discordrat | f4682ac003ffe913d397b9f2f5d3a4e251feae26e704827e1f495d9240b17e20

Resubmissions

23-06-2024 18:06

240623-wp2tqssbpj 3

23-06-2024 18:04

240623-wnmy7aybrf 1

14-06-2024 20:34

240614-zcpkesyejk 10

Analysis

max time kernel
1050s
max time network
969s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

us.txt
Size

173B
MD5

6b6c81989aa83c39a795eec2ea4692d7
SHA1

91c2949ba4e3832b32d7c9e3083d265cebaf69b4
SHA256

f4682ac003ffe913d397b9f2f5d3a4e251feae26e704827e1f495d9240b17e20
SHA512

6e13df78169a1a0f8dc8069aaec1da8a12db976fe57fecf30d59dfc6a0820c7e45d1b90187ac4763fbefdafb8313a8523a5f954f882b3891c7ed9d8ee5ce069a

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
3236	Client-built.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133628709019252765"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3660	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3764	chrome.exe
3764	chrome.exe
4104	chrome.exe
4104	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe
Token: SeShutdownPrivilege	3764	chrome.exe
Token: SeCreatePagefilePrivilege	3764	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe
3764	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3764 wrote to memory of 4680	3764	chrome.exe	88
PID 3764 wrote to memory of 4680	3764	chrome.exe	88
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5044	3764	chrome.exe	89
PID 3764 wrote to memory of 5088	3764	chrome.exe	90
PID 3764 wrote to memory of 5088	3764	chrome.exe	90
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91
PID 3764 wrote to memory of 3832	3764	chrome.exe	91

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\us.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b1b0ab58,0x7ff9b1b0ab68,0x7ff9b1b0ab78
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1992,i,12365945780612356271,6281802491495291473,131072 /prefetch:2
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1800 --field-trial-handle=1992,i,12365945780612356271,6281802491495291473,131072 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2268 --field-trial-handle=1992,i,12365945780612356271,6281802491495291473,131072 /prefetch:8
  2⤵
  PID:3832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1992,i,12365945780612356271,6281802491495291473,131072 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3020 --field-trial-handle=1992,i,12365945780612356271,6281802491495291473,131072 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4428 --field-trial-handle=1992,i,12365945780612356271,6281802491495291473,131072 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4596 --field-trial-handle=1992,i,12365945780612356271,6281802491495291473,131072 /prefetch:8
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4732 --field-trial-handle=1992,i,12365945780612356271,6281802491495291473,131072 /prefetch:8
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 --field-trial-handle=1992,i,12365945780612356271,6281802491495291473,131072 /prefetch:8
  2⤵
  PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4956 --field-trial-handle=1992,i,12365945780612356271,6281802491495291473,131072 /prefetch:8
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 --field-trial-handle=1992,i,12365945780612356271,6281802491495291473,131072 /prefetch:8
  2⤵
  PID:3160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5076 --field-trial-handle=1992,i,12365945780612356271,6281802491495291473,131072 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3012 --field-trial-handle=1992,i,12365945780612356271,6281802491495291473,131072 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3208 --field-trial-handle=1992,i,12365945780612356271,6281802491495291473,131072 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2924 --field-trial-handle=1992,i,12365945780612356271,6281802491495291473,131072 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2676 --field-trial-handle=1992,i,12365945780612356271,6281802491495291473,131072 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4312 --field-trial-handle=1992,i,12365945780612356271,6281802491495291473,131072 /prefetch:8
  2⤵
  PID:3332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5292 --field-trial-handle=1992,i,12365945780612356271,6281802491495291473,131072 /prefetch:8
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2396 --field-trial-handle=1992,i,12365945780612356271,6281802491495291473,131072 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 --field-trial-handle=1992,i,12365945780612356271,6281802491495291473,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4104

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3292

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3944

C:\Users\Admin\Downloads\release\builder.exe
"C:\Users\Admin\Downloads\release\builder.exe"
1⤵
PID:2760

C:\Users\Admin\Downloads\release\Release\Discord rat.exe
"C:\Users\Admin\Downloads\release\Release\Discord rat.exe"
1⤵
PID:4896

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7ffc2bef13a7204da25033bb1a4e78a5

SHA1
7a34a83b62fa003f6ae93a3528e4731e9c68867b

SHA256
f24d37a9c23d13cb4ea85d93a2a3acbbb7ff5f99419ff403673662666ef23174

SHA512
6ac8e9cfd499995ba2f548a0560eaad9179095adcf71d728406e0c247e56e8ffb61747e242594322748b2ea546c33515435050aeba7484a41011c8e0b33a52d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c7b2440bbc151c104fe3f0f285c714df

SHA1
d91cece0625524e414ef01cf3b1b9322faa41d45

SHA256
eee303d3b8757cafc744aefe6071efc9c0d8b2fa90e018009a7b715c16672de0

SHA512
8960b201bdb645a8eece388de4ebfe46f3621797ff74ff58c073b5f7b12734de56dd55e35989f582cc100c605b49ccd104827d1aa9718f8590f166e59e1459e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
c880e5e76814b2850f168ee3841b21f2

