discordrat | 8c9265a5ad80053fc88f3e08f2e86b59bc171386c4c67d680fd8987ba1507b96

Analysis

max time kernel
300s
max time network
293s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nytt textdokument.txt
Size

182B
MD5

89ee9eabd48c238e1269aeeaaa0bae2a
SHA1

543be116acafb378185c53071ce06004b1c26344
SHA256

8c9265a5ad80053fc88f3e08f2e86b59bc171386c4c67d680fd8987ba1507b96
SHA512

2f5027f14489629b4ac2fb952cda6aef593ab88dafdc30eaf5e76e8d74e9228380509f961ac966724b74421109b030b72313f75503f628639af1cc09266783fb

Score

10^/10

discordrat discovery persistence rat rootkit stealer

Malware Config

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat

Executes dropped EXE 7 IoCs

pid	Process
3276	builder.exe
4016	Client-built.exe
3444	Discord rat.exe
756	Discord rat.exe
2500	Discord rat.exe
884	Client-built.exe
3684	Client-built.exe

Loads dropped DLL 2 IoCs

pid	Process
3276	builder.exe
3276	builder.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133767808006229741"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3952	chrome.exe
3952	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe
2388	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5096	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
5096	OpenWith.exe
5096	OpenWith.exe
5096	OpenWith.exe
5096	OpenWith.exe
5096	OpenWith.exe
5096	OpenWith.exe
5096	OpenWith.exe
5096	OpenWith.exe
5096	OpenWith.exe
5096	OpenWith.exe
5096	OpenWith.exe
5096	OpenWith.exe
5096	OpenWith.exe
5096	OpenWith.exe
5096	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 4020	3952	chrome.exe	102
PID 3952 wrote to memory of 4020	3952	chrome.exe	102
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 224	3952	chrome.exe	103
PID 3952 wrote to memory of 1500	3952	chrome.exe	104
PID 3952 wrote to memory of 1500	3952	chrome.exe	104
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105
PID 3952 wrote to memory of 2008	3952	chrome.exe	105

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE "C:\Users\Admin\AppData\Local\Temp\Nytt textdokument.txt"
1⤵
PID:3464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc7fcbcc40,0x7ffc7fcbcc4c,0x7ffc7fcbcc58
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,5734866510486947710,12666646507771761400,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2196,i,5734866510486947710,12666646507771761400,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2404 /prefetch:3
  2⤵
  PID:1500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,5734866510486947710,12666646507771761400,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2488 /prefetch:8
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,5734866510486947710,12666646507771761400,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3424,i,5734866510486947710,12666646507771761400,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4548,i,5734866510486947710,12666646507771761400,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4544 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4432,i,5734866510486947710,12666646507771761400,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4104,i,5734866510486947710,12666646507771761400,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4436 /prefetch:8
  2⤵
  PID:1812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4744,i,5734866510486947710,12666646507771761400,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5208,i,5734866510486947710,12666646507771761400,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3740 /prefetch:8
  2⤵
  PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5372,i,5734866510486947710,12666646507771761400,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4492,i,5734866510486947710,12666646507771761400,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2388

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4184

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:64

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5096

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\release\" -spe -an -ai#7zMap1947:76:7zEvent18698
1⤵
PID:4776

C:\Users\Admin\Downloads\release\builder.exe
"C:\Users\Admin\Downloads\release\builder.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3276

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
PID:4016

C:\Users\Admin\Downloads\release\Release\Discord rat.exe
"C:\Users\Admin\Downloads\release\Release\Discord rat.exe"
1⤵
- Executes dropped EXE
PID:3444

C:\Users\Admin\Downloads\release\Release\Discord rat.exe
"C:\Users\Admin\Downloads\release\Release\Discord rat.exe"
1⤵
- Executes dropped EXE
PID:756

C:\Users\Admin\Downloads\release\Release\Discord rat.exe
"C:\Users\Admin\Downloads\release\Release\Discord rat.exe"
1⤵
- Executes dropped EXE
PID:2500

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe"
1⤵
- Executes dropped EXE
PID:884

C:\Users\Admin\Downloads\release\Client-built.exe
"C:\Users\Admin\Downloads\release\Client-built.exe" C:\Users\Admin\Downloads\release\dnlib.dll
1⤵
- Executes dropped EXE
PID:3684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\569a2f15-123b-4bce-acc0-fa43da41159e.tmp

