discordrat | 2d069db98a21a63e56fc70ddca816a58693dc6da4026c6532627f3f5588a3df5

Resubmissions

22/09/2024, 13:04

240922-qa9cda1clk 10

22/09/2024, 13:01

240922-p9l6fs1cqd 8

Analysis

max time kernel
172s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/09/2024, 13:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roblox-Dumper-Remake
Size

296KB
MD5

bbdc5f8760f06019f002446b7a1c83f6
SHA1

3c2f1628b80b2abab57efd1cd4c78afade2e7e87
SHA256

2d069db98a21a63e56fc70ddca816a58693dc6da4026c6532627f3f5588a3df5
SHA512

4fe8a6deb0cab61c0c8d49cf135da5b3f18aa58d1af3d0d14fdc8dc5db34d0ee915649384154607224b043b59bf8e581c0503f0a8d7ef8887f558009400479b4
SSDEEP

6144:pZoAP3uokeOvHS1d1+CNs8wbiWQH9lvZJT3CqbMrhryf65NRPaCieMjAkvCJv1VI:joAP3uokeOvHS1d1+CNs8wbiWQH9lvZ7

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Executes dropped EXE 1 IoCs

pid	Process
2400	Client-built.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133714839005558924"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4884	chrome.exe
4884	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe
4776	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe
Token: SeShutdownPrivilege	4884	chrome.exe
Token: SeCreatePagefilePrivilege	4884	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe
4884	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 2252	4884	chrome.exe	90
PID 4884 wrote to memory of 2252	4884	chrome.exe	90
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 3320	4884	chrome.exe	91
PID 4884 wrote to memory of 2492	4884	chrome.exe	92
PID 4884 wrote to memory of 2492	4884	chrome.exe	92
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93
PID 4884 wrote to memory of 3348	4884	chrome.exe	93

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Roblox-Dumper-Remake
1⤵
PID:1296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa8015cc40,0x7ffa8015cc4c,0x7ffa8015cc58
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1836,i,15139441880991057854,13881293929854082229,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  PID:3320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,15139441880991057854,13881293929854082229,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,15139441880991057854,13881293929854082229,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2460 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,15139441880991057854,13881293929854082229,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3228,i,15139441880991057854,13881293929854082229,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4632,i,15139441880991057854,13881293929854082229,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4704,i,15139441880991057854,13881293929854082229,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4564,i,15139441880991057854,13881293929854082229,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3240 /prefetch:8
  2⤵
  PID:3756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4916,i,15139441880991057854,13881293929854082229,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5040,i,15139441880991057854,13881293929854082229,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4908,i,15139441880991057854,13881293929854082229,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=864 /prefetch:1
  2⤵
  PID:1380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3400,i,15139441880991057854,13881293929854082229,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4776,i,15139441880991057854,13881293929854082229,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3340,i,15139441880991057854,13881293929854082229,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5080,i,15139441880991057854,13881293929854082229,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  PID:3552

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4620

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1264

C:\Users\Admin\Downloads\release\builder.exe
"C:\Users\Admin\Downloads\release\builder.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3680

C:\Users\Admin\Downloads\release\builder.exe
"C:\Users\Admin\Downloads\release\builder.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4676

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
PID:2400

C:\Users\Admin\Downloads\release\Release\Discord rat.exe
"C:\Users\Admin\Downloads\release\Release\Discord rat.exe"
1⤵
PID:4776

C:\Users\Admin\Downloads\release\Release\Discord rat.exe
"C:\Users\Admin\Downloads\release\Release\Discord rat.exe"
1⤵
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
cd9ae7d060dfe77a6aef6366c4ad6191

SHA1
6af3933113e5b33b3283f1f4ac2a098bc9a75edd

SHA256
dae276631d56e936f64c4bbe6135be53ae5aa6b364fdf9cb1093ee9ea7712192

SHA512
794de24a5994491390b7642feb145c4a6926d099a8092a289c7cd01c3d4f694a9cd970346bb688ee9a7dab353332e7cd34b4ea8f4dabcfa482ea160be9d078d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000029

Filesize
445KB

MD5
06a4fcd5eb3a39d7f50a0709de9900db

SHA1
50d089e915f69313a5187569cda4e6dec2d55ca7

SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

SHA512
75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
4841273f25744243d1dfcf5704ef7b17

SHA1
dcc949d27d57e03f9eac783c77f0c6607eb8707e

SHA256
555fe6dd55b5f42cace66f300e7c06e2ce43bab6897048120580d75d438ac644

SHA512
85b6eaa0652520dd48fe74a185e12f8dfbbd1ed628f02e8e7de356f36c183f0824e1ffa5dc3b84d4be51393b4bb8ddd5568bfb583618d5e024cb7557d3c60842

