31809514e82c8581cbf |
| SHA512 | 2c4187e4294765016e2264d92a1a34785f9ff2a69084fda39cfd187116b8efc189505b2d8e878f4f652ccbc3889a42e9c36cd0f3789bb3e7e41197cbca9b6f2f |
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Util\_strxor.pyd
| MD5 | 239a69fa1fc7297debeeaa42449a055f |
| SHA1 | 9407b4ddd4ae2da49198d0b083f113fa2eceb44f |
| SHA256 | 98c6a29470cd2a20e2dd2a09b0eb6156c29d1e900283eb844c993974d76208c3 |
| SHA512 | 176b62b3b402b4c24541d39016e5d65bd9f043a5222b468fa685bcf60d47595ce955f230c242613861aeb11e8a112d5f39dd9298041efb050d0d5f9b0032febb |
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Hash\_BLAKE2s.pyd
| MD5 | 36f7426b735e4b0de5a32a7a829da7e3 |
| SHA1 | 966138f6ca8ad626fa698da974ce8e9eb2fcd675 |
| SHA256 | 142b0e8a71a71dc59b6ba533ee865c3d174436bd9785c8910e742ca12c736dc7 |
| SHA512 | 8ee6a8059bf9032c412be55f1e6d5c2cf219463e4384f2b10749616a8f0055a1eed5c1dcbcd5cc94539caafb4a18921195bc6538bb9fe01be5c76cfd28682ccd |
C:\Users\Admin\AppData\Local\Temp\_MEI39162\Crypto\Hash\_SHA1.pyd
| MD5 | f9734d4549191c6b4048f65ff7c5cd56 |
| SHA1 | 0a55e87a7dea6f19e6126f0baddf96f92a7ac16d |
| SHA256 | cc834acfd5ef9fde7bda34d250fd456a1f2b102289e62198bf41f96205151a80 |
| SHA512 | 014e300f7a157abacad58b9acf1e2d483b8687628179c3d93fbe3691751243fdf6503f84864c0309cce56e7bfab22c3d558137a3a9e3c2aa56958fc63d8aa004 |
memory/3652-139-0x0000021F9E320000-0x0000021F9E32C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Hash\_SHA256.pyd
| MD5 | de77ed5a1f2a9f6ecbb75cdfb9fa1a23 |
| SHA1 | 6c75eca2050627fc3676ddbbdd8c4dbba10ee6cd |
| SHA256 | 4087f562aa6d5716acf5d29195a23c9a69bb9449be7493dc185e10e367702de0 |
| SHA512 | dec8ebe6dcec4c28fe70191731c015933320cc2431c31172a4ad5eb0d11d20b981d39b216e05ed06720e070e3343b31b399300760b8f319439e6cf4e9b4d8eee |
C:\Users\Admin\AppData\Local\Temp\_MEI39162\Crypto\Hash\_MD5.pyd
| MD5 | f691f657d9f34de60611e633304cd76b |
| SHA1 | afeaf5693f43d26011ca123b1ed51be4ebc4120c |
| SHA256 | ef3802a73785be16f243515490beb4aa120f403ddd1b831998cd44559bc1c90c |
| SHA512 | 50730499346952abd875f9f810a809d937d8c066d6330e902032ac6307033b8c3c891dca52187599ac45f8624d38096ad4ba55eff24cc143181e466a257ac4bc |
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Cipher\_Salsa20.pyd
| MD5 | ef5dbc1a371e487adaff7cb7f5ed9446 |
| SHA1 | 75dfc9c414f6288c57307fedbb8b5b4a7a2efcbc |
| SHA256 | 15be6f4ffbc7f6db0247dc4a1a3194fed4f38c93c1fc71c01515ad3a59de75d1 |
| SHA512 | c74e28a2990b44555bc4b5af2cf171ee5cf08dfdb46e149d66dfad81e6639fc249044230a031ba14b9b24cbfec082a2c575b5def1b9ec408bf4e2d06015ce42f |
memory/3652-137-0x0000021F9E310000-0x0000021F9E31B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Protocol\_scrypt.pyd
| MD5 | 7d5d2e773317ba63b5166c88318790a9 |
| SHA1 | d65b858ea27b58b6d396ea909082927740664ea1 |
| SHA256 | 410646ad327b1096b9be25be92b8b0c35eb0c384741bdae8e340c77351509d2e |
| SHA512 | a7f6ad24ad9b18a934e018290e26fb25c4dc87097c789885d06b9d9e074dc6b47441ae3da19f1ab92ded4a1bd2659f843d942361d846eab770f83d3873b2a68f |
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Util\_cpuid_c.pyd
| MD5 | 11645c64306545732e48609025cb15af |
| SHA1 | 688a8e71789b9419eb672bed62944391ac7c9cad |
| SHA256 | aaf9dbc38c6490964531223105bc6a6b26da55543e353165e0c748ed20a839a6 |
| SHA512 | 7634747f1c47079eb8a3213adc294267dce69add539f0bfc1fd2bea0ff9787eb0f54f46ec3b726bf9e40a6f07f49e4227beb2dee9fdf34bcb6728c6b1cde23a3 |
memory/3652-156-0x0000021F9E350000-0x0000021F9E35A000-memory.dmp
memory/3652-155-0x0000021F9E330000-0x0000021F9E33C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Hash\_ghash_portable.pyd
| MD5 | cf6a2d528f6f0c8e3a80094fd6127792 |
| SHA1 | 70b758f75bef965c1514fd6f36021e351cfc76be |
| SHA256 | dd1410ac66ebce4cf12a5c73af97c2295d897e3b7820b613b87af78987a81056 |
| SHA512 | d64a1c6fa77c5c7583783f2c6858ac306bdd86b1f57a0861e447cfe4805b6a5120f68ac5d65e6fdedc82bfa69462f6e0c61d67e57816d830a4d60c3e9d68990e |
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Hash\_ghash_clmul.pyd
| MD5 | 2a173603e4770b75c1d60b3e8248c028 |
| SHA1 | 1b955d2800fbc79b975ced1f90ddcde3e713efa1 |
| SHA256 | f4ac7cf80d72016fea440320696e46698ae0fee9f7d79713440f26148a856f2f |
| SHA512 | 1b23a684505c65c778a0fe9005b416a25ac6464f1c4bd37af50fbc6259df579906d557f0cfa62ce6b28b6d8c3bbd5ebb4d229216c5ff0d25359ca99f06302600 |
memory/3652-165-0x0000021FA1EB0000-0x0000021FA1EBB000-memory.dmp
memory/3652-166-0x000000006DF40000-0x000000006E2B8000-memory.dmp
memory/3652-164-0x0000021F9E390000-0x0000021F9E39A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39162\Crypto\Cipher\_raw_ocb.pyd
| MD5 | d6074b3341f2998e5781db601a2386ed |
| SHA1 | d513e9134cb919776d5286067487695d61b81458 |
| SHA256 | 697e1d66c4444b601ad75a887d53db420bcbdcc521066174ee595fc4762363cb |
| SHA512 | 18aac19e29c9f15bce6795cdaf1bcf19472c86786f6589cf6d5b516f92690b8b0ff2ccd440664f62f26f23d05311296389a3ae1f3a8c8eabe563031f04d8a5b9 |
memory/3652-167-0x0000021FA1F30000-0x0000021FA1F3B000-memory.dmp
memory/3652-173-0x000000006DE20000-0x000000006DE34000-memory.dmp
memory/3652-172-0x0000021FA1F60000-0x0000021FA1F6A000-memory.dmp
memory/3652-171-0x0000021FA1F50000-0x0000021FA1F5C000-memory.dmp
memory/3652-170-0x0000021FA1F40000-0x0000021FA1F4C000-memory.dmp
memory/3652-169-0x00007FFFE54C0000-0x00007FFFE56D1000-memory.dmp
memory/3652-168-0x00007FFFE5930000-0x00007FFFE5ACF000-memory.dmp
memory/3652-175-0x0000021FA1FC0000-0x0000021FA1FCB000-memory.dmp
memory/3652-177-0x0000021FA1FE0000-0x0000021FA1FF4000-memory.dmp
memory/3652-176-0x0000000180000000-0x0000000180033000-memory.dmp
memory/3652-174-0x0000021FA1FA0000-0x0000021FA1FAA000-memory.dmp
memory/3652-178-0x0000021FA2000000-0x0000021FA200B000-memory.dmp
memory/3652-179-0x000000006DF40000-0x000000006E2B8000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-06 07:51
Reported
2024-06-06 07:56
Platform
win7-20240221-en
Max time kernel
18s
Max time network
