Analysis Overview
SHA256
64ab805160794a3ce8b818c6b0c438a79623727fc7ec6f38a31655323450ec89
Threat Level: Likely malicious
The file Devotion.rar was found to be: Likely malicious.
Malicious Activity Summary
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
Detects Pyinstaller
Unsigned PE
Enumerates physical storage devices
Opens file in notepad (likely ransom note)
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Modifies registry class
NTFS ADS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 17:51
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-10 17:51
Reported
2024-05-10 17:54
Platform
win10-20240404-en
Max time kernel
131s
Max time network
145s
Command Line
Signatures
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Processes
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\blacklist.txt
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.162.46.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 17:51
Reported
2024-05-10 17:54
Platform
win10-20240404-en
Max time kernel
147s
Max time network
142s
Command Line
Signatures
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Downloads\winrar-x64-700.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\Downloads\winrar-x64-700.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Devotion.rar
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2340.0.66177261\1806144416" -parentBuildID 20221007134813 -prefsHandle 1724 -prefMapHandle 1716 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fbde589-e5c8-4ea2-9f70-d2a5794ab492} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" 1812 1c04b8c8658 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2340.1.33083926\522662261" -parentBuildID 20221007134813 -prefsHandle 2156 -prefMapHandle 2152 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {691d38d2-cbd4-49e0-9540-07c0aee14c78} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" 2168 1c040870a58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2340.2.1878647752\474308108" -childID 1 -isForBrowser -prefsHandle 3012 -prefMapHandle 2932 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b34f696-7ecf-4bbe-8941-54243d4394db} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" 3004 1c04b85e158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2340.3.1393364663\1266820307" -childID 2 -isForBrowser -prefsHandle 3492 -prefMapHandle 3488 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d201b7ac-7526-4ff8-a1aa-baafe755b4e1} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" 3472 1c040862558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2340.4.1692668076\1722216802" -childID 3 -isForBrowser -prefsHandle 3980 -prefMapHandle 3988 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5551c701-c999-4b09-89a3-02a62edad107} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" 3992 1c050f7eb58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2340.5.345770495\531071219" -childID 4 -isForBrowser -prefsHandle 4300 -prefMapHandle 4816 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {755317c0-0751-47c5-bef0-995b98afc29b} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" 4824 1c051bf2858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2340.6.893198203\924867005" -childID 5 -isForBrowser -prefsHandle 4980 -prefMapHandle 4984 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a75f433d-3218-466f-be11-4bfb8efd870e} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" 4844 1c05222e858 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2340.7.268163047\1942665104" -childID 6 -isForBrowser -prefsHandle 5156 -prefMapHandle 5160 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b5e654c9-3443-418e-84f3-13706fe84717} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" 5260 1c05222eb58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2340.8.2069492340\7655912" -childID 7 -isForBrowser -prefsHandle 4064 -prefMapHandle 4080 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3e771e9-3547-4314-9572-eccd9b69a8fb} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" 4052 1c050f7d958 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2340.9.400800236\557827580" -childID 8 -isForBrowser -prefsHandle 4852 -prefMapHandle 4840 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc19fdd1-be1c-4093-a7fa-8eab7f2b01e7} 2340 "\\.\pipe\gecko-crash-server-pipe.2340" 4920 1c04bb27b58 tab
C:\Users\Admin\Downloads\winrar-x64-700.exe
"C:\Users\Admin\Downloads\winrar-x64-700.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 17:51
Reported
2024-05-10 17:54
Platform
win10-20240404-en
Max time kernel
142s
Max time network
136s
Command Line
Signatures
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Devotion.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Devotion.exe
"C:\Users\Admin\AppData\Local\Temp\Devotion.exe"
C:\Users\Admin\AppData\Local\Temp\Devotion.exe
