discordrat | hxxps://gofile[.]io/d/vg1Pjm

Analysis

max time kernel
78s
max time network
77s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-10-2024 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/vg1Pjm

Score

10^/10

discordrat defense_evasion discovery persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI5MzY4MTEyNTMyMjkyMDAyMg.GHJfv9.tfuMP5Xy9zJB67D_6d0UpD39_ZIr6TqJf5Y6EM
server_id
1293975894108540940

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
3916	Znyth_test.exe
900	Znyth_test.exe
2520	Znyth_test.exe
1360	Znyth_test.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
68	discord.com
74	discord.com
2	discord.com
32	discord.com
34	discord.com
45	discord.com
49	discord.com
66	discord.com
75	discord.com
43	discord.com
47	discord.com
73	discord.com
76	discord.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Znyth_test.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	firefox.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 955298.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Znyth_test.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1672	msedge.exe
1672	msedge.exe
1040	msedge.exe
1040	msedge.exe
1752	identity_helper.exe
1752	identity_helper.exe
3392	msedge.exe
3392	msedge.exe
4696	msedge.exe
4696	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3916	Znyth_test.exe
Token: SeDebugPrivilege	900	Znyth_test.exe
Token: SeDebugPrivilege	2520	Znyth_test.exe
Token: SeDebugPrivilege	3592	firefox.exe
Token: SeDebugPrivilege	3592	firefox.exe
Token: SeDebugPrivilege	1360	Znyth_test.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe
3592	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3592	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 3756	1040	msedge.exe	80
PID 1040 wrote to memory of 3756	1040	msedge.exe	80
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 788	1040	msedge.exe	81
PID 1040 wrote to memory of 1672	1040	msedge.exe	82
PID 1040 wrote to memory of 1672	1040	msedge.exe	82
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83
PID 1040 wrote to memory of 424	1040	msedge.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/vg1Pjm
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb74643cb8,0x7ffb74643cc8,0x7ffb74643cd8
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6172 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1836,16659392532712569184,7809596092277513670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6216 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4696
- C:\Users\Admin\Downloads\Znyth_test.exe
  "C:\Users\Admin\Downloads\Znyth_test.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3916
- C:\Users\Admin\Downloads\Znyth_test.exe
  "C:\Users\Admin\Downloads\Znyth_test.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- C:\Users\Admin\Downloads\Znyth_test.exe
  "C:\Users\Admin\Downloads\Znyth_test.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2320

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2988
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1944 -parentBuildID 20240401114208 -prefsHandle 1872 -prefMapHandle 1852 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d3538e5-a294-4467-962a-425cfb1efc24} 3592 "\\.\pipe\gecko-crash-server-pipe.3592" gpu
    3⤵
    PID:1416
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2344 -parentBuildID 20240401114208 -prefsHandle 2336 -prefMapHandle 2324 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b00cc8e-5fe5-4c50-9c67-d691cddf93de} 3592 "\\.\pipe\gecko-crash-server-pipe.3592" socket
    3⤵
    PID:3656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3328 -childID 1 -isForBrowser -prefsHandle 3320 -prefMapHandle 3316 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {691f63d9-93e1-488f-b741-04701f703238} 3592 "\\.\pipe\gecko-crash-server-pipe.3592" tab
    3⤵
    PID:1828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3936 -childID 2 -isForBrowser -prefsHandle 3928 -prefMapHandle 1104 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e688d56-859c-4f2a-b1d3-bedcfd3ccd08} 3592 "\\.\pipe\gecko-crash-server-pipe.3592" tab
    3⤵
    PID:2816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4580 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4548 -prefMapHandle 4552 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb7802fe-7ea9-464e-bdf4-337fdc2ed0b7} 3592 "\\.\pipe\gecko-crash-server-pipe.3592" utility
    3⤵
    - Checks processor information in registry
    PID:1972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5348 -childID 3 -isForBrowser -prefsHandle 5344 -prefMapHandle 4836 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a05675b-158a-465d-826a-a5a340abca83} 3592 "\\.\pipe\gecko-crash-server-pipe.3592" tab
    3⤵
    PID:3516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5480 -childID 4 -isForBrowser -prefsHandle 5488 -prefMapHandle 5492 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37e2319c-2bd8-40cd-a273-9d75ace5fef6} 3592 "\\.\pipe\gecko-crash-server-pipe.3592" tab
    3⤵
    PID:2572
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5688 -childID 5 -isForBrowser -prefsHandle 5696 -prefMapHandle 5700 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1144 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2fe4646-63f5-467b-bed0-511b2f5499f0} 3592 "\\.\pipe\gecko-crash-server-pipe.3592" tab
    3⤵
    PID:3444

