Description	Indicator	Process	Target
N/A	discord.com	N/A	N/A
N/A	raw.githubusercontent.com	N/A	N/A
N/A	discord.com	N/A	N/A
N/A	discord.com	N/A	N/A
N/A	discord.com	N/A	N/A
N/A	raw.githubusercontent.com	N/A	N/A
N/A	discord.com	N/A	N/A
N/A	discord.com	N/A	N/A
N/A	discord.com	N/A	N/A
N/A	discord.com	N/A	N/A
N/A	discord.com	N/A	N/A
N/A	discord.com	N/A	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\newgame.exe	N/A

Processes

C:\Users\Admin\AppData\Local\Temp\newgame.exe

"C:\Users\Admin\AppData\Local\Temp\newgame.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	gateway.discord.gg	udp
US	162.159.136.234:443	gateway.discord.gg	tcp
US	8.8.8.8:53	234.136.159.162.in-addr.arpa	udp
US	162.159.136.232:443	discord.com	tcp
DE	159.89.102.253:443	geolocation-db.com	tcp
US	162.159.136.232:443	discord.com	tcp
US	162.159.136.232:443	discord.com	tcp
US	162.159.136.232:443	discord.com	tcp
US	162.159.136.232:443	discord.com	tcp
US	162.159.136.232:443	discord.com	tcp
US	185.199.109.133:443	raw.githubusercontent.com	tcp
US	162.159.136.232:443	discord.com	tcp
US	162.159.136.232:443	discord.com	tcp
US	162.159.136.232:443	discord.com	tcp

Files

memory/1140-0-0x00007FFA0B7C3000-0x00007FFA0B7C5000-memory.dmp

memory/1140-1-0x00000164614D0000-0x00000164614EA000-memory.dmp

memory/1140-2-0x000001647BB50000-0x000001647BD12000-memory.dmp

memory/1140-3-0x00007FFA0B7C0000-0x00007FFA0C282000-memory.dmp

memory/1140-4-0x000001647CE20000-0x000001647D348000-memory.dmp

memory/1140-5-0x00007FFA0B7C3000-0x00007FFA0B7C5000-memory.dmp

memory/1140-6-0x00007FFA0B7C0000-0x00007FFA0C282000-memory.dmp

memory/1140-7-0x000001647EDF0000-0x000001647EFA3000-memory.dmp

memory/1140-8-0x000001647B9C0000-0x000001647B9CE000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-08 22:56

Reported

2024-06-08 23:00

Platform

win10-20240404-en

Max time kernel

131s

Max time network

151s

Command Line

winlogon.exe

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess

Description	Indicator	Process	Target
PID 956 created 588	N/A	C:\Users\Admin\AppData\Local\Temp\newgame.exe	C:\Windows\system32\winlogon.exe

Downloads MZ/PE file

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description	Indicator	Process	Target
N/A	discord.com	N/A	N/A
N/A	discord.com	N/A	N/A
N/A	discord.com	N/A	N/A
N/A	discord.com	N/A	N/A
N/A	raw.githubusercontent.com	N/A	N/A
N/A	discord.com	N/A	N/A
N/A	discord.com	N/A	N/A
N/A	discord.com	N/A	N/A
N/A	discord.com	N/A	N/A
N/A	raw.githubusercontent.com	N/A	N/A
N/A	raw.githubusercontent.com	N/A	N/A
N/A	discord.com	N/A	N/A

Sets desktop wallpaper using registry

ransomware

Description	Indicator	Process	Target
Set value (str)	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp69AD.tmp.png"	C:\Users\Admin\AppData\Local\Temp\newgame.exe	N/A

Suspicious use of SetThreadContext

Description	Indicator	Process	Target
PID 956 set thread context of 3312	N/A	C:\Users\Admin\AppData\Local\Temp\newgame.exe	C:\Windows\System32\dllhost.exe