Filesize
15KB

MD5
74d6a361c8d7cf5ba8ce15817c9e3c98

SHA1
76131e028945eade3ec7591fa531c2ce71251916

SHA256
18d01020ad2af480718348a78f92420789b70eda634b1fffd5655232214761a5

SHA512
bbf7a05ca2943432ccf6fd28c02b1acfbc237fbd6d0baf76fe6d0787edc9794b79b67100cd3bc6c8da6bb9244f56f23e751e6c87286ab81017c6822936cdf8f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
48de78b1cb7fe2c49d6ffa4f95a78f0f

SHA1
8e95066489ccb2b6e5432494fe04e777d6973f4c

SHA256
daa920061b7f335016fc9bcb36b4ec85ae271fd58865d055c87c7f76a2ef247c

SHA512
7dc44793834c23ae1ec64d624a9ca998228916238c05973994323a1fa83d11dffe17974f57991b4464d91b83c7709fa143c1a080a6799980dc184f54c320f9fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a7fa31382694e4bef30dfb2cbe87b4af

SHA1
85b5eec535d5a42b0b9f91c4f58d9705bae52392

SHA256
1028bc1e7b13103e4630c3cf6a75dee2fd9d01e7f755143a9288ed6e339103e4

SHA512
dc1ce18e19813a9d3b73d196c1010197d1856f1cb6e00ab3e600c7d286436405f1e62e3c76f20f70ca9a26504de027b46c0419099934894368033b626548bd14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
13c2750e541c9712c8aedb741094f57c

SHA1
dbb7e6aa8c743b41ff5bbde90f5801e2b5830e4b

SHA256
638253e702dc5e530e5e140ad7dc0a082e7615111e57adfebc4eff469f6c445b

SHA512
89fa8cbd83e28c2b68aed0d28af99db509e71da047db83908cc6917f4129949dad2d412d7073b4edd7c34ac873307f881cd7eb763d3e8f84f08ea19f75bc0e45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
fbd51b014212f299a1bbf1200741d852

SHA1
d4e96d6cd5c24f7857c1878d1a98c9854a40316b

SHA256
a43347535524da48bb64840a35609f613e851e66e09c70fb50c54046ba0a16df

SHA512
798d29d18425cb32f6149f82c1287c91931515590f26676699cc1a9a3019b378985c5d87b6f886d3b2ca3d7944ec0da38e837b9ea5458ead1720a1ed959929c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7c17d241ffd8e8da1bc6aa7730485cea

SHA1
ea68fdf979c6bb2a83bacc5f70b9308063a2b175

SHA256
87cf5f474df9bc77d9c7c8516dd3592cdf88fc042e8e37659335d22068d63c9f

SHA512
6c231827fc68ffcf301e70cebaf4e3eaf49fa77749fad13c47d00d3044dacd01dada83a54f5f2e72d513749e3f9b9817c10a328b71ad3d86911c22bbaf02c3b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bcc0b2f63867198e4c24dde1cfacbb19

SHA1
96b32e08290491e6326cf04aeec6bef3c908758d

SHA256
83546443840d798c3d322704e9b7890d6fb9cfecf2e6056af6456ee647ad25ee

SHA512
10dc0f9c568f0826c97ae2a5a499726a1c73eeba084e7618c6647e8af38b1aa5427dd8ed9bf420f314e5053589eb6cb1bd62bfad68cf3cd79933dfcfe8522a93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
11d64a5eb49f89c8253007291d2232d6

SHA1
660629201eb157cb762a7bc9c045176141a7e85f

SHA256
e60d0d1f0685c0fe6564ecd7e30db91c4c654a7149b9d5f78777ef45e875e4ac

SHA512
4ec80f227e68304da702c4ff9aed20f2c07bb99f330fd040437adc51561bac5e7d40df2d38b1407b5f60b4ac4c2ade25f6374e0e02a13a7f240f5f922e3f3851

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0057d725dc4017282486621b829f6d1e