17s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pyc | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pyc\ = "pyc_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2868 wrote to memory of 2652 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2868 wrote to memory of 2652 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2868 wrote to memory of 2652 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2652 wrote to memory of 2748 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2652 wrote to memory of 2748 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2652 wrote to memory of 2748 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2652 wrote to memory of 2748 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\NLChecker.pyc
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\NLChecker.pyc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\NLChecker.pyc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 656db2ca74769c26378fcfbca59c09c5 |
| SHA1 | 0bd3142ac6182a416d20ffb183f28778755dbd29 |
| SHA256 | 83417067f96e202f5161d4cd94484ad32d242c0ff614357c150b48e20b21b5d4 |
| SHA512 | 0735aaaf1db6fdb145218cf1003a9607e704918aa4d5ef8ecdb2a9913d2edd8c3fa6470610a0a05f1a923bcea0d5f6ad223d8ddcf5ced932be18b367234f9de4 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 07:51
Reported
2024-06-06 07:56
Platform
win7-20240221-en
Max time kernel
22s
Max time network
17s
Command Line
Signatures
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1904 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\NLChecker.exe | C:\Users\Admin\AppData\Local\Temp\NLChecker.exe |
| PID 1904 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\NLChecker.exe | C:\Users\Admin\AppData\Local\Temp\NLChecker.exe |
| PID 1904 wrote to memory of 2000 | N/A | C:\Users\Admin\AppData\Local\Temp\NLChecker.exe | C:\Users\Admin\AppData\Local\Temp\NLChecker.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\NLChecker.exe
"C:\Users\Admin\AppData\Local\Temp\NLChecker.exe"
C:\Users\Admin\AppData\Local\Temp\NLChecker.exe
"C:\Users\Admin\AppData\Local\Temp\NLChecker.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\_MEI19042\msvcr90.dll
| MD5 | e82eeaa1e4591cedf8afa159217b6bb1 |
| SHA1 | 8ac3c6f0a62991c92df62ab8e239183081076b7f |
| SHA256 | 3359cf3a05a0070a273cb14b9d10992cf3ba1d95323df8ecdec199423cb6c9bd |
| SHA512 | 6d56e4c0323bfab21ae89be66e79b71736240ca85a4418f36c8009cf47ec9c7891b5b5592f95559840a84c705e9849fcb28d6c421b74f2811aab774bbf606840 |
memory/2000-94-0x0000000074C00000-0x0000000074CAF000-memory.dmp
memory/2000-93-0x0000000074CB0000-0x0000000075028000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI19~1\_ctypes.pyd
| MD5 | 47a51db6fd9a671761cd5e0b6e0b83d7 |
| SHA1 | fef0c42609aaf8043ed1a1742512f7732d3a22b3 |
| SHA256 | 6d0c1677f6ccbe91c16032aac3a99ae09c684729bc0c153f1c0157ea2e560ecc |
| SHA512 | e6ae1d9b4f07574da8ff427d514b01964f4431bea021b31cbd94151346ac918e64ab694370eaf16e977b5289052d1a76440dc848e42b26e213d19a0f7f0490e2 |
memory/2000-100-0x0000000075060000-0x000000007507E000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI19~1\_hashlib.pyd
| MD5 | b9bec1122b0d52d2737f8fde24678b37 |
| SHA1 | 787a8eb4bb45f3019bc5890e3e92a37b7faee4a0 |
| SHA256 | 0dfd1ee1f50986efd0f967f0e4665216ef5301bdecbefb6b183bb70303e7709f |
| SHA512 | 2b341fb67370e9e590bd242899bfe1735def66eb166cb4d0898fd7aab671a1a6a6eb18b155bd223a55d469875350f74b7ff94fcc35990639994c467e88313037 |
memory/2000-103-0x000007FEF7390000-0x000007FEF752F000-memory.dmp
memory/2000-107-0x0000000074BB0000-0x0000000074BC4000-memory.dmp
memory/2000-109-0x000007FEF62D0000-0x000007FEF64E1000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI19~1\_ssl.pyd
| MD5 | 0f38005ba0792ceeb3f800b5a50b86d3 |
| SHA1 | ee4c4174e2c98ef63f2e1051c83eb39e7280a627 |
| SHA256 | a2e0b349bb1bfd39094c59e7b096bbf0953b74f58e8efa4d675604f33eccbc61 |
| SHA512 | 212d1be7bc797f511e9949a5a76b6d07009d40bc4e0c6b6f114c72cae193dc22d2c2662d234ac163d6b4bd341383dc2cd199895ca09bde08dfa2f7b8d997de24 |
\Users\Admin\AppData\Local\Temp\_MEI19~1\_socket.pyd
| MD5 | efaaa811eb02d947aad2fd020a7ca585 |
| SHA1 | 35d122e58a453d3c4a5fa81031fb9dfa6aec6f27 |
| SHA256 | ae6436d7ae7366cd0ec6ae065a851028fdc5a14094d4e928a9ad8752f2b1a9af |
| SHA512 | 319cd32759b8e5cb0086107ec6a3f35c60b2449a9db5e35b21f16e21271adcbdb6501cec2a566191fc9e63a48edca32fbef235931ee6210597b4eb83fa49844a |
\Users\Admin\AppData\Local\Temp\_MEI19~1\_cffi_backend.pyd
| MD5 | b886ce72a56d6a45c876266d3aad9a0c |
| SHA1 | e3fba46feefedbd7f38c163ca867d0c5f83fa557 |
| SHA256 | ed085929fc8e6edcf9f359d4382815a434a0dc6b550902533706c5af8e4477f3 |
| SHA512 | 07ec4f329acc0e70818d179f39bfe67f4fdc2b5b3c8dfe6dd59a11480cc42d491135a67c1bb3090329db1652e170e99401b26dd2a8fabda3b89c347a471480e4 |
memory/2000-115-0x0000000180000000-0x0000000180033000-memory.dmp
memory/2000-113-0x0000000074B90000-0x0000000074BA1000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI19~1\_multiprocessing.pyd
| MD5 | 4fcc93a09d15c138b21c436434189d82 |
| SHA1 | 9a94f9f7f9f00f100cfec8b4af46f0d335e85ecd |
| SHA256 | ee66b937adf6adcf2efe3777018c09a3677251393777234c7853b8708fc2c539 |
| SHA512 | 00f984ab9a9f6842ec036d48d51fd3572870c9a1d23487af2f40130b0077e887fa51b1657ab7f8420d0bfb54eb204a1594799baeaa0075f6aec51f52c4ae3b9e |
\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Cipher\_raw_cfb.pyd
| MD5 | 037c3157ce1f4e858e6efc44bc346e7a |
| SHA1 | 52fe78365725a24f6f892e44c8120ad11f5a9187 |
| SHA256 | a583c84197ef1dc5964194418d003eacf7c8d38eb039764e1da511d31a109a1a |
| SHA512 | e280da2e37ca841d8e53a77861b3880f5db8f5366e27040017e2621832c0712b7e732ff28cbe48b93c067dfe9f283da71e0dc7834c91e42766678ebb7b05b9c8 |
\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Cipher\_raw_cbc.pyd
| MD5 | 0b880f6e0d8461cb80d1b4146237ee82 |
| SHA1 | 157347e0b5f13bb8131b2335d078ad1d86917ab1 |
| SHA256 | 093eaa37165b0f8dbf50b2acba7f998a8d535409ea0ed13fff3e645f865718a0 |
| SHA512 | 339638856dd48fa3be696c9af22121c3d2d7ed9aaf3d96c339291ba6eb076980364df30160e42ea2ab3ce37d991d7d5fcc08fcc3b590ea41d295e457657b561e |
\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Hash\_BLAKE2s.pyd
| MD5 | 36f7426b735e4b0de5a32a7a829da7e3 |
