discordrat | 3aaaeeb54b1a0b2dbfc1a598cc7b955f410c92598b8989595033ba10800b9f56

Resubmissions

30-06-2024 04:13

240630-etefkatenc 1

29-06-2024 23:12

240629-26y23asdlk 10

29-06-2024 22:59

240629-2yv1fayejb 10

Analysis

max time kernel
1379s
max time network
1326s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hey.txt
Size

118B
MD5

d466352784b8f01440ae607b001e3919
SHA1

163e3d87e84b7b74c5c612d9a86c029c32f1b3d9
SHA256

3aaaeeb54b1a0b2dbfc1a598cc7b955f410c92598b8989595033ba10800b9f56
SHA512

532622b9a459caeb6432a5d13f24a05c6c665e5207aa350356e079f81a286a0876ea25872628f948ebda3319c039e2a697083a37e72c2c2329c24a8dc2255d83

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1NjcyNDgxOTk0NTE5NzU3MA.GYJhy6.Km8cn1qtZGfDDPaCiMubtGhlUypWOcHVwmlioY
server_id
1256724819945197570

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 6 IoCs

pid	Process
2796	Client-built.exe
1844	Client-built.exe
3620	Client-built.exe
5052	Client-built.exe
4628	Client-built.exe
2828	Client-built.exe

Loads dropped DLL 8 IoCs

pid	Process
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133641763648600629"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1596	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2652	chrome.exe
2652	chrome.exe
2140	chrome.exe
2140	chrome.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe
Token: SeShutdownPrivilege	2652	chrome.exe
Token: SeCreatePagefilePrivilege	2652	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
2652	chrome.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe
3044	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 3644	2652	chrome.exe	92
PID 2652 wrote to memory of 3644	2652	chrome.exe	92
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 4812	2652	chrome.exe	93
PID 2652 wrote to memory of 1852	2652	chrome.exe	94
PID 2652 wrote to memory of 1852	2652	chrome.exe	94
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95
PID 2652 wrote to memory of 724	2652	chrome.exe	95

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\hey.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb21a1ab58,0x7ffb21a1ab68,0x7ffb21a1ab78
  2⤵
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1684 --field-trial-handle=2012,i,12442714025340143091,12194797937042675856,131072 /prefetch:2
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 --field-trial-handle=2012,i,12442714025340143091,12194797937042675856,131072 /prefetch:8
  2⤵
  PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2120 --field-trial-handle=2012,i,12442714025340143091,12194797937042675856,131072 /prefetch:8
  2⤵
  PID:724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=2012,i,12442714025340143091,12194797937042675856,131072 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=2012,i,12442714025340143091,12194797937042675856,131072 /prefetch:1
  2⤵
  PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4336 --field-trial-handle=2012,i,12442714025340143091,12194797937042675856,131072 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4436 --field-trial-handle=2012,i,12442714025340143091,12194797937042675856,131072 /prefetch:8
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4616 --field-trial-handle=2012,i,12442714025340143091,12194797937042675856,131072 /prefetch:8
  2⤵
  PID:1792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4544 --field-trial-handle=2012,i,12442714025340143091,12194797937042675856,131072 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4440 --field-trial-handle=2012,i,12442714025340143091,12194797937042675856,131072 /prefetch:8
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3204 --field-trial-handle=2012,i,12442714025340143091,12194797937042675856,131072 /prefetch:8
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3168 --field-trial-handle=2012,i,12442714025340143091,12194797937042675856,131072 /prefetch:8
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:916
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6e9f3ae48,0x7ff6e9f3ae58,0x7ff6e9f3ae68
    3⤵
    PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4824 --field-trial-handle=2012,i,12442714025340143091,12194797937042675856,131072 /prefetch:1
  2⤵
  PID:748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4084 --field-trial-handle=2012,i,12442714025340143091,12194797937042675856,131072 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4696 --field-trial-handle=2012,i,12442714025340143091,12194797937042675856,131072 /prefetch:8
  2⤵
  PID:808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=2012,i,12442714025340143091,12194797937042675856,131072 /prefetch:8
  2⤵
  PID:4368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2452 --field-trial-handle=2012,i,12442714025340143091,12194797937042675856,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2140