SHA1
f770a1bb6417aeb6fb8a5e80d577fa10222803a2

SHA256
cfc1381965eb2ee5ff31f314b36189f30d010027fdf94e44428d43f749dc7ec6

SHA512
fa6c96297140031081ec3361a9815eaa83cbe09a8fa51b0afd41b2008f236bcf68b8a4ff89d0d58d52f1deb518216d6190586da8dd3c8a0c9554da8b56da91a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
33de2c56a0259b9c32dc446ec40cc89b

SHA1
66cf290c2e279e7f66c981d724138721f5e68176

SHA256
9d666b148b620825952d8687296d30080993e486b6f264a84375d279f804d059

SHA512
d03d280e21da2060bb0f1c42f7812879da658768693ed88cfa67a0be23ef23ad730e92e8d797d6d00d309898d0c912bb1b95afd9213bbceb777bc9a17b88adf4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6054250e8c9fdfdf24334ed71ad256ef

SHA1
86dad841699f01afb885a9b9bb4b25538257c840

SHA256
c4dad8de33e4ad99191905a4b777ef2ac3efd5bfcc73205600337b5534524892

SHA512
8897383115177a0cfdc47a1ee1ec4d379ca40af282b213524ea9b91e7cf014bd811e87ea3818b707f9d86c0bf534a46bfd98c0d726f75351cb0cdf0b85f810b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d2d237237fd84d206b98e53d74a4dfb8

SHA1
12ab36ae053ce3ab671bc43c837fcced0b43786e

SHA256
e886239edaf2c0e0d7f9aeac6aa011c9d67f51177ef2d760335a67c8369d0a0a

SHA512
29dca66b08e96f7d0773efdeadb0ba55feece8e4151f6f1e2033bf87fa1ba325266e9944d668fb484fc1938da46aaa5ba023ddc387f1bf565770fe4cb42c4091

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
752c27b6ca76b373d2727edce6dca7e1

SHA1
07f3139b28dabde6acdda3b97e287ae80d31cfbf

SHA256
cc666e17c239101082ac811b3d5e7e7425cbb90812fc32d839632937891c941e

SHA512
e428457212d4ee2faabab7c3371429cd6b14b0ba43c6aab2a171b9c49920d680a9bc77de361650ce4aad487fcce22bb0c86f5bb2d1551981624b33924965db80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9dc79eccb21806dbe47909f94af8cdfd

SHA1
5d11178609c7ef3ba19503efe0cb06b675c9a854

SHA256
fb5303f1dcc8a95dd7b22ee8df41247098a51041682f89aaee307851e3af8e83

SHA512
9235c0ffc6957f587e3b90d4120c1ef357f684687deafc6f10f94a2afd4b69fd6cf6972e91c37502d37baa90a20c10c67efe18dcf5dd5c0733342d689ba2df87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
730b21f45b834aa7ee46cab5b83da6c7

SHA1
c157f8da9520cf5f9694ea1bdbdddb2837a1276c

SHA256
8e677c3e67bf2759f30ebe3952a5a1398d64f70c7def5d59fc8482dc2c0f17ee

SHA512
394ce9a60c68e965047bc05a49bea84b0b9811d7bb7449717f187b56c79e26743d289235f7721707301fe5f0d22c0769ea9ed1857f7f79ab96b4789a2d6f6c20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4ac949e2eb128e860da648fc4bebdcd7

SHA1
c0f933682d48448d7aa230fae4b293b9fc606529

SHA256
fe2d03421ac09da268bda14c575164313961349a0b948140d59acb88e7642e9d

SHA512
7d723f677b8bf88e440d72b2d91b1cd9648841d95ec261ad0a06fb6c64d70913d51423d5eac4e44d8f2ae242b9771859ccc3b30ddc5dda01f7863655ae972f93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5cf2f36fb19df71e0383eca0ed0dd178

SHA1
a7a6b32688a690f5476d1ab73448de3bfce72684

SHA256
93b4f89788420c6930f383e4f00df55e74a7048aa99123fdebb054d69e103c15

SHA512
6781691f8cb41ba682e3e7ea187c7d24d14b6b00614838f66e59e9934b49fe4f4a43c3135310334000807a0bd868a864c92241d2c63cb625c64585425c55355e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f92ba634d87d6d396f9d499285678dd2