| SHA1 | 966138f6ca8ad626fa698da974ce8e9eb2fcd675 |
| SHA256 | 142b0e8a71a71dc59b6ba533ee865c3d174436bd9785c8910e742ca12c736dc7 |
| SHA512 | 8ee6a8059bf9032c412be55f1e6d5c2cf219463e4384f2b10749616a8f0055a1eed5c1dcbcd5cc94539caafb4a18921195bc6538bb9fe01be5c76cfd28682ccd |
memory/2000-133-0x0000000074CB0000-0x0000000075028000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Hash\_MD5.pyd
| MD5 | f691f657d9f34de60611e633304cd76b |
| SHA1 | afeaf5693f43d26011ca123b1ed51be4ebc4120c |
| SHA256 | ef3802a73785be16f243515490beb4aa120f403ddd1b831998cd44559bc1c90c |
| SHA512 | 50730499346952abd875f9f810a809d937d8c066d6330e902032ac6307033b8c3c891dca52187599ac45f8624d38096ad4ba55eff24cc143181e466a257ac4bc |
memory/2000-154-0x0000000004230000-0x000000000423A000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI19~1\Cryptodome\Cipher\_raw_cfb.pyd
| MD5 | 42a856b5149573c30e5a1854f236232d |
| SHA1 | 3249efc68c8212c1c5a32482c5f02f08a3264da7 |
| SHA256 | f9f57bca51aad45051ef2694f46fd6376d0b8134b629181fbd6aa84e2c3543bc |
| SHA512 | 26f69b2334e95a16a9dd4aba7ec64fe8a6e23b60e435f1cf1d586b9539d0cc9eaf79b719c692b8d84e7ceb6557de2f399f7474a465218d45160d2c4be472ceff |
memory/2000-173-0x00000000042E0000-0x00000000042EC000-memory.dmp
memory/2000-177-0x0000000004340000-0x000000000434A000-memory.dmp
memory/2000-181-0x00000000043A0000-0x00000000043AB000-memory.dmp
memory/2000-180-0x0000000004380000-0x0000000004394000-memory.dmp
memory/2000-179-0x0000000004360000-0x000000000436B000-memory.dmp
memory/2000-178-0x0000000180000000-0x0000000180033000-memory.dmp
memory/2000-176-0x0000000004300000-0x000000000430A000-memory.dmp
memory/2000-175-0x00000000042F0000-0x00000000042FC000-memory.dmp
memory/2000-174-0x000007FEF62D0000-0x000007FEF64E1000-memory.dmp
memory/2000-172-0x00000000042D0000-0x00000000042DB000-memory.dmp
memory/2000-171-0x0000000074BB0000-0x0000000074BC4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI19~1\Cryptodome\Util\_strxor.pyd
| MD5 | 8d949b8d57800e9fa987a3d2065d5367 |
| SHA1 | 26a45267cbb36e1210dded23ff216f54ee70749a |
| SHA256 | c2a9aed762416a6fb6cce4eef7fc563b90443fc2e4faf8ff68fb9492c191276c |
| SHA512 | eafcaa5105eacecfc5acca8cbdc18d6697e989f07a1d9414ec9f88a151da41451e177ec2a530f1029e2917682380c9c98cdf094926877ecc94218400afa9005c |
\Users\Admin\AppData\Local\Temp\_MEI19~1\Cryptodome\Cipher\_raw_ctr.pyd
| MD5 | 14e408131308a7d6a3152929f85ecee3 |
| SHA1 | fe5522b9a581ba5ef21c79e3d1455b4bfbfcb7f9 |
| SHA256 | 4278868447219fc08764b019a525e808ff7b2a1a93ba69f89aacb055d873d045 |
| SHA512 | f0c1cbe9af08d7f0ad0fea8eb249f3853cc829b4159b43fc80d2d974c33d2c91221598631020a1a7e729687f73b54681aa1e1f6239fe0d675cd864f00990ab84 |
\Users\Admin\AppData\Local\Temp\_MEI19~1\Cryptodome\Cipher\_raw_ofb.pyd
| MD5 | 5851cca8ded21a61cc20b540cbec87be |
| SHA1 | d5522d375c2e5e2d539bdf59293be9cb630f11bc |
| SHA256 | 5e98091bc225d94707fe7faf0ed1761e09e1e554afd5e9ab69a8cf218446fcc0 |
| SHA512 | 27428b93f9b04a729221f21b02fbd7c0f30bf40c284912f4669bbd06f7837713fb60336e49ee4e894cc837c7d2be01b2d0fb13c7a7855e0752780a949f644b5a |
\Users\Admin\AppData\Local\Temp\_MEI19~1\Cryptodome\Cipher\_raw_cbc.pyd
| MD5 | d74a913440a64400134b1c0486eb192d |
| SHA1 | ef2fdb0ce21ec7543cc795d12ddabdf8e2a7fc93 |
| SHA256 | 29ac9789e7f5d4c51032166cace333f43db6f4df8c9d813b90fe28bf3addac72 |
| SHA512 | 8a168ff35ef8aa2485a13064b261a15b7e17f220e80f2f7cb9f478a74b5fdac44f702203d0dc63cacb3326cc6391f2508e44836a121032694ac5385f3b7057e0 |
\Users\Admin\AppData\Local\Temp\_MEI19~1\Cryptodome\Cipher\_raw_ecb.pyd
| MD5 | 144be71653797bdb74bc85f67ea42fc1 |
| SHA1 | f1235f2e6f40c4521f6dbb008adb7d09cb21e26d |
| SHA256 | 29673d1ae2d5c695d6936c6f7d6eb2a246cf06f5541da469b249eef9ff33d8f8 |
| SHA512 | d9e172de87033abf071a00ddb2f7122c0929aedf6993caf0d009836d6ac33deef27f4bbe0aceb0a309707df49175d3ce7906661487268911521131c5bd93941b |
memory/2000-160-0x0000000004250000-0x000000000425B000-memory.dmp
memory/2000-159-0x000007FEF7390000-0x000007FEF752F000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Cipher\_ARC4.pyd
| MD5 | 2b29c56a942884590348d658c8b089b5 |
| SHA1 | 08712bfd10c8c0eff61c41573d29604d27293780 |
| SHA256 | fedbc8d4bb85d878d9cfed2d5b9af4e04c18e4ed4e470b3ea4e3f960fc72faf9 |
| SHA512 | e218ce7cc9e0bf5585a86f2819dc4accc814fbbe9a59c6d25edd89e64eb8e254d0b87d439f7fa3a302709be282c54b9074280e0cfa871bddc6f2fec2f6ed98be |
\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Cipher\_raw_ocb.pyd
| MD5 | d6074b3341f2998e5781db601a2386ed |
| SHA1 | d513e9134cb919776d5286067487695d61b81458 |
| SHA256 | 697e1d66c4444b601ad75a887d53db420bcbdcc521066174ee595fc4762363cb |
| SHA512 | 18aac19e29c9f15bce6795cdaf1bcf19472c86786f6589cf6d5b516f92690b8b0ff2ccd440664f62f26f23d05311296389a3ae1f3a8c8eabe563031f04d8a5b9 |
\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Hash\_ghash_clmul.pyd
| MD5 | 2a173603e4770b75c1d60b3e8248c028 |
| SHA1 | 1b955d2800fbc79b975ced1f90ddcde3e713efa1 |
| SHA256 | f4ac7cf80d72016fea440320696e46698ae0fee9f7d79713440f26148a856f2f |
| SHA512 | 1b23a684505c65c778a0fe9005b416a25ac6464f1c4bd37af50fbc6259df579906d557f0cfa62ce6b28b6d8c3bbd5ebb4d229216c5ff0d25359ca99f06302600 |
\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Hash\_ghash_portable.pyd
| MD5 | cf6a2d528f6f0c8e3a80094fd6127792 |
| SHA1 | 70b758f75bef965c1514fd6f36021e351cfc76be |
| SHA256 | dd1410ac66ebce4cf12a5c73af97c2295d897e3b7820b613b87af78987a81056 |
| SHA512 | d64a1c6fa77c5c7583783f2c6858ac306bdd86b1f57a0861e447cfe4805b6a5120f68ac5d65e6fdedc82bfa69462f6e0c61d67e57816d830a4d60c3e9d68990e |
\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Util\_cpuid_c.pyd
| MD5 | 11645c64306545732e48609025cb15af |
| SHA1 | 688a8e71789b9419eb672bed62944391ac7c9cad |
| SHA256 | aaf9dbc38c6490964531223105bc6a6b26da55543e353165e0c748ed20a839a6 |
| SHA512 | 7634747f1c47079eb8a3213adc294267dce69add539f0bfc1fd2bea0ff9787eb0f54f46ec3b726bf9e40a6f07f49e4227beb2dee9fdf34bcb6728c6b1cde23a3 |
memory/2000-146-0x00000000004E0000-0x00000000004EA000-memory.dmp