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
0d38aad05abcc775bbad9c20fa4057f8

SHA1
19ecebe117a0c5901a7f6741743a6bd2b9dea714

SHA256
06b77fe1f906f00b953acca3945fa31085b18b7ce06ef4e3c796337d086f2eda

SHA512
d515fdd7921a55e81b982ff8022d5690c4718ea2823abb9003d4fa269b5dbda4d40937d41ecc88b0112aa3a9fbffa6a7bc4a65f9a7c737da8457b074976a1360

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
090d2f290d228304ce677ab2442b6584

SHA1
477813ade2356852fb9b9d55e36950f5d4e39977

SHA256
72646487b31900fc34bb6ec50a500ec92281e39fb730e489b390f5097dcb39e9

SHA512
cc27e770c8aab3f06c3abaae487d03dfb14640ce887ed8bd7a4e5efa53d3de39408408ee1da2b06bcbd72124509abd03acc289a5752ba25a8f8f48dfc771f1b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
98aa6f60bdeda02a3483f69f933beda0

SHA1
aa0cfe21194adba045df7a8e2f5ce10f479b6133

SHA256
5450c539cb44a25c2bf84fd9731fe3281942f2a8ef012e69d77ae6630f9d015c

SHA512
7dc78cbfbd899818678410dbb9168b9c8d3b6b86f6fda72c585f28d1962459e5980412425a345fb11f7668c5a3d30f3a527141409a75b5efe135df6cd1e9f99b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
3fa8eee3a4835acd9ea2cac06e594a4c

SHA1
083765e231af07f6617fc55cf24c38ccdf382e7e

SHA256
10e08d550e221369796bd5a0ebea8ca2892ace305332cd8b2c8469f91008fed1

SHA512
6313c883e14d92ddb235faccf2b4b04d9edf3b1cc17de9e0ab80e4c9eb2885bf45dcd8efbb2fdc0984d87d0becdaf5dfc0a60172897a9fd18963c0d559880f2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
68fb1f6dfcbad5f3e72c441ed5db0392

SHA1
d5a89c88f4596ef4e273ed9f7faf65b97c8b5a33

SHA256
7586729115696a4d107012ab8d6d6f67a543d70982825a9f9d819a6ffc634217

SHA512
26037d052a2c56fd956611eebfcd25060df0183dbe465947a0dd7b252573c6ac140ca7e165b84c976c686eee29262372dc07593241fbb561e95caf767b2b8c50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7371037aeb07ced520ae0a7a75052019

SHA1
f4c049c0c58f149f67e1172aaf9d21cda541b4f8

SHA256
95bb10ac71f1dad79c8b1141466bed7998e25e427b9d972022f3a69824b43e1c

SHA512
6704ba916f3ac539766bb393650d1448edcc0cadecac7b7ac2d3466757290fdbe7467138bea7ebedac44d86a72df3590616aa8ef1a1b4b771de9628256a4f37d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
45696ee88a249760839d644fc311779c

SHA1
0274daf5623bb3f176ba7b2e6aa96e7157791d0a

SHA256
c080ba2b6b995b7e40438abf2bb43115eab11b48b6032f8d907ff53f35ca8c9d

SHA512
805ba0e6ee527ca62173c0174025ea7ef9dffc051f32445ea4c815d54f8671e4700a2051c4ba6238066c36aec6e2705095796e1b59edfe688512cc5e46c734ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
da4e634fdd9c21387bcf95a30ca4b868

SHA1
b461360d6fb11bae00ccd68b751e67c9d99716be

SHA256
ff2573427135d840089ec75673e0556900aa43760b0c716256d5d5dd78850a2b

SHA512
803ab0333e10ea6e88043f0ae495ff48edf2d0acc4321a73965e30557a397dfed653de4fec68718784cfb699f098233cf5b77af604e6ad429c948a574c380112

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b8c6dbf672c4765f43da8d574faa5279

SHA1
a563554285160783776a9a4af0e7e64f2f31d1c9

SHA256
131b8bb1b364e90582b0d79ed58680b023bee0175a7f10a40308c38b41a4e69c

SHA512
5e94195201b1d3f9471507f23d5992827cb01a5894f732f88e341dc15a2b2dd77baaed15b78cafc4a80b96fafdd279aa54e3bee405c5fe8b915b65e247ff67b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
22fd7617aea764d40f0aa8851fd6a2cb