"C:\Users\Admin\AppData\Local\Temp\Devotion.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mode 133, 30
C:\Windows\system32\mode.com
mode 133, 30
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title D
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title De
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Dev
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devo
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devot
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devoti
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devotio
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devotion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devotion
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devotion M
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devotion Ma
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devotion Mas
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devotion Mass
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devotion Mass
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devotion Mass D
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devotion Mass DM
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devotion Mass DM
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devotion Mass DM -
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devotion Mass DM -
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devotion Mass DM - L
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devotion Mass DM - Lo
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devotion Mass DM - Log
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devotion Mass DM - Logi
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devotion Mass DM - Login
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devotion Mass DM - Login
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devotion Mass DM - Login H
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devotion Mass DM - Login Hu
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Devotion Mass DM - Login Hub
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.64.52.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI18882\setuptools-56.0.0.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
C:\Users\Admin\AppData\Local\Temp\_MEI18882\python39.dll
| MD5 | 1d5e4c20a20740f38f061bdf48aaca4f |
| SHA1 | de1b64ab5219aa6fef95cd2b0ccead1c925fd0d0 |
| SHA256 | f8172151d11bcf934f2a7518cd0d834e3f079bd980391e9da147ce4cff72c366 |
| SHA512 | 9df64c97e4e993e815fdaf7e8ecbc3ce32aa8d979f8f4f7a732b2efa636cfeb9a145fe2c2dcdf2e5e9247ee376625e1fdc62f9657e8007bb504336ac8d05a397 |
C:\Users\Admin\AppData\Local\Temp\_MEI18882\VCRUNTIME140.dll
| MD5 | 18049f6811fc0f94547189a9e104f5d2 |
| SHA1 | dc127fa1ff0aab71abd76b89fc4b849ad3cf43a6 |
| SHA256 | c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db |
| SHA512 | 38fa01debdb8c5369b3be45b1384434acb09a6afe75a50a31b3f0babb7bc0550261a5376dd7e5beac74234ec1722967a33fc55335b1809c0b64db42f7e56cdf7 |
C:\Users\Admin\AppData\Local\Temp\_MEI18882\base_library.zip
| MD5 | c6b38adf85add9f9a7ea0b67eea508b4 |
| SHA1 | 23a398ffdae6047d9777919f7b6200dd2a132887 |
| SHA256 | 77479f65578cf9710981255a3ad5495d45f8367b2f43c2f0680fce0fed0e90fb |
| SHA512 | d6abc793a7b6cc6138b50305a8c1cad10fa1628ca01a2284d82222db9bd1569959b05bdf4581d433ff227438131e43eec98bf265e746b17e76b1c9e9e21d447d |
C:\Users\Admin\AppData\Local\Temp\_MEI18882\_ctypes.pyd
| MD5 | 7322f8245b5c8551d67c337c0dc247c9 |
| SHA1 | 5f4cb918133daa86631211ae7fa65f26c23fcc98 |
| SHA256 | 4fcf4c9c98b75a07a7779c52e1f7dff715ae8a2f8a34574e9dac66243fb86763 |
| SHA512 | 52748b59ce5d488d2a4438548963eb0f2808447c563916e2917d08e5f4aab275e4769c02b63012b3d2606fdb5a8baa9eb5942ba5c5e11b7678f5f4187b82b0c2 |
\Users\Admin\AppData\Local\Temp\_MEI18882\python3.dll
| MD5 | ea3cd6ac4992ce465ee33dd168a9aad1 |
| SHA1 | 158d9f8935c2bd20c90175164e6ca861a1dfeedb |
| SHA256 | 201f32a2492b18956969dc0417e2ef0ff14fdbf57fb07d77864ed36286170710 |
| SHA512 | ebae7c4d134a2db79938c219fa0156b32ec2b9a57a92877e9283ce19d36b40bf7048ca4d9743e1a1d811f6cb1c7339a6dd53c48df81838e5c962be39bf6d5d3b |
C:\Users\Admin\AppData\Local\Temp\_MEI18882\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
\Users\Admin\AppData\Local\Temp\_MEI18882\_socket.pyd
| MD5 | 478abd499eefeba3e50cfc4ff50ec49d |
| SHA1 | fe1aae16b411a9c349b0ac1e490236d4d55b95b2 |
| SHA256 | fdb14859efee35e105f21a64f7afdf50c399ffa0fa8b7fcc76dae4b345d946cb |
| SHA512 | 475b8d533599991b4b8bfd27464b379d78e51c41f497e81698b4e7e871f82b5f6b2bfec70ec2c0a1a8842611c8c2591133eaef3f7fc4bc7625e18fc4189c914e |
C:\Users\Admin\AppData\Local\Temp\_MEI18882\select.pyd
| MD5 | fed3dae56f7c9ea35d2e896fede29581 |
| SHA1 | ae5b2ef114138c4d8a6479d6441967c170c5aa23 |
| SHA256 | d56542143775d02c70ad713ac36f295d473329ef3ad7a2999811d12151512931 |