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:4888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3904

C:\Users\Admin\Downloads\release\builder.exe
"C:\Users\Admin\Downloads\release\builder.exe"
1⤵
PID:2908

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
PID:2796

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
PID:1844

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
PID:3620

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
PID:5052

C:\Users\Admin\Downloads\release\Release\Discord rat.exe
"C:\Users\Admin\Downloads\release\Release\Discord rat.exe"
1⤵
PID:744

C:\Users\Admin\Downloads\release\Release\Discord rat.exe
"C:\Users\Admin\Downloads\release\Release\Discord rat.exe"
1⤵
PID:4476

C:\Users\Admin\Downloads\release\Release\Discord rat.exe
"C:\Users\Admin\Downloads\release\Release\Discord rat.exe"
1⤵
PID:3656

C:\Users\Admin\Downloads\release\Release\Discord rat.exe
"C:\Users\Admin\Downloads\release\Release\Discord rat.exe"
1⤵
PID:1080

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3044

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
PID:4628

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
PID:2828

C:\Users\Admin\Downloads\release\Release\Discord rat.exe
"C:\Users\Admin\Downloads\release\Release\Discord rat.exe"
1⤵
PID:1844

C:\Users\Admin\Downloads\release\Release\Discord rat.exe
"C:\Users\Admin\Downloads\release\Release\Discord rat.exe"
1⤵
PID:2556

C:\Users\Admin\Downloads\release\Release\Discord rat.exe
"C:\Users\Admin\Downloads\release\Release\Discord rat.exe"
1⤵
PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a

Filesize
59KB

MD5
4bc7fdb1eed64d29f27a427feea007b5

SHA1
62b5f0e1731484517796e3d512c5529d0af2666b

SHA256
05282cd78e71a5d9d14cc9676e20900a1d802016b721a48febec7b64e63775f6

SHA512
9900aecac98f2ca3d642a153dd5a53131b23ceec71dd9d3c59e83db24796a0db854f49629449a5c9fe4b7ca3afcdd294086f6b1ba724955551b622bc50e3ba1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001b

Filesize
130KB

MD5
9446510042bf99532b01766c30fc2c89

SHA1
670bf1cb1199501ac3c2af52ca072c6e18ab59c1

SHA256
aad677ed5c4458689811b5e0c3532827a9fcf6602e99baa7fd62b1a7fa900732

SHA512
84c45125cb56f56ef84808fa9db47f7ae7618cc4a75824c22ff075bbdabc6f10bc195703e4c0a1c7eadaa9db492ad2c280e724ed4e3f50c8357f69c16df39266

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3c315f22eca6ea660143bdb06529bfca

SHA1
187187d9370deeadb5a13de30571ddf4648d9ee0

SHA256
c2401eeacd7180ba6b89c42e2cbc8758b62cfa9302be6f453523f8548daa9e33

SHA512
0a173a08e2a6ec2282a5ab5742350efb3cae8e314112553ac4b4f5ed1d6d046294567b1aa57f93d7c59cf92976c763e0d475f6155299c10d2d87811eab6fed01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
27256a5a314de8217fa15d5740ac9e91

SHA1
59d25789d7843d66ee6c4e48db021d471ccf7af6

SHA256
59d9338f579d919615b67ef793a18e3a40b77d0746cb55a5440de796f2073843

SHA512
dfd6df7edf52ca317d3b96398abf1fd0482e2336e26f940e6961e0b0c1b173981be8db5860c72d2ac9695e40d4818b34d2c3f6be62f46bc80de591d3945fd4a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
abb720a43baff7b9643a59f4b62f68df

SHA1
2820b978b60a04e88a1209ee2b9f0d805cf02ac9

SHA256
63e29c7ed87401f29635c297416ee429851b4ac019b9183a74886046bcef81ba

SHA512
d0df47e946af5e2f04786273fd319c19a2ccac2d14abc37a6d0de8834c3762ca6a0c6f3a3617de71ac0d5bb88a2bf8fa92be8c6acd821480b3e031dd61fd0586