memory/2000-145-0x0000000074BD0000-0x0000000074BF5000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Protocol\_scrypt.pyd
| MD5 | 7d5d2e773317ba63b5166c88318790a9 |
| SHA1 | d65b858ea27b58b6d396ea909082927740664ea1 |
| SHA256 | 410646ad327b1096b9be25be92b8b0c35eb0c384741bdae8e340c77351509d2e |
| SHA512 | a7f6ad24ad9b18a934e018290e26fb25c4dc87097c789885d06b9d9e074dc6b47441ae3da19f1ab92ded4a1bd2659f843d942361d846eab770f83d3873b2a68f |
\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Cipher\_Salsa20.pyd
| MD5 | ef5dbc1a371e487adaff7cb7f5ed9446 |
| SHA1 | 75dfc9c414f6288c57307fedbb8b5b4a7a2efcbc |
| SHA256 | 15be6f4ffbc7f6db0247dc4a1a3194fed4f38c93c1fc71c01515ad3a59de75d1 |
| SHA512 | c74e28a2990b44555bc4b5af2cf171ee5cf08dfdb46e149d66dfad81e6639fc249044230a031ba14b9b24cbfec082a2c575b5def1b9ec408bf4e2d06015ce42f |
memory/2000-139-0x00000000004D0000-0x00000000004DC000-memory.dmp
memory/2000-138-0x0000000074C00000-0x0000000074CAF000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Hash\_SHA256.pyd
| MD5 | de77ed5a1f2a9f6ecbb75cdfb9fa1a23 |
| SHA1 | 6c75eca2050627fc3676ddbbdd8c4dbba10ee6cd |
| SHA256 | 4087f562aa6d5716acf5d29195a23c9a69bb9449be7493dc185e10e367702de0 |
| SHA512 | dec8ebe6dcec4c28fe70191731c015933320cc2431c31172a4ad5eb0d11d20b981d39b216e05ed06720e070e3343b31b399300760b8f319439e6cf4e9b4d8eee |
memory/2000-135-0x00000000004C0000-0x00000000004CC000-memory.dmp
memory/2000-134-0x00000000004B0000-0x00000000004BB000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Hash\_SHA1.pyd
| MD5 | f9734d4549191c6b4048f65ff7c5cd56 |
| SHA1 | 0a55e87a7dea6f19e6126f0baddf96f92a7ac16d |
| SHA256 | cc834acfd5ef9fde7bda34d250fd456a1f2b102289e62198bf41f96205151a80 |
| SHA512 | 014e300f7a157abacad58b9acf1e2d483b8687628179c3d93fbe3691751243fdf6503f84864c0309cce56e7bfab22c3d558137a3a9e3c2aa56958fc63d8aa004 |
\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Util\_strxor.pyd
| MD5 | 239a69fa1fc7297debeeaa42449a055f |
| SHA1 | 9407b4ddd4ae2da49198d0b083f113fa2eceb44f |
| SHA256 | 98c6a29470cd2a20e2dd2a09b0eb6156c29d1e900283eb844c993974d76208c3 |
| SHA512 | 176b62b3b402b4c24541d39016e5d65bd9f043a5222b468fa685bcf60d47595ce955f230c242613861aeb11e8a112d5f39dd9298041efb050d0d5f9b0032febb |
\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Cipher\_raw_ctr.pyd
| MD5 | e99802c2b523c4c2c8fc1d89ee6db877 |
| SHA1 | af68ee2ab9c5fe477f61a1be49ce84fa1e7c6a63 |
| SHA256 | 6283c8117727cc18568cf268da11f998c57bb2df9966c31809514e82c8581cbf |
| SHA512 | 2c4187e4294765016e2264d92a1a34785f9ff2a69084fda39cfd187116b8efc189505b2d8e878f4f652ccbc3889a42e9c36cd0f3789bb3e7e41197cbca9b6f2f |
\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Cipher\_raw_ofb.pyd
| MD5 | bd64a9dd340d9f32deaf7f545d5256c0 |
| SHA1 | 6e43ed4524ef0e6e77b233b85adac0220eb3203d |
| SHA256 | 379678ab8a52983ade8148e321f3fc28b05449312faec7d0f29d38813f47d09e |
| SHA512 | 568411b9a709077ccddb7f4cdd4aa9034e67a09f4e85e317800cde084c3526ab37e8344c14ba6b306ce812823981db658b9d00ee3645fde235e1e56996836502 |
\Users\Admin\AppData\Local\Temp\_MEI19~1\Crypto\Cipher\_raw_ecb.pyd
| MD5 | 2e6ab434cee9840a4fde4d45c57b1c5e |
| SHA1 | 32c7859abde475c1dc7a882eb8b0cf2b8285fb5e |
| SHA256 | bd7046fcf346f1a051060f58c29787dd01fa0614c36bff02f539104c83ace274 |
| SHA512 | 0106881287a188e51bfd6a84f24ce36e0059cc067b83849d4ae956ade3d1d02b8443d423f01bf85d668126e19f493dfc11bfe4d3bf4b8f894945a39871c0b4e6 |
\Users\Admin\AppData\Local\Temp\_MEI19~1\bz2.pyd
| MD5 | 39a1f78896f228b494a9157991b8ce4b |
| SHA1 | bb1da3b695206e82a019fc6d0e9d3e899b194b1d |
| SHA256 | d9ac819de2aa2be5d575f57325a0d3ba6f6ba0516a04face096c3f693ea1eeaa |
| SHA512 | 43fc4ae3d7c7e5d2ff346311bfe4407e1b41d7410101d2acfbf2d2fde0448e87a359ce23c0dc74b30a8a673c148ba332132306684e4ac327d2dfd5be79d95751 |
memory/2000-97-0x0000000074BD0000-0x0000000074BF5000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI19042\python27.dll
| MD5 | d2b1ae6331f7b5573892f8458ef903ba |
| SHA1 | e9f55a79e7fe086e93937302801e676e3ea3869a |
| SHA256 | f9f9643cfcd248836e071d2ab5fc626211eab58a648d290cdf3711b9ecfde5e2 |
| SHA512 | dc7af4eab50dafbe83c48e312d386ccfafedf51a58231228b5dd21221912f7028fea930eb826bf2174ccb2d26ea483e65780b4a480797cd4d7bada6becf2b242 |
C:\Users\Admin\AppData\Local\Temp\_MEI19042\NLChecker.exe.manifest
| MD5 | 6e405b4261e0578fbdfaf93615ecf43e |
| SHA1 | f3d5993b5599fc85fc83dd1def58ac2d83672d4f |
| SHA256 | 2ae660d4e253e36fe08e9efb3b723558413be17700d9df80c59192a49d6976b4 |
| SHA512 | 4a6c37c1f307c8dca40512e6a4e40ddb59dc6ca6b581ca4a2da5cbf9abcc17cd9467d5eb25a050025a5f3d0b367782cbceac69e09fb6c3825730cca54d223abe |
memory/2000-182-0x0000000074CB0000-0x0000000075028000-memory.dmp
memory/2000-183-0x0000000074C00000-0x0000000074CAF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 07:51
Reported
2024-06-06 07:56
Platform
win10-20240404-en
Max time kernel
22s
Max time network
17s
Command Line
Signatures
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1608 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\NLChecker.exe | C:\Users\Admin\AppData\Local\Temp\NLChecker.exe |
| PID 1608 wrote to memory of 4864 | N/A | C:\Users\Admin\AppData\Local\Temp\NLChecker.exe | C:\Users\Admin\AppData\Local\Temp\NLChecker.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\NLChecker.exe
"C:\Users\Admin\AppData\Local\Temp\NLChecker.exe"
C:\Users\Admin\AppData\Local\Temp\NLChecker.exe
"C:\Users\Admin\AppData\Local\Temp\NLChecker.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI16082\NLChecker.exe.manifest
| MD5 | 6e405b4261e0578fbdfaf93615ecf43e |
| SHA1 | f3d5993b5599fc85fc83dd1def58ac2d83672d4f |
| SHA256 | 2ae660d4e253e36fe08e9efb3b723558413be17700d9df80c59192a49d6976b4 |
| SHA512 | 4a6c37c1f307c8dca40512e6a4e40ddb59dc6ca6b581ca4a2da5cbf9abcc17cd9467d5eb25a050025a5f3d0b367782cbceac69e09fb6c3825730cca54d223abe |
C:\Users\Admin\AppData\Local\Temp\_MEI16082\python27.dll
| MD5 | d2b1ae6331f7b5573892f8458ef903ba |
| SHA1 | e9f55a79e7fe086e93937302801e676e3ea3869a |
| SHA256 | f9f9643cfcd248836e071d2ab5fc626211eab58a648d290cdf3711b9ecfde5e2 |