SHA1
ab2c5a111c4c09b77e2810268dc52962d00515f5

SHA256
f7124a77baa7eb34a481cd8a29a687fe907099a9865c613f0dac20d3107b34c5

SHA512
cfcb2ac1bd8c695816f1712ebe0bce2a9f08c3db8e2f0a8655c807b04d3cc6efd3e492b269c8382f1fcc4ea54ef43898f965c7fb1d5018c6da266964aaf557f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
d27dab1abef1df03f3c7939c2795a099

SHA1
b26fb5c6f2cd06dc6af62cedb9659f34234ed225

SHA256
c3779fe20fe10a0b1cd76022fe0d660eab4d63e72aee618d90fe23824648d4aa

SHA512
37b669a888e892b9d1196081e15a48b66d4d7abfcc84be57552c3f1e108a580d015cb5742490d7698ff1accc2795fc90ca01997be9e8f55e1a4af9cba7afb014

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9ee4336b939f9e83d346fd5d5f8817f1

SHA1
be380d2d0743b1c95eccca5cd712aee2cc516ac9

SHA256
70f72d7f6550c82c018e73d2e1752c7165311f789962d4143fb366e6894e888c

SHA512
b803585cdeb24052389df829d2d560b5e9e8e4300c8e0edbdb779ca3e50818b031102c3b50858e13dc40fedefd411f692d0d093e73d38eeef0c9a2defe5e6caf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
359496bb74a1d0a5d0dcb577331bb2cd

SHA1
7d632f65d777913247695a237d294535b1c03f12

SHA256
21a61ae9216f08fc6c5daa7a70a2500ee0f7f5e25ae2fb16d64de260c028272a

SHA512
8d040562ab51c6e0706b730963f461f5039e6d4761b43eb584da2565db5795a7dfd11f790fba7dd2d85bc80ddd5f19dc30e43426b76a61cd799a39ea33076eb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
0ea70e1bfada7fed83f2983271cd18ff

SHA1
9a7945876e4a607313ba505fa612243f2777e14c

SHA256
2892f16b95a42c13d4faa4b2d9c9a6eb396418f2cde392479442b8b8d33e0e93

SHA512
c287a389b5cc145c13416309bae71450080b86abdcb131a38879ee133d0b37e86ee69c9c6f0f6fd3e0184d199ecc9c2e3e84428567da01ac45f810bedfcc9dc3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
6c86977a145b73c042baa06378669450

SHA1
1f531eb2e5529729bd0562c3350898c659a7ba78

SHA256
ba4f5bd496962ea106bb2e2d5875fb2defe943ea79fe641eb45aee3165f44338

SHA512
e1e7ef4c063342b827810510f85b87362eeae049b274517e3591c128b46a6777ce267a2263bd52dfaaba3a0631a1e3d97adfb13a666899ae8d208ef4c2eefb9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
36f752f8a5aa2f36a715f7e497e7c9c0

SHA1
241087440214541d1065c9cab6dac8825a1386de

SHA256
2ceae48c1967d65fc67c0ab5b8037b3d766bb0e9ceb845bc39f0df658486552f

SHA512
c6e8ff33fd98b6342456aa74b5bd6c503cd76fe69c3ada86bca713ef47d22868ef809a2e535b27e3fa36740150b11e632a9615cb16a8781c2484a763999004e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b97130b6176327ec94dd7009afe910c2

SHA1
1262a1e2c6d4b3ec6c080b3b2e039b0415282737

SHA256
3b8293f214a3f8009b95481bb8008f85982744ffa11ce2f01084a4a89f2cef2e

SHA512
8068f486fcd1c5d65184fa1916e9db8d0832dfc75080521e74a8795dd5e8fb8799e88a5a3af4cfe1432b503dbf22065e0cb4d9fc04739cbecfc1ecf5fbd0ff57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
96b05bbb3fb51272373ac10f01b3af39

SHA1
868202e35754db673c7e565c2c4717af356164d8

SHA256
479b5522d22a6a76f0346c166b18d91a3c576128c9671164b4f37d01e32e3e00

SHA512
304e4447e0edfceba1a7ff748ab14e36e003de46e107aab85327ac9e0ff4e2299cb8ad73f157f72a766b86706cbd85c316a2b20de8c972edb849e9afd29acdc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
68f5085709eb8ab0235f1f564a5fa8e9

SHA1
ab08de19c8125ca26e9141e581d56cc8d8ab75a0

SHA256
da7ea337f28ac1240144a68ce528a2701223951b5343571fb50ba29f40c53609

SHA512
f0d6a750e421f9b6e459c1f7ec82d0ee9a30f1bdfc805c529521eae218cf258ccff1d9aef4ecbfa5d1a0b63352089bfea414d1807dbdbea1b17b08ac16237258

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5c15451cde323d476c49b9994398345e