SHA1
ce7b1565f6e987fc226467859a0d64f2b1814ec6

SHA256
0f1deb44f1e1a47ef0cec707b093f6d4d780ba49b30b673d27bb34171f232cd4

SHA512
76a5b8ded75562e3f5a72a0cc2d1ff17e5a3dc71e07f1574e245006247f5439d138ee204bdf8b6292c63b05d9644f256fdb8456f8087c5776859735358f1a3ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c78f688478b488981fef982d7243ce8d

SHA1
3ad36b3a29156c9086f9758e0b639b3fcd266c76

SHA256
775cc26bbe01a4d9fb4a622d8d03c1f1b5feeaa10d4e6bc6ca6331584ca7afa2

SHA512
6d52dea1e1d43442be04e1d6c808a3f86ca38e57aad77beb6eda161055c71aa0dae61fda68cd33f8c82efc72b82b49de3045d2b700bbadc7b7aed41cd7957cda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
89a7f7c9026af1a4ca88fbc98b8acc02

SHA1
ca958507cd05546bd7cf027514e7de5ee8eb8228

SHA256
a19797416b348b35b4c3c73b0e593f2160271ea690dd615435202c1ef03d66f9

SHA512
8e7fdc01a62ec2d2f0ce09ec732d826e6ea4f3b2ee5ccdbcc6aee7eea51753a64562879f9ccb1dc5532c05e2071994c72fb0f01bae5ffa716466fbd8e8a89c75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0d10e40a2ec25bc898c12f0d0065cf60

SHA1
fdff10e9489bd98eb0bef543bfff6e9db1fe1e08

SHA256
c39e73b08528068afa42f9c36dc8845bcccbf9f370c868a7b784388a88d82842

SHA512
94738b805dc191de7deb369114802a742fb809e47d2eebc1fdec89a4d22de4d1b70e2271a542035df687a8b501250fafa0017cb5605463f2b62991bbe016b95f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
db64f1ab2a9f04c909cbb298d7342b9d

SHA1
e83d7b327cdf8d0c6d250aa46321dc15b3d39bd4

SHA256
920b6c8b556ec0d8b20ca8690e4dfd783cec4c871886381b26b5a038e9249883

SHA512
de5d2ffcb44d077b3aaaa740f0103b025dbfef5abcbe6db1fe134174472aedf904b1c6aac50d43f6dbec1791bffd60a75b9fece598c9e01d281d92cd984947ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
47e7b6d8e6069164bed67adcca955a95

SHA1
c8ad48d335296f48a667c3683025f4276c8c8599

SHA256
db8af7442e6b9fb382def6bcc014b711acd49cd54ebfc1fe984d8169037fa949

SHA512
32540dd8c544c23758274f6265a3b2568128e24704dfe0e3530ddf388589768c6ff432960577c1ec6990aed21b33605d111f6c75765c761def33f88264beff21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b04088792a4e41ef8f3de54a4bdcbbab

SHA1
6d6c9e68e3dfac2f4f3b5143f7b93ff404ab8288

SHA256
470bd0bb4c21ccc58360c77b2a24118d4adae10ecb43824bdd81da42b38ab0de

SHA512
ceb41a3547b6eb8dc92670333be77fbb57b6f1dff0e08e410c8ac6e8bfebf5e6ca45449a8c434aa5f143fcf85be0466f6628903d699daf701c60d3c3ce5d0d4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\a3077355-3526-470a-a2e7-9d0684a4d6b9.tmp

Filesize
10KB

MD5
9f061d2d186407a0c5286e0ea4e3556a

SHA1
fc86a5f36bab8f9a8746cc4e5348738776e73569

SHA256
8117d9c8d7c25f960db632d63037bceff432cce14b5832d55fe12a5ce7c4fba0

SHA512
ae0cbb0590405f38eda32e2414b8b667052eacf87cb27bd351bcc571f56ff1d62f9e3fefd6840bfd1e12395dfe034da55aa028194dd2c0947eca1adb829faba9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
f6d813bd7da228bfc218a3836dc76fe9

SHA1
34a867cb7ee83504db6979589cf20a9787bb058f

SHA256
ed505bbc365b96f6ef370dde117f824c77acdefa26d48efd604597e1bce38bb2

SHA512
b97e61b27c40e3dfeb76f6135962c7d63b794474629fa6ccd011fa5b6aac668adb286a4b1dae3de26c05f111fa414912d3076396e8177fed904750e90d59448b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
99ea26658932da8b5d2261b44fd7fa6d