| SHA512 | dc7af4eab50dafbe83c48e312d386ccfafedf51a58231228b5dd21221912f7028fea930eb826bf2174ccb2d26ea483e65780b4a480797cd4d7bada6becf2b242 |
\Users\Admin\AppData\Local\Temp\_MEI16082\msvcr90.dll
| MD5 | e82eeaa1e4591cedf8afa159217b6bb1 |
| SHA1 | 8ac3c6f0a62991c92df62ab8e239183081076b7f |
| SHA256 | 3359cf3a05a0070a273cb14b9d10992cf3ba1d95323df8ecdec199423cb6c9bd |
| SHA512 | 6d56e4c0323bfab21ae89be66e79b71736240ca85a4418f36c8009cf47ec9c7891b5b5592f95559840a84c705e9849fcb28d6c421b74f2811aab774bbf606840 |
memory/4864-94-0x000000005F4C0000-0x000000005F56F000-memory.dmp
memory/4864-93-0x000000005F570000-0x000000005F8E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI16~1\bz2.pyd
| MD5 | 39a1f78896f228b494a9157991b8ce4b |
| SHA1 | bb1da3b695206e82a019fc6d0e9d3e899b194b1d |
| SHA256 | d9ac819de2aa2be5d575f57325a0d3ba6f6ba0516a04face096c3f693ea1eeaa |
| SHA512 | 43fc4ae3d7c7e5d2ff346311bfe4407e1b41d7410101d2acfbf2d2fde0448e87a359ce23c0dc74b30a8a673c148ba332132306684e4ac327d2dfd5be79d95751 |
\Users\Admin\AppData\Local\Temp\_MEI16~1\_hashlib.pyd
| MD5 | b9bec1122b0d52d2737f8fde24678b37 |
| SHA1 | 787a8eb4bb45f3019bc5890e3e92a37b7faee4a0 |
| SHA256 | 0dfd1ee1f50986efd0f967f0e4665216ef5301bdecbefb6b183bb70303e7709f |
| SHA512 | 2b341fb67370e9e590bd242899bfe1735def66eb166cb4d0898fd7aab671a1a6a6eb18b155bd223a55d469875350f74b7ff94fcc35990639994c467e88313037 |
memory/4864-103-0x00007FF844620000-0x00007FF8447BF000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI16~1\_ssl.pyd
| MD5 | 0f38005ba0792ceeb3f800b5a50b86d3 |
| SHA1 | ee4c4174e2c98ef63f2e1051c83eb39e7280a627 |
| SHA256 | a2e0b349bb1bfd39094c59e7b096bbf0953b74f58e8efa4d675604f33eccbc61 |
| SHA512 | 212d1be7bc797f511e9949a5a76b6d07009d40bc4e0c6b6f114c72cae193dc22d2c2662d234ac163d6b4bd341383dc2cd199895ca09bde08dfa2f7b8d997de24 |
memory/4864-109-0x00007FF843E90000-0x00007FF8440A1000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI16~1\_cffi_backend.pyd
| MD5 | b886ce72a56d6a45c876266d3aad9a0c |
| SHA1 | e3fba46feefedbd7f38c163ca867d0c5f83fa557 |
| SHA256 | ed085929fc8e6edcf9f359d4382815a434a0dc6b550902533706c5af8e4477f3 |
| SHA512 | 07ec4f329acc0e70818d179f39bfe67f4fdc2b5b3c8dfe6dd59a11480cc42d491135a67c1bb3090329db1652e170e99401b26dd2a8fabda3b89c347a471480e4 |
\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Cipher\_raw_cfb.pyd
| MD5 | 037c3157ce1f4e858e6efc44bc346e7a |
| SHA1 | 52fe78365725a24f6f892e44c8120ad11f5a9187 |
| SHA256 | a583c84197ef1dc5964194418d003eacf7c8d38eb039764e1da511d31a109a1a |
| SHA512 | e280da2e37ca841d8e53a77861b3880f5db8f5366e27040017e2621832c0712b7e732ff28cbe48b93c067dfe9f283da71e0dc7834c91e42766678ebb7b05b9c8 |
\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Cipher\_raw_ctr.pyd
| MD5 | e99802c2b523c4c2c8fc1d89ee6db877 |
| SHA1 | af68ee2ab9c5fe477f61a1be49ce84fa1e7c6a63 |
| SHA256 | 6283c8117727cc18568cf268da11f998c57bb2df9966c31809514e82c8581cbf |
| SHA512 | 2c4187e4294765016e2264d92a1a34785f9ff2a69084fda39cfd187116b8efc189505b2d8e878f4f652ccbc3889a42e9c36cd0f3789bb3e7e41197cbca9b6f2f |
\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Hash\_MD5.pyd
| MD5 | f691f657d9f34de60611e633304cd76b |
| SHA1 | afeaf5693f43d26011ca123b1ed51be4ebc4120c |
| SHA256 | ef3802a73785be16f243515490beb4aa120f403ddd1b831998cd44559bc1c90c |
| SHA512 | 50730499346952abd875f9f810a809d937d8c066d6330e902032ac6307033b8c3c891dca52187599ac45f8624d38096ad4ba55eff24cc143181e466a257ac4bc |
C:\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Hash\_ghash_clmul.pyd
| MD5 | 2a173603e4770b75c1d60b3e8248c028 |
| SHA1 | 1b955d2800fbc79b975ced1f90ddcde3e713efa1 |
| SHA256 | f4ac7cf80d72016fea440320696e46698ae0fee9f7d79713440f26148a856f2f |
| SHA512 | 1b23a684505c65c778a0fe9005b416a25ac6464f1c4bd37af50fbc6259df579906d557f0cfa62ce6b28b6d8c3bbd5ebb4d229216c5ff0d25359ca99f06302600 |
memory/4864-168-0x00000166A5350000-0x00000166A535B000-memory.dmp
memory/4864-173-0x00007FF844620000-0x00007FF8447BF000-memory.dmp
memory/4864-179-0x00000166A54A0000-0x00000166A54AB000-memory.dmp
memory/4864-178-0x00000166A5480000-0x00000166A5494000-memory.dmp
memory/4864-177-0x00000166A5460000-0x00000166A546B000-memory.dmp
memory/4864-176-0x00000166A5440000-0x00000166A544A000-memory.dmp
memory/4864-175-0x00007FF843E90000-0x00007FF8440A1000-memory.dmp
memory/4864-174-0x000000005F450000-0x000000005F464000-memory.dmp
memory/4864-172-0x00000166A5400000-0x00000166A540A000-memory.dmp
memory/4864-171-0x00000166A53F0000-0x00000166A53FC000-memory.dmp
memory/4864-170-0x00000166A53E0000-0x00000166A53EC000-memory.dmp
memory/4864-169-0x00000166A53D0000-0x00000166A53DB000-memory.dmp
memory/4864-167-0x00000166A1840000-0x00000166A184A000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Hash\_ghash_portable.pyd
| MD5 | cf6a2d528f6f0c8e3a80094fd6127792 |
| SHA1 | 70b758f75bef965c1514fd6f36021e351cfc76be |
| SHA256 | dd1410ac66ebce4cf12a5c73af97c2295d897e3b7820b613b87af78987a81056 |
| SHA512 | d64a1c6fa77c5c7583783f2c6858ac306bdd86b1f57a0861e447cfe4805b6a5120f68ac5d65e6fdedc82bfa69462f6e0c61d67e57816d830a4d60c3e9d68990e |
\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Util\_cpuid_c.pyd
| MD5 | 11645c64306545732e48609025cb15af |
| SHA1 | 688a8e71789b9419eb672bed62944391ac7c9cad |
| SHA256 | aaf9dbc38c6490964531223105bc6a6b26da55543e353165e0c748ed20a839a6 |
| SHA512 | 7634747f1c47079eb8a3213adc294267dce69add539f0bfc1fd2bea0ff9787eb0f54f46ec3b726bf9e40a6f07f49e4227beb2dee9fdf34bcb6728c6b1cde23a3 |
memory/4864-159-0x000000005F4C0000-0x000000005F56F000-memory.dmp
memory/4864-157-0x00000166A17F0000-0x00000166A17FA000-memory.dmp
memory/4864-156-0x000000005F570000-0x000000005F8E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Protocol\_scrypt.pyd
| MD5 | 7d5d2e773317ba63b5166c88318790a9 |
| SHA1 | d65b858ea27b58b6d396ea909082927740664ea1 |
| SHA256 | 410646ad327b1096b9be25be92b8b0c35eb0c384741bdae8e340c77351509d2e |
| SHA512 | a7f6ad24ad9b18a934e018290e26fb25c4dc87097c789885d06b9d9e074dc6b47441ae3da19f1ab92ded4a1bd2659f843d942361d846eab770f83d3873b2a68f |