SHA1
bd51912720118329ad0d1d942fc17f7d4b71a4ca

SHA256
4360aee736bbf39e1e833cfc1fc0eb5e5fef5d2206dad81bfefbc14ff7e1b580

SHA512
32be1cd35b402304d2ccf92e7860b12264582193be83330c3576358de97517c488e8012c90644ee1674b3cf10656e1a6d00b0dbf6dc7f17628a16eae99cf7005

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
32340166400cc4c93e786713c78afab4

SHA1
6fa0e37f8158c648fd10f965d86b642e467df4a5

SHA256
0f1c2879a0c305e8a989624baf7d254b09ff26357d06b733d60409bca0ab3470

SHA512
572cf5259094dccc01b326d6419b821a15de2f09d098ff2857d83258401d72f9fc11d81b103739c2786cb4fbeb601ff79ac7a71ba61bf3427f27ab340dabbec4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
59cfe33e8ebea8121237f4db9955ffb7

SHA1
d3903e81c425b119aa1a1b28b6f8e6206bfdbc25

SHA256
dc2e837a833d547f3e27735e476fc344f8e9fb6852ccc995aee0ac9c2fabfea6

SHA512
b517ee727f04465e08bcf8f55b329a504cfc334d3b8eeb45b214ef7d101db8886eed8db77c4b34d69b067cfd6f0db5e03f2f7e4cb1ed21e82a725eb4c18e7631

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
276KB

MD5
2590ea4916c2eb79c32c169740d41251

SHA1
6cf451c683603312c9562874cf1e4e16ea4260c2

SHA256
894deb8a8b296277092ff2964416ab219c4da7148d5fd2268b52464ba6f43081

SHA512
539cc502e6a299c9734b40b3f16dd75a620a2cf8e2fa08ac22b67538382529b306535ab7c07786f0ee0823d167706b24634559dcc36576845af7439ee72f484c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
276KB

MD5
7925dbac638debc76a956db15c8e07e5

SHA1
77fb7f001581d42d468f619d40743928ba86d480

SHA256
bd4471d30f88a018a8d4a5f2bcc32d03d82290eaf3f311e12e9ce52664c70557

SHA512
229e07adc581d089de1ad189a39c8986e943adc9da97159a6f70c2ef1af75b357fdcf7d23b58934aac45ad49b287632e33e49bfdebbb171973387673300d52ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
1265d427769f5b8a1a9908d9429b96bd

SHA1
e4b5e73a93660f433ae69152d11c2a887de74d2f

SHA256
0a51aebfd4dda4d8a1037ecc8170bfa501398e8058c69d7205e2aa820c5fd429

SHA512
2044076eadd834c6d4d3758cc7b57bebc9eccf3ff7fe84528422c41798eac561a209d0971cb68eb09a7ebba2add20b0210a313ac9b31a75ef4f1459388810a47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57e251.TMP

Filesize
88KB

MD5
d94134785b2bf1b87d29e6516f57d4d0

SHA1
4c685763bed1b8ebe18265e7d9f69fb183ad9e5e

SHA256
92f1604cfe841d7e9d96c60f4fb01f3c8b9be5870703327799ca1229225ee785

SHA512
78c0854f89d614825f029ffb9272d4e613fff9b9c02406a7a135fe3709bd1d6cdb1e841fbf4bde0d5150d2dfb9d9e9574629eeb06d03796db815d9530b3e8b61

Download Submit
C:\Users\Admin\Downloads\release\Client-built.exe

Filesize
78KB

MD5
0c71acb6f3b39536e293e74932de76d1

SHA1
ffe809c0ba351e0cccd67955fb7320af0ad35436

SHA256
a0cbc0fcfa908d7876d43148d2ae45e420c016cd09426d7ac72b412789818cfe

SHA512
7eaf0f316fd53fcf9187c70bfe5b6707b627322585d2ec5e30da4bc4dc2437a1f1170c8f47fc7f7548cc82407d72a1583a911495f9981a333eb7cb3668fa3a50

Download Submit
memory/2760-220-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/2760-236-0x000000007449E000-0x000000007449F000-memory.dmp

Filesize
4KB

Download
memory/2760-221-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/2760-234-0x0000000008290000-0x00000000083B2000-memory.dmp

Filesize
1.1MB

Download
memory/2760-224-0x0000000004DA0000-0x0000000004DAA000-memory.dmp

Filesize
40KB

Download
memory/2760-223-0x0000000004DB0000-0x0000000004E42000-memory.dmp

Filesize
584KB

Download
memory/2760-222-0x0000000005450000-0x00000000059F4000-memory.dmp

Filesize
5.6MB

Download
memory/3236-366-0x00000173E3E70000-0x00000173E3E88000-memory.dmp

Filesize
96KB

Download
memory/4896-240-0x000001BB3C540000-0x000001BB3CA68000-memory.dmp

Filesize
5.2MB

Download
memory/4896-239-0x000001BB3B0C0000-0x000001BB3B282000-memory.dmp

Filesize
1.8MB

Download
memory/4896-238-0x000001BB20B00000-0x000001BB20B18000-memory.dmp

Filesize
96KB

Download