SHA1
76e8d0260379f2198b9f9627756dac99356303ad

SHA256
570e1a81ad8b1ab0be08653d5188817c0b04e3e1ef8e77e7599324d1b8b7c44d

SHA512
8b7962fc0f134f00229a911d8417189c9cc0786af7e45a63a6484abf57d3962395e0773986c6abed61bfcef0c882ed05f412528d1e54fda54a9011b56d89b373

Download Submit
C:\Users\Admin\Downloads\release.zip.crdownload

Filesize
445KB

MD5
06a4fcd5eb3a39d7f50a0709de9900db

SHA1
50d089e915f69313a5187569cda4e6dec2d55ca7

SHA256
c13a0cd7c2c2fd577703bff026b72ed81b51266afa047328c8ff1c4a4d965c97

SHA512
75e5f637fd3282d088b1c0c1efd0de8a128f681e4ac66d6303d205471fe68b4fbf0356a21d803aff2cca6def455abad8619fedc8c7d51e574640eda0df561f9b

Download Submit
C:\Users\Admin\Downloads\release\Client-built.exe

Filesize
78KB

MD5
749511cb29e1256964991b848ed3706a

SHA1
a317f3453da83dcff4e89e74519a190f14774873

SHA256
92865c252e36778bafbfa07629ae796dd15a4c0390db6984282cec69a805d684

SHA512
b021c67cf09e8b00182be77a53eb5fc6a141c3bab7fbf12ef0b18472b0812ad80b12699fe5be33e6bbcd73546e5b9eddcec3215992ce74cd64ab520e88f7b380

Download Submit
C:\Users\Admin\Downloads\release\Release\Discord rat.exe

Filesize
79KB

MD5
d13905e018eb965ded2e28ba0ab257b5

SHA1
6d7fe69566fddc69b33d698591c9a2c70d834858

SHA256
2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec

SHA512
b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb

Download Submit
C:\Users\Admin\Downloads\release\builder.exe

Filesize
10KB

MD5
4f04f0e1ff050abf6f1696be1e8bb039

SHA1
bebf3088fff4595bfb53aea6af11741946bbd9ce

SHA256
ded51c306ee7e59fa15c42798c80f988f6310ea77ab77de3d12dc01233757cfa

SHA512
94713824b81de323e368fde18679ef8b8f2883378bffd2b7bd2b4e4bd5d48b35c6e71c9f8e9b058ba497db1bd0781807e5b7cecfd540dad611da0986c72b9f12

Download Submit
C:\Users\Admin\Downloads\release\dnlib.dll

Filesize
1.1MB

MD5
508ccde8bc7003696f32af7054ca3d97

SHA1
1f6a0303c5ae5dc95853ec92fd8b979683c3f356

SHA256
4758c7c39522e17bf93b3993ada4a1f7dd42bb63331bac0dcd729885e1ba062a

SHA512
92a59a2e1f6bf0ce512d21cf4148fe027b3a98ed6da46925169a4d0d9835a7a4b1374ba0be84e576d9a8d4e45cb9c2336e1f5bd1ea53e39f0d8553db264e746d

Download Submit
memory/3276-304-0x0000000008DC0000-0x0000000008EE2000-memory.dmp

Filesize
1.1MB

Download
memory/3276-286-0x00000000058A0000-0x00000000058AA000-memory.dmp

Filesize
40KB

Download
memory/3276-285-0x00000000058C0000-0x0000000005952000-memory.dmp

Filesize
584KB

Download
memory/3276-284-0x0000000005DD0000-0x0000000006374000-memory.dmp

Filesize
5.6MB

Download
memory/3276-283-0x0000000000FD0000-0x0000000000FD8000-memory.dmp

Filesize
32KB

Download
memory/3444-351-0x00000297C5760000-0x00000297C5778000-memory.dmp

Filesize
96KB

Download
memory/4016-312-0x00000221C7CF0000-0x00000221C8218000-memory.dmp

Filesize
5.2MB

Download
memory/4016-310-0x00000221ACE70000-0x00000221ACE88000-memory.dmp

Filesize
96KB

Download
memory/4016-311-0x00000221C74F0000-0x00000221C76B2000-memory.dmp

Filesize
1.8MB

Download