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Local\Temp\newgame.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A
N/A	N/A	C:\Windows\System32\dllhost.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\newgame.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Users\Admin\AppData\Local\Temp\newgame.exe	N/A
Token: SeDebugPrivilege	N/A	C:\Windows\System32\dllhost.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 956 wrote to memory of 3312	N/A	C:\Users\Admin\AppData\Local\Temp\newgame.exe	C:\Windows\System32\dllhost.exe
PID 956 wrote to memory of 3312	N/A	C:\Users\Admin\AppData\Local\Temp\newgame.exe	C:\Windows\System32\dllhost.exe
PID 956 wrote to memory of 3312	N/A	C:\Users\Admin\AppData\Local\Temp\newgame.exe	C:\Windows\System32\dllhost.exe
PID 956 wrote to memory of 3312	N/A	C:\Users\Admin\AppData\Local\Temp\newgame.exe	C:\Windows\System32\dllhost.exe
PID 956 wrote to memory of 3312	N/A	C:\Users\Admin\AppData\Local\Temp\newgame.exe	C:\Windows\System32\dllhost.exe
PID 956 wrote to memory of 3312	N/A	C:\Users\Admin\AppData\Local\Temp\newgame.exe	C:\Windows\System32\dllhost.exe
PID 956 wrote to memory of 3312	N/A	C:\Users\Admin\AppData\Local\Temp\newgame.exe	C:\Windows\System32\dllhost.exe
PID 956 wrote to memory of 3312	N/A	C:\Users\Admin\AppData\Local\Temp\newgame.exe	C:\Windows\System32\dllhost.exe
PID 956 wrote to memory of 3312	N/A	C:\Users\Admin\AppData\Local\Temp\newgame.exe	C:\Windows\System32\dllhost.exe
PID 956 wrote to memory of 3312	N/A	C:\Users\Admin\AppData\Local\Temp\newgame.exe	C:\Windows\System32\dllhost.exe
PID 956 wrote to memory of 3312	N/A	C:\Users\Admin\AppData\Local\Temp\newgame.exe	C:\Windows\System32\dllhost.exe
PID 3312 wrote to memory of 588	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\winlogon.exe
PID 3312 wrote to memory of 644	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\lsass.exe
PID 3312 wrote to memory of 728	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 912	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 1000	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\dwm.exe
PID 3312 wrote to memory of 60	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 832	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 1096	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 1124	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 1180	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 1208	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 1324	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 1332	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 1360	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 1384	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 1508	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 1540	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 1584	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 1596	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 1676	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\System32\svchost.exe
PID 3312 wrote to memory of 1692	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 1804	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\System32\svchost.exe
PID 3312 wrote to memory of 1820	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 3312 wrote to memory of 1912	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 1952	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 2032	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 2040	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\System32\spoolsv.exe
PID 3312 wrote to memory of 2124	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 2392	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 2408	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 2432	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 2488	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 2652	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 2664	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\sysmon.exe
PID 3312 wrote to memory of 2692	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 2700	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 2712	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 3012	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\wbem\unsecapp.exe
PID 3312 wrote to memory of 3064	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\sihost.exe
PID 3312 wrote to memory of 2364	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 3216	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\taskhostw.exe
PID 3312 wrote to memory of 3268	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 3396	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\Explorer.EXE
PID 3312 wrote to memory of 4012	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\System32\RuntimeBroker.exe
PID 3312 wrote to memory of 4004	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\DllHost.exe
PID 3312 wrote to memory of 4812	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 4724	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\svchost.exe
PID 3312 wrote to memory of 920	N/A	C:\Windows\System32\dllhost.exe	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
PID 3312 wrote to memory of 3000	N/A	C:\Windows\System32\dllhost.exe	c:\windows\system32\svchost.exe
PID 3312 wrote to memory of 4044	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\DllHost.exe
PID 3312 wrote to memory of 3572	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\ApplicationFrameHost.exe
PID 3312 wrote to memory of 4296	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\System32\InstallAgent.exe
PID 3312 wrote to memory of 432	N/A	C:\Windows\System32\dllhost.exe	C:\Windows\system32\DllHost.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k dcomlaunch -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Schedule

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s nsi

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s UserManager

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Themes

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s EventSystem

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s SENS

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s NlaSvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s Dnscache

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k appmodel -s StateRepository

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k networkservice -s CryptSvc

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s Browser

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s WpnService

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

c:\windows\system32\sihost.exe

sihost.exe

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc

c:\windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k localservice -s CDPSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

c:\windows\system32\svchost.exe

c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\ApplicationFrameHost.exe

C:\Windows\system32\ApplicationFrameHost.exe -Embedding

C:\Windows\System32\InstallAgent.exe

C:\Windows\System32\InstallAgent.exe -Embedding

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Users\Admin\AppData\Local\Temp\newgame.exe

"C:\Users\Admin\AppData\Local\Temp\newgame.exe"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{ad5ed378-c8a3-4b39-8d20-ed2b9ba235c8}

C:\Windows\system32\dwm.exe

"dwm.exe"

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	gateway.discord.gg	udp
US	162.159.130.234:443	gateway.discord.gg	tcp
US	8.8.8.8:53	234.130.159.162.in-addr.arpa	udp
US	8.8.8.8:53	discord.com	udp
US	162.159.136.232:443	discord.com	tcp
US	8.8.8.8:53	geolocation-db.com	udp
DE	159.89.102.253:443	geolocation-db.com	tcp
US	8.8.8.8:53	232.136.159.162.in-addr.arpa	udp
US	162.159.136.232:443	discord.com	tcp
US	8.8.8.8:53	253.102.89.159.in-addr.arpa	udp
US	162.159.136.232:443	discord.com	tcp
US	162.159.136.232:443	discord.com	tcp
US	8.8.8.8:53	cdn.discordapp.com	udp
US	162.159.135.233:443	cdn.discordapp.com	tcp
US	162.159.136.232:443	discord.com	tcp
US	8.8.8.8:53	233.135.159.162.in-addr.arpa	udp
US	8.8.8.8:53	raw.githubusercontent.com	udp
US	185.199.108.133:443	raw.githubusercontent.com	tcp
US	8.8.8.8:53	133.108.199.185.in-addr.arpa	udp
US	162.159.136.232:443	discord.com	tcp
US	162.159.136.232:443	discord.com	tcp
US	8.8.8.8:53	30.73.42.20.in-addr.arpa	udp
US	185.199.108.133:443	raw.githubusercontent.com	tcp
US	162.159.136.232:443	discord.com	tcp