SHA1
6f77285f17709d694015df03ee07757ab1a4da5b

SHA256
47339a2646217e34d23684f960e55ebedf5ad8287156ab06608cd22c087adc78

SHA512
69c03febbee4231f556596130cd03a98a4e10a314ec260e2d14f18c730296bb2cc7a4e7eb491f7559e08ffd4fa8daf8c50d4b53f025988e95eeba9f377d7557b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
04cb0dda05a47c741599f4e1998b9174

SHA1
91516f0a7f12e057cefcc0665248da841f10077b

SHA256
1f8d3dc76e69cb413a25b8571764c0b1b839242e91c578598fcb714e96fa4185

SHA512
e58c86105a34720a6704b7c95c92c9dcfad2a844ceac35e5d8501c1706c99fa0291cb199c9c55d1b6b93148223a7b7a0c8e0d11f59c43184b835d1163a2f5c6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
357d9befe4d796857c353298c1a63e5a

SHA1
3b2a542388f37d86ebebf1d8b93815d5fc36db41

SHA256
93c7e8edffd948ee3d6ada1d9e3649015a89064b5078348950a4b27ddbf72b73

SHA512
c5a1e9cc5ab4ca298d80099c3070d10e1939f5fabb890bc7700134f8deae78512a21928c64737b0db48eb35a4228cf619586e8a3e6633a9fdbb07596646d5dd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
83d88d3ddb8fee9e1c24b2b9fa6592c7

SHA1
3f65e90bbcca43c871de9abc6947cfbb64f59e5e

SHA256
fe3b60bed0b6d961eb4aec6a546fec9a850c0c80764397d6b14e77db02c79ce1

SHA512
df26c66cbdf5910cf2f47f1935de3881f49c1a10d10c7bd66cedbdbed537b0e1062d522d52a6166b187d5f44bd583e051e90065b2e7446a1a7a036163c8d32a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9fc8f0386ff2d413c6415187f9878120

SHA1
766ee8d16e982e0bcdf7d8f4841d8d3609708ab9

SHA256
c5247bc83fd434ded475d965349c0fcc7415225dc1618388f86637538d0d6753

SHA512
32f971246a60dde31f2938ce902ac10378baa18428ac21824669b10470baab560987e5eff9a6ed5112f95e766c0f80e982c46d5e7c36ccc2298c90710935910b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
900c4d86f62b34f9b02133b7dba6359c

SHA1
c020e0ef2973dba8bec162beecbaf1e0ad06c1f2

SHA256
4c6cc719d0521f48b19559f7c2d80a59ee5e7e6dd5da89db49571fc7255fc086

SHA512
5eca16e70ed6ee8d9bc6143636f828fb6e4ef09ac57ce9d27dc9dea2a510f7aed045f5766c41695cb2112b347a6e530553ca0060b88c33cd76150f42dfa761d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
aa09d856bb8a8b178bfb45a2ee608ed1

SHA1
947e29d37728667c4f0a24b8445cc2da7dd1f470

SHA256
48faa2a51d1270d9497f4d7e4ade3eb7cecd4e1305c10829d46198855364d33d

SHA512
59847a08a7ba8b591cdbf2e3988795aa6bf095360baa8d9120c6366498f50c110a32cca070da23dffd189e7f0cf5e0d828cb438260df5103720b2423ba5b0b98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
04b9d05dfaf1f621a8f53aacf4d766d8

SHA1
a9b1fd5a5dde634ab1263f2c76063e255eb07d92

SHA256
9a2e07d8078556a954930092f7bfe19a38c6b5cd11db1629b7f7e09aa9c1ab89

SHA512
dfa3b0405cea2df030e3f9f828abb3a78e7688d1fc599611ad9c7de905868217e1f607457bed57626da82c646cc300f0c648ea2243e22b8b90314962c9a07490

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ff8edc76fa5fc532ad68e0acb7385c3f

SHA1
82ba63a6d5c1a9cd462ded23c067af07c6673bf1

SHA256
12a5f00c8767f3918436113fa6f0215517e88242b8fd0343cbd1444c334b6837

SHA512
b24c2c853998a6b026b0680367f46f07685d6006179bf2f88e85bb6a81af423802f47137a7fa455d85917506d9157d1e1a328268c5c69fb4562ad16ea0090129

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
031557dedcf4d18cebda2e056de0432d

SHA1
ff7cacfe2f203d9cfdd36917def35d72488ce60d

SHA256
a8e0d666803bf396e43a7f654d8bd3dc0c66116b084f2f5c060193883c70ab27

SHA512
39830ba203ccea130176ab0eb0e6fc4f1de5f21993edd722f1d96d211c874b2acd1eec0e52c40c2633412458400aff39c70316618b1cc2b0cf604a8676e133eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a8f883227fd09851e61413e202505eaa