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2316

C:\Users\Admin\Downloads\Znyth_test.exe
"C:\Users\Admin\Downloads\Znyth_test.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a2c784e6d797d91d4b8612e14d51bd

SHA1
25e2b07c396ee82e4404af09424f747fc05f04c2

SHA256
18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6

SHA512
fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1fc959921446fa3ab5813f75ca4d0235

SHA1
0aeef3ba7ba2aa1f725fca09432d384b06995e2a

SHA256
1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c

SHA512
899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
b7fa5f5fd63bba25e10c7e4b4a218eea

SHA1
f29e2050ddd36a6603c9829114ead4c6f9438fae

SHA256
cdcfcd8b83d84d3e741c7621d49794f72ea56ef814ad1ff7fa5c63dd5edf695d

SHA512
1969ed3a70e5e7ea949a589503602b6380285338baa62d5e25c16d61dafc28a9374dca7fb3ed9305435e5b854dfe87cfc35daca3ec522277500dbfcd2ec47b90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
930B

MD5
0157b8b1360bb9e747407208e118d1b2

SHA1
24666758d5a498b9b1564bdf012b158ca7456de9

SHA256
974c755d97a136b59b287470f7ae088e264071c928cd1174b61f71f1b948b6b9

SHA512
242f36a2e2c4da0c7a7bd7bf199cb47755cf7c5c1643815d32b6912b6c86b66e85d7f997431ad4abde893981c55de2113dfe90a01fe0812b05f8f3690a466df4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
caf757870291bc62386e608b5119e78c

SHA1
0d187ddd92ecf05cd4a0268de510f879e8d0bc4c

SHA256
0d2c4874eade0f9ae2245400dfe7309f6397476258562a1e19a45602b5ad7106

SHA512
1338d7e6fc3067052f9c3d6696f59e8e95db76ff3045692cb1f39c36cf1938ec034c24b2e106c402a086885546f45eb2bcccd56ded7ea6df271829ccc53773b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d2aad8ce4df39e6eec559832facd060e

SHA1
d0f9f0377366ad92f3bc687de245af32953d62e2

SHA256
83b38f95676bfef5b4bad4f2a77b5eeec3bdb0142ceac2fa1bf47d0b9f00c26d

SHA512
ef53aef0a2590cb3c56023c1eab068d6ac53f97252cb9544879ead95d86a628dc6725476a6cc216c8a3dca3f8202a7b7ce8a9898f451b2bbca66235d08e00a60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
75d013b05867d39f9bfb4c93951ef5cd

SHA1
0b360174baea50f5d27b0aa7802665c80f65397d

SHA256
84de8cc4ececca580c19e330e7379bf680050b1c832dc640a91a93683b806d3a

SHA512
2a3936fc6cd2fa8ed08bde1d4b8cff9d85450c7f11e0d2304f6ce3acf3ba2fdc821f747aa21c787dc6cd8a32d2cbcb1868cfa3b01097e656da0f61fc5f4f831e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
65d94d8ac9f7d4acd781f633942bab0d

SHA1
fcf2a8ccf7dbfa2eb4c4fdf1fb8575abe6534b13

SHA256
da40279d4a0268c88349037ff49548b5d6cd4bc085df8ba4472138ef508eeff0

SHA512
453c3d2a86d76d665a27370892f85cd0022d8253faabf8150f5c67581b1e7bfc1673181fee262e5259f11f29e4ad2ad9952d7d9dc16c96b3074ddb00c63cbda1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
642d6cd95995e1783073f42964140bce

SHA1
13c4ed3ed2ddfbb680d544b07230cdea6ba51fc6

SHA256
f456e08f6111134b7f283507e4f82555a831047c87dc659d630a0daf08b39665

SHA512
243010e6b5e703030448354579ecded079a86e17f36f2aac4f168e687b4b7a7dcaf295caaf693ee5f797062d602b7499091983ea04c752efe6e7b00d1a57f393

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7e7ea89cc066fcb4642014456c9235d9

SHA1
86ef42610e1cbc41a531f24a187fd7b5f7213136

SHA256
9c0f1289c32d2b731c8ab5549918f8cfca1e0f40eab42a6cf2d05e8ea1150318

SHA512
3a6e7a0a136a51a2a3d89ffe9fcc1e4723e4ac52daf742d26ca606a8b91eaeddfea33dbc35f70907275876bc0c0ee059e863845f0eb216c5390806b1c1acfed3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e964e35caebe0f0f18004acab419edeb

