
Windows Analysis Report
Discord2.exe

Overview

General Information

Sample name: Discord2.exe
Analysis ID: 1575592
MD5: 3e7ca285ef320886e388dc9097e1bf92
SHA1: c2aaa30acb4c03e041aa5cca350c0095fa6d00f0
SHA256: e9727d97d2b5f5953a05eaf69a1bdab54cc757955fbab97476d94a5af5920b97
Tags: AsyncRAT, exe, user-lontze7

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AsyncRAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Yara signature match

Classification

Verdict: malicious (classification label mal100.troj.evad.winEXE@15/3@1/1)

Process Tree

  • System is w10x64
  • Discord2.exe (PID: 7052 cmdline: "C:\Users\user\Desktop\Discord2.exe" MD5: 3E7CA285EF320886E388DC9097E1BF92)
    • cmd.exe (PID: 3924 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 6380 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"' MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 6164 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3854.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 6464 cmdline: timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • Discord.exe (PID: 6616 cmdline: "C:\Users\user\AppData\Roaming\Discord.exe" MD5: 3E7CA285EF320886E388DC9097E1BF92)
  • Discord.exe (PID: 6528 cmdline: C:\Users\user\AppData\Roaming\Discord.exe MD5: 3E7CA285EF320886E388DC9097E1BF92)
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through an encrypted connection. It is an open-source remote administration tool, but it is also used maliciously because it provides a keylogger, remote desktop control and many other functions that can harm the victim's computer. AsyncRAT can be delivered via spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
{
  "External_config_on_Pastebin": "null",
  "Server": "18.ip.gl.ply.gg",
  "Ports": "6606,7707,8808,9028",
  "Version": "0.5.8",
  "Autorun": "true",
  "Install_Folder": "Discord.exe",
  "Install_File": "SEd3RjFxeGl0TDd6ZDJUZmp3eHUwOXpEQWNoUTFZSXc="
}

Note on the last two fields: their labels appear shifted by one against the order of the fields in AsyncRAT's open-source Settings class (Ports, Hosts, Version, Install, InstallFolder, InstallFile, Key, ...). The stub was dropped as %AppData%\Discord.exe, so "Discord.exe" is the install file name, not a folder, and the value printed as Install_File base64-decodes to the 32-character string HGwF1qxitL7zd2Tfjwxu09zDAchQ1YIw, which has the form of the stub's Key field, the password from which the AES and HMAC keys for the encrypted settings are derived. The C2 port actually used in this run, 7707, is the second of the four listed.
YARA matches on the submitted sample (Source | Rule | Description | Author):
  • Discord2.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
  • Discord2.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
  • Discord2.exe | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
      strings: 0xa2c3:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
               0xb638:$a2: Stub.exe
               0xb6c8:$a2: Stub.exe
               0x6e87:$a3: get_ActivatePong
               0xa4db:$a4: vmware
               0xa353:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
               0x7c93:$a6: get_SslClient
  • Discord2.exe | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
      strings: 0xa355:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

The $a5/$s1 hit is Software\Microsoft\Windows\CurrentVersion\Run stored backwards; the stub reverses it at runtime to build the HKCU Run value it uses for persistence when it is not elevated. Its elevated path is the schtasks /rl highest task that $a1 matches and that the process tree shows being created.

YARA matches on dropped files (Source | Rule | Description | Author):
  • C:\Users\user\AppData\Roaming\Discord.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
  • C:\Users\user\AppData\Roaming\Discord.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
  • C:\Users\user\AppData\Roaming\Discord.exe | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
      strings: 0xa2c3:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
               0xb638:$a2: Stub.exe
               0xb6c8:$a2: Stub.exe
               0x6e87:$a3: get_ActivatePong
               0xa4db:$a4: vmware
               0xa353:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
               0x7c93:$a6: get_SslClient
  • C:\Users\user\AppData\Roaming\Discord.exe | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
      strings: 0xa355:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

The offsets are identical to the sample's because the dropped file is a byte-for-byte copy of it (same MD5 3E7CA285EF320886E388DC9097E1BF92 in the process tree).

YARA matches on memory dumps (Source | Rule | Description | Author):
  • 00000009.00000002.3793725820.0000000002D7C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
  • 00000009.00000002.3793725820.0000000002D7C000.00000004.00000800.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
      strings: 0x1c3be:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
  • 00000000.00000000.2543607511.00000000007E2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
  • 00000000.00000000.2543607511.00000000007E2000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
      strings: 0xa0c3:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
               0xc238:$a2: Stub.exe
               0xc2c8:$a2: Stub.exe
               0x6c87:$a3: get_ActivatePong
               0xa2db:$a4: vmware
               0xa153:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
               0x7a93:$a6: get_SslClient
  • 00000000.00000000.2543607511.00000000007E2000.00000002.00000001.01000000.00000003.sdmp | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
      strings: 0xa155:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
  [8 further entries not shown]

YARA matches on unpacked PEs (Source | Rule | Description | Author):
  • 0.0.Discord2.exe.7e0000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
  • 0.0.Discord2.exe.7e0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
  • 0.0.Discord2.exe.7e0000.0.unpack | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
      strings: 0xa2c3:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
               0xb638:$a2: Stub.exe
               0xb6c8:$a2: Stub.exe
               0x6e87:$a3: get_ActivatePong
               0xa4db:$a4: vmware
               0xa353:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
               0x7c93:$a6: get_SslClient
  • 0.0.Discord2.exe.7e0000.0.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
      strings: 0xa355:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
  • 0.2.Discord2.exe.2d35cfc.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
  [5 further entries not shown]

                    System Summary

Sigma matches (event: process creation):
  • Invoke-Obfuscation CLIP+ Launcher and Invoke-Obfuscation VAR+ Launcher (author: Jonathan Cheong, oscd.community). Both rules matched the same event, which the report therefore lists twice:
      Command / CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"' & exit
      CommandLine|base64offset|contains: (empty)
      Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ProcessId: 3924, ProcessName: cmd.exe
      ParentCommandLine / ParentImage: "C:\Users\user\Desktop\Discord2.exe", ParentProcessId: 7052, ParentProcessName: Discord2.exe
  • Suspicious Schtasks From Env Var Folder (author: Florian Roth (Nextron Systems)):
      Command / CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"'
      CommandLine|base64offset|contains: mj,
      Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ProcessId: 6380, ProcessName: schtasks.exe
      ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3924, ParentProcessName: cmd.exe

The command line contains no obfuscation, so the two Invoke-Obfuscation hits add nothing beyond the cmd.exe launch itself. The actionable match is the Schtasks rule: a task triggered at every logon, requested at the highest run level, whose action is an executable under the user's AppData folder, created by a child of a process running from the Desktop.
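The three Sigma rows above all describe one action. As an added example, not code from the report or from any Sigma rule, the Go program below parses schtasks command lines from process-creation logs, accepting both the bare schtasks line and the cmd.exe /c wrapper that the stub uses, and returns the traits that separate this persistence from an ordinary vendor task: an ONLOGON trigger, run level HIGHEST, and an action path inside a user-writable directory. The two malicious command lines are the ones in this report; the "Backup" task is a constructed benign control; the directory list and the idea of counting reasons rather than weighting them are my own assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is the result of assessing one schtasks command line.
type Finding struct {
	Task    string   // /tn value with surrounding quotes removed
	Action  string   // /tr value with surrounding quotes removed
	Reasons []string // traits that make the task creation look like malware persistence
}

// splitArgs splits a command line on whitespace while keeping double-quoted
// segments intact, so an action path containing spaces stays one token.
func splitArgs(s string) []string {
	var args []string
	var cur []rune
	inQuote := false
	for _, r := range s {
		switch {
		case r == '"':
			inQuote = !inQuote
			cur = append(cur, r)
		case (r == ' ' || r == '\t') && !inQuote:
			if len(cur) > 0 {
				args = append(args, string(cur))
				cur = cur[:0]
			}
		default:
			cur = append(cur, r)
		}
	}
	if len(cur) > 0 {
		args = append(args, string(cur))
	}
	return args
}

// userWritable reports whether a path sits in a directory a standard user can write to.
// The list is an assumption for this example; extend it to match local policy.
func userWritable(p string) bool {
	l := strings.ToLower(p)
	for _, m := range []string{`\appdata\`, `\temp\`, `\users\public\`, `\programdata\`, `%appdata%`, `%localappdata%`, `%temp%`} {
		if strings.Contains(l, m) {
			return true
		}
	}
	return false
}

// AssessSchtasks parses a "schtasks /create" command line, bare or wrapped in
// "cmd /c ... & exit" as in the report, and returns the persistence traits found.
// Anything that is not a task creation yields an empty Finding.
func AssessSchtasks(cmdline string) Finding {
	var f Finding
	opts := map[string]string{}
	create := false
	args := splitArgs(cmdline)
	for i := 0; i < len(args); i++ {
		a := strings.ToLower(args[i])
		if a == "/create" {
			create = true
			continue
		}
		// Options that take a value (/sc onlogon, /rl highest, /tn "x", /tr "y") consume the
		// next token; bare flags such as /f are followed by another "/" token and are skipped.
		if strings.HasPrefix(a, "/") && i+1 < len(args) && !strings.HasPrefix(args[i+1], "/") {
			opts[a] = args[i+1]
			i++
		}
	}
	if !create {
		return f
	}
	f.Task = strings.Trim(opts["/tn"], `"'`)
	f.Action = strings.Trim(opts["/tr"], `"'`)
	if strings.EqualFold(opts["/sc"], "onlogon") {
		f.Reasons = append(f.Reasons, "trigger ONLOGON: runs at every interactive logon")
	}
	if strings.EqualFold(opts["/rl"], "highest") {
		f.Reasons = append(f.Reasons, "run level HIGHEST: action runs with the elevated token")
	}
	if userWritable(f.Action) {
		f.Reasons = append(f.Reasons, "action in user-writable directory: "+f.Action)
	}
	return f
}

func main() {
	lines := []string{
		// Both command lines are taken from the report's process tree.
		`"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"' & exit`,
		`schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"'`,
		// Constructed benign control: vendor task under Program Files, daily trigger, default run level.
		`schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"`,
	}
	for _, l := range lines {
		f := AssessSchtasks(l)
		fmt.Printf("task=%q action=%q reasons=%d %v\n", f.Task, f.Action, len(f.Reasons), f.Reasons)
	}
}
```

Run it over Sysmon event 1 or Security 4688 command lines; a task that collects all three reasons, as both report lines do, is worth an immediate look, while a single reason (many legitimate updaters use ONLOGON) is only a hunting lead. Pair the check with the parent chain: here the creator's parent is an executable on the user's Desktop, which no installer-signed vendor task would show.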
No Suricata rule has matched.

                    AV Detection

Source: Discord2.exe | Avira: detected
Source: 18.ip.gl.ply.gg | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Roaming\Discord.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: Discord2.exe | Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "18.ip.gl.ply.gg", "Ports": "6606,7707,8808,9028", "Version": "0.5.8", "Autorun": "true", "Install_Folder": "Discord.exe", "Install_File": "SEd3RjFxeGl0TDd6ZDJUZmp3eHUwOXpEQWNoUTFZSXc="}
Source: C:\Users\user\AppData\Roaming\Discord.exe | ReversingLabs: Detection: 89%
Source: Discord2.exe | ReversingLabs: Detection: 89%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Discord.exe | Joe Sandbox ML: detected
Source: Discord2.exe | Joe Sandbox ML: detected
Source: Discord2.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Discord2.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Networking

Source: Malware configuration extractor | URLs: 18.ip.gl.ply.gg
Source: Yara match | File source: Discord2.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Discord2.exe.7e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Discord2.exe.2d35cfc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Discord.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.12:49711 -> 147.185.221.18:7707
Source: Joe Sandbox View | IP Address: 147.185.221.18
Source: Joe Sandbox View | ASN Name: SALSGIVERUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: 18.ip.gl.ply.gg
Source: Discord2.exe, 00000000.00000002.2591229075.0000000002D2F000.00000004.00000800.00020000.00000000.sdmp, Discord.exe, 00000009.00000002.3793725820.0000000002D7C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Two caveats for anyone turning this into indicators. Hostnames under ply.gg belong to the playit.gg tunnelling service, so 147.185.221.18:7707 is a tunnel relay that forwards to the operator's real AsyncRAT server; block the hostname and port pair, but do not attribute the relay's owner or IP to the operator, and expect the same relay to front unrelated tunnels. The schemas.xmlsoap.org URI is not network activity at all: it is the .NET ClaimTypes.Name constant pulled in by the WindowsIdentity/IsInRole administrator check listed under System Summary, and it should not be treated as an indicator.

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: Discord2.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Discord2.exe.7e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Discord2.exe.2d35cfc.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Discord2.exe.2d35cfc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.3793725820.0000000002D7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2543607511.00000000007E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2591229075.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2591229075.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Discord2.exe PID: 7052, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Discord.exe PID: 6616, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Discord.exe, type: DROPPED

                    Operating System Destruction

Source: C:\Users\user\Desktop\Discord2.exe | Process information set: 00 00 00 00
Source: C:\Users\user\AppData\Roaming\Discord.exe | Process information set: 01 00 00 00

These are the NtSetInformationProcess(ProcessBreakOnTermination) calls behind the "Protects its processes via BreakOnTermination flag" signature (the "Enables debug privileges" signature is the SeDebugPrivilege needed to make them). The pattern matches AsyncRAT's BDOS option: the installer copy on the Desktop clears the flag (0) before it exits, and the installed copy in AppData sets it (1), marking itself a critical process. Terminating a critical process, whether from Task Manager or by an EDR kill action, bugchecks the host (CRITICAL_PROCESS_DIED). For cleanup, clear the flag first from an elevated context, or delete the scheduled task and the file and let the process die at reboot, rather than killing it directly.

                    System Summary

Source: Discord2.exe, type: SAMPLE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: Discord2.exe, type: SAMPLE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 0.0.Discord2.exe.7e0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: 0.0.Discord2.exe.7e0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 0.2.Discord2.exe.2d35cfc.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: 0.2.Discord2.exe.2d35cfc.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 0.2.Discord2.exe.2d35cfc.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: 00000009.00000002.3793725820.0000000002D7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000000.00000000.2543607511.00000000007E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: 00000000.00000000.2543607511.00000000007E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000000.00000002.2591229075.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000000.00000002.2591229075.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: Process Memory Space: Discord2.exe PID: 7052, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: Process Memory Space: Discord.exe PID: 6616, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Discord.exe, type: DROPPED | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: C:\Users\user\AppData\Roaming\Discord.exe, type: DROPPED | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: C:\Users\user\Desktop\Discord2.exe | Code function: 0_2_01184958
Source: C:\Users\user\Desktop\Discord2.exe | Code function: 0_2_01184088
Source: C:\Users\user\Desktop\Discord2.exe | Code function: 0_2_01185B20
Source: C:\Users\user\Desktop\Discord2.exe | Code function: 0_2_01183D40
Source: C:\Users\user\AppData\Roaming\Discord.exe | Code function: 9_2_01234958
Source: C:\Users\user\AppData\Roaming\Discord.exe | Code function: 9_2_01234088
Source: C:\Users\user\AppData\Roaming\Discord.exe | Code function: 9_2_01235B20
Source: C:\Users\user\AppData\Roaming\Discord.exe | Code function: 9_2_01233D40
Source: Discord2.exe, 00000000.00000002.2591229075.0000000002D35000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename "Stub.exe" vs Discord2.exe
Source: Discord2.exe, 00000000.00000000.2543607511.00000000007E2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename "Stub.exe" vs Discord2.exe
Source: Discord2.exe | Binary or memory string: OriginalFilename "Stub.exe" vs Discord2.exe
Source: Discord2.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Stub.exe is the assembly name of the AsyncRAT client project as built from the open-source repository; the operator renamed the output to Discord2.exe without touching the version resource, which is what the "Sample file is different than original file name" signature reports.
Rule metadata for the matches listed above (the report repeats it once per match; it is given once here):
  • Windows_Trojan_Asyncrat_11a11ba1: reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04. The license field identifies it as one of Elastic Security's published protection rules even though the report shows its author as unknown. Matched: Discord2.exe (SAMPLE); 0.0.Discord2.exe.7e0000.0.unpack, 0.2.Discord2.exe.2d35cfc.0.unpack, 0.2.Discord2.exe.2d35cfc.0.raw.unpack (UNPACKEDPE); 00000000.00000000.2543607511.00000000007E2000.00000002.00000001.01000000.00000003.sdmp, 00000000.00000002.2591229075.0000000002D35000.00000004.00000800.00020000.00000000.sdmp (MEMORY); C:\Users\user\AppData\Roaming\Discord.exe (DROPPED).
  • INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse: author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys. Matched: Discord2.exe (SAMPLE); 0.0.Discord2.exe.7e0000.0.unpack, 0.2.Discord2.exe.2d35cfc.0.unpack (UNPACKEDPE); 00000009.00000002.3793725820.0000000002D7C000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000000.2543607511.00000000007E2000.00000002.00000001.01000000.00000003.sdmp, 00000000.00000002.2591229075.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp (MEMORY); Process Memory Space: Discord2.exe PID: 7052, Process Memory Space: Discord.exe PID: 6616 (MEMORYSTR); C:\Users\user\AppData\Roaming\Discord.exe (DROPPED).
Source: Discord2.exe, Discord.exe.0.dr and 0.2.Discord2.exe.2d35cfc.0.raw.unpack, PkcmICdlQczU.cs | Base64 encoded strings (identical in all three sources): 'GIQWb4/e8brlVmYfCea6BatiTMNbTbBNlzqc11/n+aFOb++xJyXRP+xcGVuLdYIQoqDOuBePVWg4+F3Ub861ww==', '[…]', 'q4sM6xVsYzKU+VfaBSojVrqwQ7AbZRMAIeDeH64hrYUt3Fc9ZUqx6iz7jdlYowobNH7+vIbUkU1Vr4pREaT0Kg==', '+T+TWPv9wjyrapMho0bgClReltnUvqFP/iK2nwZxhzfBtCFfceDvS6WO66o895gwVmIMQlJIB0uJpBMBG08Kww=='
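Each of the base64 strings above decodes to 64 bytes: a 32-byte HMAC-SHA256 tag, a 16-byte IV and a single AES block, which is the layout AsyncRAT's open-source stub uses for every encrypted Settings field, keyed via PBKDF2 from the Key string (the value the configuration extractor printed under Install_File). The program below, an added example and not code from the report or from the AsyncRAT project, reimplements that scheme in Go end to end: key derivation with the stub's fixed salt and 50,000 iterations of HMAC-SHA1, tag verification over IV and ciphertext, AES-256-CBC decryption and PKCS#7 unpadding. It does not decrypt the report's strings; the round trip runs on a sample it encrypts itself under the report's key, so the whole thing works offline. The salt, iteration count and key split are reproduced from the stub's Aes256 class as I remember it; confirm them against the decompiled sample before trusting output from a real field.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Fixed PBKDF2 salt and iteration count from AsyncRAT's Aes256 helper (Quasar lineage).
var asyncratSalt = []byte{
	0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B, 0xB2, 0x19, 0x02, 0x24, 0x30, 0xA5, 0x78, 0x43,
	0x00, 0x3D, 0x56, 0x44, 0xD2, 0x1E, 0x62, 0xB9, 0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41}

const iterations, aesKeyLen, hmacKeyLen, tagLen, ivLen = 50000, 32, 64, sha256.Size, aes.BlockSize

// Keys: AES-256 key and HMAC-SHA256 key, consecutive slices of one PBKDF2 output stream.
type Keys struct{ AES, HMAC []byte }

// pbkdf2SHA1 is PBKDF2-HMAC-SHA1 (RFC 2898), the default of .NET's Rfc2898DeriveBytes.
func pbkdf2SHA1(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DecodeKey mirrors Settings.InitializeSettings: the Key field is base64 of the PBKDF2 password.
func DecodeKey(b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	return string(raw), err
}

// DeriveKeys reproduces new Aes256(masterKey): GetBytes(32) for AES, then GetBytes(64) for HMAC.
func DeriveKeys(masterKey string) Keys {
	s := pbkdf2SHA1([]byte(masterKey), asyncratSalt, iterations, aesKeyLen+hmacKeyLen)
	return Keys{AES: s[:aesKeyLen], HMAC: s[aesKeyLen:]}
}

// DecryptSetting parses one field, base64([32-byte HMAC tag][16-byte IV][AES-256-CBC ciphertext]).
// The tag covers IV||ciphertext, so a wrong key or a tampered field is rejected before any AES work.
func DecryptSetting(k Keys, b64 string) (string, error) {
	blob, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(blob) < tagLen+ivLen+aes.BlockSize || (len(blob)-tagLen-ivLen)%aes.BlockSize != 0 {
		return "", errors.New("not a valid field: bad base64, too short, or not block-aligned")
	}
	mac := hmac.New(sha256.New, k.HMAC)
	mac.Write(blob[tagLen:])
	if !hmac.Equal(mac.Sum(nil), blob[:tagLen]) {
		return "", errors.New("HMAC mismatch: wrong key or corrupted field")
	}
	block, _ := aes.NewCipher(k.AES) // key length is fixed at 32 bytes, so this cannot fail
	pt := make([]byte, len(blob)-tagLen-ivLen)
	cipher.NewCBCDecrypter(block, blob[tagLen:tagLen+ivLen]).CryptBlocks(pt, blob[tagLen+ivLen:])
	n := int(pt[len(pt)-1]) // PKCS#7: the last byte is the pad length and every pad byte equals it
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad PKCS#7 padding")
	}
	return string(pt[:len(pt)-n]), nil
}

// EncryptSetting builds a field in the same layout so the example can construct its own input
// offline; the report's encrypted strings are not decrypted here.
func EncryptSetting(k Keys, plaintext string) string {
	block, _ := aes.NewCipher(k.AES)
	body := make([]byte, ivLen) // random IV first, ciphertext appended after it
	rand.Read(body)
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	pt := append([]byte(plaintext), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, body).CryptBlocks(ct, pt)
	body = append(body, ct...)
	mac := hmac.New(sha256.New, k.HMAC)
	mac.Write(body)
	return base64.StdEncoding.EncodeToString(append(mac.Sum(nil), body...))
}

func main() {
	master, _ := DecodeKey("SEd3RjFxeGl0TDd6ZDJUZmp3eHUwOXpEQWNoUTFZSXc=") // report's Key, labelled Install_File
	k := DeriveKeys(master)
	dec, err := DecryptSetting(k, EncryptSetting(k, "6606,7707,8808,9028")) // constructed sample: the report's port list
	fmt.Printf("master key %q -> %q (err=%v)\n", master, dec, err)
}
```

To use it on a real sample, feed DecryptSetting the base64 fields recovered from the Settings class (the four strings above, the Pastebin, Anti and BDOS flags, the certificate and the server signature) with the keys derived from that sample's Key field. A value shorter than 16 bytes produces exactly the 88-character strings seen above, since 32 + 16 + 16 bytes of output base64-encode to 88 characters; a field that fails the HMAC check under the key you extracted usually means the extractor mislabelled the fields, as happened in this report, rather than a damaged binary.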
Source: Discord2.exe, Discord.exe.0.dr and 0.2.Discord2.exe.2d35cfc.0.raw.unpack, coFJpQsXMP.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole); System.Security.Principal.WindowsIdentity.GetCurrent()

These two calls are the stub's administrator check. In AsyncRAT's open-source code its result selects the persistence method: elevated processes register the schtasks /rl highest task seen in the process tree, non-elevated ones write the HKCU Run value built from the reversed registry path matched by the YARA rules. Whether a given host got the task or the Run value therefore depends on the privileges the dropper ran with, and a hunt should look for both.
Source: classification engine | Classification label: mal100.troj.evad.winEXE@15/3@1/1
Source: C:\Users\user\Desktop\Discord2.exe | File created: C:\Users\user\AppData\Roaming\Discord.exe
Source: C:\Users\user\AppData\Roaming\Discord.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\Discord.exe | Mutant created: \Sessions\1\BaseNamedObjects\HyFTucy74RnH
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6264:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6188:120:WilError_03
Source: C:\Users\user\Desktop\Discord2.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3854.tmp
Source: C:\Users\user\Desktop\Discord2.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3854.tmp.bat""
Source: Discord2.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Discord2.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Discord2.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Discord2.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Discord2.exe | ReversingLabs: Detection: 89%
Source: C:\Users\user\Desktop\Discord2.exe | File read: C:\Users\user\Desktop\Discord2.exe
Source: unknown | Process created: C:\Users\user\Desktop\Discord2.exe "C:\Users\user\Desktop\Discord2.exe"
Source: C:\Users\user\Desktop\Discord2.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"' & exit
Source: C:\Users\user\Desktop\Discord2.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3854.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Discord.exe C:\Users\user\AppData\Roaming\Discord.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\Discord.exe "C:\Users\user\AppData\Roaming\Discord.exe"

The tmp3854.tmp.bat file is the installer hand-off: the batch waits three seconds (timeout 3) for the original process to exit and then starts the copy in %AppData%, which is why Discord.exe appears as a child of cmd.exe. The mutex HyFTucy74RnH is the stub's single-instance guard and is a usable host indicator for this build. The read of Safer\CodeIdentifiers is the loader's Software Restriction Policy lookup performed on every CreateProcess and is not malicious behaviour in itself.
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dllJump to behavior
                    Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\Discord.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\Discord2.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                    Source: Discord2.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Discord2.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Discord2.exe, cciiSaHbDP.csHigh entropy of concatenated method names: 'PfTUFanAKb', 'FXdjZPJCoFYG', 'qnBJdaktPxov', 'cuQTtclsWgdxWy', 'PcNOeZmcoZyEM', 'pfebMBahWaFBb', 'YXTuyAFQLly', 'pbSCVlFGtvDYo', 'tttIOsPoVCe', 'ErDUziVlViOMxVi'
                    Source: Discord.exe.0.dr, cciiSaHbDP.csHigh entropy of concatenated method names: 'PfTUFanAKb', 'FXdjZPJCoFYG', 'qnBJdaktPxov', 'cuQTtclsWgdxWy', 'PcNOeZmcoZyEM', 'pfebMBahWaFBb', 'YXTuyAFQLly', 'pbSCVlFGtvDYo', 'tttIOsPoVCe', 'ErDUziVlViOMxVi'
                    Source: 0.2.Discord2.exe.2d35cfc.0.raw.unpack, cciiSaHbDP.csHigh entropy of concatenated method names: 'PfTUFanAKb', 'FXdjZPJCoFYG', 'qnBJdaktPxov', 'cuQTtclsWgdxWy', 'PcNOeZmcoZyEM', 'pfebMBahWaFBb', 'YXTuyAFQLly', 'pbSCVlFGtvDYo', 'tttIOsPoVCe', 'ErDUziVlViOMxVi'
                    Source: C:\Users\user\Desktop\Discord2.exeFile created: C:\Users\user\AppData\Roaming\Discord.exeJump to dropped file
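The three "High entropy of concatenated method names" rows flag the same class, cciiSaHbDP.cs, because its method names look machine-generated. The block below is an added example, not code from the report or from the sample, that reproduces that kind of check: it computes the Shannon entropy of the concatenated names and the rate at which adjacent characters switch case, then applies both to the report's ten names and to a constructed set of ordinary .NET names as a control. The control names and the two thresholds (5.0 bits per character, 0.4 case-flip ratio) are assumptions chosen for illustration, not values taken from the report.

```python
# Added example, not from the report or from the sample: reproduce the "high entropy of
# concatenated method names" check. OBFUSCATED_NAMES are the ten names the report lists for
# cciiSaHbDP.cs; BENIGN_NAMES and both thresholds are constructed for illustration.
from __future__ import annotations
import math
from collections import Counter

OBFUSCATED_NAMES = ['PfTUFanAKb', 'FXdjZPJCoFYG', 'qnBJdaktPxov', 'cuQTtclsWgdxWy',
                    'PcNOeZmcoZyEM', 'pfebMBahWaFBb', 'YXTuyAFQLly', 'pbSCVlFGtvDYo',
                    'tttIOsPoVCe', 'ErDUziVlViOMxVi']
# Control set: the kind of names a hand-written WinForms/network class exports.
BENIGN_NAMES = ['GetConnectionString', 'ParseHeader', 'SendRequest', 'ReadAllBytes',
                'InitializeComponent', 'Dispose', 'ToString', 'OnLoad', 'button1_Click', 'Main']

ENTROPY_THRESHOLD = 5.0   # bits/char of the concatenation; log2(52) = 5.7 is the ceiling for mixed-case letters
FLIP_THRESHOLD = 0.4      # share of adjacent character pairs that switch case


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical character distribution of `text`."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def case_flip_ratio(names: list[str]) -> float:
    """Fraction of adjacent pairs inside each name where upper/lower case switches.
    Human identifiers switch at word boundaries only; generated ones switch almost every character."""
    flips = pairs = 0
    for name in names:
        for a, b in zip(name, name[1:]):
            pairs += 1
            flips += (a.isupper() and b.islower()) or (a.islower() and b.isupper())
    return flips / pairs if pairs else 0.0


def assess_names(names: list[str]) -> dict:
    """Concatenate the names (short names alone carry too little signal) and apply both thresholds."""
    entropy = shannon_entropy("".join(names))
    flips = case_flip_ratio(names)
    return {"entropy": entropy, "case_flip_ratio": flips,
            "obfuscated": entropy >= ENTROPY_THRESHOLD and flips >= FLIP_THRESHOLD}


if __name__ == "__main__":
    for label, names in (("report", OBFUSCATED_NAMES), ("control", BENIGN_NAMES)):
        r = assess_names(names)
        print(f"{label}: entropy={r['entropy']:.2f} flips={r['case_flip_ratio']:.2f} obfuscated={r['obfuscated']}")
```

On the report's names the concatenation comes out at roughly 5.4 bits per character with about half of all adjacent pairs switching case; the control set sits near 4.5 bits and below a third. Concatenating first matters because a short name such as `Main` has almost no entropy on its own, which is why the report's heuristic is phrased over the whole class rather than per method.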

Boot Survival

Source: Yara match | File source: Discord2.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Discord2.exe.7e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Discord2.exe.2d35cfc.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Discord2.exe.2d35cfc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.3793725820.0000000002D7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2543607511.00000000007E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2591229075.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2591229075.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Discord2.exe PID: 7052, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Discord.exe PID: 6616, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Discord.exe, type: DROPPED
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"'
Source: C:\Users\user\Desktop\Discord2.exe | Process information set: NOOPENFILEERRORBOX (41 identical events)
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Discord.exe | Process information set: NOOPENFILEERRORBOX (71 identical events)
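The schtasks row in this section is the persistence mechanism: cmd.exe, spawned by the dropper, registers an on-logon task named "Discord" with the highest run level whose action is the copy dropped to AppData\Roaming, while a second cmd.exe runs a batch file from the user's Temp directory that waits three seconds (timeout 3) and then starts that copy. The block below is an added example of detection logic over process-creation telemetry; it is not code from the report or from AsyncRAT. It tokenises Windows command lines (keeping the literal single quotes that cmd.exe passes through to schtasks), parses the schtasks options, scores a task for persistence traits, and ties a Temp batch file to the dropped executable it launches. The events are constructed from the command lines in this report: PIDs 7052 and 6616 are the report's, the remaining PIDs and the parent/child wiring are invented for illustration.

```python
# Added example, not from the report or from AsyncRAT: flag schtasks persistence and temp-batch
# staging in process-creation telemetry. SAMPLE_EVENTS is built from this report's command lines;
# PIDs 7052 and 6616 are the report's, the other PIDs and the parent/child wiring are invented.
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # command line as logged (Sysmon event 1 / EDR style)

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")  # writable without elevation
PERSISTENT_TRIGGERS = {"onlogon", "onstart", "minute", "hourly", "daily"}  # /sc values that re-run with no user action

def split_windows_cmdline(cmdline: str) -> list[str]:
    """Whitespace split honouring double quotes (dropped); single quotes mean nothing to cmd.exe."""
    tokens, current, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens

def parse_schtasks(cmdline: str) -> dict[str, str] | None:
    """Map /option -> value for a schtasks command line; None if the image is not schtasks."""
    tokens = split_windows_cmdline(cmdline)
    if not tokens or tokens[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key, value = tokens[i].lower(), ""
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                value = tokens[i + 1].strip("'")   # literal quotes that cmd.exe passed through
                i += 1
            opts[key] = value
        i += 1
    return opts

def in_user_writable(path: str) -> bool:
    return any(fragment in path.lower() for fragment in USER_WRITABLE)

def assess_schtasks(ev: ProcEvent) -> dict | None:
    """Score a schtasks /create for persistence traits; needs two or more to fire."""
    opts = parse_schtasks(ev.cmdline)
    if opts is None or "/create" not in opts:
        return None
    reasons, trigger, action = [], opts.get("/sc", "").lower(), opts.get("/tr", "")
    if trigger in PERSISTENT_TRIGGERS:
        reasons.append(f"/sc {trigger}: re-runs without user action")
    if opts.get("/rl", "").lower() == "highest":
        reasons.append("/rl highest: full token of the logged-on user, no UAC prompt")
    if in_user_writable(action):
        reasons.append(f"/tr {action}: action sits in a user-writable directory")
    if "/f" in opts:
        reasons.append("/f: silently replaces an existing task of the same name")
    if len(reasons) < 2:      # a single trait is common in legitimate installers
        return None
    return {"pid": ev.pid, "technique": "scheduled-task persistence", "reasons": reasons}

def assess_batch_stager(events: list[ProcEvent], cmd: ProcEvent) -> dict | None:
    """cmd.exe running a .bat from a user-writable path whose children include a dropped exe."""
    tokens = split_windows_cmdline(cmd.cmdline)
    if not cmd.image.lower().endswith("\\cmd.exe") or not any(
            t.lower().endswith(".bat") and in_user_writable(t) for t in tokens):
        return None
    children = [e for e in events if e.ppid == cmd.pid]
    launched = [c.image for c in children if c.image.lower().endswith(".exe") and in_user_writable(c.image)]
    if not launched:
        return None
    reasons = [f"starts {p} from a temp batch file" for p in launched]
    if any(c.image.lower().endswith(("\\timeout.exe", "\\ping.exe")) for c in children):
        reasons.append("pauses with timeout/ping first, the usual dropper hand-off")
    return {"pid": cmd.pid, "technique": "staged launch from temp batch file", "reasons": reasons}

def analyze(events: list[ProcEvent]) -> list[dict]:
    hits = [assess_schtasks(ev) for ev in events] + [assess_batch_stager(events, ev) for ev in events]
    return [h for h in hits if h is not None]

# The schtasks line exactly as the report shows it (single quotes around the double-quoted path).
SCHTASKS_CMD = (r"""schtasks /create /f /sc onlogon /rl highest /tn "Discord" """
                r"""/tr '"C:\Users\user\AppData\Roaming\Discord.exe"'""")
SAMPLE_EVENTS = [
    ProcEvent(7052, 4020, r"C:\Users\user\Desktop\Discord2.exe", r'"C:\Users\user\Desktop\Discord2.exe"'),
    ProcEvent(7060, 7052, r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ' + SCHTASKS_CMD + " & exit"),
    ProcEvent(7068, 7060, r"C:\Windows\SysWOW64\schtasks.exe", SCHTASKS_CMD),
    ProcEvent(7076, 7052, r"C:\Windows\SysWOW64\cmd.exe", r'C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3854.tmp.bat""'),
    ProcEvent(7084, 7076, r"C:\Windows\SysWOW64\timeout.exe", "timeout 3"),
    ProcEvent(6616, 7076, r"C:\Users\user\AppData\Roaming\Discord.exe", r'"C:\Users\user\AppData\Roaming\Discord.exe"'),
]
```

Running `analyze(SAMPLE_EVENTS)` yields two hits: the schtasks.exe process with all four traits (on-logon trigger, highest run level, action under AppData, forced overwrite) and the second cmd.exe, which starts the dropped Discord.exe after a timeout. Requiring two traits keeps ordinary installers, which often create a daily task pointing into Program Files, out of the result.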

Malware Analysis System Evasion

Source: Yara match | File source: Discord2.exe, type: SAMPLE
Source: Yara match | File source: 0.0.Discord2.exe.7e0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Discord2.exe.2d35cfc.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Discord2.exe.2d35cfc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.3793725820.0000000002D7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2543607511.00000000007E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2591229075.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2591229075.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Discord2.exe PID: 7052, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Discord.exe PID: 6616, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Discord.exe, type: DROPPED
Source: Discord2.exe, Discord.exe.0.dr | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\Discord2.exe | Memory allocated: 1180000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Discord2.exe | Memory allocated: 2BE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Discord2.exe | Memory allocated: 2B00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Discord.exe | Memory allocated: 1570000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Discord.exe | Memory allocated: 3190000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Discord.exe | Memory allocated: 2F10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Discord.exe | Memory allocated: 1230000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Discord.exe | Memory allocated: 2D70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Discord.exe | Memory allocated: 2C70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Discord2.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Discord.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Discord.exe | Window / User API: threadDelayed 861
Source: C:\Users\user\Desktop\Discord2.exe TID: 7072 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Discord.exe TID: 6620 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Discord2.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\Discord.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\Discord2.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Discord2.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Discord.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Discord.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Discord.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Discord2.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Discord.exe | Thread delayed: delay time: 922337203685477
Source: Discord.exe.0.dr | Binary or memory string: vmware
Source: Discord.exe, 00000009.00000002.3796191419.00000000051B0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Discord2.exe | Process information queried: ProcessInformation
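The rows above mix strong evasion indicators (the SBIEDLL.DLL string, a Win32_ComputerSystem query, a "vmware" string) with events that need context before they count. The 922337203685477 ms delays equal TimeSpan.MaxValue expressed in milliseconds (2^63-1 ticks of 100 ns, truncated), so they park a thread for the life of the process rather than time anything; write-watch reservations are standard for a .NET process, since the CLR garbage collector sets up its heaps with MEM_WRITE_WATCH; and the Hyper-V string carries a system DLL path, which points to it being read out of a loaded Windows module. The block below is an added example, not code from the report or from the sample, that tags rows of this kind and weights them accordingly. Its event strings are constructed from this section's rows; the weights, the 3-minute bar, and the DLL and hypervisor lists are illustrative assumptions.

```python
# Added example, not part of the report or of the sample: tag and weight evasion-related rows
# from a dynamic-analysis report. REPORT_EVENTS is constructed from this report's own rows; the
# weights, thresholds and DLL/hypervisor lists are illustrative assumptions.
from __future__ import annotations
import re
from collections import Counter

# TimeSpan.MaxValue is 2**63-1 ticks of 100 ns, i.e. 922337203685477 ms once truncated: a sleep
# of that length parks the thread for the life of the process rather than timing anything.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 3 * 60 * 1000          # the report's own bar: "Contains long sleeps (>= 3 min)"

SANDBOX_DLLS = {"sbiedll.dll": "Sandboxie", "snxhk.dll": "Avast sandbox", "cmdvrt32.dll": "Comodo sandbox"}
VM_STRINGS = {"vmware": "VMware", "vbox": "VirtualBox", "virtualbox": "VirtualBox", "hyper-v": "Hyper-V", "qemu": "QEMU"}
# WMI classes whose Manufacturer/Model/Vendor fields give the hypervisor away.
VM_WMI_CLASSES = {"win32_computersystem", "win32_bios", "win32_baseboard", "win32_videocontroller", "win32_diskdrive"}

_DELAY = re.compile(r"(?:delay time:|sleep time:)\s*-?(\d+)", re.I)
_WMI = re.compile(r"select\s+\*\s+from\s+(\w+)", re.I)
_STRING = re.compile(r"binary or memory string:\s*(.+)$", re.I)


def classify(event: str) -> tuple[str, str, int] | None:
    """Return (technique, explanation, weight) for one report row, or None if it is not evasion-related.
    Weight 0 marks rows worth listing but not scoring."""
    low = event.lower()
    if m := _DELAY.search(event):
        ms = int(m.group(1))
        if ms == TIMESPAN_MAX_MS:
            return ("sleep", f"{ms} ms = TimeSpan.MaxValue: thread parked, not a timing check", 0)
        if ms >= LONG_SLEEP_MS:
            return ("sleep", f"{ms / 60000:.1f} min sleep outlasts a short sandbox run", 2)
        return None
    if (m := _WMI.search(event)) and m.group(1).lower() in VM_WMI_CLASSES:
        return ("vm-query", f"WMI {m.group(1)}: hypervisor fingerprint via manufacturer/model", 2)
    if m := _STRING.search(event):
        s = m.group(1).strip()
        for dll, product in SANDBOX_DLLS.items():
            if dll in s.lower():
                return ("sandbox-dll", f"looks for {dll} ({product})", 3)
        for needle, product in VM_STRINGS.items():
            if needle in s.lower():
                # A marker carrying a %SystemRoot% DLL path was most likely read out of a loaded
                # Windows module, not written by the sample; list it but do not score it.
                return ("vm-string", f"{product} marker {s!r}", 0 if "%systemroot%" in s.lower() else 2)
        return None
    if "fullsizeinformation" in low:
        return ("disk-size", "queries volume size; small sandbox disks are a classic tell", 1)
    if "memory write watch" in low:
        # MEM_WRITE_WATCH reservations are how the .NET GC sets up its heaps; normal for any CLR process.
        return ("write-watch", "write-watch heap reservation, standard CLR behaviour", 0)
    return None


def summarize(events: list[str]) -> dict:
    """Aggregate per-row tags into a score, a technique histogram and a verdict."""
    tags = [t for t in map(classify, events) if t is not None]
    score = sum(weight for _, _, weight in tags)
    return {
        "score": score,
        "techniques": dict(Counter(technique for technique, _, _ in tags)),
        "details": [f"[{t}] {why} (+{w})" for t, why, w in tags],
        "verdict": "sandbox-aware" if score >= 5 else "some checks" if score else "none",
    }


REPORT_EVENTS = [  # constructed from the rows in this report's evasion section
    "Binary or memory string: SBIEDLL.DLL",
    "Memory allocated: 1180000 memory reserve | memory write watch",
    "Thread delayed: delay time: 922337203685477",
    "Thread sleep time: -922337203685477s >= -30000s",
    "Window / User API: threadDelayed 861",
    "WMI Queries: IWbemServices::ExecQuery - root\\cimv2 : Select * from Win32_ComputerSystem",
    "File Volume queried: C:\\ FullSizeInformation",
    "Binary or memory string: vmware",
    "Binary or memory string: Hyper-V RAW%SystemRoot%\\system32\\mswsock.dll",
]

if __name__ == "__main__":
    for line in summarize(REPORT_EVENTS)["details"]:
        print(line)
```

On the rows above the score comes from the Sandboxie DLL string, the Win32_ComputerSystem query, the volume-size query and the "vmware" string; the parked threads, the GC reservations and the Hyper-V socket-provider string are listed with zero weight so an analyst still sees them without the verdict depending on them.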

                    Anti Debugging

                    barindex
Source: C:\Users\user\Desktop\Discord2.exe - Code function: 0_2_01182D4C CheckRemoteDebuggerPresent,0_2_01182D4C
Source: C:\Users\user\Desktop\Discord2.exe - Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Discord.exe - Process queried: DebugPort
Source: C:\Users\user\Desktop\Discord2.exe - Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Discord.exe - Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Discord.exe - Process token adjusted: Debug
Source: C:\Users\user\Desktop\Discord2.exe - Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Discord2.exe - Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"' & exit
Source: C:\Users\user\Desktop\Discord2.exe - Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3854.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"'
Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe - Process created: C:\Users\user\AppData\Roaming\Discord.exe "C:\Users\user\AppData\Roaming\Discord.exe"
Source: C:\Users\user\Desktop\Discord2.exe - Queries volume information: C:\Users\user\Desktop\Discord2.exe VolumeInformation
Source: C:\Users\user\Desktop\Discord2.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe - Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Discord.exe - Queries volume information: C:\Users\user\AppData\Roaming\Discord.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Discord.exe - Queries volume information: C:\Users\user\AppData\Roaming\Discord.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Discord.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Discord2.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match - File source: Discord2.exe, type: SAMPLE
Source: Yara match - File source: 0.0.Discord2.exe.7e0000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.Discord2.exe.2d35cfc.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.Discord2.exe.2d35cfc.0.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 00000009.00000002.3793725820.0000000002D7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000000.00000000.2543607511.00000000007E2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match - File source: 00000000.00000002.2591229075.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000000.00000002.2591229075.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: Process Memory Space: Discord2.exe PID: 7052, type: MEMORYSTR
Source: Yara match - File source: Process Memory Space: Discord.exe PID: 6616, type: MEMORYSTR
Source: Yara match - File source: C:\Users\user\AppData\Roaming\Discord.exe, type: DROPPED
MITRE ATT&CK matrix (one row per line, columns separated by "|"; a leading number is the count shown for that technique):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 1 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 2 Scheduled Task/Job | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 321 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Scheduled Task/Job | 1 Scripting | 2 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 DLL Side-Loading | 51 Virtualization/Sandbox Evasion | Security Account Manager | 51 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 23 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Behavior Graph ID: 1575592 | Sample: Discord2.exe | Startdate: 16/12/2024 | Architecture: WINDOWS | Score: 100

Start
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 10 other signatures
  DNS: 18.ip.gl.ply.gg
  Discord2.exe (started)
    Dropped: C:\Users\user\AppData\Roaming\Discord.exe, PE32
    Signatures: Protects its processes via BreakOnTermination flag; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
    cmd.exe (started)
      Discord.exe (started)
        Network: 18.ip.gl.ply.gg 147.185.221.18, ports 49711, 49717, 49720, SALSGIVERUS, United States
        Signatures: Protects its processes via BreakOnTermination flag
      conhost.exe (started)
      timeout.exe (started)
    cmd.exe (started)
      Signatures: Uses schtasks.exe or at.exe to add and modify task schedules
      conhost.exe (started)
      schtasks.exe (started)
  Discord.exe (started)
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

Source | Detection | Scanner | Label
Discord2.exe | 89% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRat
Discord2.exe | 100% | Avira | TR/Dropper.Gen
Discord2.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Discord.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Discord.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Discord.exe | 89% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRat

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
18.ip.gl.ply.gg | 100% | Avira URL Cloud | malware

Name | IP | Active | Malicious | Antivirus Detection | Reputation
18.ip.gl.ply.gg | 147.185.221.18 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
18.ip.gl.ply.gg | true | Avira URL Cloud: malware | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Discord2.exe, 00000000.00000002.2591229075.0000000002D2F000.00000004.00000800.00020000.00000000.sdmp, Discord.exe, 00000009.00000002.3793725820.0000000002D7C000.00000004.00000800.00020000.00000000.sdmp | false | | high

IP | Domain | Country | ASN | ASN Name | Malicious
147.185.221.18 | 18.ip.gl.ply.gg | United States | 12087 | SALSGIVERUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1575592
Start date and time: 2024-12-16 06:17:30 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 35s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Discord2.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@15/3@1/1
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 28
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target Discord.exe, PID 6528 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: Discord2.exe
Time | Type | Description
06:19:00 | Task Scheduler | Run new task: Discord path: "C:\Users\user\AppData\Roaming\Discord.exe"

Match | Associated Sample Name / URL | Detection | Threat Name | Context
147.185.221.18 | 7laJ4zKd8O.exe | malicious | XWorm |
147.185.221.18 | Discord.exe | malicious | AsyncRAT |
147.185.221.18 | r8k29DBraE.exe | malicious | XWorm |
147.185.221.18 | Lr87y2w72r.exe | malicious | XWorm |
147.185.221.18 | 7LwVrYH7sy.exe | malicious | XWorm |
147.185.221.18 | 1c8DbXc5r0.exe | malicious | XWorm |
147.185.221.18 | 6Mt223MA25.exe | malicious | ArrowRAT |
147.185.221.18 | b34J4bxnmN.exe | malicious | Njrat |
147.185.221.18 | 01koiHnedL.exe | malicious | Njrat |
147.185.221.18 | i231IEP3oh.exe | malicious | AsyncRAT |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
18.ip.gl.ply.gg | Discord.exe | malicious | AsyncRAT | 147.185.221.18
18.ip.gl.ply.gg | Crbq30Oxg6.exe | malicious | CyberGate | 147.185.221.18
18.ip.gl.ply.gg | bwPgQVKx29.exe | malicious | Njrat | 147.185.221.18

Match | Associated Sample Name / URL | Detection | Threat Name | Context
SALSGIVERUS | Loader.exe | malicious | AsyncRAT | 147.185.221.20
SALSGIVERUS | 72OWK7wBVH.exe | malicious | XWorm | 147.185.221.24
SALSGIVERUS | aZDwfEKorn.exe | malicious | XWorm | 147.185.221.24
SALSGIVERUS | HdTSntLSMB.exe | malicious | XWorm | 147.185.221.24
SALSGIVERUS | 7laJ4zKd8O.exe | malicious | XWorm | 147.185.221.18
SALSGIVERUS | file.exe | malicious | XWorm | 147.185.221.24
SALSGIVERUS | testingg.exe | malicious | Njrat | 147.185.221.19
SALSGIVERUS | Bloxflip Predictor.exe | malicious | Njrat | 147.185.221.224
SALSGIVERUS | system404.exe | malicious | Metasploit | 147.185.221.19
SALSGIVERUS | Discord.exe | malicious | AsyncRAT | 147.185.221.18

No context
No context
Process: C:\Users\user\Desktop\Discord2.exe
File Type: DOS batch file, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 151
Entropy (8bit): 5.081583937874725
Encrypted: false
SSDEEP: 3:mKDDCMNqTtvL5oaa4EaKC5dodASmqRDaa4E2J5xAInTRI8dyIRVZPy:hWKqTtT6vaZ5LSmq1v23fTdJRVk
MD5: CFEEFAF3CDCC9340B20F92784BA826FB
SHA1: 827B26862C2F27EDC10E5994A6E5983AF87F29BD
SHA-256: F6F0F74FE943AFA874999C0F08F05E34D12191D074946038625E752BDF33E320
SHA-512: D8ECAFA44BE5209DF6E70993056F71D264C29C5CD39B5A67C5BB670E16CC14CAA03560E7223CAC01966841CC7752184D70B41B05025AE1A315CA4046374F8371
Malicious: false
Reputation: low
                                            Preview:@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\Discord.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp3854.tmp.bat" /f /q..
Process: C:\Users\user\Desktop\Discord2.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 48640
Entropy (8bit): 5.56684636882615
Encrypted: false
SSDEEP: 768:cuyJNTAoZjRWUJd9bmo2qLZYPILhlH2PVFf2PIR84WnZQe4bg24mQG76nRqw6zse:cuyJNTAGL2g32Pzf/R83QFbg2bH6RqJX
MD5: 3E7CA285EF320886E388DC9097E1BF92
SHA1: C2AAA30ACB4C03E041AA5CCA350C0095FA6D00F0
SHA-256: E9727D97D2B5F5953A05EAF69A1BDAB54CC757955FBAB97476D94A5AF5920B97
SHA-512: 34266FB5685485010F076D0FEC19AE538F27A9DA1CCCAF3454117480B7EBE83A612A52B44D651FA35897B237409CABF098AE69C9572F9932ADF022F9EB894006
Malicious: true
Yara Hits:
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\Discord.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Discord.exe, Author: Joe Security
• Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: C:\Users\user\AppData\Roaming\Discord.exe, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\Discord.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 89%
Reputation: low
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-e................................. ........@.. ....................... ............@.................................\...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........Y..hv.............................................................V..;...$0.xC.=VD..b......9A../.\.....(....*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.~....*.......*.~....*.......*.~....*.......**.(>......*2~.....o?...*.s.........*.()...:(...(*...:....(+...:....('...:....((...9.....(v...*V(....s.... ...o....*n~....9....~....o..........*~~....(....9....(0...9....(@...*Vrv%.p~....(o....#...*.s...
Process: C:\Windows\SysWOW64\timeout.exe
File Type: ASCII text, with CRLF line terminators, with overstriking
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.41440934524794
Encrypted: false
SSDEEP: 3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5: 3DD7DD37C304E70A7316FE43B69F421F
SHA1: A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256: 4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512: 713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious: false
Reputation: high, very likely benign file
                                            Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.56684636882615
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: Discord2.exe
File size: 48'640 bytes
MD5: 3e7ca285ef320886e388dc9097e1bf92
SHA1: c2aaa30acb4c03e041aa5cca350c0095fa6d00f0
SHA256: e9727d97d2b5f5953a05eaf69a1bdab54cc757955fbab97476d94a5af5920b97
SHA512: 34266fb5685485010f076d0fec19ae538f27a9da1cccaf3454117480b7ebe83a612a52b44d651fa35897b237409cabf098ae69c9572f9932adf022f9eb894006
SSDEEP: 768:cuyJNTAoZjRWUJd9bmo2qLZYPILhlH2PVFf2PIR84WnZQe4bg24mQG76nRqw6zse:cuyJNTAGL2g32Pzf/R83QFbg2bH6RqJX
TLSH: 14232B0037E9822AF27E4F7469F22245867AF2672603D65E1CC441DB5B13FC28A526FE
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....-e................................. ........@.. ....................... ............@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x40d0ae
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x652DADE5 [Mon Oct 16 21:40:53 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                            Instruction
                                            jmp dword ptr [00402000h]
                                             Name                                 | Virtual Address | Virtual Size | Is in Section
                                             IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xd05c          | 0x4f         | .text
                                             IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xe000          | 0x7ff        | .rsrc
                                             IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x10000         | 0xc          | .reloc
                                             IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
                                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
                                             IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
                                             Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy             | Characteristics
                                             .text  | 0x2000          | 0xb0b4       | 0xb200   | f6037bdc3bb84e700336703f7797cfdb | False    | 0.5423542837078652 | data      | 5.624015101014523   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                             .rsrc  | 0xe000          | 0x7ff        | 0x800    | 0f68ce4dd77ed0bb9c1e6b31f6995d94 | False    | 0.41748046875      | data      | 4.88506844918463    | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                             .reloc | 0x10000         | 0xc          | 0x200    | e58fd12d1b53873afe54bb7ef6c1a465 | False    | 0.044921875        | data      | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                             Name        | RVA    | Size  | Type                                                                                   | Language | Country | ZLIB Complexity
                                             RT_VERSION  | 0xe0a0 | 0x2cc | data                                                                                   |          |         | 0.43575418994413406
                                             RT_MANIFEST | 0xe36c | 0x493 | exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |          |         | 0.43381725021349277
                                             DLL         | Import
                                             mscoree.dll | _CorExeMain


                                            • Total Packets: 24
                                            • 8808 undefined
                                            • 7707 undefined
                                            • 6606 undefined
                                            • 53 (DNS)
                                             Timestamp                         | Source Port | Dest Port | Source IP      | Dest IP
                                             Dec 16, 2024 06:19:07.830809116 CET | 49711       | 7707      | 192.168.2.12   | 147.185.221.18
                                             Dec 16, 2024 06:19:07.950589895 CET | 7707        | 49711     | 147.185.221.18 | 192.168.2.12
                                             Dec 16, 2024 06:19:07.950675964 CET | 49711       | 7707      | 192.168.2.12   | 147.185.221.18
                                             Dec 16, 2024 06:19:07.967267036 CET | 49711       | 7707      | 192.168.2.12   | 147.185.221.18
                                             Dec 16, 2024 06:19:08.086916924 CET | 7707        | 49711     | 147.185.221.18 | 192.168.2.12
                                             Dec 16, 2024 06:19:29.855501890 CET | 7707        | 49711     | 147.185.221.18 | 192.168.2.12
                                             Dec 16, 2024 06:19:29.855591059 CET | 49711       | 7707      | 192.168.2.12   | 147.185.221.18
                                             Dec 16, 2024 06:19:34.886106968 CET | 49711       | 7707      | 192.168.2.12   | 147.185.221.18
                                             Dec 16, 2024 06:19:34.886864901 CET | 49717       | 6606      | 192.168.2.12   | 147.185.221.18
                                             Dec 16, 2024 06:19:35.005847931 CET | 7707        | 49711     | 147.185.221.18 | 192.168.2.12
                                             Dec 16, 2024 06:19:35.006558895 CET | 6606        | 49717     | 147.185.221.18 | 192.168.2.12
                                             Dec 16, 2024 06:19:35.006758928 CET | 49717       | 6606      | 192.168.2.12   | 147.185.221.18
                                             Dec 16, 2024 06:19:35.007023096 CET | 49717       | 6606      | 192.168.2.12   | 147.185.221.18
                                             Dec 16, 2024 06:19:35.126754045 CET | 6606        | 49717     | 147.185.221.18 | 192.168.2.12
                                             Dec 16, 2024 06:19:56.902919054 CET | 6606        | 49717     | 147.185.221.18 | 192.168.2.12
                                             Dec 16, 2024 06:19:56.902980089 CET | 49717       | 6606      | 192.168.2.12   | 147.185.221.18
                                             Dec 16, 2024 06:20:01.942693949 CET | 49717       | 6606      | 192.168.2.12   | 147.185.221.18
                                             Dec 16, 2024 06:20:01.968808889 CET | 49720       | 7707      | 192.168.2.12   | 147.185.221.18
                                             Dec 16, 2024 06:20:02.062374115 CET | 6606        | 49717     | 147.185.221.18 | 192.168.2.12
                                             Dec 16, 2024 06:20:02.088556051 CET | 7707        | 49720     | 147.185.221.18 | 192.168.2.12
                                             Dec 16, 2024 06:20:02.088644981 CET | 49720       | 7707      | 192.168.2.12   | 147.185.221.18
                                             Dec 16, 2024 06:20:02.088984966 CET | 49720       | 7707      | 192.168.2.12   | 147.185.221.18
                                             Dec 16, 2024 06:20:02.208712101 CET | 7707        | 49720     | 147.185.221.18 | 192.168.2.12
                                             Dec 16, 2024 06:20:23.997128963 CET | 7707        | 49720     | 147.185.221.18 | 192.168.2.12
                                             Dec 16, 2024 06:20:23.997205019 CET | 49720       | 7707      | 192.168.2.12   | 147.185.221.18
                                             Dec 16, 2024 06:20:28.998394966 CET | 49720       | 7707      | 192.168.2.12   | 147.185.221.18
                                             Dec 16, 2024 06:20:28.999424934 CET | 49732       | 8808      | 192.168.2.12   | 147.185.221.18
                                             Dec 16, 2024 06:20:29.117980957 CET | 7707        | 49720     | 147.185.221.18 | 192.168.2.12
                                             Dec 16, 2024 06:20:29.119081020 CET | 8808        | 49732     | 147.185.221.18 | 192.168.2.12
                                             Dec 16, 2024 06:20:29.119148970 CET | 49732       | 8808      | 192.168.2.12   | 147.185.221.18
                                             Dec 16, 2024 06:20:29.119508982 CET | 49732       | 8808      | 192.168.2.12   | 147.185.221.18
                                             Dec 16, 2024 06:20:29.239173889 CET | 8808        | 49732     | 147.185.221.18 | 192.168.2.12
                                             Dec 16, 2024 06:20:51.029292107 CET | 8808        | 49732     | 147.185.221.18 | 192.168.2.12
                                             Dec 16, 2024 06:20:51.029479980 CET | 49732       | 8808      | 192.168.2.12   | 147.185.221.18
                                             Dec 16, 2024 06:20:56.061029911 CET | 49732       | 8808      | 192.168.2.12   | 147.185.221.18
                                             Dec 16, 2024 06:20:56.062206984 CET | 49798       | 8808      | 192.168.2.12   | 147.185.221.18
                                             Dec 16, 2024 06:20:56.180856943 CET | 8808        | 49732     | 147.185.221.18 | 192.168.2.12
                                             Dec 16, 2024 06:20:56.182075024 CET | 8808        | 49798     | 147.185.221.18 | 192.168.2.12
                                             Dec 16, 2024 06:20:56.182152987 CET | 49798       | 8808      | 192.168.2.12   | 147.185.221.18
                                             Dec 16, 2024 06:20:56.182496071 CET | 49798       | 8808      | 192.168.2.12   | 147.185.221.18
                                             Dec 16, 2024 06:20:56.302181005 CET | 8808        | 49798     | 147.185.221.18 | 192.168.2.12
                                             Timestamp                         | Source Port | Dest Port | Source IP    | Dest IP
                                             Dec 16, 2024 06:19:07.689672947 CET | 58594       | 53        | 192.168.2.12 | 1.1.1.1
                                             Dec 16, 2024 06:19:07.828087091 CET | 53          | 58594     | 1.1.1.1      | 192.168.2.12
                                             Timestamp                         | Source IP    | Dest IP | Trans ID | OP Code            | Name            | Type           | Class       | DNS over HTTPS
                                             Dec 16, 2024 06:19:07.689672947 CET | 192.168.2.12 | 1.1.1.1 | 0xd46d   | Standard query (0) | 18.ip.gl.ply.gg | A (IP address) | IN (0x0001) | false
                                             Timestamp                         | Source IP | Dest IP      | Trans ID | Reply Code   | Name            | CName | Address        | Type           | Class       | DNS over HTTPS
                                             Dec 16, 2024 06:19:07.828087091 CET | 1.1.1.1   | 192.168.2.12 | 0xd46d   | No error (0) | 18.ip.gl.ply.gg |       | 147.185.221.18 | A (IP address) | IN (0x0001) | false

                                            Target ID:0
                                            Start time:00:18:53
                                            Start date:16/12/2024
                                            Path:C:\Users\user\Desktop\Discord2.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\Discord2.exe"
                                            Imagebase:0x7e0000
                                            File size:48'640 bytes
                                            MD5 hash:3E7CA285EF320886E388DC9097E1BF92
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.2543607511.00000000007E2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000000.2543607511.00000000007E2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.2543607511.00000000007E2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.2591229075.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.2591229075.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.2591229075.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000002.2591229075.0000000002D35000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                            Reputation:low
                                            Has exited:true

                                            Target ID:2
                                            Start time:00:18:58
                                            Start date:16/12/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"' & exit
                                            Imagebase:0x1f0000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:3
                                            Start time:00:18:58
                                            Start date:16/12/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3854.tmp.bat""
                                            Imagebase:0x1f0000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:00:18:58
                                            Start date:16/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff704000000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:5
                                            Start time:00:18:58
                                            Start date:16/12/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff704000000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:6
                                            Start time:00:18:58
                                            Start date:16/12/2024
                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                            Wow64 process (32bit):true
                                            Commandline:schtasks /create /f /sc onlogon /rl highest /tn "Discord" /tr '"C:\Users\user\AppData\Roaming\Discord.exe"'
                                            Imagebase:0xd90000
                                            File size:187'904 bytes
                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:7
                                            Start time:00:18:58
                                            Start date:16/12/2024
                                            Path:C:\Windows\SysWOW64\timeout.exe
                                            Wow64 process (32bit):true
                                            Commandline:timeout 3
                                            Imagebase:0x270000
                                            File size:25'088 bytes
                                            MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:8
                                            Start time:00:19:00
                                            Start date:16/12/2024
                                            Path:C:\Users\user\AppData\Roaming\Discord.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Roaming\Discord.exe
                                            Imagebase:0xd00000
                                            File size:48'640 bytes
                                            MD5 hash:3E7CA285EF320886E388DC9097E1BF92
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\Discord.exe, Author: Joe Security
                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Discord.exe, Author: Joe Security
                                            • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: C:\Users\user\AppData\Roaming\Discord.exe, Author: unknown
                                            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\Discord.exe, Author: ditekSHen
                                            Antivirus matches:
                                            • Detection: 100%, Avira
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 89%, ReversingLabs
                                            Reputation:low
                                            Has exited:true

                                            Target ID:9
                                            Start time:00:19:01
                                            Start date:16/12/2024
                                            Path:C:\Users\user\AppData\Roaming\Discord.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Roaming\Discord.exe"
                                            Imagebase:0x9d0000
                                            File size:48'640 bytes
                                            MD5 hash:3E7CA285EF320886E388DC9097E1BF92
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000009.00000002.3793725820.0000000002D7C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000009.00000002.3793725820.0000000002D7C000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                            Reputation:low
                                            Has exited:false

                                            Execution Graph

                                            Execution Coverage:14.9%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:16.7%
                                            Total number of Nodes:18
                                            Total number of Limit Nodes:0
                                            execution_graph 4103 11809a8 4104 11809ca 4103->4104 4105 1180a27 4104->4105 4107 11815b8 4104->4107 4111 11815d1 4107->4111 4108 11815db 4108->4105 4111->4108 4112 1185258 4111->4112 4116 1185204 4111->4116 4113 1185277 4112->4113 4120 1182d4c 4113->4120 4117 1185277 4116->4117 4118 1182d4c CheckRemoteDebuggerPresent 4117->4118 4119 118528a 4118->4119 4119->4108 4121 11852b8 CheckRemoteDebuggerPresent 4120->4121 4123 118528a 4121->4123 4123->4108 4124 1186a20 4125 1186a63 RtlSetProcessIsCritical 4124->4125 4126 1186a94 4125->4126

                                            Executed Functions

                                            Control-flow Graph

                                            control_flow_graph 0 1182d4c-118533c CheckRemoteDebuggerPresent 3 118533e-1185344 0->3 4 1185345-1185380 0->4 3->4
                                            APIs
                                            • CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 0118532F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2590966798.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1180000_Discord2.jbxd
                                            Similarity
                                            • API ID: CheckDebuggerPresentRemote
                                            • String ID:
                                            • API String ID: 3662101638-0
                                            • Opcode ID: 1d2ce48e92266f0c04ebd306c1abbf0430cf555129eefaca1571d7eac7d0b93b
                                            • Instruction ID: 23a764e87220cd1d4d3485fa4cfb42776de763d8cb869f8c09257a46c34ad6eb
                                            • Opcode Fuzzy Hash: 1d2ce48e92266f0c04ebd306c1abbf0430cf555129eefaca1571d7eac7d0b93b
                                            • Instruction Fuzzy Hash: 4D215571800209CFCB04DF9AD484BEEBBF5EF49310F14842AE819A7350D778A944CFA1

                                            Control-flow Graph

                                            control_flow_graph 23 1184088-11840ee 25 1184138-118413a 23->25 26 11840f0-11840fb 23->26 27 118413c-1184155 25->27 26->25 28 11840fd-1184109 26->28 35 11841a1-11841a3 27->35 36 1184157-1184163 27->36 29 118410b-1184115 28->29 30 118412c-1184136 28->30 31 1184119-1184128 29->31 32 1184117 29->32 30->27 31->31 34 118412a 31->34 32->31 34->30 38 11841a5-11841fd 35->38 36->35 37 1184165-1184171 36->37 39 1184173-118417d 37->39 40 1184194-118419f 37->40 47 11841ff-118420a 38->47 48 1184247-1184249 38->48 42 118417f 39->42 43 1184181-1184190 39->43 40->38 42->43 43->43 44 1184192 43->44 44->40 47->48 49 118420c-1184218 47->49 50 118424b-1184263 48->50 51 118421a-1184224 49->51 52 118423b-1184245 49->52 56 11842ad-11842af 50->56 57 1184265-1184270 50->57 53 1184228-1184237 51->53 54 1184226 51->54 52->50 53->53 58 1184239 53->58 54->53 60 11842b1-1184302 56->60 57->56 59 1184272-118427e 57->59 58->52 61 1184280-118428a 59->61 62 11842a1-11842ab 59->62 68 1184308-1184316 60->68 63 118428c 61->63 64 118428e-118429d 61->64 62->60 63->64 64->64 66 118429f 64->66 66->62 69 1184318-118431e 68->69 70 118431f-118437f 68->70 69->70 77 118438f-1184393 70->77 78 1184381-1184385 70->78 80 11843a3-11843a7 77->80 81 1184395-1184399 77->81 78->77 79 1184387 78->79 79->77 83 11843a9-11843ad 80->83 84 11843b7-11843bb 80->84 81->80 82 118439b 81->82 82->80 83->84 85 11843af-11843b2 call 1180418 83->85 86 11843cb-11843cf 84->86 87 11843bd-11843c1 84->87 85->84 90 11843df-11843e3 86->90 91 11843d1-11843d5 86->91 87->86 89 11843c3-11843c6 call 1180418 87->89 89->86 94 11843f3-11843f7 90->94 95 11843e5-11843e9 90->95 91->90 93 11843d7-11843da call 1180418 91->93 93->90 97 11843f9-11843fd 94->97 98 1184407 94->98 95->94 96 11843eb 95->96 96->94 97->98 100 11843ff 97->100 101 1184408 98->101 100->98 101->101
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2590966798.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1180000_Discord2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: \VWn
                                            • API String ID: 0-2539567816
                                            • Opcode ID: 73ef11ccb40327be89ade49ed497f8ef4517e453d7800213af36fd103fa8ac86
                                            • Instruction ID: 101c7a20d95fcc4688fd05bd4c2d64a78c99aaa8686294fa9dd02cd71199436f
                                            • Opcode Fuzzy Hash: 73ef11ccb40327be89ade49ed497f8ef4517e453d7800213af36fd103fa8ac86
                                            • Instruction Fuzzy Hash: 07B16D70E0421ACFEB18DFA9D8857EEBBF2AF88304F14C129D815A7694DB749845CF91

                                            Control-flow Graph

                                            control_flow_graph 277 1185b20-1185b32 278 1185b34-1185b73 call 1185928 call 11806dc 277->278 279 1185b96-1185b9d 277->279 288 1185b9e-1185c05 278->288 289 1185b75-1185b87 278->289 299 1185c0e-1185c1e 288->299 300 1185c07-1185c09 288->300 295 1185b8e 289->295 295->279 302 1185c20 299->302 303 1185c25-1185c35 299->303 301 1185ead-1185eb4 300->301 302->301 305 1185c3b-1185c49 303->305 306 1185e94-1185ea2 303->306 309 1185c4f 305->309 310 1185eb5-1185f2e 305->310 306->310 311 1185ea4-1185ea8 call 1184f38 306->311 309->310 312 1185e19-1185e45 309->312 313 1185cba-1185cdb 309->313 314 1185d7f-1185da7 309->314 315 1185d52-1185d7a 309->315 316 1185c93-1185cb5 309->316 317 1185c56-1185c68 309->317 318 1185e88-1185e92 309->318 319 1185d2c-1185d4d 309->319 320 1185dac-1185de9 309->320 321 1185c6d-1185c8e 309->321 322 1185dee-1185e14 309->322 323 1185ce0-1185d01 309->323 324 1185e64-1185e86 309->324 325 1185d06-1185d27 309->325 326 1185e47-1185e62 call 11801c0 309->326 311->301 312->301 313->301 314->301 315->301 316->301 317->301 318->301 319->301 320->301 321->301 322->301 323->301 324->301 325->301 326->301
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2590966798.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1180000_Discord2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6964ec67ebe5d9ff3b564ec9e1639e0b18e7dab2d70d09e503855e57adb8dc47
                                            • Instruction ID: 71c525656fa445bbe5c860fb4298edeb1e90910bf87464b31dea9282bea374a1
                                            • Opcode Fuzzy Hash: 6964ec67ebe5d9ff3b564ec9e1639e0b18e7dab2d70d09e503855e57adb8dc47
                                            • Instruction Fuzzy Hash: 29B18234B002148BDB5DEB79985467EBBB7AFC8741B15C86EE416EB388DF348C058B52

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 478 1184958-11849be 480 1184a08-1184a0a 478->480 481 11849c0-11849cb 478->481 483 1184a0c-1184a25 480->483 481->480 482 11849cd-11849d9 481->482 484 11849db-11849e5 482->484 485 11849fc-1184a06 482->485 490 1184a71-1184a73 483->490 491 1184a27-1184a33 483->491 486 11849e9-11849f8 484->486 487 11849e7 484->487 485->483 486->486 489 11849fa 486->489 487->486 489->485 492 1184a75-1184a8d 490->492 491->490 493 1184a35-1184a41 491->493 500 1184a8f-1184a9a 492->500 501 1184ad7-1184ad9 492->501 494 1184a43-1184a4d 493->494 495 1184a64-1184a6f 493->495 496 1184a4f 494->496 497 1184a51-1184a60 494->497 495->492 496->497 497->497 499 1184a62 497->499 499->495 500->501 503 1184a9c-1184aa8 500->503 502 1184adb-1184af3 501->502 509 1184b3d-1184b3f 502->509 510 1184af5-1184b00 502->510 504 1184aaa-1184ab4 503->504 505 1184acb-1184ad5 503->505 507 1184ab8-1184ac7 504->507 508 1184ab6 504->508 505->502 507->507 511 1184ac9 507->511 508->507 513 1184b41-1184bb4 509->513 510->509 512 1184b02-1184b0e 510->512 511->505 514 1184b10-1184b1a 512->514 515 1184b31-1184b3b 512->515 522 1184bba-1184bc8 513->522 516 1184b1c 514->516 517 1184b1e-1184b2d 514->517 515->513 516->517 517->517 519 1184b2f 517->519 519->515 523 1184bca-1184bd0 522->523 524 1184bd1-1184c31 522->524 523->524 531 1184c41-1184c45 524->531 532 1184c33-1184c37 524->532 534 1184c55-1184c59 531->534 535 1184c47-1184c4b 531->535 532->531 533 1184c39 532->533 533->531 537 1184c69-1184c6d 534->537 538 1184c5b-1184c5f 534->538 535->534 536 1184c4d 535->536 536->534 540 1184c7d-1184c81 537->540 541 1184c6f-1184c73 537->541 538->537 539 1184c61 538->539 539->537 542 1184c91-1184c95 540->542 543 1184c83-1184c87 540->543 541->540 544 1184c75 541->544 546 1184ca5 542->546 547 1184c97-1184c9b 542->547 543->542 545 1184c89-1184c8c call 1180418 543->545 544->540 545->542 551 1184ca6 546->551 547->546 549 1184c9d-1184ca0 call 1180418 547->549 549->546 551->551
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2590966798.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1180000_Discord2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dd100c542ade6cde3b2045f2744ba2c9ca139efbfc20fd2e59b79335ac816bf0
                                            • Instruction ID: a6c0385f6fdf86b339b69d38cb269040d3dc0fc9983c2f348885e1fd53ee040b
                                            • Opcode Fuzzy Hash: dd100c542ade6cde3b2045f2744ba2c9ca139efbfc20fd2e59b79335ac816bf0
                                            • Instruction Fuzzy Hash: 86B15C70E0020A8FDB18DFA9C8857EDBBF2BF88714F14C129D815AB694DB749845CF95

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 7 11852b0-118533c CheckRemoteDebuggerPresent 9 118533e-1185344 7->9 10 1185345-1185380 7->10 9->10
                                            APIs
                                            • CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 0118532F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2590966798.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1180000_Discord2.jbxd
                                            Similarity
                                            • API ID: CheckDebuggerPresentRemote
                                            • String ID:
                                            • API String ID: 3662101638-0
                                            • Opcode ID: 899dbd24d060e50f2696d50dfd5d81b37a7eae2940922b9eb1a53504c98f5fd0
                                            • Instruction ID: deae7dc00400be4e95816e1e769f522bf938a90fae00813514aa145b17facf49
                                            • Opcode Fuzzy Hash: 899dbd24d060e50f2696d50dfd5d81b37a7eae2940922b9eb1a53504c98f5fd0
                                            • Instruction Fuzzy Hash: 672148B1801259CFDB04CFAAD484BEEBBF4EF59310F14846AE459A7350D378A945CF61

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 13 1186a19-1186a5b 14 1186a63-1186a92 RtlSetProcessIsCritical 13->14 15 1186a99-1186ab2 14->15 16 1186a94 14->16 16->15
                                            APIs
                                            • RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 01186A85
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2590966798.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1180000_Discord2.jbxd
                                            Similarity
                                            • API ID: CriticalProcess
                                            • String ID:
                                            • API String ID: 2695349919-0
                                            • Opcode ID: 20340205415caa1fbd150bc9e8b3efe33e65059ad35a8d776cf2c2edab02a105
                                            • Instruction ID: b6a38d9f8668b92001933ebbd882c4a9d4640c180eca1c8c507845a82414d1c6
                                            • Opcode Fuzzy Hash: 20340205415caa1fbd150bc9e8b3efe33e65059ad35a8d776cf2c2edab02a105
                                            • Instruction Fuzzy Hash: 9B1110B58042498FDB20DF9AC884BDEBFF4EF98314F24801AD519A7750D379A944CFA1

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 18 1186a20-1186a92 RtlSetProcessIsCritical 20 1186a99-1186ab2 18->20 21 1186a94 18->21 21->20
                                            APIs
                                            • RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 01186A85
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2590966798.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1180000_Discord2.jbxd
                                            Similarity
                                            • API ID: CriticalProcess
                                            • String ID:
                                            • API String ID: 2695349919-0
                                            • Opcode ID: 7f232a857deec9c54c63bca9025650891fa026f72bbe7d6349bbc3c240c123bd
                                            • Instruction ID: b6b59cadb99c41ac0351ff15e5aca5843ad30210f18d8081d699e06168570dee
                                            • Opcode Fuzzy Hash: 7f232a857deec9c54c63bca9025650891fa026f72bbe7d6349bbc3c240c123bd
                                            • Instruction Fuzzy Hash: 8411F2B58006498FDB20DF9AC484BDEFBF4EF88314F248419D619A7650C379A944CFA5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2590435920.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_eed000_Discord2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7e4b1ec1a4aa10b59522ba218642502fd6d72063a0544c98fb09061b5eca6192
                                            • Instruction ID: e2f3059867a8cf72f6fc5f4abeee1a4ec1eb2ca5157033c1f1642534c5877c0c
                                            • Opcode Fuzzy Hash: 7e4b1ec1a4aa10b59522ba218642502fd6d72063a0544c98fb09061b5eca6192
                                            • Instruction Fuzzy Hash: 30213671508288DFDB01DF14D9C0F16BF61FB98328F208569D9061A256C336D859CBA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2590435920.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_eed000_Discord2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7328aad906307f87a639ae946db57a35503b58b28594a988dc7ce012466a0042
                                            • Instruction ID: 2f752e2d603d695774c22913c7d3a3b69f75c08b0d72dddc198c4a5180574b2e
                                            • Opcode Fuzzy Hash: 7328aad906307f87a639ae946db57a35503b58b28594a988dc7ce012466a0042
                                            • Instruction Fuzzy Hash: FD11D376508284CFCB16CF14D9C4B16BF71FB84328F24C5A9D9090B256C33AD85ACBA2

                                            Non-executed Functions

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2590966798.0000000001180000.00000040.00000800.00020000.00000000.sdmp, Offset: 01180000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_1180000_Discord2.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: \VWn
                                            • API String ID: 0-2539567816
                                            • Opcode ID: 1837ee3fd5e44f583137efb705a87dcca6932b9f8eca592f46f0b1658db26b1c
                                            • Instruction ID: b90bb358a31a5643b2ee3fa9f41d1db8108c74883a6986ea0f4aacafdaea8e23
                                            • Opcode Fuzzy Hash: 1837ee3fd5e44f583137efb705a87dcca6932b9f8eca592f46f0b1658db26b1c
                                            • Instruction Fuzzy Hash: 8A916D70E102198FDB18DFA9C8857DEBBF2BF88704F18C129E415A7294DB749845CF92

                                            Executed Functions

                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2677051957.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_15b0000_Discord.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: d!t
                                            • API String ID: 0-3212231244
                                            • Opcode ID: 0676c3098884fcdb6bb004a897ff5d0be5fd3311869161f02bbe22de49c94087
                                            • Instruction ID: f29657bb5b6eeb336d4b45db676428df1ddea8a226eeb8402955ad3587983009
                                            • Opcode Fuzzy Hash: 0676c3098884fcdb6bb004a897ff5d0be5fd3311869161f02bbe22de49c94087
                                            • Instruction Fuzzy Hash: CA51AF34B101049FDB54DF79D498AADBBF6FF89700F2580A9E806DB3A5DA719C01CB91
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2677051957.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_15b0000_Discord.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cbd1e94d32054d9a0a009b1fefa776a1e59c830d81f92f39fa7515171ab8942e
                                            • Instruction ID: 099cb95e0da69d1e2080606c557d22c6e87cd1cbcb32b2caa59b6abab25fa2fa
                                            • Opcode Fuzzy Hash: cbd1e94d32054d9a0a009b1fefa776a1e59c830d81f92f39fa7515171ab8942e
                                            • Instruction Fuzzy Hash: E241BE317002059FDB15DF79C498BAEBBF6FF89211F1444A9E105EB3A1CA759C05CB91
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2677051957.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_15b0000_Discord.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b4da188c6e2dc92275fce079698a74c18d4cd88214e0fa0024ba376fe81f4972
                                            • Instruction ID: 81ece1a1e97d5bd4c527dd10b88cceb2813377cf8c49d66ef9d7ad7317056c88
                                            • Opcode Fuzzy Hash: b4da188c6e2dc92275fce079698a74c18d4cd88214e0fa0024ba376fe81f4972
                                            • Instruction Fuzzy Hash: 85310034B022469FCB04DB7DE8A49BEBBF6FF85211B14056DD506DB391EE348C018B90
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2677051957.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_15b0000_Discord.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ceb75b78434deb5595f76f45fc4a18a3bc31d14070ef0c2250a59baf00e8fc10
                                            • Instruction ID: 0e71825f98cf16f58848a09d95375a64f3780ddb1f4d5703717212e2873c3f48
                                            • Opcode Fuzzy Hash: ceb75b78434deb5595f76f45fc4a18a3bc31d14070ef0c2250a59baf00e8fc10
                                            • Instruction Fuzzy Hash: 44513D3450120ADFC71AEF36F48895A7777FB993057504668D8118B368EF399E86CF80
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2677051957.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_15b0000_Discord.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 19dfba3c7b0663e7e6cf42aac34fba803f61df40a4e97f3a7fe55aef899d3898
                                            • Instruction ID: 60ad30c7b50a25d333c258f7e5937dc7ee3413cba3bb98b5bdecf741e8ce4284
                                            • Opcode Fuzzy Hash: 19dfba3c7b0663e7e6cf42aac34fba803f61df40a4e97f3a7fe55aef899d3898
                                            • Instruction Fuzzy Hash: 8541B2B0A01209AFCB44DBBAC4946AEFBFAFF89300F208569D549D7345DA349D418B90
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2677051957.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_15b0000_Discord.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c68d7c5f0ac1492a116e36423dbde89e105e3912958d6613f9d71515ecec7db7
                                            • Instruction ID: b81183528c7de1ef042a1e1b963934fee24c848c298804a63ecf45b54e5c35d4
                                            • Opcode Fuzzy Hash: c68d7c5f0ac1492a116e36423dbde89e105e3912958d6613f9d71515ecec7db7
                                            • Instruction Fuzzy Hash: E7316B71A00205DFDB15DF69C498BAEBBF6BF88301F148569E502AB3A1CB75ED04CB90
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2677051957.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_15b0000_Discord.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bfb6951b64da18cfa9ef32339df26e133ea19ff8e31c2e719f5d9bb0921e52fd
                                            • Instruction ID: e302fe0f1a3dfb95983311e87de08b33c298707f149ef0aa9bb264a1f9069574
                                            • Opcode Fuzzy Hash: bfb6951b64da18cfa9ef32339df26e133ea19ff8e31c2e719f5d9bb0921e52fd
                                            • Instruction Fuzzy Hash: 272171316102068FDB699F79E4992BF7BB4FF56201B0049A9F806CA2D5EFB4D940CB61
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2677051957.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_15b0000_Discord.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ddd181a1a8d1c271d21c92044c0a8416482bc97ff105d4176b2ed1281c42e2d4
                                            • Instruction ID: bd621631f4906d12d185ce925ea83469c2ceb206a1e702719ca298a456d0fb3c
                                            • Opcode Fuzzy Hash: ddd181a1a8d1c271d21c92044c0a8416482bc97ff105d4176b2ed1281c42e2d4
                                            • Instruction Fuzzy Hash: C3215730B002068FDB65EFB9E5992BF7AB5BF55201B004979F907DA1C5EFB4C9408B61
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2677051957.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_15b0000_Discord.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 741197adac1f197c5b639ab34f12647463dcdcd61631dd02ac4e2005a86eaefb
                                            • Instruction ID: 46d282588fb140a8e3fbd9ff24826b073a6efd6c72e74b0c7d33e60f0a5a98b7
                                            • Opcode Fuzzy Hash: 741197adac1f197c5b639ab34f12647463dcdcd61631dd02ac4e2005a86eaefb
                                            • Instruction Fuzzy Hash: 85119A70A02205DFCB85DB79D4989AA7BF6EF8921A72008B9D405CB350EA35DD42CB94
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2677051957.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_15b0000_Discord.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e593ce637a7156138cf526bdcb5524bad7b9fe4b7392f9562667fb479aa8071c
                                            • Instruction ID: 53115fd6c6e57eb2be81359b9346cb044e83138beaddfd3036f6b2281e8299c0
                                            • Opcode Fuzzy Hash: e593ce637a7156138cf526bdcb5524bad7b9fe4b7392f9562667fb479aa8071c
                                            • Instruction Fuzzy Hash: A5118B30B026099FCB84DB7AD8949AA7BEAEF882057204479D409DB350EE38DD42CB94
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2677051957.00000000015B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015B0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_15b0000_Discord.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3a190db62fb2235b0e176c1ff18f2e21acce90c428e6aa17b8afaa3745d7ea6a
                                            • Instruction ID: cdfc027ed65388f6f44de229a3507a246872a467cf671425429a74df1e4ac6b9
                                            • Opcode Fuzzy Hash: 3a190db62fb2235b0e176c1ff18f2e21acce90c428e6aa17b8afaa3745d7ea6a
                                            • Instruction Fuzzy Hash: F8F022313153515FC34AEB7D981486E3BEBEFCA12272540FAE109CB3A6DE258C0683A1

                                            Execution Graph

                                            Execution Coverage

                                            Dynamic/Packed Code Coverage

                                            Signature Coverage

                                            Execution Coverage:13.5%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:20
                                            Total number of Limit Nodes:0
                                            execution_graph 4953 12309a8 4954 12309ca 4953->4954 4955 1230a27 4954->4955 4959 12315b8 4954->4959 4956 1230a6b 4955->4956 4964 12369c0 4955->4964 4960 12315d1 4959->4960 4961 12315db 4960->4961 4969 1235248 4960->4969 4973 1235258 4960->4973 4961->4955 4965 12369c6 RtlSetProcessIsCritical 4964->4965 4968 123697a 4964->4968 4967 1236a3c 4965->4967 4967->4956 4968->4956 4970 1235277 4969->4970 4977 1232d4c 4970->4977 4974 1235277 4973->4974 4975 1232d4c CheckRemoteDebuggerPresent 4974->4975 4976 123528a 4975->4976 4976->4961 4978 12352b8 CheckRemoteDebuggerPresent 4977->4978 4980 123528a 4978->4980 4980->4961

                                            Executed Functions

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 134 1232d4c-123533c CheckRemoteDebuggerPresent 137 1235345-1235380 134->137 138 123533e-1235344 134->138 138->137
                                            APIs
                                            • CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 0123532F
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3793539753.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1230000_Discord.jbxd
                                            Similarity
                                            • API ID: CheckDebuggerPresentRemote
                                            • String ID:
                                            • API String ID: 3662101638-0
                                            • Opcode ID: dd4a0f9a9f3eab2eb250bd32f0bba394e9eef049d20d9374c2cf678aa753a5ec
                                            • Instruction ID: b247a2267a84cf61e5160a2fbe93f94e84ac16f3c64f2544bba88e56d6a72508
                                            • Opcode Fuzzy Hash: dd4a0f9a9f3eab2eb250bd32f0bba394e9eef049d20d9374c2cf678aa753a5ec
                                            • Instruction Fuzzy Hash: 7A2136B18016598FDB10CFAAD484BEEBBF4EF89210F14845AE959B3250D778A944CF60

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 141 12352b0-123533c CheckRemoteDebuggerPresent 144 1235345-1235380 141->144 145 123533e-1235344 141->145 145->144
                                            APIs
                                            • CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 0123532F
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3793539753.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1230000_Discord.jbxd
                                            Similarity
                                            • API ID: CheckDebuggerPresentRemote
                                            • String ID:
                                            • API String ID: 3662101638-0
                                            • Opcode ID: fbb8675342588dd05d2f1dc951cceff1902e1009302e03aff75f906602b32e3b
                                            • Instruction ID: 6250457b35e9ce792d261e57005d7affa5965a729cd786155d3af0b0cefe0210
                                            • Opcode Fuzzy Hash: fbb8675342588dd05d2f1dc951cceff1902e1009302e03aff75f906602b32e3b
                                            • Instruction Fuzzy Hash: 882148B2800259CFDB14CFAAD484BEEFBF4EF88310F14846AE558A3250D778A944CF60

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 148 12369c0-12369c4 149 12369c6-1236a3a RtlSetProcessIsCritical 148->149 150 123697a-12369a3 call 1236514 148->150 153 1236a41-1236a5a 149->153 154 1236a3c 149->154 157 12369a8-12369b2 150->157 154->153
                                            APIs
                                            • RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 01236A2D
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3793539753.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1230000_Discord.jbxd
                                            Similarity
                                            • API ID: CriticalProcess
                                            • String ID:
                                            • API String ID: 2695349919-0
                                            • Opcode ID: e04c4bf13043340535175156412005209ed2a125b2173cbee88e1b8c20a332c0
                                            • Instruction ID: b33f09f22ca59abfa00abae79bc1280f4b175838516d7316f4ed6b5c528194f2
                                            • Opcode Fuzzy Hash: e04c4bf13043340535175156412005209ed2a125b2173cbee88e1b8c20a332c0
                                            • Instruction Fuzzy Hash: 70219AB19103099FDB14DFAAD845BEEBFF4EF88310F10805AD619A7250C77A9941CFA1

                                            Control-flow Graph (flattened; basic blocks with their outgoing edges)
                                            • Block 160: 12369c8-1236a03 -> 161
                                            • Block 161: 1236a0b-1236a3a, calls RtlSetProcessIsCritical -> 162, 163
                                            • Block 162: 1236a41-1236a5a
                                            • Block 163: 1236a3c -> 162
                                            APIs
                                            • RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 01236A2D
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3793539753.0000000001230000.00000040.00000800.00020000.00000000.sdmp, Offset: 01230000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_1230000_Discord.jbxd
                                            Similarity
                                            • API ID: CriticalProcess
                                            • String ID:
                                            • API String ID: 2695349919-0
                                            • Opcode ID: f29934e66095868eeb0417865e68980bd6c99e38d84cc44b1f99d150634f1ea0
                                            • Instruction ID: 2fca70e419722bebbeacf9424584dc8811276e5f99eb70d05df2ce466af6a7ab
                                            • Opcode Fuzzy Hash: f29934e66095868eeb0417865e68980bd6c99e38d84cc44b1f99d150634f1ea0
                                            • Instruction Fuzzy Hash: 2811F2B59106499FDB10DF9AD884BDEBFF4EF88310F208419D618A7250C775A944CFA5
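Both control-flow graphs above reach RtlSetProcessIsCritical, the ntdll routine that sets the process's BreakOnTermination flag (the "Protects its processes via BreakOnTermination flag" signature in the report). The practical consequence for a responder is that terminating such a process triggers a bugcheck, so the flag should be checked before the implant is killed on a live host. The PowerShell below is an added example and is not part of the Joe Sandbox report or of the sample; it assumes an elevated session, that System.Diagnostics.Process.Handle returns a handle with query rights, and the ProcessBreakOnTermination information class (0x1D) of NtQueryInformationProcess. The type name NtProc and the function name Get-CriticalProcess are arbitrary choices for this example.

```powershell
# Added example (not from the report or the sample): list processes whose
# BreakOnTermination flag is set, i.e. what RtlSetProcessIsCritical(TRUE, ...) produces.
# Assumptions: elevated session; NtQueryInformationProcess with information class
# ProcessBreakOnTermination (0x1D) fills a 4-byte ULONG (non-zero = critical).
$src = @"
using System;
using System.Runtime.InteropServices;
public static class NtProc {
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(
        IntPtr hProcess, int infoClass, out int info, int infoLen, out int retLen);
}
"@
Add-Type -TypeDefinition $src

function Get-CriticalProcess {
    $ProcessBreakOnTermination = 0x1D
    foreach ($p in Get-Process) {
        # Protected/system processes refuse the handle; skip them rather than abort.
        try { $h = $p.Handle } catch { continue }
        if (-not $h) { continue }
        $flag = 0; $len = 0
        $status = [NtProc]::NtQueryInformationProcess($h, $ProcessBreakOnTermination, [ref]$flag, 4, [ref]$len)
        # STATUS_SUCCESS is 0; any other NTSTATUS means the query failed for this process.
        if ($status -eq 0 -and $flag -ne 0) {
            [pscustomobject]@{
                Pid                = $p.Id
                Name               = $p.ProcessName
                Path               = $p.Path
                BreakOnTermination = $true
            }
        }
    }
}

# Usage: a user-mode binary such as the dropped Discord.exe appearing here is a strong
# anomaly; csrss/wininit/smss are the expected legitimate entries.
Get-CriticalProcess | Format-Table -AutoSize
```

If the implant shows up in this list, do not simply call Stop-Process: clear the flag first (NtSetInformationProcess with the same 0x1D class and a zero value, which requires SeDebugPrivilege on the caller), or suspend the process and remove its persistence before a controlled reboot.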
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3793009044.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_fdd000_Discord.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 582b590fd79676437e3aab21714e77835c90a9083af9519a72472d947cc0bb54
                                            • Instruction ID: 1acce48850fda8c1b079b2526409ae71264a2527999c35e320060c16716c3758
                                            • Opcode Fuzzy Hash: 582b590fd79676437e3aab21714e77835c90a9083af9519a72472d947cc0bb54
                                            • Instruction Fuzzy Hash: 99210672904204DFDB15DF14E9C0F16BF66FB98324F28816AD9050A356C336D855EBA2
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3793404219.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_11ed000_Discord.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 99e76ee7481a27aafb159de56e97b83958252e19233180667335d290e2e46adf
                                            • Instruction ID: 77cccaf65beedd499400f9cab09648bdd24e19e9e4522c75df625b1152564e26
                                            • Opcode Fuzzy Hash: 99e76ee7481a27aafb159de56e97b83958252e19233180667335d290e2e46adf
                                            • Instruction Fuzzy Hash: 2521F575504704EFDF09DFA4E988B16BBE5FB84314F24C56DD9094B252C33AD446CBA2
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3793009044.0000000000FDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FDD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_fdd000_Discord.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7328aad906307f87a639ae946db57a35503b58b28594a988dc7ce012466a0042
                                            • Instruction ID: 0792128022dcc0de917d14fddb1e4817cd57712762354a8511dfddce0782f0b6
                                            • Opcode Fuzzy Hash: 7328aad906307f87a639ae946db57a35503b58b28594a988dc7ce012466a0042
                                            • Instruction Fuzzy Hash: E511D376904244DFCB16CF14D9C4B16BF72FB84324F28C5AAD9090B356C33AD856DBA2
                                            Memory Dump Source
                                            • Source File: 00000009.00000002.3793404219.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_9_2_11ed000_Discord.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 86be40d80b11aa192e1afe2ff6094ee2e32317234be2ff14b811ac5c620ac923
                                            • Instruction ID: e76a551cf1a81790628863eb6e2bdc0b296fd1f65856424fdc32e79d2b236473
                                            • Opcode Fuzzy Hash: 86be40d80b11aa192e1afe2ff6094ee2e32317234be2ff14b811ac5c620ac923
                                            • Instruction Fuzzy Hash: 6E11BE75504640DFDB0ACF54D9C4B15BFA1FB44214F24C6A9D8094B256C33AD40ACBA1