59a5632736ce0a74810969b57eedc5b27d24b7867393cb92c37d1b1591b6be81

Analysis

max time kernel
268s
max time network
274s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23-04-2024 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

poster copy.jpg
Size

474KB
MD5

c38cc38dfa5ae512d1841170da49ccc1
SHA1

a64033c83c25763f4a42c8a5c60185b3c27519b0
SHA256

59a5632736ce0a74810969b57eedc5b27d24b7867393cb92c37d1b1591b6be81
SHA512

965fd231f83726e5e57d2ef3b624e3ce3a8a37d2fcde61a1745d6ea46b41919f0bc8def67ae0079d8cebe03656d538fa7569f1874923acbf5c75ef24e19011c1
SSDEEP

12288:l+vhqYr1pbsJXQGJ/7xrvZgexHJ8hEsTvsT0ph:l+vhJrSrZge9o4U

Score

7^/10

ransomware

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

MLG.exe

pid process

1636 MLG.exe

pid	process
1636	MLG.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

Processes:

flow	ioc
132	camo.githubusercontent.com
133	camo.githubusercontent.com
134	camo.githubusercontent.com
154	drive.google.com
155	drive.google.com
156	drive.google.com
157	drive.google.com
131	camo.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
ransomware

Defacement
T1491

Modify Registry
T1112

Processes:

MLG.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.bmp" MLG.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.bmp"	MLG.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Control Panel 2 IoCs

evasion

Processes:

MLG.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\WallpaperStyle = "2"	MLG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\TileWallpaper = "0"	MLG.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings firefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	firefox.exe

NTFS ADS 3 IoCs

Processes:

firefox.exe7zFM.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\MLG.rar:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\EULA.txt:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO45A0584A\MLG.exe:Zone.Identifier	7zFM.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4744 NOTEPAD.EXE
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

2644 7zFM.exe

pid	process
4744	NOTEPAD.EXE

pid	process
2644	7zFM.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

firefox.exe7zFM.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	2420	firefox.exe
Token: SeDebugPrivilege	2420	firefox.exe
Token: SeDebugPrivilege	2420	firefox.exe
Token: SeDebugPrivilege	2420	firefox.exe
Token: SeDebugPrivilege	2420	firefox.exe
Token: SeDebugPrivilege	2420	firefox.exe
Token: SeDebugPrivilege	2420	firefox.exe
Token: SeRestorePrivilege	2644	7zFM.exe
Token: 35	2644	7zFM.exe
Token: SeSecurityPrivilege	2644	7zFM.exe
Token: 33	2400	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2400	AUDIODG.EXE
Token: SeDebugPrivilege	2420	firefox.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

firefox.exe7zFM.exe

pid process

2420 firefox.exe
2420 firefox.exe
2420 firefox.exe
2420 firefox.exe
2644 7zFM.exe
2644 7zFM.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

2420 firefox.exe
2420 firefox.exe
2420 firefox.exe
Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

firefox.exe

pid process

2420 firefox.exe
2420 firefox.exe
2420 firefox.exe
2420 firefox.exe
2420 firefox.exe
2420 firefox.exe
2420 firefox.exe
2420 firefox.exe
2420 firefox.exe
2420 firefox.exe

pid	process
2420	firefox.exe
2420	firefox.exe
2420	firefox.exe
2420	firefox.exe
2644	7zFM.exe
2644	7zFM.exe

