discordrat | 194b5e1208373e83ed9d71e0c0942c4ca6f28bc51a5a017d7ad698fd3e69fd76

Resubmissions

29-06-2024 21:55

240629-1s9e7s1amp 10

Analysis

max time kernel
334s
max time network
337s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hey.txt
Size

95B
MD5

8e85956f74c9671e198ca63981e6fa2d
SHA1

79754ca5cabf36bd36b9b642ddd19ea7730e6043
SHA256

194b5e1208373e83ed9d71e0c0942c4ca6f28bc51a5a017d7ad698fd3e69fd76
SHA512

e184ab8035900a541828796f4e85bfbd4a7aaf57c5fb18682b7b6e8624e70bbc368b03b7d16f962f150bb7e31e6139ba0078a858ebd492a7106b91962f6e9e7b

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1NjcyNDgxOTk0NTE5NzU3MA.G8tcWY.JxWGI29w9bbShu6dB5zHBJbADl_rUjiDGP8sCU
server_id
1256725680662777948

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 5 IoCs

pid	Process
1472	Client-built.exe
3312	Client-built.exe
4640	Client-built.exe
3432	Client-built.exe
1040	Client-built.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133641717752824503"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4728	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1032	chrome.exe
1032	chrome.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe
Token: SeShutdownPrivilege	1032	chrome.exe
Token: SeCreatePagefilePrivilege	1032	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe

Suspicious use of SendNotifyMessage 59 IoCs

pid	Process
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
1032	chrome.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe
3696	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 4592	1032	chrome.exe	93
PID 1032 wrote to memory of 4592	1032	chrome.exe	93
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 4296	1032	chrome.exe	94
PID 1032 wrote to memory of 2856	1032	chrome.exe	95
PID 1032 wrote to memory of 2856	1032	chrome.exe	95
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96
PID 1032 wrote to memory of 1940	1032	chrome.exe	96

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\hey.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba57cab58,0x7ffba57cab68,0x7ffba57cab78
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1752 --field-trial-handle=1812,i,1035727144972233268,3693350787230368348,131072 /prefetch:2
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1812,i,1035727144972233268,3693350787230368348,131072 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2200 --field-trial-handle=1812,i,1035727144972233268,3693350787230368348,131072 /prefetch:8
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1812,i,1035727144972233268,3693350787230368348,131072 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1812,i,1035727144972233268,3693350787230368348,131072 /prefetch:1
  2⤵
  PID:1532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4352 --field-trial-handle=1812,i,1035727144972233268,3693350787230368348,131072 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4280 --field-trial-handle=1812,i,1035727144972233268,3693350787230368348,131072 /prefetch:8
  2⤵
  PID:4220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4564 --field-trial-handle=1812,i,1035727144972233268,3693350787230368348,131072 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1812,i,1035727144972233268,3693350787230368348,131072 /prefetch:8
  2⤵
  PID:736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3168 --field-trial-handle=1812,i,1035727144972233268,3693350787230368348,131072 /prefetch:8
  2⤵
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 --field-trial-handle=1812,i,1035727144972233268,3693350787230368348,131072 /prefetch:8
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4640 --field-trial-handle=1812,i,1035727144972233268,3693350787230368348,131072 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3160 --field-trial-handle=1812,i,1035727144972233268,3693350787230368348,131072 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 --field-trial-handle=1812,i,1035727144972233268,3693350787230368348,131072 /prefetch:8
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 --field-trial-handle=1812,i,1035727144972233268,3693350787230368348,131072 /prefetch:8
  2⤵
  PID:3440

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4032

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2976

C:\Users\Admin\Downloads\release\builder.exe
"C:\Users\Admin\Downloads\release\builder.exe"
1⤵
PID:1700

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
PID:1472

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
PID:3312

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
PID:4640

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
PID:3432

C:\Users\Admin\Downloads\release\builder.exe
"C:\Users\Admin\Downloads\release\builder.exe"
1⤵
PID:5448

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3696

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
PID:1040

C:\Users\Admin\Downloads\release\Release\Discord rat.exe
"C:\Users\Admin\Downloads\release\Release\Discord rat.exe"
1⤵
PID:4664

C:\Users\Admin\Downloads\release\Release\Discord rat.exe
"C:\Users\Admin\Downloads\release\Release\Discord rat.exe"
1⤵
PID:2856

C:\Users\Admin\Downloads\release\builder.exe
"C:\Users\Admin\Downloads\release\builder.exe"
1⤵
PID:1192

C:\Users\Admin\Downloads\release\builder.exe
"C:\Users\Admin\Downloads\release\builder.exe"
1⤵
PID:1400

C:\Users\Admin\Downloads\release\Release\Discord rat.exe
"C:\Users\Admin\Downloads\release\Release\Discord rat.exe"
1⤵
PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
89c790fc06d649453a64dd4d0bcf6862

SHA1
62f55241eab7636f63090c53ea04dc714d542939

SHA256
48b3baf54110363fede8132b50962fd4d63be0e5d009fca7d3a7fc95995028cf

SHA512
bc68706edbaa283eff29b02ec19217e8fcd11ed29dbd58112b42c27d3cae115b234f75fee603a39f25352bc2ed37c577767368e45e75919baadd2eb5de6c22c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
7c09f74d02a59889ebf4d1bb8a80280e