SHA1
e1b7fb702a4b03cb6b783189cef277e48e67eb17

SHA256
f063a47005f7ac42c7ef47425b7d5a968260ae2b906c7acafdb0fe97b466b1d3

SHA512
83755a39aeeda156ca24592f1e77baf52eb108e4c59e0ce12645fe05e3be6f54a010d05563d57d07360e410e1d39fad229e76d832596c7c9b344f9db4fc1d936

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\maevrvll.default-release\activity-stream.discovery_stream.json.tmp

Filesize
19KB

MD5
24f3549058bc4bc9cdc7c14b7282d273

SHA1
31356e9c91c8a288a388fa705a5b815fb70c3613

SHA256
9775ad65bbc42c5296b40a44830aa8d3db72295ffe5638607793a583cafc1576

SHA512
cf31c167c1227958aaf2ba178e9fdc9fcbd07edd03236d8005331c9b0899b4971ba400206b448ae9e36d92e3fe3844426c2cfa5a76c8d6488021991f7716604f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
18ae794fc39a8f375bb0e5900f6c504d

SHA1
4dd1ab02d9624a0dc1318e772045428fd0789893

SHA256
817bf5d295f9f7717df13448beff55e2498ea81dcfd9942a0d5509415566327e

SHA512
2b0557fc1f9780e0e67b8fb948678b0fab380895033ac7adb621fdf5ba60c69039aada10f1b6ca425efc851ebb26d902035f260352d964bb12cfd6b34682a9c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\pending_pings\27443f66-b4e4-429d-b53a-dd81e229599f

Filesize
23KB

MD5
cb4a8197573344bbf715c54ee586f055

SHA1
41218a551d1cc43cc07614378424a9e10e143580

SHA256
a8d89bd053fa65c1dc13375e9364fe41766c8a243896051b40a61ec6b2e115a8

SHA512
e4c66c51e01a692c0ad8415e21424735cf7fc091db790e84d09706289b3e939ab204324982672bc5f1c64266ec78b122a5e475ae2cbdcbee5e58ae73895e13e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\pending_pings\95cd5a6a-6253-41f2-b332-3ee54ad450c3

Filesize
982B

MD5
c80ce87cb51d171c9358c43508988866

SHA1
2a1aa245887f015b2b5734d159d90ef64fa2fe22

SHA256
ced3b4bb8f24fd4c6d2232266f94a8ab7ca5d7ee8861bddef744f434dfdb890c

SHA512
1be3340af75e6cb92e860b535451e58855f74bf6152539b27ad06e912f945d0a2ece8273e86f8eabdfbe3f206e33ebfbae3b61daa795e8a2754b5a9a6404cc38

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\maevrvll.default-release\datareporting\glean\pending_pings\a4739695-9083-4d79-ab9b-71f2c617cdc3

Filesize
671B

MD5
0dc4bc82b112223332d7cb4ebd236883

SHA1
b9e407965d6e7ba10e750e885e82d9b81c732cde

SHA256
9c1983aaa9361b8fb2139eff207db1d4a26a2f8e1570545de2cac0ab805be780

SHA512
9ee3b78de7fb294ee983cc5eb22356bb60906ea7757a22e85b8d8be3c731f8683a1a84ca67e8a4d87d283ddbb4d059e663524816bf900b3b499198048e8a2637

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 955298.crdownload

Filesize
15.8MB

MD5
e8de17aa7b8d041a42d3be4d9bb8b818

SHA1
27ef5d751b40d8c5e280638f3085676d08d36c8e

SHA256
d9faa13bea96aa5342700b711d3ca59d77642fe4b063446664e56d6051a70775

SHA512
2bad9ad4d974db98a0adc2bb0098b34a130ce2cb920d2c0977aaf37490ebb74f416b86018b4b1a6c2a8be7555376b76644fd77d8aadefbdffe2ce260437083b4

Download Submit
C:\Users\Admin\Downloads\Znyth_test.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/3916-142-0x00000215524F0000-0x0000021552A18000-memory.dmp

Filesize
5.2MB

Download
memory/3916-141-0x0000021551BF0000-0x0000021551DB2000-memory.dmp

Filesize
1.8MB

Download
memory/3916-140-0x00000215374F0000-0x0000021537508000-memory.dmp

Filesize
96KB

Download