pid	process
2420	firefox.exe
2420	firefox.exe
2420	firefox.exe

pid	process
2420	firefox.exe
2420	firefox.exe
2420	firefox.exe
2420	firefox.exe
2420	firefox.exe
2420	firefox.exe
2420	firefox.exe
2420	firefox.exe
2420	firefox.exe
2420	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 4288 wrote to memory of 2420	4288	firefox.exe	firefox.exe
PID 4288 wrote to memory of 2420	4288	firefox.exe	firefox.exe
PID 4288 wrote to memory of 2420	4288	firefox.exe	firefox.exe
PID 4288 wrote to memory of 2420	4288	firefox.exe	firefox.exe
PID 4288 wrote to memory of 2420	4288	firefox.exe	firefox.exe
PID 4288 wrote to memory of 2420	4288	firefox.exe	firefox.exe
PID 4288 wrote to memory of 2420	4288	firefox.exe	firefox.exe
PID 4288 wrote to memory of 2420	4288	firefox.exe	firefox.exe
PID 4288 wrote to memory of 2420	4288	firefox.exe	firefox.exe
PID 4288 wrote to memory of 2420	4288	firefox.exe	firefox.exe
PID 4288 wrote to memory of 2420	4288	firefox.exe	firefox.exe
PID 2420 wrote to memory of 992	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 992	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 3620	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 5000	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 5000	2420	firefox.exe	firefox.exe
PID 2420 wrote to memory of 5000	2420	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\poster copy.jpg"
1⤵
PID:4268

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4288

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.0.1856894760\1944202381" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1676 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e22e34c-d6eb-46bd-a368-962a660a4ecb} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 1780 21d82df5158 gpu
3⤵
PID:992

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.1.1762528581\1542053061" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9bfecccc-3a2d-4e71-994c-b98d5e5091a7} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 2136 21d82cfee58 socket
3⤵
PID:3620

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.2.35472776\789539696" -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 2756 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d9bcaa1-682e-4bf6-8bef-948faabe06c2} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 3048 21d82d6c158 tab
3⤵
PID:5000

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.3.1816382261\573649444" -childID 2 -isForBrowser -prefsHandle 3576 -prefMapHandle 3572 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1824fd3d-6112-44ef-9531-3db53775593c} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 3588 21d857b3258 tab
3⤵
PID:3784

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.4.841437538\1545827566" -childID 3 -isForBrowser -prefsHandle 4412 -prefMapHandle 4408 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {efbc9d3e-6a6e-4a5d-b958-aa5c7f29e719} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 4424 21d88ab1558 tab
3⤵
PID:2768

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.5.1247472796\806928633" -childID 4 -isForBrowser -prefsHandle 3800 -prefMapHandle 4800 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a324d82f-818b-4415-b0ac-702c6ee98b9b} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 4680 21d8935f258 tab
3⤵
PID:4088

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.6.981717931\133183534" -childID 5 -isForBrowser -prefsHandle 4976 -prefMapHandle 4980 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0af0722-f4c9-4ab7-b1a9-4a591e7ac78d} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 4968 21d89361058 tab
3⤵
PID:4520

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.7.1655557889\1043231382" -childID 6 -isForBrowser -prefsHandle 5172 -prefMapHandle 5176 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec188856-f55e-460c-8a9f-da64bca1f578} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 5160 21d8935fe58 tab
3⤵
PID:2460

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.8.56030557\1702739205" -childID 7 -isForBrowser -prefsHandle 5576 -prefMapHandle 3800 -prefsLen 29562 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b33a09a6-51a2-4345-8d02-7e9c136b24e9} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 5352 21d92829e58 tab
3⤵
PID:2356

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.9.1011419428\1760801480" -childID 8 -isForBrowser -prefsHandle 4484 -prefMapHandle 5716 -prefsLen 29737 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6faa3fd0-4c71-4f06-a72a-69148d67a9da} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 5352 21d8b75b158 tab
3⤵
PID:4164

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.10.129210850\1505843262" -parentBuildID 20221007134813 -prefsHandle 6032 -prefMapHandle 6028 -prefsLen 29737 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b43388b7-caff-41f5-91c4-bf026ffa278e} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 5952 21d8f08be58 rdd
3⤵
PID:3372

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.11.1815415335\157745347" -childID 9 -isForBrowser -prefsHandle 6156 -prefMapHandle 6152 -prefsLen 29737 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4ccb234-54a4-4c38-a418-117bd97fd288} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 6168 21d8f360358 tab
3⤵
PID:2184

