Malware Analysis Report

2024-11-16 13:03

Sample ID: 240909-19cgsstaqn
Target: Client-built.exe
SHA256: b39337904af234ce5ab04051a009b9a8c60fa46bccc76d449800be886c123e0b
Tags: discordrat credential_access defense_evasion persistence rat rootkit spyware stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: b39337904af234ce5ab04051a009b9a8c60fa46bccc76d449800be886c123e0b

Threat Level: Known bad

The file Client-built.exe was found to be: Known bad.

Malicious Activity Summary

discordrat credential_access defense_evasion persistence rat rootkit spyware stealer

Discordrat family

Suspicious use of NtCreateUserProcessOtherParentProcess

Discord RAT

Credentials from Password Stores: Credentials from Web Browsers

Reads user/profile data of web browsers

Indicator Removal: Clear Windows Event Logs

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-09 22:20

Signatures

Discordrat family

discordrat

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-09-09 22:20

Reported

2024-09-09 22:22

Platform

win11-20240802-en

Max time kernel

79s

Max time network

74s

Command Line

winlogon.exe

Signatures

Discord RAT

stealer rootkit rat persistence discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1356 created 636 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\system32\winlogon.exe

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Indicator Removal: Clear Windows Event Logs

defense_evasion

Description Indicator Process Target
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1356 set thread context of 644 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
N/A N/A C:\Windows\System32\dllhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dllhost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1356 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\Client-built.exe C:\Windows\System32\dllhost.exe
PID 644 wrote to memory of 636 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\winlogon.exe
PID 644 wrote to memory of 688 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\lsass.exe
PID 644 wrote to memory of 984 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 476 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\dwm.exe
PID 644 wrote to memory of 1036 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 644 wrote to memory of 1060 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 1068 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 644 wrote to memory of 1156 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 1192 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 644 wrote to memory of 1308 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 1348 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 644 wrote to memory of 1408 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 1424 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 1456 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 1484 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 644 wrote to memory of 1580 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 1616 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 1672 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 1684 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 644 wrote to memory of 1796 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 644 wrote to memory of 1820 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 1864 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 644 wrote to memory of 1872 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 1988 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 644 wrote to memory of 2024 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 2052 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\spoolsv.exe
PID 644 wrote to memory of 2184 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 644 wrote to memory of 2272 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 2388 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 2396 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 2424 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 2508 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 644 wrote to memory of 2548 N/A C:\Windows\System32\dllhost.exe C:\Windows\sysmon.exe
PID 644 wrote to memory of 2576 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 644 wrote to memory of 2584 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 2616 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 2624 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 2316 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\sihost.exe
PID 644 wrote to memory of 2640 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 2608 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\wbem\unsecapp.exe
PID 644 wrote to memory of 3360 N/A C:\Windows\System32\dllhost.exe C:\Windows\Explorer.EXE
PID 644 wrote to memory of 3492 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 3532 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 3912 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\RuntimeBroker.exe
PID 644 wrote to memory of 4024 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\RuntimeBroker.exe
PID 644 wrote to memory of 4088 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 3596 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe
PID 644 wrote to memory of 4320 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe
PID 644 wrote to memory of 4576 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 4312 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 4988 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe
PID 644 wrote to memory of 1948 N/A C:\Windows\System32\dllhost.exe C:\Windows\System32\svchost.exe
PID 644 wrote to memory of 1232 N/A C:\Windows\System32\dllhost.exe C:\Windows\system32\svchost.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc

C:\Users\Admin\AppData\Local\Temp\Client-built.exe

"C:\Users\Admin\AppData\Local\Temp\Client-built.exe"

C:\Windows\System32\dllhost.exe

C:\Windows\System32\dllhost.exe /Processid:{b15c098a-0de5-4fc8-b599-1658c6219cdf}

Network

Country Destination Domain Proto
US 8.8.8.8:53 gateway.discord.gg udp
US 162.159.136.234:443 gateway.discord.gg tcp
US 162.159.138.232:443 discord.com tcp
DE 159.89.102.253:443 geolocation-db.com tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp

Files