SHA1
6229b2d5603e048189d457305f0d674147247a71

SHA256
fe1a54fd8f73bd99c04fc30e93585f912cdbc1edd3cc2ef415d9a022ebe23c8c

SHA512
a0082a4437a3fd38829a284cb818964133a0c08a5c98e7c8853772d46d7a1ada667126935398cab38838427c53bb22346905399555b5650010c76b9799be67f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
8f67282dd2657ef68d2b0fe59c864cf7

SHA1
5c5d26aea5a0d54ba1b2ad8cf52adb4d15d9e6fa

SHA256
19c88ad3e56e70687adae25ac396240cb785ec39c096f344961310ff522c6393

SHA512
ad5dafb578cd23e888ae440391cc594864c6c22cc3502738eb83878ea4ce99dd51c6a66148f1e9fcc5e8cba22c8ce9f2b5e1bae39ad2f33e33e20472a941ec8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1a6549b9cdda069656d4c6a9df458ae0

SHA1
0eebf2900fb4c3075b1b1d90de5ae02773ae87a5

SHA256
0525b9d029fd6cfe1046d1baed05f4b7e81af4c3b2aa648b4008f643abb0ba80

SHA512
ae58c49bc2028cda284f9faac77fa2d49eac9836646e70e07f97f4b0f47593bfedde5113c1b7031b700f3f7ccaa8e99a1386e394cea7db63cfd83ce48788cc18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
51410f6b01b63a10dcd83722e7bb7895

SHA1
c87f0f6044142a376cbfea4a8ea9eb1ed3a172c5

SHA256
0e59d467315d22e45ca45b599f3c1c604eb55c97d2f10bb5aa715077180e46e0

SHA512
9786683ee3d71a45c8994e4fdd6f4fe5bf80266c502873677365e9af3475700ca24349d16c065eedd630714b2035aad468c5b1c94a5c7c4c33dd40cd950c8ee0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
240dfe8b3c94ff8fe2d526bdce69e8a0

SHA1
9b43e1ae1ba36f03a61f3e27e004958520b39db0

SHA256
4689408d9847b92eae5eb450f1120053e74ffad1403610daa64658ab48dac4e9

SHA512
bf3e5854e1ea6a0196028713246199be6ab93b20cdd818f7d1e786bd1e7eb8f2a8605cb81a365a71dd96998ba4335cd8c25bdfc63d1f2cf5a3739041dfb09ff8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a7bfb7bb4cde19d2bb00879828c0d760

SHA1
5580e73f529d130588dc9442ede9e6470329cb7b

SHA256
b045f30b1eb6001e533cad8578e7b36618f71dcf79b61034f002db746f29fcef

SHA512
096d38c64b9f8560680ebea7b6cac25012edb1df910ef5e95f2c7ed9da6a6cf0aad24c689da00158038b37f7c960e9eec9e9090cf72a3e9ecf1eadb815330391

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8a604942cf4b3437135958d21c0cebe2

SHA1
ccdbb2f55a3ccf34a3721d2736630ac0abc05a1b

SHA256
21842155ae9efbd7fd3b245241385ef56f32e81a48b59d350d3d0a8968dddff0

SHA512
6a3002c6833fb6da9b320d637f910d6401d6d366785bcd74d90e26e5bb74774564be828f0233fdac248c1a375ea9f7876703a8dd788481134eb1153e55bf36d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
bbfe4acb5d801b9ce2207d4caab55d41

SHA1
c61936b47c984d7d49d2a8747d32faae88fa66c4

SHA256
89c0c600404bcd2ffe2270a09c769ee5e8eb5fef6ac97a98840c27c6e6ad3e90

SHA512
b33d99dcb466b69e3cfe5057e59ef5198fab96f4365bd05137e78ce7f195a32a58c5fad128dc3e28673888976b34ffe27d183be4e5a86cc02828f975f817c354

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4183286e6053ebc75d97a9386b9c0d5c

SHA1
b132d5b115cee4891560baddbeef381c2848b233

SHA256
1c954baeec84b0d52cf61094ce68b58f23b6e04b0aeb99cd933bf004e6b954dc

SHA512
92d9d2c45edd755219b8638346490836881ec3060fd7045e8b046855e09921dadae1280ecfeba1fe6106467718b0994f202fb6330d52c1b13199058b80aa1d02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
2a2e67d20eb04478348f2e8a62fb5085

SHA1
35f0b2dda773e7770e57caae884491005a3fa865

SHA256
161260a156cd5f4a4191ad35e2df7912aca7670f87d891d0b8f953ac10e9ac4b

SHA512
e70b9a7778757fb08843e752c2e30ebbf27712be92eba48b4f6194667e0470c64c769c53da60e036603d3f77300346cd477a33255f2080d9e268da124ac27fe2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
1c731c641a5688d4e0363f161c8cfadf