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.12.1598949687\1272446004" -childID 10 -isForBrowser -prefsHandle 5752 -prefMapHandle 5756 -prefsLen 29777 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e235133-3690-4c24-b4db-7574b9274d4f} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 4660 21d8e320b58 tab
3⤵
PID:5676

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.13.1531255879\1860303062" -childID 11 -isForBrowser -prefsHandle 5448 -prefMapHandle 5628 -prefsLen 29777 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d9da70b-efb5-4aca-92bc-e87aca89860a} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 5440 21d8f088258 tab
3⤵
PID:5976

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2420.14.841426523\1867323797" -childID 12 -isForBrowser -prefsHandle 4440 -prefMapHandle 6552 -prefsLen 29777 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {47c3b915-e383-42be-8702-ce70ccaa2666} 2420 "\\.\pipe\gecko-crash-server-pipe.2420" 3528 21d9282a158 tab
3⤵
PID:5340

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\EULA.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4744

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\MLG.rar"
1⤵
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2644

C:\Users\Admin\AppData\Local\Temp\7zO45A0584A\MLG.exe
"C:\Users\Admin\AppData\Local\Temp\7zO45A0584A\MLG.exe"
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Modifies Control Panel
PID:1636

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x428
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2400

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\cache2\entries\C72D4296C2EBC6FD41A9F780CD0C8F30F0FF937C
Filesize
13KB

MD5
0d079bf0645b0e4b391280136ae3f3a0

SHA1
9dfe2e2cc27ec0a6a6b6c48962e1913650bd4e8d

SHA256
702e56324b2c66a9bdac3b69e2e98a95df6ad68e7053f31461043052acccefdf

SHA512
43db4353ce15cf1f2c3c1cb290f75f5bbe32ea2c3c5c166998bf8dca76405ec3c73dbd80c1c78ffedc12d0e952ed3f557512acac4f9d9ac0a6defdf10895461f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\41eh5pdr.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize
7KB

MD5
c460716b62456449360b23cf5663f275

SHA1
06573a83d88286153066bae7062cc9300e567d92

SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO45A0584A\MLG.exe
Filesize
14.3MB

MD5
634728f2fe391f5369bf655cc7c2b482

SHA1
9da51bfb54343dc4d9220c3bb785dd2a1ea7c17e

SHA256
f6d1641642cebcdbef6bb2f110d0e3c6b592679d18f9dea71ac484c518417ea8

SHA512
07d0d3ec375e441e128bc9c5d2067f983bee1967e3075c3b76ddc5339ecccaf28fe2d626bb237ea2ba1aac475136c8be33a7e11a61286a70406fae95cf90e3ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
19KB

MD5
fe11eebeed07c9c95ad284ebe203d402

SHA1
754eecbc7cbc18079cc06313ec352c99f5a16665

SHA256
b15fbd0d570c5642b162867c4c027dd6a83284d011522bf523ad1a4c1e345c13

SHA512
9950679c04297f3328b24cd1d53e9fb89527ca6d8c2d4e9e6e48b47f379ff85b73af53cf500a4b7f0f89879bbbdd3ec13b0bf9af1a1deb05436c774aac196342

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\db\data.safe.bin
Filesize
2KB

MD5
f9d4e64f2d77d5d723e303f492b1c1c6

SHA1
e989bd0e5668b3b4094303a1ca187e2f67db9335

SHA256
bc055281e56f6ec2108c69e777b8fdf276cf291a67f728da11c6fed66c4df181

SHA512
75c75d47ba06f41ced5b8ef330d48a8de6b3aed1ff7205f36945ca297e745a5b3d29964b7d87a7d7341e168e889567fd1f9d1d8e6a62872d9ebc19a2888d449d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\6ab39e12-9d11-42fb-8077-885573ebfa3b
Filesize
11KB