\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Cipher\_Salsa20.pyd
| MD5 | ef5dbc1a371e487adaff7cb7f5ed9446 |
| SHA1 | 75dfc9c414f6288c57307fedbb8b5b4a7a2efcbc |
| SHA256 | 15be6f4ffbc7f6db0247dc4a1a3194fed4f38c93c1fc71c01515ad3a59de75d1 |
| SHA512 | c74e28a2990b44555bc4b5af2cf171ee5cf08dfdb46e149d66dfad81e6639fc249044230a031ba14b9b24cbfec082a2c575b5def1b9ec408bf4e2d06015ce42f |
memory/4864-146-0x00000166A17E0000-0x00000166A17EC000-memory.dmp
memory/4864-145-0x00000166A17D0000-0x00000166A17DC000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Hash\_SHA256.pyd
| MD5 | de77ed5a1f2a9f6ecbb75cdfb9fa1a23 |
| SHA1 | 6c75eca2050627fc3676ddbbdd8c4dbba10ee6cd |
| SHA256 | 4087f562aa6d5716acf5d29195a23c9a69bb9449be7493dc185e10e367702de0 |
| SHA512 | dec8ebe6dcec4c28fe70191731c015933320cc2431c31172a4ad5eb0d11d20b981d39b216e05ed06720e070e3343b31b399300760b8f319439e6cf4e9b4d8eee |
\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Hash\_SHA1.pyd
| MD5 | f9734d4549191c6b4048f65ff7c5cd56 |
| SHA1 | 0a55e87a7dea6f19e6126f0baddf96f92a7ac16d |
| SHA256 | cc834acfd5ef9fde7bda34d250fd456a1f2b102289e62198bf41f96205151a80 |
| SHA512 | 014e300f7a157abacad58b9acf1e2d483b8687628179c3d93fbe3691751243fdf6503f84864c0309cce56e7bfab22c3d558137a3a9e3c2aa56958fc63d8aa004 |
memory/4864-137-0x00000166A17C0000-0x00000166A17CB000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Hash\_BLAKE2s.pyd
| MD5 | 36f7426b735e4b0de5a32a7a829da7e3 |
| SHA1 | 966138f6ca8ad626fa698da974ce8e9eb2fcd675 |
| SHA256 | 142b0e8a71a71dc59b6ba533ee865c3d174436bd9785c8910e742ca12c736dc7 |
| SHA512 | 8ee6a8059bf9032c412be55f1e6d5c2cf219463e4384f2b10749616a8f0055a1eed5c1dcbcd5cc94539caafb4a18921195bc6538bb9fe01be5c76cfd28682ccd |
\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Util\_strxor.pyd
| MD5 | 239a69fa1fc7297debeeaa42449a055f |
| SHA1 | 9407b4ddd4ae2da49198d0b083f113fa2eceb44f |
| SHA256 | 98c6a29470cd2a20e2dd2a09b0eb6156c29d1e900283eb844c993974d76208c3 |
| SHA512 | 176b62b3b402b4c24541d39016e5d65bd9f043a5222b468fa685bcf60d47595ce955f230c242613861aeb11e8a112d5f39dd9298041efb050d0d5f9b0032febb |
\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Cipher\_raw_ofb.pyd
| MD5 | bd64a9dd340d9f32deaf7f545d5256c0 |
| SHA1 | 6e43ed4524ef0e6e77b233b85adac0220eb3203d |
| SHA256 | 379678ab8a52983ade8148e321f3fc28b05449312faec7d0f29d38813f47d09e |
| SHA512 | 568411b9a709077ccddb7f4cdd4aa9034e67a09f4e85e317800cde084c3526ab37e8344c14ba6b306ce812823981db658b9d00ee3645fde235e1e56996836502 |
\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Cipher\_raw_cbc.pyd
| MD5 | 0b880f6e0d8461cb80d1b4146237ee82 |
| SHA1 | 157347e0b5f13bb8131b2335d078ad1d86917ab1 |
| SHA256 | 093eaa37165b0f8dbf50b2acba7f998a8d535409ea0ed13fff3e645f865718a0 |
| SHA512 | 339638856dd48fa3be696c9af22121c3d2d7ed9aaf3d96c339291ba6eb076980364df30160e42ea2ab3ce37d991d7d5fcc08fcc3b590ea41d295e457657b561e |
\Users\Admin\AppData\Local\Temp\_MEI16~1\Crypto\Cipher\_raw_ecb.pyd
| MD5 | 2e6ab434cee9840a4fde4d45c57b1c5e |
| SHA1 | 32c7859abde475c1dc7a882eb8b0cf2b8285fb5e |
| SHA256 | bd7046fcf346f1a051060f58c29787dd01fa0614c36bff02f539104c83ace274 |
| SHA512 | 0106881287a188e51bfd6a84f24ce36e0059cc067b83849d4ae956ade3d1d02b8443d423f01bf85d668126e19f493dfc11bfe4d3bf4b8f894945a39871c0b4e6 |
memory/4864-115-0x0000000180000000-0x0000000180033000-memory.dmp
memory/4864-113-0x000000005F430000-0x000000005F441000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI16~1\_multiprocessing.pyd
| MD5 | 4fcc93a09d15c138b21c436434189d82 |
| SHA1 | 9a94f9f7f9f00f100cfec8b4af46f0d335e85ecd |
| SHA256 | ee66b937adf6adcf2efe3777018c09a3677251393777234c7853b8708fc2c539 |
| SHA512 | 00f984ab9a9f6842ec036d48d51fd3572870c9a1d23487af2f40130b0077e887fa51b1657ab7f8420d0bfb54eb204a1594799baeaa0075f6aec51f52c4ae3b9e |
memory/4864-108-0x000000005F450000-0x000000005F464000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI16~1\_socket.pyd
| MD5 | efaaa811eb02d947aad2fd020a7ca585 |
| SHA1 | 35d122e58a453d3c4a5fa81031fb9dfa6aec6f27 |
| SHA256 | ae6436d7ae7366cd0ec6ae065a851028fdc5a14094d4e928a9ad8752f2b1a9af |
| SHA512 | 319cd32759b8e5cb0086107ec6a3f35c60b2449a9db5e35b21f16e21271adcbdb6501cec2a566191fc9e63a48edca32fbef235931ee6210597b4eb83fa49844a |
memory/4864-100-0x000000005F470000-0x000000005F48E000-memory.dmp
memory/4864-97-0x000000005F490000-0x000000005F4B5000-memory.dmp
\Users\Admin\AppData\Local\Temp\_MEI16~1\_ctypes.pyd
| MD5 | 47a51db6fd9a671761cd5e0b6e0b83d7 |
| SHA1 | fef0c42609aaf8043ed1a1742512f7732d3a22b3 |
| SHA256 | 6d0c1677f6ccbe91c16032aac3a99ae09c684729bc0c153f1c0157ea2e560ecc |
| SHA512 | e6ae1d9b4f07574da8ff427d514b01964f4431bea021b31cbd94151346ac918e64ab694370eaf16e977b5289052d1a76440dc848e42b26e213d19a0f7f0490e2 |
memory/4864-180-0x0000000180000000-0x0000000180033000-memory.dmp
memory/4864-182-0x000000005F4C0000-0x000000005F56F000-memory.dmp
memory/4864-181-0x000000005F570000-0x000000005F8E8000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-06 07:51
Reported
2024-06-06 07:56
Platform
win11-20240508-en
Max time kernel
20s
Command Line
Signatures
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3912 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\NLChecker.exe | C:\Users\Admin\AppData\Local\Temp\NLChecker.exe |
| PID 3912 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\NLChecker.exe | C:\Users\Admin\AppData\Local\Temp\NLChecker.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\NLChecker.exe
"C:\Users\Admin\AppData\Local\Temp\NLChecker.exe"
C:\Users\Admin\AppData\Local\Temp\NLChecker.exe
"C:\Users\Admin\AppData\Local\Temp\NLChecker.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI39122\NLChecker.exe.manifest
| MD5 | 6e405b4261e0578fbdfaf93615ecf43e |
| SHA1 | f3d5993b5599fc85fc83dd1def58ac2d83672d4f |
| SHA256 | 2ae660d4e253e36fe08e9efb3b723558413be17700d9df80c59192a49d6976b4 |
| SHA512 | 4a6c37c1f307c8dca40512e6a4e40ddb59dc6ca6b581ca4a2da5cbf9abcc17cd9467d5eb25a050025a5f3d0b367782cbceac69e09fb6c3825730cca54d223abe |
