discordrat | f90669c7bcd467c792eab17dc8a329b23bafbebb35051b6a4462b3ee87f66316

Resubmissions

29-06-2024 22:54

240629-2vtm7sydke 10

Analysis

max time kernel
273s
max time network
273s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hey.txt
Size

118B
MD5

0133448e7470cd0c4243ec703b4cada4
SHA1

709195ac12c0af0853a451c9a98426f71e6b583a
SHA256

f90669c7bcd467c792eab17dc8a329b23bafbebb35051b6a4462b3ee87f66316
SHA512

9569ff406041a8eae14b2713f38cd9d42f9fd0a3e10b64aa3dd843898873edf2307782418b180b649f23335ddff0e141c053e19344c5f8a9d2abcce2a8c80310

Score

10^/10

discordrat persistence rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1NjcyNDgxOTk0NTE5NzU3MA.GYJhy6.Km8cn1qtZGfDDPaCiMubtGhlUypWOcHVwmlioY
server_id
1256725681149182056

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 2 IoCs

pid	Process
3596	Client-built.exe
4060	Client-built.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133641752936647843"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3648	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4644	chrome.exe
4644	chrome.exe
4376	chrome.exe
4376	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 420	4644	chrome.exe	88
PID 4644 wrote to memory of 420	4644	chrome.exe	88
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 2912	4644	chrome.exe	89
PID 4644 wrote to memory of 3664	4644	chrome.exe	90
PID 4644 wrote to memory of 3664	4644	chrome.exe	90
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91
PID 4644 wrote to memory of 2412	4644	chrome.exe	91

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\hey.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb5874ab58,0x7ffb5874ab68,0x7ffb5874ab78
  2⤵
  PID:420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1812,i,7583424142456938427,10359639561586889131,131072 /prefetch:2
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1812,i,7583424142456938427,10359639561586889131,131072 /prefetch:8
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1812,i,7583424142456938427,10359639561586889131,131072 /prefetch:8
  2⤵
  PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2952 --field-trial-handle=1812,i,7583424142456938427,10359639561586889131,131072 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2964 --field-trial-handle=1812,i,7583424142456938427,10359639561586889131,131072 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4328 --field-trial-handle=1812,i,7583424142456938427,10359639561586889131,131072 /prefetch:1
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4456 --field-trial-handle=1812,i,7583424142456938427,10359639561586889131,131072 /prefetch:8
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3920 --field-trial-handle=1812,i,7583424142456938427,10359639561586889131,131072 /prefetch:8
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 --field-trial-handle=1812,i,7583424142456938427,10359639561586889131,131072 /prefetch:8
  2⤵
  PID:3996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4872 --field-trial-handle=1812,i,7583424142456938427,10359639561586889131,131072 /prefetch:8
  2⤵
  PID:4240
- C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:2960
- - C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff60a19ae48,0x7ff60a19ae58,0x7ff60a19ae68
    3⤵
    PID:2128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 --field-trial-handle=1812,i,7583424142456938427,10359639561586889131,131072 /prefetch:8
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5104 --field-trial-handle=1812,i,7583424142456938427,10359639561586889131,131072 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3016 --field-trial-handle=1812,i,7583424142456938427,10359639561586889131,131072 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2964 --field-trial-handle=1812,i,7583424142456938427,10359639561586889131,131072 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1812,i,7583424142456938427,10359639561586889131,131072 /prefetch:8
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 --field-trial-handle=1812,i,7583424142456938427,10359639561586889131,131072 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 --field-trial-handle=1812,i,7583424142456938427,10359639561586889131,131072 /prefetch:8
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2692 --field-trial-handle=1812,i,7583424142456938427,10359639561586889131,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 --field-trial-handle=1812,i,7583424142456938427,10359639561586889131,131072 /prefetch:8
  2⤵
  PID:4636

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1628

C:\Users\Admin\Downloads\release\builder.exe
"C:\Users\Admin\Downloads\release\builder.exe"
1⤵
PID:2732

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
PID:3596

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe" C:\Users\Admin\Downloads\release\dnlib.dll
1⤵
- Executes dropped EXE
PID:4060

C:\Users\Admin\Downloads\release\Release\Discord rat.exe
"C:\Users\Admin\Downloads\release\Release\Discord rat.exe"
1⤵
PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
6fed5dccffe6e8659d88795947cf90f3

SHA1
4d88e680613b34259e477b98c21a9250a6c6468b

SHA256
dc89a4aa0e889753644c41c493939e2aa30af7e897b04c81384e6f784899e285

SHA512
6ba4db55d2ff05a1814bcb1f5e669e9a25ae29c986053a80e933dd291012fd9bf04777ce53add33dca91de3508005715bbc7007017f08b5b0c4ca692938b1435

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
018586010139ead4fcbce3d24d0e73e1