MD5
a553de20e674fdbe71d5d7508615a9d0

SHA1
470f0b7a3aabf8c803d91cd4be52acaa57a3ccf9

SHA256
4b82070f6a25ed0ac7752c5edb77bfec03352d11f95c860e5c657216c3c99e64

SHA512
93add0716b4d3c937579542a6494088c9ec8c6ce266a663c3a88c606db2e7cae4da48d58fcaba0f67a1c8fa242bbc78ae35f585d2601c1a8f3fd571112812534

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\datareporting\glean\pending_pings\af4e617f-4141-4512-a0cf-cdb4f2455f76
Filesize
746B

MD5
78b97d0dbfc264606f608e9fbb833086

SHA1
a202aded2c1b426e6c68f42fb29276362b38ca07

SHA256
e6fc0b7ded824f04394dc3a5f07c5576f37e88e86084143cdc4bce0d481d901f

SHA512
c62323261a795563691a8c22b048d7398309c472ec0d3a853b5f9b2205c2aad33cb11dbd29b4c64790a77145f5e035e6eee9bc8e299296e5b5dd880f7822c681

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js
Filesize
10KB

MD5
f7625317ba43441c17c8f172dd0546b9

SHA1
3b54916796416f54c1490ef3d3245a826d3dc84e

SHA256
c3d7437ef04deb1f141cbbe17c66fb8ad031cf8fb6f036429a7afbac824cdb35

SHA512
ba23b3d455c2b5bacb74e2830a65bb4c6dcebd1474a5102de296a4a6d7b4862f21bd0b83935440f7129443731b6b3c4f284cb9b4d1f6a4abd510a5a0277b831b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs-1.js
Filesize
7KB

MD5
61d2b9f974e32070d678f09bc11af7e3

SHA1
4497edbd2f3cc2994d9427ab1030a1e2fe57c27a

SHA256
5ee37960cc8e81857df3d728993503a31b8fedf395c1414175d7a1d0b4aa22a3

SHA512
12c7e8116a76b419f1c0cb3798b8a86ce1a68fc201c161b73b1e4fb3559879bfc0cd05d67bd7de8cc43040af0493c4be65b7e41c1ab46341ba1b22d69d744997

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs.js
Filesize
6KB

MD5
47a3018d6f2cf92def15cac5d4657c1b

SHA1
58bf49fc564085971366e25a9db5e26ca1c9727d

SHA256
0ba954aacb299e9f7493fac179fc8f2be362b0f9929c3a9119a369aef173cca8

SHA512
2eddbe4ddf9fb76642f77e5a45a59ac7a195ff42a1716ffb2cc1bd3c172fa427f8ddc4650a3716964cf473c5a1e089de2dbdecce62c1cc3867e16dd8e43b5c56

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\prefs.js
Filesize
6KB

MD5
d6e2564880cd90f1119d002ae1f51766

SHA1
a2de1cfce0385a1620c252acbc092991e98b91fd

SHA256
6f6ba941dca3efe3e159b941dbc39f367003810e5d1ab73019152cfe1939822b

SHA512
94441dcab44bc763cfc19876dbe1e1e5da40d1ab00905de192510af18d453e99576990fd3e6c31886fe676e43bcc87b645f17e92c775552779584e1b71311a6b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
8KB

MD5
7ad5a1833f5ae41b94af83c878e2d5c0

SHA1
ebdf5c4ea3d361b2be515dc5ce4d1b75a251ac49

SHA256
22fa07c9e34504642fac2ca5ee2bbae8d228e3a345d0cf6791725b091d8eb5b2

SHA512
baa00f61319b707f8effb359546365d4ffab822775dd18a273d796923c9200bfa4944a82c41b624d948b2d9830037ba38c6e62664065b7d831e4c76ed9f57ba9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
719123b23b1ba79020be5492e7b80019

