A series of weird events

Was just working on my laptop when all of a sudden Discord opened, logged out, opened a browser window of Discord and logged in.
Just to be cautious, I changed my Discord password.

Do you think it’s fishy, or am I paranoid?

Which OS are you using, and was Discord already running in the background? You could review some security logs to see what happened if you remember the exact time.

Hmm … I was talking to someone a few days ago in Twitch chat and they said that Discord just randomly opened a browser window and logged in. They are oddly on Windows 7 still because they refuse to update. I just assumed it was a Win7 thing.

Windows 11, and yes, Discord was open on my laptop while I was working on my main display.

Discord is under attack because people with gaming GPUs tend to also mine crypto. If you don’t have crypto, you have less to worry about.

If I have anything on my PC, it is the Ledger software. I’m not planning to use it for a while, so I think I won’t connect it. Reinstall, or do I just run Defender?

Discord opened itself? Logged you out?
Opened a new window and logged you back in without you typing anything?

Sounds like your browser has been RATted (remote access trojan),
and it may have come from Discord. Discord has a problem with RATs being inserted in the site scripts that are on self-hosted Discord servers.

Did you check what link it was signing you into for Discord?
Is there a redirect in the URL?

Yes, reset your password. Use 10 letters or more with 1 number and 1 special character if you can.
And leave the rooms that aren’t hosted by Discord itself.
Check your browser’s user scripts and caches for Java files that shouldn’t be there (typically in temp folders).


Yup, this. Couldn’t check the link; everything happened in less than a minute. Reset the password. I’ve run a virus check. Will check Discord groups to see

Oh, and never run the Discord app with admin privs,
as a lot of the exploits need admin-level access to work.
If it’s not an admin-level task, it can’t run other admin-level tasks.

Available commands are:
→ !message = Show a message box displaying your text / Syntax = “!message example”
→ !shell = Execute a shell command /Syntax = “!shell whoami”
→ !webcampic = Take a picture from the webcam
→ !windowstart = Start logging current user window (logging is shown in the bot activity)
→ !windowstop = Stop logging current user window
→ !voice = Make a voice say outloud a custom sentence / Syntax = “!voice test”
→ !admincheck = Check if program has admin privileges
→ !sysinfo = Gives info about infected computer
→ !history = Get chrome browser history
→ !download = Download a file from infected computer
→ !upload = Upload file to infected computer / Syntax = “!upload file.png” (with attachment)
→ !cd = Changes directory
→ !delete = deletes a file / Syntax = “!delete /path to/the/file.txt”
→ !write = Type your desired sentence on computer / Type “enter” to press the enter button on the computer
→ !wallpaper = Change infected computer wallpaper / Syntax = “!wallpaper” (with attachment)
→ !clipboard = Retrieve infected computer clipboard content
→ !geolocate = Geolocate computer using latitude and longitude of the ip adress with google map / Warning : Geolocating IP adresses is not very precise
→ !startkeylogger = Starts a keylogger
→ !stopkeylogger = Stops keylogger
→ !dumpkeylogger = Dumps the keylog
→ !volumemax = Put volume to max
→ !volumezero = Put volume at 0
→ !idletime = Get the idle time of user’s on target computer
→ !blockinput = Blocks user’s keyboard and mouse / Warning : Admin rights are required
→ !unblockinput = Unblocks user’s keyboard and mouse / Warning : Admin rights are required
→ !screenshot = Get the screenshot of the user’s current screen
→ !exit = Exit program
→ !kill = Kill a session or all sessions / Syntax = “!kill session-3” or “!kill all”
→ !uacbypass = attempt to bypass uac to gain admin by using fod helper
→ !passwords = grab all chrome passwords
→ !streamwebcam = streams webcam by sending multiple pictures
→ !stopwebcam = stop webcam stream
→ !getdiscordinfo = get discord token,email,phone number,etc

are just some features of one prevalent RAT.

Found a weird file in %TEMP% with the filename discord.rpc: an XML, a DLL file and a PDB file. The XML had this in it:

<member name="M:DiscordRPC.DiscordRpcClient.Initialize">
  <summary> Attempts to initalize a connection to the Discord IPC. </summary>
  <returns></returns>
</member>
<member name="M:DiscordRPC.DiscordRpcClient.Deinitialize">
  <summary> Attempts to disconnect and deinitialize the IPC connection while retaining the settings. </summary>
</member>
<member name="M:DiscordRPC.DiscordRpcClient.Dispose">
  <summary> Terminates the connection to Discord and disposes of the object. </summary>
</member>
<member name="T:DiscordRPC.Events.OnReadyEvent">
  <summary> Called when the Discord Client is ready to send and receive messages. </summary>
  <param name="sender">The Discord client handler that sent this event</param>
  <param name="args">The arguments supplied with the event</param>
</member>
<member name="T:DiscordRPC.Events.OnCloseEvent">
  <summary> Called when connection to the Discord Client is lost. The connection will remain close and unready to accept messages until the Ready event is called again. </summary>
  <param name="sender">The Discord client handler that sent this event</param>
  <param name="args">The arguments supplied with the event</param>
</member>
<member name="T:DiscordRPC.Events.OnErrorEvent">
  <summary> Called when a error has occured during the transmission of a message. For example, if a bad Rich Presence payload is sent, this event will be called explaining what went wrong. </summary>
  <param name="sender">The Discord client handler that sent this event</param>
  <param name="args">The arguments supplied with the event</param>

Tried deleting the folder but can’t, even using cmd with the rmdir /s option. I remember there used to be a piece of software which would unlock and delete such folders but can’t remember it. If anyone can help me get rid of this, it would be greatly appreciated.

If you remember the approx. time it happened, review your Windows Event Logs. It’s possible the application just crashed and part of its recovery behavior was to display a crash log.

Start → Run → eventvwr.msc
Look under Windows Logs → Applications
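An added example, not from this thread, of pulling the same logs around a known time from PowerShell instead of clicking through Event Viewer. The $Start date is a placeholder to replace with the approximate time of the event; the Security query only returns rows from an elevated shell with "Audit Process Creation" enabled.

```powershell
# Added example (not from this thread). Set $Start to the approximate time the
# Discord window appeared; the date below is a placeholder and must be replaced.
$Start = Get-Date '2024-01-01 14:00'      # placeholder: approx. time of the event
$End   = $Start.AddMinutes(10)

function Get-FirstLine([string]$Text) { ($Text -split "`r?`n")[0] }

# Application log: crash/recovery entries (Application Error, Windows Error
# Reporting, .NET Runtime) or anything mentioning Discord inside the window.
$crashProviders = @('Application Error', 'Windows Error Reporting', '.NET Runtime')
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
    Where-Object { ($_.ProviderName -in $crashProviders) -or ($_.Message -match 'Discord') } |
    Select-Object TimeCreated, Id, ProviderName, @{ n = 'Summary'; e = { Get-FirstLine $_.Message } } |
    Format-Table -AutoSize

# Security log: process creation (event 4688). Needs an elevated shell and
# "Audit Process Creation" turned on; otherwise nothing comes back.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Discord|powershell|cmd\.exe|wscript|mshta' } |
    Select-Object TimeCreated, @{ n = 'NewProcess'; e = {
        (($_.Message -split "`r?`n") | Where-Object { $_ -like '*New Process Name*' }) -join '' } } |
    Format-Table -AutoSize

# Defender operational log: detections and actions taken in the same window.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { Get-FirstLine $_.Message } } |
    Format-Table -AutoSize
```

A crash followed by a relaunch shows up as an Application Error or Windows Error Reporting entry and then a new Discord.exe process; a process you do not recognise starting in the same window is what to look at next.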

Try the Windows Disk Cleanup utility before going nuclear. There is an option to delete Temporary Files.

  1. Start the Command Prompt as an Administrator.
  2. Type CD to open the root folder.
  3. Then type DEL filename (with extension) /F /Q where filename represents the name of the locked file to be deleted.
  4. Press Enter and the file will be gone.

if not…

Process Explorer

Process Explorer comes in a similar format to the Windows Task Manager
and is part of the MS Sysinternals suite of utilities.

It’s easy to use and doesn’t require installation, all that is needed is to run it and allow administrator permission, then follow these steps.

  1. Go to the File menu on the menu tab and choose Show Details for All Processes.
  2. While still on the menu tab, select the Find option, and click on Find Handle or DLL.
  3. Enter the name of the locked folder in the search field of the Process Explorer task manager.
  4. Choose the locked file and check out the handle in the details section below the window.
  5. In the same manner that a process can be ended in the regular Windows Task Manager: right-click on the file handle and click on Close Handle.
  6. You will have effectively stopped it from running in the background and from keeping the file from being deleted. You can now go back to the file location and delete the file.

After that you’re into software like FileASSASSIN or LockHunter. Use at your own discretion.

Sometimes a ghost character is there to prevent you from deleting it.
It’s an old trick we used to use to prevent keyboard idiots (bosses) from deleting critical data files.
Displayed on the screen, hitting the space key shows no character, but the code is in the hex file.
Hitting space once before typing the name can make a directory/file a ghost you can’t delete unless you know the space is there.

Attempting to just delete it (without hitting the space key first) just results in errors or access denied messages.
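An added example, not from this thread, that makes such a name visible: it lists entries in %TEMP% whose names carry leading or trailing blanks or non-printing characters and prints their exact code points, so the entry can be addressed literally. The function name Find-OddNames and the example path in the final comment are my own.

```powershell
# Added example (not from this thread). Lists entries in %TEMP% whose names have
# leading/trailing whitespace or non-printing characters and shows the exact
# code points, so a "ghost" name can be targeted precisely instead of guessed at.
function Find-OddNames {
    param([string]$Root = $env:TEMP)
    Get-ChildItem -LiteralPath $Root -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $n = $_.Name
        # Trim() catches leading/trailing blanks; \p{C} matches control, format
        # and other invisible Unicode characters.
        if ($n -ne $n.Trim() -or $n -match '\p{C}') {
            [pscustomobject]@{
                Name       = "[$n]"          # brackets make the blanks visible
                CodePoints = ($n.ToCharArray() | ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
                IsFolder   = $_.PSIsContainer
                FullName   = $_.FullName
            }
        }
    }
}

Find-OddNames | Format-Table -AutoSize -Wrap

# A name with a leading space deletes fine once quoted exactly, e.g.
#   Remove-Item -LiteralPath "$env:TEMP\ discord.rpc" -Recurse -Force
# Trailing spaces or dots are stripped by the Win32 path normaliser, so those
# need the \\?\ prefix, which cmd's rd/del passes through untouched
# (hypothetical path; replace it, keep the quotes):
#   cmd /c rd /s /q "\\?\C:\Users\me\AppData\Local\Temp\discord.rpc "
```

If the entry is still undeletable after that, the blocker is an open handle rather than the name, which is the Process Explorer case above.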