SHA1
f990aa03e288800b872ac01b153688501de1929a

SHA256
1837cfa9074793ffae82437d544181f205b127bc754697c6fb268b83614d11e2

SHA512
fe217037647adfe64e8efc793a649ae98b5850bc18cb52913da7a3a9b57a8e737a6f210e876af7c1d38a7231c43e756f4b7d46c759827d2ae1032bbce95aba9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
c437803f26524bf37c83f335fe578cd0

SHA1
9f4f111d17e85eabe3d792f06abea66d35227a2e

SHA256
8c6a81cd2ad6161b95eae9042154e134dfa4b95518f1336099fbb50c8130845a

SHA512
acae5e96c03ac8bab41c7eda5c62d3dfab41d2b5a102c4ffa34897a573f2a09879ad51062a1a78a9f4d34ebc071f45c1e058a896b78f242d32fc19c19bd93482

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
61b0aaab0ed8fcddb6e2cc5b69d8aea5

SHA1
d442774324a2439154b9a93bc27a99ba3705bbe0

SHA256
1e044408d8228df113dee72dd42b3e7e06e13775287e473e80796020fdfa953e

SHA512
a7d599cad64551c3457b28b7a2bd08abbd4fdd58aee71ee0952d09d0606fad8669cbdbb96cd21851a5a8dcc27a99a3e282eed844f71d9fd7a95e3bf369cfd58b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c66d3446528290c3afcdd728a8287d62

SHA1
3d8e0d6dfd4f933d56b6eb42e71d3c1f54393d8e

SHA256
adb266818d8960fec62609d78c9250c3ca350c5c3e969e449be4887ed42b63d7

SHA512
63ff788992e544029e412e6c1bf90d157e80e7461e2c8d16862c2fcb5b6c22ed992d7bdbc92b145fce600e161b298f943249389e2dc357140b9326a423b7584d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f055d55789b43bc843d59ed3d2fafc5c

SHA1
1f8dfedfee6ca1316b409bdf4d469ce5aabae0c0

SHA256
fee1a197a86baef2435a7bd0b2eb86e6fa05e2147a55651804d7b9a55d01a98e

SHA512
5cccb3af9c384f0731ea599bf22ff20990b15f17e1142954b936ccc1f416d80fb3a7273250b574017559c155e9c0d18d60a5ba415f41a42d95054d697882f98d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
f0fb9e97f87f8c64260a532b62ecc888

SHA1
490444346198e306c80349677467d9220e039f5b

SHA256
b48b32d2278c3f2649debf7881e7f2aded455ab821d00983b3c723d0b20e96bc

SHA512
faeb3eef7ce92f8308103c4b28ccfe4bf6cbdb6b75414049bc7bd0ab892c0d481422f73b9a3ee7757de3449ac980768b7e4aa242fb73e97d29b6e8acfedfbd3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
027e2da5a327b3794c9d60ed2881bb1c

SHA1
93956f9126968835aad4d32787dce9c974bc9f75

SHA256
f78f3b36351f527acb503f0830118261fe8261d02e79fc8dbedc1add702cc3a6

SHA512
af676e2255add1786be1dcb9e317842b6374b59854db3c46c015ec1cf41588ac3cae4c4ef5589baa8309ad940d82b29f27e82fa7d4673f73974ca54dfeeac237

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
073c6ddfc3fa3641ca1f4b0c93ad8cf3

SHA1
dd0f4e6ebbbcd452a0a1247594fac2192c1e708f

SHA256
bc129aaaddd629f575e2041acb7695f5b37130b2543586a87680d999c46c2e19

SHA512
c9284ac49899899b6f4e2df601072703d120ff256acfc2b373bc26f42335b691021d090f3f30afc38ea01a6308367663c813b0c3c43b42330a8617c98a7289f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
66a74daa2b90f82013a46b9c4cc3d291

SHA1
43b8dd7a6c53c7a3dc97e504863dbfc81f92ab9c

SHA256
fd17cab0757be44d2258cf7426046dd4e0f5d0833b86d204e1db379f0242047b

SHA512
54ec8907ca0c8f43935b78400dce84828ef0d342511f7a4d3cef2ab77f416cf84fd00a640b142e814d8cb0c6281fa5f61e9e37cdb907747999556d925fe1f2e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe578bc5.TMP

Filesize
120B

MD5
0d95bc1f6d9cb26069d5b989a70ba99d

SHA1
0a3a95743dac9eb9a5361ec8daeb1ea6f644320e

SHA256
0e804090a41945530f4f15d9753f8d4d795cc5e760b461103f94b407933a5d54

SHA512
1ef27a4bc2887d255b4b7b45aa93749c28aaf1152a7daf17b6323409db4547e2875a3b4db7d260746426d582aa487a09c24668e0171433deb9bee83b3e333572

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\b1e4e406-aadb-4712-9e28-39ba73fc058a.tmp