SHA1
6cd8613ec6ca678c04df6da30d9f780a9e7e5939

SHA256
91003332238156876694561e63ba4432a06d08f4cf74f5719c5a8292daa2c62d

SHA512
2eaa28a06f56d95c6dd391293a84844d4b8d18e8b375912092b6c281db453baffdf49b189226c15d35b98cad37b928643d25aef3746cd10ba471e6c322e98fab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
6a91814421ee083c38befe17b691e5e1

SHA1
84584fe3274374f479c2483659c01f3a32ea65cf

SHA256
374933866c96d49d9c80ead9da6c2f6843904978b0f27bd955b5bdc16a8733b0

SHA512
a7e2e5887543dd5090c05333460cd7032d20405634549430a333ba90b12111059767a71f1aec5ca813ed37d27632fe6671cdb855e810eb9b3c9dd3b1a8df6bba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
8KB

MD5
6a5de58ef838f4a3f7845fd96b4243e3

SHA1
96d72dd483b1cefc938a9cd6a37ac88f0e7f5dfe

SHA256
0542d9b2878b0dc2d4f48cf0cb131b4b687f2acd8a80127bfd8c322e89dd6041

SHA512
b8cc3c2ae7e285021e02c7dde8b9ea23625cd844cc0f280003a3e0300cb8d5d71419945bd0ff8adfea9859165c9113ca2c8edcd858484fd1d7c1f87b0aa453fc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
8KB

MD5
72125f59ec12ff72462e8a9067d7dcc9

SHA1
4bbdd6d6ad16c3eb6474265ec3dcf872b0515eb6

SHA256
c4028a575b1dda606bceff142e17c1285838da7acb0389f0eb0fd189e0fc5af6

SHA512
3628bee1728640c925f0e75f50609fc8d465b42543b208d89554925b2684e62a0b2ce56b20f0087ec0828898ede5c11d5f6c182cf9073c5278f273d3618c44df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1KB

MD5
71be7f78649fdf83d0cdb040a21d7f0e

SHA1
78f8a7afac864a2044e8326876c175a49813a770

SHA256
564a5e6b9abb4a5c2381405de330fd8cc8d48abb78dabd0f9b60d2037bf70b6c

SHA512
f7b3104fe2aeebed379753e9f507ebbb7c77ceb2d07cb3c5304e7ee05bdabbaf1221315da38b694c459e7d2566cafe7a94debfe8e2cf69877f3c006094b6813b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
7261c56aef5503145ee8a577fcacb26c

SHA1
965c3180cf27f3288a879461db1bbe6d4354108f

SHA256
7deb1ddf10c6db0c16719384d5f10a2dcb00a8d8375c4ec7d265804c1bf9e2b0

SHA512
ab529307c4d413c436dd6b668bd3985f59b974f65e91e1b9ad828950e2f6e2ea8ecf7e1409b6626277541fd32fe4455ec3b1e3e3e9117c81b186092228525fac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
5KB

MD5
d155b2148de36d157e8aeff21759e51c

SHA1
3618312aeb956d4c6e09c8c60e41cdaa3bdc6709

SHA256
22b7da918a0c7a14ac8f1f055a2573fbe49f4717f0e19003f43edd5a8c671c1f

SHA512
e45a8105d121ac0eb35b78cb5a68f0b4936e3a173e402b6bf70226b3d774e1ed4a885a54fb7882ee0d2d5ece0a61c82fbb153a3d5b0fd9014548142e49dfa117

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\storage\default\https+++www.youtube.com^partitionKey=%28https%2Cgoogle.com%29\idb\2232182701SeesravbiacteaWDosrgk.sqlite
Filesize
48KB

MD5
997a3bac033ad0ddabe1fedf99d01015

SHA1
a54f69cb6388f587b7cc000692991a7a192d2234

SHA256
43e16e4fe21ba06cbf15d5b6a4ba57cae3e55a15fcd9b0cd1a7bc51ab3d25775

SHA512
f0b038af59c80341b388d22f3f55ecfa35b45b98d38ce4e500e85e42854339a3c144be7feba439f0da8bc8aa4fdef72e0b744716bc9fa84a29c141523273eb83