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
0c21abb1174e9aa3f4d4907056dd9e6b

SHA1
a96f329e01bce9e95656a0c85e735fa5a3e980f7

SHA256
7b933caf00c78e98a159cc9e46b53437c00d933038cd8b26cc453b01fbb3ba91

SHA512
c6f3b580bcc3d95eb9ccfcbd41be31cec1ee2644a231ceec7d454dc3270b5338c3b620c3cff9b041b475ec9374f400dde3641da3733f340631e810e12422562d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
c44fd59f4655b493a8af72dd1e8fc597

SHA1
0ac52225e2a391e35faa81ea1e7b4e656fddc2e1

SHA256
a198b7c4ca2efd37c3ca87fe5512dc7ab28b1b951d70b5a770add36b542fc743

SHA512
cf9ffc44bfed632e2638151ec383c32ecf7157e93f3659c2b139802ac74ab017ec65bb3bfcbad9b8d268737d61d4d62c96971b0f2f978721d1d46eebedf1404e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9822996b7deaf753ac1fec96c61574cc

SHA1
83d38d37144df397ea3653b2d646793726dab0f5

SHA256
ec1baff5afc4260fc00f0f6de59bfc00a1232b1848b26ea4e9d0f5da83599ad8

SHA512
f56a86cb550467ac59f5b40b29aef498d537a0ee901729519d6d95143c070a4832291e39ce3837b1bab73a0e916d998fd4afea67dbcd82a961f235ec18e0d5bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
541c45ef2f663357049840e429d23832

SHA1
a77fa322e0654f3fcd8a8712df4b06e6cc93c4ec

SHA256
5951ac6ca3a61be7ec210e4b804c88c14cc7d9aa1d47ce07b3d63158023185ce

SHA512
ac18f023bbc8ba9e4cf53d3542901b8463600b5573d7065885c3d28a14be7d4227de0eb9317338ab82cda9c9dec6b2a6553d3df1e578edece4ca8fcb3c131e19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2671e5123634f1d76de6d72f1ff3d444

SHA1
84d90c8057083d7c25651e0c13656a2d93290a3c

SHA256
73fd859bcea2a99d1694b71a04b8bb1c0a515cdbc110710eccd7ffe690bb5d48

SHA512
0caae85e131364af4c0299d281995220572dd413a6bfb914cd35b9db22a717178efe6728e25b503501c890657fca06f7781b37050dc88376aa7ef5729c7b5fb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
648c6fa862800959aac2388f9bcd4202

SHA1
df90e6e11112fef8b078e3a5faaf79697400e6d5

SHA256
135fa6b6e6443857d097227fbdd37731a0cf504dbad8e51fd5c342282b7d6237

SHA512
1e5e9dad322c87953d7e3734eef87589de8ef8c1f5cc7c7df07cb61e6d8905e97586ac06fc865a5ea5f9ae54bf16fa0d63de4a33da8b6fab6f9a74cc87b4bc55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
228e606e223091eb43dd560d06fe22ca

SHA1
6522a43c2509c6a4c9d587dfbea4dc625061803e

SHA256
3b9cde4cce00f73536046b19513cda2c2100843b0fb81759e805ad9c51df50b1

SHA512
2121c1ff2a0ceb9b0264b705288de74bcbf13c6bb83a9eb04762e17d08ba276664654129653ecb47766d7ba60192cd218736875392777bdf423630b29960dd68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
edd0c9ec23a2da8f43be789852ed5cfd

SHA1
7afec073ba496123ddae005c573a55f2030ad682

SHA256
a5cb0919a8e2473ca132658bed0cd090efe329540e8d9c1e756dcab2c41e21b8

SHA512
62a4b40e4ba08e53c761dde46a2504c25ec214c752ec65d145e172fd5090089ac7491febe8649ac7162f58c508dd83c5b3cb0a9e1a7d749ba7ad108a51d6f476

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
41121310a167d4b5cdce38036319334d