SHA1
4a8d18954d11d94401153f3a625f731649fd66ba

SHA256
200ff9f7f0b7a31944b2e32bb08b07353de934bbae97236a99efde1414d0fb9d

SHA512
8247fa3f15c46e8c31bc5228ff22355ac808078980e6f914fad99a1164354120ebdfee47d77a0d5fd77a97a1c65def0cb5dde8fa2e6c1dfdd7209db925f3e9c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
679b546bbbe63e90934436c0a8b05b7e

SHA1
cd15d88b301ed71914dc5545ff6269fdf00062c7

SHA256
8cd0b3d6c3f85ce1b74f737a7339cefa3ee510da34f9f646940be008712f87dc

SHA512
10a3f974f32a34e612480b330bb8e93aecc98045c6d1ba8cd321b95b11ddbff2239f9da2901432789ddd0b696bb569a6e04094cdc458a5365e2f6002721273e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
98KB

MD5
ed90a964a936e7f65b6f87009bec1edf

SHA1
d17c38a80862cdab93a870570df92a2487fb98a9

SHA256
64c6e7f5b11b243a0c96cd845551bb03601c01f95a2a03b76f21c3fe5be60ab2

SHA512
6d3620b80a28a14f2da9aa0610a6c6107912c45383a77e186a12991357affe71abc7bb0021d558b6b8a1a3c3e9fdf36179d307e09199143219985ca1f85a00f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5802ab.TMP

Filesize
88KB

MD5
fcabf488d59e01f72322836ae32bd3ee

SHA1
65f9f0b207ecce13a5bb532869ed1eee46b1f79f

SHA256
3f27f6933f5890b52800edf7b241549f32e7d167dabb5046bc9bcd75f1e42b47

SHA512
21978773d7e7586a3804254d6c81baefd5859f6509837914ecbfb0653b0a1d69bfe1cba8a380e34804e3bac22e95d3cf4e11ffe6c9192fa77ecf3567d11f5704

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\builder.exe.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\Downloads\release.zip.crdownload

Filesize
445KB

MD5
06a4fcd5eb3a39d7f50a0709de9900db

SHA1
50d089e915f69313a5187569cda4e6dec2d55ca7

SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

SHA512
75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

Download Submit
C:\Users\Admin\Downloads\release\Client-built.exe

Filesize
78KB

MD5
e99dc6ba8a2be148f850fe3a93b56cd4

SHA1
5a6b96b8c413b4b5003bbe46da323f591a4ea451

SHA256
b078498024dfe8ab8688a724605123169dc5d347bbe644dd723198a3bcb78f17

SHA512
2a9d59208cd141996e16e0ceb9b23985220f50aaae39819f8a777b48af6bea43bf9fda3b8b2aa344d3ba8ff2f52b6c8080f8541fd8bb6c9862ef46411ebda876

Download Submit
memory/1472-282-0x0000023CB5E60000-0x0000023CB5E78000-memory.dmp

Filesize
96KB

Download
memory/1472-283-0x0000023CD0520000-0x0000023CD06E2000-memory.dmp

Filesize
1.8MB

Download
memory/1472-293-0x0000023CD0D20000-0x0000023CD1248000-memory.dmp

Filesize
5.2MB

Download
memory/1700-277-0x00000000068D0000-0x00000000069F2000-memory.dmp

Filesize
1.1MB

Download
memory/1700-262-0x0000000005650000-0x000000000565A000-memory.dmp

Filesize
40KB

Download
memory/1700-261-0x0000000005580000-0x0000000005612000-memory.dmp

Filesize
584KB

Download
memory/1700-260-0x0000000005BF0000-0x0000000006194000-memory.dmp

Filesize
5.6MB

Download
memory/1700-259-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

Filesize
32KB

Download
memory/1700-258-0x00000000746AE000-0x00000000746AF000-memory.dmp

Filesize
4KB

Download
memory/3696-418-0x0000018F20610000-0x0000018F20611000-memory.dmp

Filesize
4KB

Download
memory/3696-419-0x0000018F20610000-0x0000018F20611000-memory.dmp

Filesize
4KB

Download
memory/3696-430-0x0000018F20610000-0x0000018F20611000-memory.dmp

Filesize
4KB

Download
memory/3696-429-0x0000018F20610000-0x0000018F20611000-memory.dmp

Filesize
4KB

Download
memory/3696-428-0x0000018F20610000-0x0000018F20611000-memory.dmp

Filesize
4KB

Download
memory/3696-427-0x0000018F20610000-0x0000018F20611000-memory.dmp

Filesize
4KB

Download
memory/3696-426-0x0000018F20610000-0x0000018F20611000-memory.dmp

Filesize
4KB

Download
memory/3696-425-0x0000018F20610000-0x0000018F20611000-memory.dmp

Filesize
4KB

Download
memory/3696-424-0x0000018F20610000-0x0000018F20611000-memory.dmp

Filesize
4KB

Download
memory/3696-420-0x0000018F20610000-0x0000018F20611000-memory.dmp

Filesize
4KB

Download
memory/4664-432-0x000001DC1EA90000-0x000001DC1EAA8000-memory.dmp

Filesize
96KB

Download