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\41eh5pdr.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
Filesize
7.7MB

MD5
fa756fe8825aa81c3901a0a551d7afec

SHA1
7456d906fb89c84318901945af58e0c99fd2f036

SHA256
83ccc0cb1c2fb5c76ec87358aebb10bb681559625dfcbff7c6568f625af6120c

SHA512
0f51f6468638139ea3e0c4c08e60f789591f402023c6365bc9ca2b9bc25db28a076d4b7afc8c3a6ebfaae4a6e770733560ccecf040f55fea61d0aa05ff755fe8

Download Submit
C:\Users\Admin\Downloads\MLG.Dbdy1EfY.rar.part
Filesize
24KB

MD5
46bb190b41d6959b3e9c538e05134308

SHA1
cb682c4b15aa6212599d3be31c1fa0356f67909a

SHA256
6d3d4fab38568a4b06dde14a1f6f59902ba3a548b1da437f68541be82e16b152

SHA512
666d7d2bb3209c1cd1182f0ca826c4de488c1d58a9ddae703273fec64b7389ed96d69a68e7f74ef8858101def35075562fc2e568c37524f76f8f8851062e31d7

Download Submit
C:\Users\Admin\Downloads\MLG.rar
Filesize
10.9MB

MD5
7c7fb86210ab287c5b1b8da0e493818e

SHA1
fd0c9501f63ab40ad21b18f744c0ab126407b305

SHA256
adad0eaee2468fbff99e0089b10b1afec28044a67c100bc70c90f24782a778fe

SHA512
d5e19368b06b73700e1f5b1bbd962ee5ef0293c8eea6f70ef2fe38681c2101f22b5ef6ad42208a0a1439e0435dd830cd94f673cb1756f0a078a181d94e7ec90b

Download Submit
C:\Users\Admin\Downloads\QhVeWCbe.txt.part
Filesize
1KB

MD5
73260f26eceb865bdcdd0c6dcb048734

SHA1
d6151f79bcc9cf4cdc1eaa856aee48ebeed5e6dd

SHA256
feeda441eef6bb3787db9dccfebf00f70ef30f5881ff2cb089f3e1dbc06d0c30

SHA512
2104cefa4087c91238a21b094f26bd48d188d6c40488b68c9656d47e1853a50533a4e5b2abda5b922572e01f60aee3b7d7e594c0f7e3491c3afe8f2fffbb5b4a

Download Submit
memory/1636-2826-0x000002CE66A60000-0x000002CE66A70000-memory.dmp

Filesize
64KB

Download
memory/1636-2808-0x000002CE66A60000-0x000002CE66A70000-memory.dmp

Filesize
64KB

Download
memory/1636-2816-0x000002CE66A60000-0x000002CE66A70000-memory.dmp

Filesize
64KB

Download
memory/1636-2825-0x00007FFE94620000-0x00007FFE9500C000-memory.dmp

Filesize
9.9MB

Download
memory/1636-2806-0x00007FFE94620000-0x00007FFE9500C000-memory.dmp

Filesize
9.9MB

Download
memory/1636-2829-0x000002CE66A60000-0x000002CE66A70000-memory.dmp

Filesize
64KB

Download
memory/1636-2832-0x000002CE66A60000-0x000002CE66A70000-memory.dmp

Filesize
64KB

Download
memory/1636-2845-0x000002CE66A60000-0x000002CE66A70000-memory.dmp

Filesize
64KB

Download
memory/1636-2868-0x000002CE66A60000-0x000002CE66A70000-memory.dmp

Filesize
64KB

Download
memory/1636-2880-0x000002CE66A60000-0x000002CE66A70000-memory.dmp

Filesize
64KB

Download
memory/1636-2807-0x000002CE63FB0000-0x000002CE64E08000-memory.dmp

Filesize
14.3MB

Download