C:\Users\Admin\AppData\Local\Temp\_MEI39122\python27.dll
| MD5 | d2b1ae6331f7b5573892f8458ef903ba |
| SHA1 | e9f55a79e7fe086e93937302801e676e3ea3869a |
| SHA256 | f9f9643cfcd248836e071d2ab5fc626211eab58a648d290cdf3711b9ecfde5e2 |
| SHA512 | dc7af4eab50dafbe83c48e312d386ccfafedf51a58231228b5dd21221912f7028fea930eb826bf2174ccb2d26ea483e65780b4a480797cd4d7bada6becf2b242 |
memory/3740-91-0x0000000059FF0000-0x000000005A368000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\_ctypes.pyd
| MD5 | 47a51db6fd9a671761cd5e0b6e0b83d7 |
| SHA1 | fef0c42609aaf8043ed1a1742512f7732d3a22b3 |
| SHA256 | 6d0c1677f6ccbe91c16032aac3a99ae09c684729bc0c153f1c0157ea2e560ecc |
| SHA512 | e6ae1d9b4f07574da8ff427d514b01964f4431bea021b31cbd94151346ac918e64ab694370eaf16e977b5289052d1a76440dc848e42b26e213d19a0f7f0490e2 |
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\bz2.pyd
| MD5 | 39a1f78896f228b494a9157991b8ce4b |
| SHA1 | bb1da3b695206e82a019fc6d0e9d3e899b194b1d |
| SHA256 | d9ac819de2aa2be5d575f57325a0d3ba6f6ba0516a04face096c3f693ea1eeaa |
| SHA512 | 43fc4ae3d7c7e5d2ff346311bfe4407e1b41d7410101d2acfbf2d2fde0448e87a359ce23c0dc74b30a8a673c148ba332132306684e4ac327d2dfd5be79d95751 |
memory/3740-97-0x0000000059EF0000-0x0000000059F0E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39122\_hashlib.pyd
| MD5 | b9bec1122b0d52d2737f8fde24678b37 |
| SHA1 | 787a8eb4bb45f3019bc5890e3e92a37b7faee4a0 |
| SHA256 | 0dfd1ee1f50986efd0f967f0e4665216ef5301bdecbefb6b183bb70303e7709f |
| SHA512 | 2b341fb67370e9e590bd242899bfe1735def66eb166cb4d0898fd7aab671a1a6a6eb18b155bd223a55d469875350f74b7ff94fcc35990639994c467e88313037 |
memory/3740-95-0x0000000059F10000-0x0000000059F35000-memory.dmp
memory/3740-100-0x00007FF848940000-0x00007FF848ADF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\_socket.pyd
| MD5 | efaaa811eb02d947aad2fd020a7ca585 |
| SHA1 | 35d122e58a453d3c4a5fa81031fb9dfa6aec6f27 |
| SHA256 | ae6436d7ae7366cd0ec6ae065a851028fdc5a14094d4e928a9ad8752f2b1a9af |
| SHA512 | 319cd32759b8e5cb0086107ec6a3f35c60b2449a9db5e35b21f16e21271adcbdb6501cec2a566191fc9e63a48edca32fbef235931ee6210597b4eb83fa49844a |
C:\Users\Admin\AppData\Local\Temp\_MEI39122\_ssl.pyd
| MD5 | 0f38005ba0792ceeb3f800b5a50b86d3 |
| SHA1 | ee4c4174e2c98ef63f2e1051c83eb39e7280a627 |
| SHA256 | a2e0b349bb1bfd39094c59e7b096bbf0953b74f58e8efa4d675604f33eccbc61 |
| SHA512 | 212d1be7bc797f511e9949a5a76b6d07009d40bc4e0c6b6f114c72cae193dc22d2c2662d234ac163d6b4bd341383dc2cd199895ca09bde08dfa2f7b8d997de24 |
memory/3740-105-0x0000000059ED0000-0x0000000059EE4000-memory.dmp
memory/3740-106-0x00007FF837520000-0x00007FF837731000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\_multiprocessing.pyd
| MD5 | 4fcc93a09d15c138b21c436434189d82 |
| SHA1 | 9a94f9f7f9f00f100cfec8b4af46f0d335e85ecd |
| SHA256 | ee66b937adf6adcf2efe3777018c09a3677251393777234c7853b8708fc2c539 |
| SHA512 | 00f984ab9a9f6842ec036d48d51fd3572870c9a1d23487af2f40130b0077e887fa51b1657ab7f8420d0bfb54eb204a1594799baeaa0075f6aec51f52c4ae3b9e |
memory/3740-109-0x0000000059EB0000-0x0000000059EC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\_cffi_backend.pyd
| MD5 | b886ce72a56d6a45c876266d3aad9a0c |
| SHA1 | e3fba46feefedbd7f38c163ca867d0c5f83fa557 |
| SHA256 | ed085929fc8e6edcf9f359d4382815a434a0dc6b550902533706c5af8e4477f3 |
| SHA512 | 07ec4f329acc0e70818d179f39bfe67f4fdc2b5b3c8dfe6dd59a11480cc42d491135a67c1bb3090329db1652e170e99401b26dd2a8fabda3b89c347a471480e4 |
C:\Users\Admin\AppData\Local\Temp\_MEI39122\Crypto\Cipher\_raw_ecb.pyd
| MD5 | 2e6ab434cee9840a4fde4d45c57b1c5e |
| SHA1 | 32c7859abde475c1dc7a882eb8b0cf2b8285fb5e |
| SHA256 | bd7046fcf346f1a051060f58c29787dd01fa0614c36bff02f539104c83ace274 |
| SHA512 | 0106881287a188e51bfd6a84f24ce36e0059cc067b83849d4ae956ade3d1d02b8443d423f01bf85d668126e19f493dfc11bfe4d3bf4b8f894945a39871c0b4e6 |
memory/3740-113-0x0000000180000000-0x0000000180033000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Cipher\_raw_cbc.pyd
| MD5 | 0b880f6e0d8461cb80d1b4146237ee82 |
| SHA1 | 157347e0b5f13bb8131b2335d078ad1d86917ab1 |
| SHA256 | 093eaa37165b0f8dbf50b2acba7f998a8d535409ea0ed13fff3e645f865718a0 |
| SHA512 | 339638856dd48fa3be696c9af22121c3d2d7ed9aaf3d96c339291ba6eb076980364df30160e42ea2ab3ce37d991d7d5fcc08fcc3b590ea41d295e457657b561e |
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Cipher\_raw_cfb.pyd
| MD5 | 037c3157ce1f4e858e6efc44bc346e7a |
| SHA1 | 52fe78365725a24f6f892e44c8120ad11f5a9187 |
| SHA256 | a583c84197ef1dc5964194418d003eacf7c8d38eb039764e1da511d31a109a1a |
| SHA512 | e280da2e37ca841d8e53a77861b3880f5db8f5366e27040017e2621832c0712b7e732ff28cbe48b93c067dfe9f283da71e0dc7834c91e42766678ebb7b05b9c8 |
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Cipher\_raw_ofb.pyd
| MD5 | bd64a9dd340d9f32deaf7f545d5256c0 |
| SHA1 | 6e43ed4524ef0e6e77b233b85adac0220eb3203d |
| SHA256 | 379678ab8a52983ade8148e321f3fc28b05449312faec7d0f29d38813f47d09e |
| SHA512 | 568411b9a709077ccddb7f4cdd4aa9034e67a09f4e85e317800cde084c3526ab37e8344c14ba6b306ce812823981db658b9d00ee3645fde235e1e56996836502 |
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Cipher\_raw_ctr.pyd
| MD5 | e99802c2b523c4c2c8fc1d89ee6db877 |
| SHA1 | af68ee2ab9c5fe477f61a1be49ce84fa1e7c6a63 |
| SHA256 | 6283c8117727cc18568cf268da11f998c57bb2df9966c31809514e82c8581cbf |
| SHA512 | 2c4187e4294765016e2264d92a1a34785f9ff2a69084fda39cfd187116b8efc189505b2d8e878f4f652ccbc3889a42e9c36cd0f3789bb3e7e41197cbca9b6f2f |
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Util\_strxor.pyd
| MD5 | 239a69fa1fc7297debeeaa42449a055f |
| SHA1 | 9407b4ddd4ae2da49198d0b083f113fa2eceb44f |
| SHA256 | 98c6a29470cd2a20e2dd2a09b0eb6156c29d1e900283eb844c993974d76208c3 |
| SHA512 | 176b62b3b402b4c24541d39016e5d65bd9f043a5222b468fa685bcf60d47595ce955f230c242613861aeb11e8a112d5f39dd9298041efb050d0d5f9b0032febb |
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Hash\_BLAKE2s.pyd
| MD5 | 36f7426b735e4b0de5a32a7a829da7e3 |
