File name:

release.zip

Full analysis: https://app.any.run/tasks/598c4526-3fc4-4bd8-8b84-aa73862e7048
Verdict: Malicious activity
Threats:

Remote access trojans (RATs) are a type of malware that gives attackers full or partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Common RAT features include access to the user's data, webcam, and keystrokes. This malware is often distributed through phishing emails and links.

Analysis date: May 17, 2025, 08:56:49
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
auto
rat
discordrat
arch-exec
arch-doc
discord
websocket
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:

CE48A276FA4E02DDFF35609EAFA51E01

SHA1:

EFCFD4A34EBCF3D23C99C123ACC9DE1A703B79F2

SHA256:

FD56376E8825B6D2FD5D13286096390DC15B8CFE51219C7B6149A54312424507

SSDEEP:

24576:d0abylEmzpJzwspcoDRftlmWZVc2Q/XwhCeoiY:dNbylEmzpJzwspckRftlmyVc2Q/Xwhvs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 1812)
    • DISCORDRAT has been detected (YARA)

      • builder.exe (PID: 5608)
  • SUSPICIOUS

    • Executes application which crashes

      • Discord rat.exe (PID: 920)
  • INFO

    • Manual execution by a user

      • Discord rat.exe (PID: 920)
      • builder.exe (PID: 5608)
      • notepad.exe (PID: 5736)
    • Checks supported languages

      • builder.exe (PID: 5608)
      • Discord rat.exe (PID: 920)
    • Reads the computer name

      • Discord rat.exe (PID: 920)
      • builder.exe (PID: 5608)
    • Reads the machine GUID from the registry

      • Discord rat.exe (PID: 920)
      • builder.exe (PID: 5608)
    • Reads Environment values

      • Discord rat.exe (PID: 920)
    • Disables trace logs

      • Discord rat.exe (PID: 920)
    • Checks proxy server information

      • Discord rat.exe (PID: 920)
      • slui.exe (PID: 3332)
    • Reads the software policy settings

      • Discord rat.exe (PID: 920)
      • slui.exe (PID: 3332)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 5736)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 5056)
    • Attempting to use instant messaging service

      • Discord rat.exe (PID: 920)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2022:04:09 10:41:20
ZipCRC: 0xa22ab3da
ZipCompressedSize: 422007
ZipUncompressedSize: 1162752
ZipFileName: dnlib.dll
No data.
All screenshots are available in the full report
Total processes
130
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Processes in the graph:
  • winrar.exe (no specs)
  • discord rat.exe (#DISCORDRAT)
  • builder.exe (no specs)
  • notepad.exe (no specs)
  • werfault.exe (no specs)
  • slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 920
CMD: "C:\Users\admin\Desktop\Discord rat.exe"
Path: C:\Users\admin\Desktop\Discord rat.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Discord rat
Exit code:
3762504530
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\discord rat.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1812
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\release.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 3332
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 5056
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 920 -s 2272
Path: C:\Windows\System32\WerFault.exe
Parent process: Discord rat.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
PID: 5608
CMD: "C:\Users\admin\Desktop\builder.exe"
Path: C:\Users\admin\Desktop\builder.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
builder
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\builder.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 5736
CMD: "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\sss.txt
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\user32.dll
Total events
10 337
Read events
10 315
Write events
22
Delete events
0

Modification events

(PID) Process: (1812) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value:
C:\Users\admin\Desktop\preferences.zip

(PID) Process: (1812) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value:
C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (1812) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (1812) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\Desktop\release.zip

(PID) Process: (1812) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120

(PID) Process: (1812) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80

(PID) Process: (1812) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120

(PID) Process: (1812) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value:
100

(PID) Process: (920) Discord rat.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Discord rat_RASAPI32
Operation: write
Name: EnableFileTracing
Value:
0

(PID) Process: (920) Discord rat.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Discord rat_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value:
0
Executable files
0
Suspicious files
2
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 5056
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Discord rat.exe_2995986a7992bd501e11561cb61f6312d8dc556_697fe698_50e6a13a-0dc2-4f81-a4a8-b89fb571c838\Report.wer
MD5:
SHA256:

PID: 5056
Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\Discord rat.exe.920.dmp
MD5:
SHA256:

PID: 5056
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE09E.tmp.dmp
Type: binary
MD5: 7C46E965273FB40EC902D996F800D67B
SHA256: 5E1DCA8CA85202AFA9ED7C659BB520E256CFE701FA084398C7406D943D0E40D2

PID: 5056
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE301.tmp.xml
Type: xml
MD5: 0A63C72C138674768E15FA43D62E5F27
SHA256: AD13355A21427B4067D160CCACFC75417F0452C0082E264AB74A4D96518041B4

PID: 5056
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERE2D1.tmp.WERInternalMetadata.xml
Type: binary
MD5: 2F07776F4530D545FB346871141695CF
SHA256: C5959FE555FBDDF7355140A5F268DFB642179294A7A3F864CF25F69D36AB39B7
HTTP(S) requests
8
TCP/UDP connections
43
DNS requests
14
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5384
SIHClient.exe
GET
200
23.216.77.36:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5384
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5384
SIHClient.exe
GET
200
23.216.77.36:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
5384
SIHClient.exe
GET
200
23.216.77.36:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
5384
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5384
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5384
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
5384
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
20.190.159.71:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
4
System
192.168.100.255:137
whitelisted
920
Discord rat.exe
162.159.134.234:443
gateway.discord.gg
CLOUDFLARENET
whitelisted
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
5384
SIHClient.exe
4.245.163.56:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5384
SIHClient.exe
23.216.77.36:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.78
whitelisted
login.live.com
  • 20.190.159.71
  • 40.126.31.2
  • 20.190.159.130
  • 40.126.31.0
  • 20.190.159.4
  • 20.190.159.128
  • 40.126.31.73
  • 20.190.159.2
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
gateway.discord.gg
  • 162.159.134.234
  • 162.159.130.234
  • 162.159.133.234
  • 162.159.136.234
  • 162.159.135.234
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
crl.microsoft.com
  • 23.216.77.36
  • 23.216.77.29
  • 23.216.77.19
  • 23.216.77.39
  • 23.216.77.21
  • 23.216.77.25
  • 23.216.77.20
  • 23.216.77.28
  • 23.216.77.42
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET INFO Discord Chat Service Domain in DNS Lookup (gateway .discord .gg)
920
Discord rat.exe
Misc activity
ET INFO Observed Discord Service Domain (gateway .discord .gg) in TLS SNI
Not Suspicious Traffic
INFO [ANY.RUN] Websocket Upgrade Request
No debug info