| SHA512 | 3128c57724b0609cfcaca430568d79b0e6abd13e5bba25295493191532dba24af062d4e0340d0ed68a885c24fbbf36b7a3d650add2f47f7c2364eab6a0b5faff |
C:\Users\Admin\AppData\Local\Temp\_MEI18882\_bz2.pyd
| MD5 | a991152fd5b8f2a0eb6c34582adf7111 |
| SHA1 | 3589342abea22438e28aa0a0a86e2e96e08421a1 |
| SHA256 | 7301fc2447e7e6d599472d2c52116fbe318a9ff9259b8a85981c419bfd20e3ef |
| SHA512 | f039ac9473201d27882c0c11e5628a10bdbe5b4c9b78ead246fd53f09d25e74c984e9891fccbc27c63edc8846d5e70f765ca7b77847a45416675d2e7c04964fc |
C:\Users\Admin\AppData\Local\Temp\_MEI18882\_lzma.pyd
| MD5 | cdd13b537dad6a910cb9cbb932770dc9 |
| SHA1 | b37706590d5b6f18c042119d616df6ff8ce3ad46 |
| SHA256 | 638cd8c336f90629a6260e67827833143939497d542838846f4fc94b2475bb3e |
| SHA512 | c375fb6914cda3ae7829d016d3084f3b5b9f78f200a62f076ec1646576f87694eec7fa6f1c99cbe30824f2fe6e2d61ecdeb50061383b12143cd2678004703199 |
C:\Users\Admin\AppData\Local\Temp\_MEI18882\pyexpat.pyd
| MD5 | 498c8acaf06860fe29ecc27dd0901f89 |
| SHA1 | cebd6c886fca3c915d3a21382ea1c11a86738a3e |
| SHA256 | e338df1432d8e23c0399f48fa2019fbaa3051fae6e7d214c731a0b8de7d0388e |
| SHA512 | b84ea694feb4f5d13d53dd928603e744b29bc611357ac9350b460bd9f8876f3f0489d289ab2cf53e86dc497e98ebf60cfe4fbe08a5e3320505a191d23de035ee |
C:\Users\Admin\AppData\Local\Temp\_MEI18882\win32api.pyd
| MD5 | 0afa0ac73c1659570e529f51f3a0d8c6 |
| SHA1 | f4f7d659bcac3409395aa92a72ba90d0c7db204f |
| SHA256 | b541e3d53be2db7da8e1c16496958fc6c8034ccc8ac763fd00e4a6fbd1162944 |
| SHA512 | 0bb76bd92cbbd8f1f42a309b9f17124136032a41f7e75977fff4e208794218ed01574c7253a75fa7254cfcdb5f7920ebd8847fff9e851c3a6559eb6ed80590fe |
C:\Users\Admin\AppData\Local\Temp\_MEI18882\pywintypes39.dll
| MD5 | 977f7ef232671b94251d8eaddd15390d |
| SHA1 | 97d9035a5f21df0267f4ae8cd203a92917aab970 |
| SHA256 | 4ece6771f1206b99dba4e5cf988051472f530bf90bb3114d3fd7377b3f34dfa6 |
| SHA512 | 1f556c661d3dd963cd563230a1ac1707905ffbfb3d76081f3dd316b40ce55ce1bfcc431f744de98ab3249760d4386cccd54a483b01f98017ff75c6603d316988 |
\Users\Admin\AppData\Local\Temp\_MEI18882\pythoncom39.dll
| MD5 | 3d4173aaa79ba343f2aa7c1ef69171cc |
| SHA1 | 43f410e02c0b5b8f7dc8c2ebf82c7584050f5674 |
| SHA256 | bceebaba98080a11b7eb83c8d43357a8b3387eeb03f40acccd834cf8f47316a1 |
| SHA512 | 76322c3646050559695355a931d310283e9672cf95742de676884e9810a5440f2b13d84f007bae8d996d67ab20d546cd616eeeb7a47f0cfe63424c901c9dddf0 |
C:\Users\Admin\AppData\Local\Temp\_MEI18882\_ssl.pyd
| MD5 | cf7886b3ac590d2ea1a6efe4ee47dc20 |
| SHA1 | 8157a0c614360162588f698a2b0a4efe321ea427 |
| SHA256 | 3d183c1b3a24d634387cce3835f58b8e1322bf96ab03f9fe9f02658fb17d1f8c |
| SHA512 | b171f7d683621fdab5989bfed20c3f6479037035f334ea9a19feb1184f46976095a7666170a06f1258c6ddf2c1f8bdb4e31cbfd33d3b8fa4b330f097d1c09d81 |
C:\Users\Admin\AppData\Local\Temp\_MEI18882\libssl-1_1.dll
| MD5 | 50bcfb04328fec1a22c31c0e39286470 |
| SHA1 | 3a1b78faf34125c7b8d684419fa715c367db3daa |
| SHA256 | fddd0da02dcd41786e9aa04ba17ba391ce39dae6b1f54cfa1e2bb55bc753fce9 |
| SHA512 | 370e6dfd318d905b79baf1808efbf6da58590f00006513bdaaed0c313f6fa6c36f634ea3b05f916cee59f4db25a23dd9e6f64caf3c04a200e78c193027f57685 |
C:\Users\Admin\AppData\Local\Temp\_MEI18882\libcrypto-1_1.dll
\Users\Admin\AppData\Local\Temp\_MEI18882\_pytransform.dll
C:\Users\Admin\AppData\Local\Temp\_MEI18882\_asyncio.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI18882\_overlapped.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI18882\multidict\_multidict.cp39-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI18882\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI18882\_uuid.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI18882\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI18882\yarl\_quoting_c.cp39-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI18882\aiohttp\_helpers.cp39-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI18882\aiohttp\_http_writer.cp39-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI18882\_brotli.cp39-win_amd64.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI18882\VCRUNTIME140_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI18882\MSVCP140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI18882\aiohttp\_http_parser.cp39-win_amd64.pyd
\Users\Admin\AppData\Local\Temp\_MEI18882\aiohttp\_websocket.cp39-win_amd64.pyd
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-10 17:51
Reported
2024-05-10 17:54
Platform
win10-20240404-en
Max time kernel
133s
Max time network
136s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Devotion.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-10 17:51
Reported
2024-05-10 17:54
Platform
win10-20240404-en
Max time kernel
132s
Max time network
136s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\READ ME.md"
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.64.52.20.in-addr.arpa | udp |