Filesize
8KB

MD5
aa7270027262c33ba45ba439c561d194

SHA1
fb92ec39ca6f1a0f978dcf0d874eac3081ed7bd3

SHA256
42b56a5b9e05eac40d9e0af978fc1c0c7c7b30b6451b9873877b8c87776d63e5

SHA512
5e3d98bf14bff2f1c2d753532482d9e5199882a55804a531a2c1d5918a6e7ec4053f1c428e72c7545a2396187efe560325447c3a623c71741c99e6674ef7669e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
272KB

MD5
eeda39a546ea064c136931fdc2d94bed

SHA1
59080194030f181593d98cc496a115cf84f55bad

SHA256
5806e0b14446a78b28e101602ca4bc56630d28bf4b37e19f27436f3e51cf851a

SHA512
0c93e3f15927c739a6d6f43093fd6974069c8d9e1bd45f236df6e310d2d90fc0c450e22f7d7a5057d4f98c45ee2512708d22e167d565ff3dc53078845ffba390

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
97KB

MD5
47b7bab289c1be238c30c731f768a647

SHA1
97e2114b1b21fe4a0f455ef6dd3bf24d1209ccee

SHA256
2e9bdc8ff4c2fc9a0ca55370d903b6be852194a29fa87c8d1954e38c94aa6bdf

SHA512
ab1881973188d20601b09af8b37bcf0d5abca7ad295ef4ad489f405edbc34885a180ad964402cedbd6c6311ce6d4ce0be428fade91820ce4e89324848fa4b3c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
94KB

MD5
cac6cbd894d7fe0aaca30b7fbd9b43bd

SHA1
d011ae00c149a16e48695f74e1d3ae17712ae2b1

SHA256
c63a8d543ad7d88e6654dfacbc271d0c517d5b998a2a00ee8c85d5b97debc344

SHA512
e07259b3f04e9ac17a1779380dd5f764b9f1cb118c762034e9b4e4062a5055757da4eb6e1c97d80ae3f59968a7b5488eefcee7bcbeba717fc1731585b0eadf05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57d801.TMP

Filesize
89KB

MD5
88afb0e133cd2e3aaae6380341f414b2

SHA1
3e9b444ccc1f17ee65a92f49cb0bf3de6a12df93

SHA256
06cbcdb3b8e0f90c1cfd5279466a499a457e924934c6264edef564a2cbeede60

SHA512
75a1ebc3fd695816c23ac910d58913fb455d44c11abc3904557b8455732a14456107e3500ce9edc280d7746c84efe0070dd373ae1493b3df9cb05f02bde75b9b

Download Submit
C:\Users\Admin\Downloads\Discord-RAT-2.0-2.0.zip.crdownload

Filesize
12.1MB

MD5
c783c73fd3b91ea1bc82d0505252baea

SHA1
bc18d717daa70f480ae1a18b3995adfc63800898

SHA256
66620a1b56658de7c44954cee362da73aad69a223cb65f5225e60bd4b2e11b51

SHA512
502210fd47bde3bf5a6c1e322b17f877c9e36076d0a36d6f732b54714541f66f8aec08f9f610f1ad6626ed3611fb11c2dc29637e62eb0d5dcc836778c2d28692

Download Submit
C:\Users\Admin\Downloads\release.zip.crdownload

Filesize
445KB

MD5
06a4fcd5eb3a39d7f50a0709de9900db

SHA1
50d089e915f69313a5187569cda4e6dec2d55ca7

SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

SHA512
75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

Download Submit
C:\Users\Admin\Downloads\release\Client-built.exe

Filesize
78KB

MD5
b38fdbcb0f3c93e4941bfb006b4f6381

SHA1
263b40852db1a14ed37fed0e2c66636d20abd35a

SHA256
57c557fc96428d8d497ca20c62a9362a5e7cbf61184222965b3b5edbddaf3920

SHA512
92db4519ae4763c949384a96a6ca1596eea45fed53a9edfa9bc9bc48c9f9eaba524b2f9e37284b767588beef18d3ba50f44b9c9c26b44bca9919342d3994fdd2

Download Submit
memory/2732-477-0x00000000052B0000-0x00000000052BA000-memory.dmp

Filesize
40KB

Download
memory/2732-476-0x0000000005200000-0x0000000005292000-memory.dmp

Filesize
584KB

Download
memory/2732-475-0x00000000058B0000-0x0000000005E54000-memory.dmp

Filesize
5.6MB

Download
memory/2732-496-0x0000000008560000-0x0000000008682000-memory.dmp

Filesize
1.1MB

Download
memory/2732-474-0x0000000000810000-0x0000000000818000-memory.dmp

Filesize
32KB

Download
memory/3596-509-0x0000027B41A40000-0x0000027B41A58000-memory.dmp

Filesize
96KB

Download
memory/3596-510-0x0000027B5BFC0000-0x0000027B5C182000-memory.dmp

Filesize
1.8MB

Download
memory/3596-511-0x0000027B5C800000-0x0000027B5CD28000-memory.dmp

Filesize
5.2MB

Download
memory/4920-513-0x0000027F89150000-0x0000027F89168000-memory.dmp

Filesize
96KB

Download