SHA1
193bfa6d06d73d9738e0788555a1fa6ac133a922

SHA256
4058fa2ee6dda7e1d96a9c1039f25224601d4675c6f66680c01a954534bbe45d

SHA512
c3da078874e236bf46b64a8e0d5fb86ca61eb8e06176931ac1897a0db6dd870ddb3d1ea016f789bba698750726935bccd3e4ffad4a4c0bdfa763ad3d678c7bd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
dc5421edd17f4ac7fda45381937c3c96

SHA1
cb29d1787876d25e8238d550de3624911f811361

SHA256
508fcf2c2adc879cc5da4e35a43bf6bed093238582fd1930ed4dcd959f8e1c9a

SHA512
57cbbb35a319a595792f50a20cd9d034b1d9cc27355c7429de2fed866b72b3a9a9f436f64782d13e0cb9db8193caabd33c559787801664d39ff34064f42675b7

Download Submit
C:\Users\Admin\Downloads\release.zip.crdownload

Filesize
445KB

MD5
06a4fcd5eb3a39d7f50a0709de9900db

SHA1
50d089e915f69313a5187569cda4e6dec2d55ca7

SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

SHA512
75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

Download Submit
C:\Users\Admin\Downloads\release\Client-built.exe

Filesize
78KB

MD5
74d3742b94a42574846c9abd2d6356bb

SHA1
542cbc9a500feb90253d88462e1bf3da65f44b3c

SHA256
76c992fb5338986a99fc8a04b9e8dec606e55bd3f3faa151d1152bae7f094b3b

SHA512
47e2cd14be4bccba664b4018216e35127e42cdf6de1cd14f8afc2be9c736671d431cce3c6fd567375e44c8e917bdec41b97baf64421afc2088cea05d7e70154e

Download Submit
memory/744-418-0x000001CF7B1A0000-0x000001CF7B1B8000-memory.dmp

Filesize
96KB

Download
memory/2796-276-0x0000022EA7750000-0x0000022EA7C78000-memory.dmp

Filesize
5.2MB

Download
memory/2796-275-0x0000022EA6E10000-0x0000022EA6FD2000-memory.dmp

Filesize
1.8MB

Download
memory/2796-274-0x0000022E8C780000-0x0000022E8C798000-memory.dmp

Filesize
96KB

Download
memory/2908-270-0x0000000005D40000-0x0000000005E62000-memory.dmp

Filesize
1.1MB

Download
memory/2908-253-0x0000000004BE0000-0x0000000004BEA000-memory.dmp

Filesize
40KB

Download
memory/2908-252-0x0000000004A40000-0x0000000004AD2000-memory.dmp

Filesize
584KB

Download
memory/2908-251-0x0000000004F10000-0x00000000054B4000-memory.dmp

Filesize
5.6MB

Download
memory/2908-250-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download
memory/3044-421-0x0000020637DA0000-0x0000020637DA1000-memory.dmp

Filesize
4KB

Download
memory/3044-419-0x0000020637DA0000-0x0000020637DA1000-memory.dmp

Filesize
4KB

Download
memory/3044-431-0x0000020637DA0000-0x0000020637DA1000-memory.dmp

Filesize
4KB

Download
memory/3044-430-0x0000020637DA0000-0x0000020637DA1000-memory.dmp

Filesize
4KB

Download
memory/3044-429-0x0000020637DA0000-0x0000020637DA1000-memory.dmp

Filesize
4KB

Download
memory/3044-428-0x0000020637DA0000-0x0000020637DA1000-memory.dmp

Filesize
4KB

Download
memory/3044-427-0x0000020637DA0000-0x0000020637DA1000-memory.dmp

Filesize
4KB

Download
memory/3044-426-0x0000020637DA0000-0x0000020637DA1000-memory.dmp

Filesize
4KB

Download
memory/3044-425-0x0000020637DA0000-0x0000020637DA1000-memory.dmp

Filesize
4KB

Download
memory/3044-420-0x0000020637DA0000-0x0000020637DA1000-memory.dmp

Filesize
4KB

Download