SHA1
47fc8fc9515d2d1b06872dbff0bfed31c534d87c

SHA256
859b81b7a306caa245181834b43961d288827d06a88bedd9a9068cfe2aa4fac1

SHA512
b69ad61d701bab15a9604feb02785dbfe71f344d6a241f6c77381aa0799756dc7da716b3bd4d689f21a0a28360e1eb0c5f3b0ca52fdaff6750121e7e1c607f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f4bac0a4cd28a10eeb44fcfbfeba7342

SHA1
5c77928215043ae35ee76ed801b1c4b43bbb3ec3

SHA256
ac6b05f6d7c7772acd6c65082c6bd3c48bdf29e332e60b8554ec7f395623db20

SHA512
5a04d00f7aa9d8f4fcc17e28746bcdbd8f11839f727231c9b30d817e761fb580ac0e97d808734e0245fa111e0a3ff5db0144c21d07789a02ab74b270ee423339

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
aa47002abab8237e2aa451fffc769528

SHA1
0460913403415a8d9a67da81a3c6c1cd9facf7cc

SHA256
ab374de3712cb6b96cf8a4f1cb883bcfed26ac32aae949d75ac466c0fb1ad1e5

SHA512
26f6887b013b63e6c472c4fc65b84d4a7649543701da95c7d0eea67537091085406fb9b47956a609cbfcf6e7faf590472a3938fdcab1ca8fed2400e9d8816264

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
f4d58f667b588b0929c5506b531af8df

SHA1
4fd929162d42e75980fe4a90a2a8d56d6a47be0c

SHA256
d46197fad3e39adacd6aa084b86a34b9045ebeca86e68af288555abe5ef71082

SHA512
d16e5040f1b12124cf0c024b64472cdf376c1bdc54c0dcdeda95f4006d3a3d5865176ee79c1d0b87ecbf324cd3a2226669c0ce24e212b60327d08242bf407805

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
faed69138a4b6db604974feb4f28534f

SHA1
304cce88d1e26f006e26a2817a73e351fb2a2470

SHA256
04b0cd2f58dc3495f9d92b1837919e8aff6627da13b9bb9eb130ec279f8873cd

SHA512
6d0d6feeb3d3e28703791664bfd79be5a557ea942edfd2d52863656c7fb0a713b5137f838ac7292d3f0971e35d0372163fe1a4d0b86ce657cdc831aea9cdf5ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\builder.exe.log

Filesize
1KB

MD5
7ebe314bf617dc3e48b995a6c352740c

SHA1
538f643b7b30f9231a3035c448607f767527a870

SHA256
48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8

SHA512
0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

Download Submit
C:\Users\Admin\Downloads\release\Client-built.exe

Filesize
78KB

MD5
5fa78b19ae158350ead3ef50feb6a7a2

SHA1
57d57ca525968fd9d5a9ee38e783e288896caa01

SHA256
1d4914ee768fbaf1b82a860ace972a01338c12a05ff7dbdde42bfab43b21a4d5

SHA512
c0d0803b5ceaa4c3013132ead8d8a95faae4a01933c41cb4c998572c2a31c971faab5bb2c488aee8d73a16a0037a78e09130e1ecd2804c40f0665399c404c00e

Download Submit
memory/2400-730-0x00000254BFA30000-0x00000254BFF58000-memory.dmp

Filesize
5.2MB

Download
memory/2400-729-0x00000254BF230000-0x00000254BF3F2000-memory.dmp

Filesize
1.8MB

Download
memory/2400-728-0x00000254A4C50000-0x00000254A4C68000-memory.dmp

Filesize
96KB

Download
memory/3680-709-0x0000000005280000-0x0000000005312000-memory.dmp

Filesize
584KB

Download
memory/3680-713-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/3680-711-0x0000000005440000-0x000000000544A000-memory.dmp

Filesize
40KB

Download
memory/3680-710-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/3680-706-0x00000000753AE000-0x00000000753AF000-memory.dmp

Filesize
4KB

Download
memory/3680-708-0x0000000005750000-0x0000000005CF4000-memory.dmp

Filesize
5.6MB

Download
memory/3680-707-0x0000000000890000-0x0000000000898000-memory.dmp

Filesize
32KB

Download
memory/4676-715-0x0000000005F80000-0x00000000060A2000-memory.dmp

Filesize
1.1MB

Download
memory/4776-731-0x0000023140D50000-0x0000023140D68000-memory.dmp

Filesize
96KB

Download