Files

memory/956-0-0x00007FFFED903000-0x00007FFFED904000-memory.dmp

memory/956-1-0x000001D13E880000-0x000001D13E89A000-memory.dmp

memory/956-2-0x000001D158EA0000-0x000001D159062000-memory.dmp

memory/956-3-0x00007FFFED900000-0x00007FFFEE2EC000-memory.dmp

memory/956-4-0x000001D159790000-0x000001D159CB6000-memory.dmp

memory/956-5-0x00007FFFED903000-0x00007FFFED904000-memory.dmp

memory/956-6-0x00007FFFED900000-0x00007FFFEE2EC000-memory.dmp

memory/956-9-0x000001D159170000-0x000001D1591E6000-memory.dmp

memory/956-10-0x000001D140490000-0x000001D1404A2000-memory.dmp

memory/956-11-0x000001D1404C0000-0x000001D1404DE000-memory.dmp

memory/956-12-0x000001D1591F0000-0x000001D15922E000-memory.dmp

memory/956-14-0x00007FF8097B0000-0x00007FF80985E000-memory.dmp

memory/956-13-0x00007FF80A4D0000-0x00007FF80A6AB000-memory.dmp

memory/3312-17-0x0000000140000000-0x0000000140040000-memory.dmp

memory/3312-18-0x00007FF80A4D0000-0x00007FF80A6AB000-memory.dmp

memory/3312-19-0x00007FF8097B0000-0x00007FF80985E000-memory.dmp

memory/3312-16-0x0000000140000000-0x0000000140040000-memory.dmp

memory/956-20-0x00007FFFED900000-0x00007FFFEE2EC000-memory.dmp

memory/588-23-0x000001595F5F0000-0x000001595F613000-memory.dmp

memory/956-161-0x00007FFFED900000-0x00007FFFEE2EC000-memory.dmp

memory/3312-176-0x00007FF80A4D1000-0x00007FF80A5DF000-memory.dmp

memory/588-236-0x00007FF80A575000-0x00007FF80A576000-memory.dmp

memory/1000-244-0x0000028332100000-0x000002833212A000-memory.dmp

memory/644-243-0x00000192728A0000-0x00000192728CA000-memory.dmp

memory/588-235-0x000001595F620000-0x000001595F64A000-memory.dmp

memory/3312-231-0x00007FF80A4D0000-0x00007FF80A6AB000-memory.dmp

memory/1000-35-0x00007FF7CA560000-0x00007FF7CA570000-memory.dmp

memory/1000-34-0x0000028332100000-0x000002833212A000-memory.dmp

memory/644-32-0x00007FF7CA560000-0x00007FF7CA570000-memory.dmp

memory/644-31-0x00000192728A0000-0x00000192728CA000-memory.dmp

memory/588-26-0x00007FF7CA560000-0x00007FF7CA570000-memory.dmp

memory/588-25-0x000001595F620000-0x000001595F64A000-memory.dmp

memory/3312-21-0x0000000140000000-0x0000000140040000-memory.dmp

memory/3312-15-0x0000000140000000-0x0000000140040000-memory.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD807.tmp.csv

MD5	9310b0081385ad706af0d3d70739c5e1
SHA1	129f808bc779b5b1468fd9ef738712006aa12424
SHA256	f088a11b7403408cf1ce020a0f59709fe00922fcc05fdfaea057271b05f4f86a
SHA512	71f6fa39c8051de60f2cdd7c4bec001bf3733f84da7710499dba7ebd8ae52704d0219af7ad8f58cafbf9ee492e1c2029e490c0d0460a164845ad36513546fe88

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD846.tmp.txt

MD5	9e379b2165f876fde18740b1e3b715bc
SHA1	73254ea81fb1686fbc8c78066d4cfad823b6c40c
SHA256	cc19b1b0ef0f30341e6020c231818981a31760e81f250338777c3a20dec0e7ce
SHA512	8615fabae7f1c36799f7745c5eaad5b2f880775d52ff76db2735aced92df26eac9b56b8f1f5e4e765b0baf4f6e904d1fbcc00138b43dadd26b7890ec33f42df5

Sample ID	240608-2w6ddsad42
Target	newgame.exe
SHA256	16cef3c03efe6d11b261709e330058536b7bd186fad81e932f2a9db1cef78610
Tags	discordrat persistence rat rootkit stealer ransomware spyware

Malware Analysis Report

2024-09-11 09:20

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files