Analysis

  • max time kernel
    137s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/05/2024, 18:18 UTC

General

  • Target

    Client-built.exe

  • Size

    78KB

  • MD5

    443dbdd00a5f762cc93a2a3832ddac98

  • SHA1

    361d26a05242dbc3f8cf027ffab64ed615d111ae

  • SHA256

    700d9122601a761201eecd11ac6cd21ff23be101de641df0f0fc8a5e46df7258

  • SHA512

    54a07d5bc11a82c00e544d5c31365e11cac1be659f11766b55432d866cebcd6f59c312b7b18f417868c2ecccf23aabd2dc9404b0d72905b42398854221b1b668

  • SSDEEP

    1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+9tPIC:5Zv5PDwbjNrmAE+bIC

Malware Config

Extracted

Family

discordrat

Attributes
  • discord_token

    MTE3OTA1OTg1MDEzNTc0ODczMA.GGxVFo.7St6scgSuA_AF4ZkQihNuZJGi0x3Rz9-ucto_M

  • server_id

    1240359327257333804

Signatures

  • Discord RAT

    A RAT written in C# using Discord as a C2.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Client-built.exe
    "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4328

Network

  • flag-us
    DNS
    gateway.discord.gg
    Client-built.exe
    Remote address:
    8.8.8.8:53
    Request
    gateway.discord.gg
    IN A
    Response
    gateway.discord.gg
    IN A
    162.159.130.234
    gateway.discord.gg
    IN A
    162.159.133.234
    gateway.discord.gg
    IN A
    162.159.136.234
    gateway.discord.gg
    IN A
    162.159.135.234
    gateway.discord.gg
    IN A
    162.159.134.234
  • flag-us
    GET
    https://gateway.discord.gg/?v=9&encording=json
    Client-built.exe
    Remote address:
    162.159.130.234:443
    Request
    GET /?v=9&encording=json HTTP/1.1
    Connection: Upgrade,Keep-Alive
    Upgrade: websocket
    Sec-WebSocket-Key: gce1yvr3sX4E3+OUXMy11w==
    Sec-WebSocket-Version: 13
    Host: gateway.discord.gg
    Response
    HTTP/1.1 101 Switching Protocols
    Date: Wed, 15 May 2024 18:18:39 GMT
    Connection: upgrade
    sec-websocket-accept: du8D7TdOAKoj8iqfxCNJctDBP/Q=
    upgrade: websocket
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2vIPqYbrj%2FutLToYIVKddf5boSwYBb%2FNjkbYp9HAZFWdaAApjVm11VyWOhOsMXbKL3OGP0EDfEJ2%2FDFRcw3RNFyoP16j%2F6aSmI1IUQbWc4x3Fq9hxGh6PrQ7xkZ%2BVKGEE90CWg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-Content-Type-Options: nosniff
    Server: cloudflare
    CF-RAY: 884521ba9c6cdccb-LHR
  • flag-us
    DNS
    g.bing.com
    Remote address:
    8.8.8.8:53
    Request
    g.bing.com
    IN A
    Response
    g.bing.com
    IN CNAME
    g-bing-com.dual-a-0034.a-msedge.net
    g-bing-com.dual-a-0034.a-msedge.net
    IN CNAME
    dual-a-0034.a-msedge.net
    dual-a-0034.a-msedge.net
    IN A
    204.79.197.237
    dual-a-0034.a-msedge.net
    IN A
    13.107.21.237
  • flag-us
    GET
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8fWvVQ9nQhDKXSo3LbxfatTVUCUwD_2UHyXDmJNOntJ-eSx1pNZQAM_JKyhgS-gFs0rQCrvv9HUDiIvYzM4hX5yHdTX8hGUpACov82Gi6wYxsTNJDFTCSCCeqQxd2GP6GQ4lzDfQyGDmZYm3Cmo7vorR785t09J94tkIIn8X5M83hYMW5%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D6573714b19291311dd321760a87d0ab3&TIME=20240426T135142Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8fWvVQ9nQhDKXSo3LbxfatTVUCUwD_2UHyXDmJNOntJ-eSx1pNZQAM_JKyhgS-gFs0rQCrvv9HUDiIvYzM4hX5yHdTX8hGUpACov82Gi6wYxsTNJDFTCSCCeqQxd2GP6GQ4lzDfQyGDmZYm3Cmo7vorR785t09J94tkIIn8X5M83hYMW5%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D6573714b19291311dd321760a87d0ab3&TIME=20240426T135142Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6 HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MUID=0609AD85DEF46AD320A2B905DF4F6BA1; domain=.bing.com; expires=Mon, 09-Jun-2025 18:18:41 GMT; path=/; SameSite=None; Secure; Priority=High;
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: A7D410E1EA2D41A7B54463843B40C8AB Ref B: LON04EDGE0918 Ref C: 2024-05-15T18:18:41Z
    date: Wed, 15 May 2024 18:18:41 GMT
  • flag-us
    GET
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8fWvVQ9nQhDKXSo3LbxfatTVUCUwD_2UHyXDmJNOntJ-eSx1pNZQAM_JKyhgS-gFs0rQCrvv9HUDiIvYzM4hX5yHdTX8hGUpACov82Gi6wYxsTNJDFTCSCCeqQxd2GP6GQ4lzDfQyGDmZYm3Cmo7vorR785t09J94tkIIn8X5M83hYMW5%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D6573714b19291311dd321760a87d0ab3&TIME=20240426T135142Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6
    Remote address:
    204.79.197.237:443
    Request
    GET /neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8fWvVQ9nQhDKXSo3LbxfatTVUCUwD_2UHyXDmJNOntJ-eSx1pNZQAM_JKyhgS-gFs0rQCrvv9HUDiIvYzM4hX5yHdTX8hGUpACov82Gi6wYxsTNJDFTCSCCeqQxd2GP6GQ4lzDfQyGDmZYm3Cmo7vorR785t09J94tkIIn8X5M83hYMW5%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D6573714b19291311dd321760a87d0ab3&TIME=20240426T135142Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6 HTTP/2.0
    host: g.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=0609AD85DEF46AD320A2B905DF4F6BA1; _EDGE_S=SID=20330D82085960CA008F190209FA6148
    Response
    HTTP/2.0 204
    cache-control: no-cache, must-revalidate
    pragma: no-cache
    expires: Fri, 01 Jan 1990 00:00:00 GMT
    set-cookie: MSPTC=uW663U-AbZ7MGB6GlkvXDIbUxnXjzucDn1SoGoP4XKI; domain=.bing.com; expires=Mon, 09-Jun-2025 18:18:42 GMT; path=/; Partitioned; secure; SameSite=None
    strict-transport-security: max-age=31536000; includeSubDomains; preload
    access-control-allow-origin: *
    x-cache: CONFIG_NOCACHE
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 7DA036FB06D1420183864F482D4FFFC0 Ref B: LON04EDGE0918 Ref C: 2024-05-15T18:18:42Z
    date: Wed, 15 May 2024 18:18:41 GMT
  • flag-us
    DNS
    234.130.159.162.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    234.130.159.162.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    138.32.126.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    138.32.126.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    237.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    237.197.79.204.in-addr.arpa
    IN PTR
    Response
  • flag-be
    GET
    https://www.bing.com/aes/c.gif?RG=0d47f4b5026c4dd689eccd82b504b5b3&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135142Z&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984
    Remote address:
    88.221.83.235:443
    Request
    GET /aes/c.gif?RG=0d47f4b5026c4dd689eccd82b504b5b3&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135142Z&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984 HTTP/2.0
    host: www.bing.com
    accept-encoding: gzip, deflate
    user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    cookie: MUID=0609AD85DEF46AD320A2B905DF4F6BA1
    Response
    HTTP/2.0 200
    cache-control: private,no-store
    pragma: no-cache
    vary: Origin
    p3p: CP=BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D6D4091C2C6F46A684C82845BC159C8D Ref B: AMS04EDGE1609 Ref C: 2024-05-15T18:18:42Z
    content-length: 0
    date: Wed, 15 May 2024 18:18:42 GMT
    set-cookie: _EDGE_S=SID=20330D82085960CA008F190209FA6148; path=/; httponly; domain=bing.com
    set-cookie: MUIDB=0609AD85DEF46AD320A2B905DF4F6BA1; path=/; httponly; expires=Mon, 09-Jun-2025 18:18:42 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.e753dd58.1715797122.61e1ccc
  • flag-us
    DNS
    235.83.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    235.83.221.88.in-addr.arpa
    IN PTR
    Response
    235.83.221.88.in-addr.arpa
    IN PTR
    a88-221-83-235deploystaticakamaitechnologiescom
  • flag-us
    DNS
    235.83.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    235.83.221.88.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    77.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    77.190.18.2.in-addr.arpa
    IN PTR
    Response
    77.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-77deploystaticakamaitechnologiescom
  • flag-us
    DNS
    77.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    77.190.18.2.in-addr.arpa
    IN PTR
  • flag-be
    GET
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    Remote address:
    88.221.83.235:443
    Request
    GET /th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90 HTTP/2.0
    host: www.bing.com
    accept: */*
    cookie: MUID=0609AD85DEF46AD320A2B905DF4F6BA1; _EDGE_S=SID=20330D82085960CA008F190209FA6148; MSPTC=uW663U-AbZ7MGB6GlkvXDIbUxnXjzucDn1SoGoP4XKI; MUIDB=0609AD85DEF46AD320A2B905DF4F6BA1
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-type: image/png
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QWthbWFp"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    content-length: 1107
    date: Wed, 15 May 2024 18:18:45 GMT
    alt-svc: h3=":443"; ma=93600
    x-cdn-traceid: 0.e753dd58.1715797125.61e2bd9
  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    28.118.140.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    28.118.140.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    157.123.68.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    157.123.68.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    99.56.20.217.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    99.56.20.217.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    79.190.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    79.190.18.2.in-addr.arpa
    IN PTR
    Response
    79.190.18.2.in-addr.arpa
    IN PTR
    a2-18-190-79deploystaticakamaitechnologiescom
  • flag-us
    DNS
    43.58.199.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.58.199.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    43.229.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    43.229.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360313430_12K7UVO7ZVIINTRIE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360313430_12K7UVO7ZVIINTRIE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 442324
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D2DC36950C864F1B910F2771A2DB2E2B Ref B: LON04EDGE1111 Ref C: 2024-05-15T18:20:23Z
    date: Wed, 15 May 2024 18:20:22 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239360313429_1X5GXWWD8KTODKAD6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239360313429_1X5GXWWD8KTODKAD6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 394521
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth&ndcParam=QUZE"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 22B14EA15D41458E9B6030204DC34CE5 Ref B: LON04EDGE1111 Ref C: 2024-05-15T18:20:23Z
    date: Wed, 15 May 2024 18:20:22 GMT
  • flag-us
    DNS
    200.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
    Response
    200.197.79.204.in-addr.arpa
    IN PTR
    a-0001a-msedgenet
  • 162.159.130.234:443
    https://gateway.discord.gg/?v=9&encording=json
    tls, http
    Client-built.exe
    1.5kB
    4.2kB
    13
    13

    HTTP Request

    GET https://gateway.discord.gg/?v=9&encording=json

    HTTP Response

    101
  • 204.79.197.237:443
    https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8fWvVQ9nQhDKXSo3LbxfatTVUCUwD_2UHyXDmJNOntJ-eSx1pNZQAM_JKyhgS-gFs0rQCrvv9HUDiIvYzM4hX5yHdTX8hGUpACov82Gi6wYxsTNJDFTCSCCeqQxd2GP6GQ4lzDfQyGDmZYm3Cmo7vorR785t09J94tkIIn8X5M83hYMW5%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D6573714b19291311dd321760a87d0ab3&TIME=20240426T135142Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6
    tls, http2
    2.7kB
    10.0kB
    23
    17

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8fWvVQ9nQhDKXSo3LbxfatTVUCUwD_2UHyXDmJNOntJ-eSx1pNZQAM_JKyhgS-gFs0rQCrvv9HUDiIvYzM4hX5yHdTX8hGUpACov82Gi6wYxsTNJDFTCSCCeqQxd2GP6GQ4lzDfQyGDmZYm3Cmo7vorR785t09J94tkIIn8X5M83hYMW5%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D6573714b19291311dd321760a87d0ab3&TIME=20240426T135142Z&CID=530628298&EID=530628298&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6

    HTTP Response

    204

    HTTP Request

    GET https://g.bing.com/neg/0?action=impression&rlink=https%3A%2F%2Fwww.bing.com%2Faclick%3Fld%3De8fWvVQ9nQhDKXSo3LbxfatTVUCUwD_2UHyXDmJNOntJ-eSx1pNZQAM_JKyhgS-gFs0rQCrvv9HUDiIvYzM4hX5yHdTX8hGUpACov82Gi6wYxsTNJDFTCSCCeqQxd2GP6GQ4lzDfQyGDmZYm3Cmo7vorR785t09J94tkIIn8X5M83hYMW5%26u%3DbXN4Ym94JTNhJTJmJTJmZ2FtZSUyZiUzZnByb2R1Y3RJZCUzZDlOMEg2MktaM0JYViUyNm9jaWQlM2RpbnBfcm1jX3hib19zdGFydF9UUHRpdGxlX2VuZ2FnZQ%26rlid%3D6573714b19291311dd321760a87d0ab3&TIME=20240426T135142Z&CID=530628298&EID=&tids=15000&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984&muid=B64DD8ED08746C05824A19614CB097A6

    HTTP Response

    204
  • 88.221.83.235:443
    https://www.bing.com/aes/c.gif?RG=0d47f4b5026c4dd689eccd82b504b5b3&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135142Z&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984
    tls, http2
    1.5kB
    6.5kB
    17
    11

    HTTP Request

    GET https://www.bing.com/aes/c.gif?RG=0d47f4b5026c4dd689eccd82b504b5b3&med=10&pubId=251978541&tids=15000&type=mv&reqver=1.0&TIME=20240426T135142Z&adUnitId=11730597&localId=w:B64DD8ED-0874-6C05-824A-19614CB097A6&deviceId=6825828828100984

    HTTP Response

    200
  • 88.221.83.235:443
    https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90
    tls, http2
    2.2kB
    6.3kB
    17
    11

    HTTP Request

    GET https://www.bing.com/th?id=OADD2.10239359720591_10PHTLBML42K6TRZO&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=24&h=24&dynsize=1&qlt=90

    HTTP Response

    200
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.1kB
    16
    13
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239360313429_1X5GXWWD8KTODKAD6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90
    tls, http2
    30.2kB
    873.4kB
    638
    635

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360313430_12K7UVO7ZVIINTRIE&pid=21.2&c=3&w=1080&h=1920&dynsize=1&qlt=90

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239360313429_1X5GXWWD8KTODKAD6&pid=21.2&c=16&roil=0&roit=0&roir=1&roib=1&w=1920&h=1080&dynsize=1&qlt=90

    HTTP Response

    200

    HTTP Response

    200
  • 8.8.8.8:53
    gateway.discord.gg
    dns
    Client-built.exe
    64 B
    144 B
    1
    1

    DNS Request

    gateway.discord.gg

    DNS Response

    162.159.130.234
    162.159.133.234
    162.159.136.234
    162.159.135.234
    162.159.134.234

  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    151 B
    1
    1

    DNS Request

    g.bing.com

    DNS Response

    204.79.197.237
    13.107.21.237

  • 8.8.8.8:53
    234.130.159.162.in-addr.arpa
    dns
    74 B
    136 B
    1
    1

    DNS Request

    234.130.159.162.in-addr.arpa

  • 8.8.8.8:53
    138.32.126.40.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    138.32.126.40.in-addr.arpa

  • 8.8.8.8:53
    237.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    237.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    235.83.221.88.in-addr.arpa
    dns
    144 B
    137 B
    2
    1

    DNS Request

    235.83.221.88.in-addr.arpa

    DNS Request

    235.83.221.88.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    77.190.18.2.in-addr.arpa
    dns
    140 B
    133 B
    2
    1

    DNS Request

    77.190.18.2.in-addr.arpa

    DNS Request

    77.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    28.118.140.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    28.118.140.52.in-addr.arpa

  • 8.8.8.8:53
    157.123.68.40.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    157.123.68.40.in-addr.arpa

  • 8.8.8.8:53
    99.56.20.217.in-addr.arpa
    dns
    71 B
    131 B
    1
    1

    DNS Request

    99.56.20.217.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    79.190.18.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    79.190.18.2.in-addr.arpa

  • 8.8.8.8:53
    43.58.199.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    43.58.199.20.in-addr.arpa

  • 8.8.8.8:53
    43.229.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    43.229.111.52.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    173 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    200.197.79.204.in-addr.arpa
    dns
    73 B
    106 B
    1
    1

    DNS Request

    200.197.79.204.in-addr.arpa

MITRE ATT&CK Matrix

Downloads

  • memory/4328-1-0x00007FF83E493000-0x00007FF83E495000-memory.dmp

    Filesize

    8KB

  • memory/4328-2-0x0000023CCFAE0000-0x0000023CCFCA2000-memory.dmp

    Filesize

    1.8MB

  • memory/4328-0-0x0000023CB53F0000-0x0000023CB5408000-memory.dmp

    Filesize

    96KB

  • memory/4328-3-0x00007FF83E490000-0x00007FF83EF51000-memory.dmp

    Filesize

    10.8MB

  • memory/4328-4-0x0000023CD02E0000-0x0000023CD0808000-memory.dmp

    Filesize

    5.2MB

  • memory/4328-5-0x00007FF83E490000-0x00007FF83EF51000-memory.dmp

    Filesize

    10.8MB
