File name:

Nightlight-Game-Launcher-NLLauncherV3.zip

Full analysis: https://app.any.run/tasks/676d3f37-d206-47d2-8ae0-4bc7096c32ff
Verdict: Malicious activity
Analysis date: June 20, 2024, 17:08:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

B49F77FAB8ACD52A8037895927BFCA47

SHA1:

58FB309602395D3F2C78A1B1F93A7CDA960C97AD

SHA256:

C7E6730AED6ACD7E28A4E9B9AD73E7E35E0AACE769543318E312E52A5A23C38F

SSDEEP:

98304:lbBVwg0+J0tMim8QKM/MsZhGpmv/5irkRODYHaozcf6gRdKluO/XkxfwH3GMmKSj:gwYCdrSAePS0oz/NmBoyi+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3700)

  • SUSPICIOUS

    • Reads settings of System Certificates

      • NLGL.exe (PID: 3320)

    • Reads the Internet Settings

      • NLGL.exe (PID: 3320)

  • INFO

    • Reads the machine GUID from the registry

      • NLGL.exe (PID: 3320)

    • Reads the computer name

      • NLGL.exe (PID: 3320)

    • Disables trace logs

      • NLGL.exe (PID: 3320)

    • Manual execution by a user

      • control.exe (PID: 2708)
      • NLGL.exe (PID: 3320)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3700)

    • Reads Environment values

      • NLGL.exe (PID: 3320)

    • Reads the software policy settings

      • NLGL.exe (PID: 3320)

    • Checks supported languages

      • NLGL.exe (PID: 3320)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:06:18 12:57:20
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Nightlight-Game-Launcher-NLLauncherV3/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
49
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe PhotoViewer.dll no specs nlgl.exe control.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1828C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2708"C:\Windows\System32\control.exe" SYSTEMC:\Windows\System32\control.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Control Panel
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\control.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3320"C:\Users\admin\Desktop\NLGL.exe" C:\Users\admin\Desktop\NLGL.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Nightlight Launcher
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\nlgl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
3700"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Nightlight-Game-Launcher-NLLauncherV3.zipC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
Total events
11 560
Read events
11 505
Write events
55
Delete events
0

Modification events

(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3700) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Nightlight-Game-Launcher-NLLauncherV3.zip
(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
11
Suspicious files
0
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3700.12803\Nightlight-Game-Launcher-NLLauncherV3\Modules\GTAV\launc.dllexecutable
MD5:54DB45E017F53F9D94CB4B941098F4AB
SHA256:CA5C7F415B7810A984778823E8052D18FFC4C2AAD1BB1F512FC6F8604E418EF9
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3700.12803\Nightlight-Game-Launcher-NLLauncherV3\Launchers\RDR2Launcher.pytext
MD5:8D0190463D6E736C9B796772BA08CEF3
SHA256:D53A607BEDC90F124A10CFE6A6E6FD0C7A766395E71B47EC8634A9494337595B
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3700.12803\Nightlight-Game-Launcher-NLLauncherV3\Modules\GTAV\PlayGTAV.exeexecutable
MD5:7B43B28B900A6F424424B130355143B4
SHA256:09AD7647EA9B4AFCA94B33EFC9341CACDB248773778620C38F76565E59F383AD
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3700.12803\Nightlight-Game-Launcher-NLLauncherV3\Modules\GTAV\orig_socialclub.dllexecutable
MD5:0FE478ED14CD81342DC54022C0E5BDC2
SHA256:B0D37C9CC7B5D47D0D7122C201060422B5B265BD30339F9D56B3E430B5F28372
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3700.12803\Nightlight-Game-Launcher-NLLauncherV3\Modules\MCForWIN10\Launcher.exeexecutable
MD5:0D99A45748E44931D02FB41E9109E75F
SHA256:AF297A03AA02C3F3F77AB8C61D9E89F952C7EE41E646D6A93A0E2F050EB7C81F
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3700.12803\Nightlight-Game-Launcher-NLLauncherV3\Modules\MCForWIN10\Custom.dllexecutable
MD5:28C87BB3B0A5CA2C9808E83993C3DA03
SHA256:C53E2FE707E0A58286C0CA7E15988C7E07A5C6609744465D5099131D115D4A3D
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3700.12803\Nightlight-Game-Launcher-NLLauncherV3\Modules\RDR2\RDR2Launcher.exeexecutable
MD5:575F03BF8910A59C64ADA326F006810C
SHA256:539E9978502075D9A6927DC9ED82EFCCC9D1AADF19BD75B1E7A680B7300DB0D0
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3700.12803\Nightlight-Game-Launcher-NLLauncherV3\README.mdtext
MD5:96896822FC574988B17C8CBBA0306B9E
SHA256:AB6C7C6731513EA0ECA0FF6FB197237090BE466341BF45A585419C00F1BBBC23
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3700.12803\Nightlight-Game-Launcher-NLLauncherV3\SCRS\NLLMAIN.PNGimage
MD5:5B59B655AAA820C2AED2F3FA0C4F58A1
SHA256:9A6D4A0049831AB0CF389A8AD582E4EC5357BBE420B556950F3CDEBFFC0DBDA2
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa3700.12803\Nightlight-Game-Launcher-NLLauncherV3\Modules\GTAV\socialclub.dllexecutable
MD5:0078A3357B01B569B7168DF06B951C38
SHA256:2130A3195FC093D2EB138D7E9A795461936F6F358FC98A67DEA3AE5EFFD6A2D7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
15
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
193.108.153.18:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
DE
unknown
1060
svchost.exe
GET
304
217.20.58.99:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a9f83325acc8ca75
US
unknown
1372
svchost.exe
GET
200
23.48.23.143:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
DE
binary
1.01 Kb
unknown
1372
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
DE
binary
973 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1372
svchost.exe
4.231.128.59:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
1060
svchost.exe
224.0.0.252:5355
unknown
1372
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1372
svchost.exe
193.108.153.18:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
23.48.23.143:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
unknown
1060
svchost.exe
217.20.58.99:80
ctldl.windowsupdate.com
US
unknown
3320
NLGL.exe
13.107.42.12:443
koyxlw.am.files.1drv.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
ctldl.windowsupdate.com
  • 193.108.153.18
  • 193.108.153.12
  • 217.20.58.99
  • 217.20.58.101
  • 217.20.58.98
  • 217.20.56.44
  • 217.20.58.100
whitelisted
crl.microsoft.com
  • 23.48.23.143
  • 23.48.23.156
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
koyxlw.am.files.1drv.com
  • 13.107.42.12
unknown
github.com
  • 140.82.121.4
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Nightlight-Game-Launcher-NLLauncherV3.zip