| SHA1 | 966138f6ca8ad626fa698da974ce8e9eb2fcd675 |
| SHA256 | 142b0e8a71a71dc59b6ba533ee865c3d174436bd9785c8910e742ca12c736dc7 |
| SHA512 | 8ee6a8059bf9032c412be55f1e6d5c2cf219463e4384f2b10749616a8f0055a1eed5c1dcbcd5cc94539caafb4a18921195bc6538bb9fe01be5c76cfd28682ccd |
memory/3740-134-0x0000025D52C00000-0x0000025D52C0B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Hash\_SHA1.pyd
| MD5 | f9734d4549191c6b4048f65ff7c5cd56 |
| SHA1 | 0a55e87a7dea6f19e6126f0baddf96f92a7ac16d |
| SHA256 | cc834acfd5ef9fde7bda34d250fd456a1f2b102289e62198bf41f96205151a80 |
| SHA512 | 014e300f7a157abacad58b9acf1e2d483b8687628179c3d93fbe3691751243fdf6503f84864c0309cce56e7bfab22c3d558137a3a9e3c2aa56958fc63d8aa004 |
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Hash\_SHA256.pyd
| MD5 | de77ed5a1f2a9f6ecbb75cdfb9fa1a23 |
| SHA1 | 6c75eca2050627fc3676ddbbdd8c4dbba10ee6cd |
| SHA256 | 4087f562aa6d5716acf5d29195a23c9a69bb9449be7493dc185e10e367702de0 |
| SHA512 | dec8ebe6dcec4c28fe70191731c015933320cc2431c31172a4ad5eb0d11d20b981d39b216e05ed06720e070e3343b31b399300760b8f319439e6cf4e9b4d8eee |
memory/3740-143-0x0000025D52C20000-0x0000025D52C2C000-memory.dmp
memory/3740-142-0x0000025D52C20000-0x0000025D52C2C000-memory.dmp
memory/3740-141-0x0000025D52C10000-0x0000025D52C1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Hash\_MD5.pyd
| MD5 | f691f657d9f34de60611e633304cd76b |
| SHA1 | afeaf5693f43d26011ca123b1ed51be4ebc4120c |
| SHA256 | ef3802a73785be16f243515490beb4aa120f403ddd1b831998cd44559bc1c90c |
| SHA512 | 50730499346952abd875f9f810a809d937d8c066d6330e902032ac6307033b8c3c891dca52187599ac45f8624d38096ad4ba55eff24cc143181e466a257ac4bc |
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Cipher\_Salsa20.pyd
| MD5 | ef5dbc1a371e487adaff7cb7f5ed9446 |
| SHA1 | 75dfc9c414f6288c57307fedbb8b5b4a7a2efcbc |
| SHA256 | 15be6f4ffbc7f6db0247dc4a1a3194fed4f38c93c1fc71c01515ad3a59de75d1 |
| SHA512 | c74e28a2990b44555bc4b5af2cf171ee5cf08dfdb46e149d66dfad81e6639fc249044230a031ba14b9b24cbfec082a2c575b5def1b9ec408bf4e2d06015ce42f |
C:\Users\Admin\AppData\Local\Temp\_MEI39122\Crypto\Protocol\_scrypt.pyd
| MD5 | 7d5d2e773317ba63b5166c88318790a9 |
| SHA1 | d65b858ea27b58b6d396ea909082927740664ea1 |
| SHA256 | 410646ad327b1096b9be25be92b8b0c35eb0c384741bdae8e340c77351509d2e |
| SHA512 | a7f6ad24ad9b18a934e018290e26fb25c4dc87097c789885d06b9d9e074dc6b47441ae3da19f1ab92ded4a1bd2659f843d942361d846eab770f83d3873b2a68f |
C:\Users\Admin\AppData\Local\Temp\_MEI39122\Crypto\Hash\_ghash_portable.pyd
| MD5 | cf6a2d528f6f0c8e3a80094fd6127792 |
| SHA1 | 70b758f75bef965c1514fd6f36021e351cfc76be |
| SHA256 | dd1410ac66ebce4cf12a5c73af97c2295d897e3b7820b613b87af78987a81056 |
| SHA512 | d64a1c6fa77c5c7583783f2c6858ac306bdd86b1f57a0861e447cfe4805b6a5120f68ac5d65e6fdedc82bfa69462f6e0c61d67e57816d830a4d60c3e9d68990e |
C:\Users\Admin\AppData\Local\Temp\_MEI39122\Crypto\Util\_cpuid_c.pyd
| MD5 | 11645c64306545732e48609025cb15af |
| SHA1 | 688a8e71789b9419eb672bed62944391ac7c9cad |
| SHA256 | aaf9dbc38c6490964531223105bc6a6b26da55543e353165e0c748ed20a839a6 |
| SHA512 | 7634747f1c47079eb8a3213adc294267dce69add539f0bfc1fd2bea0ff9787eb0f54f46ec3b726bf9e40a6f07f49e4227beb2dee9fdf34bcb6728c6b1cde23a3 |
memory/3740-161-0x0000025D56780000-0x0000025D5678A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39~1\Crypto\Hash\_ghash_clmul.pyd
| MD5 | 2a173603e4770b75c1d60b3e8248c028 |
| SHA1 | 1b955d2800fbc79b975ced1f90ddcde3e713efa1 |
| SHA256 | f4ac7cf80d72016fea440320696e46698ae0fee9f7d79713440f26148a856f2f |
| SHA512 | 1b23a684505c65c778a0fe9005b416a25ac6464f1c4bd37af50fbc6259df579906d557f0cfa62ce6b28b6d8c3bbd5ebb4d229216c5ff0d25359ca99f06302600 |
C:\Users\Admin\AppData\Local\Temp\_MEI39122\Crypto\Cipher\_raw_ocb.pyd
| MD5 | d6074b3341f2998e5781db601a2386ed |
| SHA1 | d513e9134cb919776d5286067487695d61b81458 |
| SHA256 | 697e1d66c4444b601ad75a887d53db420bcbdcc521066174ee595fc4762363cb |
| SHA512 | 18aac19e29c9f15bce6795cdaf1bcf19472c86786f6589cf6d5b516f92690b8b0ff2ccd440664f62f26f23d05311296389a3ae1f3a8c8eabe563031f04d8a5b9 |
memory/3740-160-0x0000025D52C30000-0x0000025D52C3A000-memory.dmp
memory/3740-159-0x0000000059FF0000-0x000000005A368000-memory.dmp
memory/3740-167-0x0000025D567A0000-0x0000025D567AB000-memory.dmp
memory/3740-174-0x0000000059ED0000-0x0000000059EE4000-memory.dmp
memory/3740-173-0x0000025D56850000-0x0000025D5685A000-memory.dmp
memory/3740-172-0x0000025D56840000-0x0000025D5684C000-memory.dmp
memory/3740-177-0x0000025D568B0000-0x0000025D568BB000-memory.dmp
memory/3740-176-0x0000025D56890000-0x0000025D5689A000-memory.dmp
memory/3740-175-0x0000000059EB0000-0x0000000059EC1000-memory.dmp
memory/3740-171-0x0000025D56830000-0x0000025D5683C000-memory.dmp
memory/3740-170-0x0000025D56820000-0x0000025D5682B000-memory.dmp
memory/3740-169-0x00007FF837520000-0x00007FF837731000-memory.dmp
memory/3740-168-0x00007FF848940000-0x00007FF848ADF000-memory.dmp
memory/3740-180-0x0000025D568F0000-0x0000025D568FB000-memory.dmp
memory/3740-179-0x0000025D568D0000-0x0000025D568E4000-memory.dmp
memory/3740-178-0x0000000180000000-0x0000000180033000-memory.dmp
memory/3740-181-0x0000000059FF0000-0x000000005A368000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-06 07:51
Reported
2024-06-06 07:56
Platform
win10-20240404-en
Max time kernel
16s
Max time network
17s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\NLChecker.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-06 07:51
Reported
2024-06-06 07:56
Platform
win10v2004-20240508-en
Max time kernel
30s
Max time network
31s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\NLChecker.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| BE | 88.221.83.178:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 178.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-06 07:51
Reported
2024-06-06 07:56
Platform
win11-20240508-en
Max time kernel
0s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\NLChecker.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding