c6bd3da755f382466610ed96d363e701cf044819b925684896af26b797abaa6d

Target

DiscordSetup.exe
Size

79.1MB
MD5

3d99554cc8bdd96ab58483a21d821740
SHA1

85389db7e48c563d77cbef27e2f5724cbef4a151
SHA256

c6bd3da755f382466610ed96d363e701cf044819b925684896af26b797abaa6d
SHA512

be063484581b219ae27f6f515901bde14d03fa76adfe1bd33b9174a5551c719e09946548cd5acae0b5204dd21e6e349707cb06225a6d640a542eb15ec8aae183

Score

8^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 16 IoCs

Processes:

Update.exeDiscord.exeDiscord.exeUpdate.exeDiscord.exeDiscord.exeUpdate.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exe

pid	process
3140	Update.exe
2936	Discord.exe
1168	Discord.exe
2588	Update.exe
924	Discord.exe
2192	Discord.exe
3976	Update.exe
2836	Discord.exe
2124	Discord.exe
3192	Discord.exe
2284	Discord.exe
1316	Discord.exe
3764	Discord.exe
3872	Discord.exe
3680	Discord.exe
4992	Discord.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Discord.exeDiscord.exeDiscord.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	Discord.exe

Loads dropped DLL 32 IoCs

Processes:

Discord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exe

pid	process
2936	Discord.exe
1168	Discord.exe
924	Discord.exe
924	Discord.exe
924	Discord.exe
924	Discord.exe
2192	Discord.exe
2836	Discord.exe
2124	Discord.exe
2836	Discord.exe
3192	Discord.exe
2284	Discord.exe
3192	Discord.exe
3192	Discord.exe
3192	Discord.exe
1316	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3872	Discord.exe
3680	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
4992	Discord.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Discord = "C:\\Users\\Admin\\AppData\\Local\\Discord\\Update.exe --processStart Discord.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\Discord = "C:\\Users\\Admin\\AppData\\Local\\Discord\\Update.exe --processStart Discord.exe"	reg.exe

Drops file in Windows directory 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exereg.exereg.exereg.exereg.exeMicrosoftEdgeCP.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ca4ec009abdad701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\discord.com\ = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Discord\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9003\\Discord.exe\",-1"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\discord.com\NumberOfSubdom = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Discord	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersio = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Discord\ = "URL:Discord Protocol"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000b2421bfaac1ea217a4366d258fea9c3612db4aca80e5b914413272d30708e971bb5295a8970e8ea814071beec3afca4eda2cad57cc7f13bd41bc0c27	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Packa = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{8F6C731F-1149-4DC7-B67F-3B03F476C7FF} = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "t8comuk"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Discord\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9003\\Discord.exe\" --url -- \"%1\""	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 0100000036ec286720320c6ee4cdb589a3b96e12debd125f374dea1625cb88df19cded18c552dd47bf1ea02a1ba761f00e49aee1d1ae9466599a242b5b84048252c1cb71711638de97f3e956b1c64628b5092c68c70c230f34a014148512634ee53603e68c56dcab1c52e74ff94be96d9b9bacfef2f74438edfe1481fc956151cfccc7fc56349d07c1d9334880557077439e921bfa8f4df2d5563edb2d2e2f799023796fdfce2d4b672a2ab63304668fddb12c3831f58fd8f847d93dbffbe7b05bdc0dcb51467dd5bce31d522778fcd4f576e2c14b47c039e37114faf91d0b4c76959034dfba82d9bba541a59ad088517e8cc41c53a64d0f8d74e3b01cb508c66fef6e2d764cbe0161112628a02e6f3f979227b76a32aac54ff018f64be1cbcae08a8d6fd01aaedca0c589f10fb17d0ce82aec2a4f0ba4d72e858589cdc27a96dc06aed9b946ad200c63a4f3437911a452f3fb6e4951d33211d3641d8678639f9403856528efbabad6898bcbb5a5cc01a08c3d1c57245573487ab2a84e2485947d22e037e534beaf74d91e20a357e213fe971fc038a48fea1b1ac554d7a648cd527338cf7a5028e95a95	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe

Modifies registry key 1 TTPs 11 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

1484 reg.exe
3192 reg.exe
2188 reg.exe
4792 reg.exe
4844 reg.exe
1932 reg.exe
2076 reg.exe
3220 reg.exe
4048 reg.exe
604 reg.exe
4052 reg.exe

pid	process
1484	reg.exe
3192	reg.exe
2188	reg.exe
4792	reg.exe
4844	reg.exe
1932	reg.exe
2076	reg.exe
3220	reg.exe
4048	reg.exe
604	reg.exe
4052	reg.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Discord.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Discord.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Discord.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Discord.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Discord.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Discord.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Discord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exe

pid	process
2936	Discord.exe
2936	Discord.exe
2936	Discord.exe
2936	Discord.exe
2936	Discord.exe
2936	Discord.exe
2936	Discord.exe
2936	Discord.exe
2192	Discord.exe
2192	Discord.exe
2836	Discord.exe
2836	Discord.exe
2836	Discord.exe
2836	Discord.exe
2836	Discord.exe
2836	Discord.exe
2836	Discord.exe
2836	Discord.exe
2284	Discord.exe
2284	Discord.exe
1316	Discord.exe
1316	Discord.exe
2836	Discord.exe
2836	Discord.exe
2836	Discord.exe
2836	Discord.exe
2836	Discord.exe
2836	Discord.exe
2836	Discord.exe
2836	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3680	Discord.exe
3680	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
3764	Discord.exe
4992	Discord.exe
4992	Discord.exe
4992	Discord.exe
4992	Discord.exe
3764	Discord.exe
3764	Discord.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Discord.exe

pid process

3764 Discord.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

4420 MicrosoftEdgeCP.exe
4420 MicrosoftEdgeCP.exe

pid	process
3764	Discord.exe

pid	process
4420	MicrosoftEdgeCP.exe
4420	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

AUDIODG.EXEMicrosoftEdge.exeMicrosoftEdgeCP.exeAUDIODG.EXEAUDIODG.EXE

description	pid	process
Token: 33	968	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	968	AUDIODG.EXE
Token: SeDebugPrivilege	4144	MicrosoftEdge.exe
Token: SeDebugPrivilege	4144	MicrosoftEdge.exe
Token: SeDebugPrivilege	4144	MicrosoftEdge.exe
Token: SeDebugPrivilege	4144	MicrosoftEdge.exe
Token: SeDebugPrivilege	4488	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4488	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4488	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4488	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4144	MicrosoftEdge.exe
Token: 33	4172	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4172	AUDIODG.EXE
Token: 33	2160	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2160	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 13 IoCs

Processes:

Update.exeDiscord.exeDiscord.exe

pid	process
3140	Update.exe
2836	Discord.exe
2836	Discord.exe
2836	Discord.exe
2836	Discord.exe
2836	Discord.exe
2836	Discord.exe
2836	Discord.exe
2836	Discord.exe
2836	Discord.exe
2836	Discord.exe
3764	Discord.exe
3764	Discord.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

Discord.exeDiscord.exe

pid process

2836 Discord.exe
2836 Discord.exe
2836 Discord.exe
2836 Discord.exe
2836 Discord.exe
2836 Discord.exe
3764 Discord.exe
3764 Discord.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

4144 MicrosoftEdge.exe
4420 MicrosoftEdgeCP.exe
4420 MicrosoftEdgeCP.exe

pid	process
2836	Discord.exe
2836	Discord.exe
2836	Discord.exe
2836	Discord.exe
2836	Discord.exe
2836	Discord.exe
3764	Discord.exe
3764	Discord.exe

pid	process
4144	MicrosoftEdge.exe
4420	MicrosoftEdgeCP.exe
4420	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

DiscordSetup.exeUpdate.exeDiscord.exe

description	pid	process	target process
PID 3984 wrote to memory of 3140	3984	DiscordSetup.exe	Update.exe
PID 3984 wrote to memory of 3140	3984	DiscordSetup.exe	Update.exe
PID 3984 wrote to memory of 3140	3984	DiscordSetup.exe	Update.exe
PID 3140 wrote to memory of 2936	3140	Update.exe	Discord.exe
PID 3140 wrote to memory of 2936	3140	Update.exe	Discord.exe
PID 3140 wrote to memory of 2936	3140	Update.exe	Discord.exe
PID 2936 wrote to memory of 1168	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 1168	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 1168	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 2588	2936	Discord.exe	Update.exe
PID 2936 wrote to memory of 2588	2936	Discord.exe	Update.exe
PID 2936 wrote to memory of 2588	2936	Discord.exe	Update.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 924	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 2192	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 2192	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 2192	2936	Discord.exe	Discord.exe
PID 2936 wrote to memory of 1484	2936	Discord.exe	reg.exe
PID 2936 wrote to memory of 1484	2936	Discord.exe	reg.exe
PID 2936 wrote to memory of 1484	2936	Discord.exe	reg.exe
PID 2936 wrote to memory of 3192	2936	Discord.exe	reg.exe
PID 2936 wrote to memory of 3192	2936	Discord.exe	reg.exe
PID 2936 wrote to memory of 3192	2936	Discord.exe	reg.exe
PID 2936 wrote to memory of 1932	2936	Discord.exe	reg.exe
PID 2936 wrote to memory of 1932	2936	Discord.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe
"C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3984

C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
"C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3140

C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe
"C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe" --squirrel-install 1.0.9003
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2936

C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://sentry.io/api/146342/minidump/?sentry_key=384ce4413de74fe0be270abe03b2b35a "--annotation=_companyName=Discord Inc." --annotation=_productName=Discord --annotation=_version=1.0.9003 --annotation=prod=Electron --annotation=ver=13.4.0 --initial-client-data=0x44c,0x450,0x454,0x448,0x458,0x7e78820,0x7e78830,0x7e7883c
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1168

C:\Users\Admin\AppData\Local\Discord\Update.exe
C:\Users\Admin\AppData\Local\Discord\Update.exe --createShortcut Discord.exe --setupIcon C:\Users\Admin\AppData\Local\Discord\app.ico
4⤵
- Executes dropped EXE
PID:2588

C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe
"C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe" --type=gpu-process --field-trial-handle=1320,7194646145808296705,8828809692567994266,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1612 /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:924

C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe
"C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1320,7194646145808296705,8828809692567994266,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 /prefetch:8
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2192

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "C:\Users\Admin\AppData\Local\Discord\Update.exe --processStart Discord.exe" /f
4⤵
- Adds Run key to start application
- Modifies registry key
PID:1484

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
4⤵
- Modifies registry class
- Modifies registry key
PID:3192

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
4⤵
- Modifies registry class
- Modifies registry key
PID:1932

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe\",-1" /f
4⤵
- Modifies registry key
PID:2076

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe\" --url -- \"%1\"" /f
4⤵
- Modifies registry class
- Modifies registry key
PID:3220

C:\Users\Admin\AppData\Local\Discord\Update.exe
"C:\Users\Admin\AppData\Local\Discord\Update.exe" --processStart Discord.exe
1⤵
- Executes dropped EXE
PID:3976

C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe
"C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2836

C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://sentry.io/api/146342/minidump/?sentry_key=384ce4413de74fe0be270abe03b2b35a "--annotation=_companyName=Discord Inc." --annotation=_productName=Discord --annotation=_version=1.0.9003 --annotation=prod=Electron --annotation=ver=13.4.0 --initial-client-data=0x444,0x448,0x44c,0x440,0x450,0x7e78820,0x7e78830,0x7e7883c
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124

C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe
"C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe" --type=gpu-process --field-trial-handle=1580,561454713117208888,2815779892587479996,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1588 /prefetch:2
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3192

C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe
"C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1580,561454713117208888,2815779892587479996,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2284

C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe
"C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1580,561454713117208888,2815779892587479996,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2468 /prefetch:1
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1316

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
3⤵
- Modifies registry key
PID:2188

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
3⤵
- Modifies registry class
- Modifies registry key
PID:4048

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe\",-1" /f
3⤵
- Modifies registry class
- Modifies registry key
PID:604

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe\" --url -- \"%1\"" /f
3⤵
- Modifies registry key
PID:4052

C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe
"C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1580,561454713117208888,2815779892587479996,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-compositing --lang=en-US --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2840 /prefetch:1 --enable-node-leakage-in-renderers
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /q /d /s /c "C:\Program^ Files\NVIDIA^ Corporation\NVSMI\nvidia-smi.exe"
4⤵
PID:3812

C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe
"C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1580,561454713117208888,2815779892587479996,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3816 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3872

C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe
"C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1580,561454713117208888,2815779892587479996,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3164 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3680

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord
3⤵
- Modifies registry key
PID:4792

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "C:\Users\Admin\AppData\Local\Discord\Update.exe --processStart Discord.exe" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4844

C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe
"C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe" --type=gpu-process --field-trial-handle=1580,561454713117208888,2815779892587479996,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=816 /prefetch:2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4992

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3b4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4144

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4192

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4420

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x408
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x434
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Discord\SquirrelSetup.log
MD5
aa27b922d66377f894b2293112e6260e

SHA1
7b81e9dbf1fc44555a917cd468eb8c77a6cadf51

SHA256
4e810aaaf0320462d19d45fd150dc61dc95b3dc6601f40d426c2669775265870

SHA512
6c2616c6c258c9cb029c29bf6126e6d38c6ebf83712e05a1ac4e814732d0d342b684d87eebf6c7efa6a5b0ec7bcdc61318e30430e7ef3ed8221053bd9cbad9f5

Download Submit
C:\Users\Admin\AppData\Local\Discord\Update.exe
MD5
e039f56dc6315942bc3e3d9ad4d586e7

SHA1
5158b6bf1f2b278e9524d48fab8d9bfdcdf0ed50

SHA256
e510ae1a59dd629d0c03425bcc4457e68926fe7b204154d9eebce9d2985925a1

SHA512
2b20a423f7d54c1c3009a30f47ee7774e0b6170c03c3fbb63804551e43751d31bfa16762fb63dae0349a7e93e8009c98e9cec56bf6acc6151e283f7774619a60

Download Submit
C:\Users\Admin\AppData\Local\Discord\Update.exe
MD5
e039f56dc6315942bc3e3d9ad4d586e7

SHA1
5158b6bf1f2b278e9524d48fab8d9bfdcdf0ed50

SHA256
e510ae1a59dd629d0c03425bcc4457e68926fe7b204154d9eebce9d2985925a1

SHA512
2b20a423f7d54c1c3009a30f47ee7774e0b6170c03c3fbb63804551e43751d31bfa16762fb63dae0349a7e93e8009c98e9cec56bf6acc6151e283f7774619a60

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\D3DCompiler_47.dll
MD5
cd8a3be4d5871171fd0b107132d97be8

SHA1
415258c10477a49d0c046a12123ff7abe957612e

SHA256
4a62063a3c7efcf0faa3800a93fcd26728ef753d3b83bc919c12cebfb582f0f0

SHA512
4acb09bf0c4c8e704fa6e2a20d98c5ff17ef77fc30b8c86b975f5aff8d6448c6e521588106b7810a2c0ab4c5af63519821da590830b37cf2faec380c8ae9e2af

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe
MD5
1c13935aeff94d2473978482644cc599

SHA1
cbc38180cd5c659b0e48d95676b730b70f3de77f

SHA256
688709b3754c5446702062dff138369df87b5c21c865d40430628890b95f66db

SHA512
17b6b5e0dae4e3f1c50d0830fb17d1d8cc95715a79e0c73c8ba6a7be72d72c59800bf6dc0c273319c1e16aa9cc97384b634ce718b48d9193c9cf8108cdb5e144

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe
MD5
1c13935aeff94d2473978482644cc599

SHA1
cbc38180cd5c659b0e48d95676b730b70f3de77f

SHA256
688709b3754c5446702062dff138369df87b5c21c865d40430628890b95f66db

SHA512
17b6b5e0dae4e3f1c50d0830fb17d1d8cc95715a79e0c73c8ba6a7be72d72c59800bf6dc0c273319c1e16aa9cc97384b634ce718b48d9193c9cf8108cdb5e144

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe
MD5
1c13935aeff94d2473978482644cc599

SHA1
cbc38180cd5c659b0e48d95676b730b70f3de77f

SHA256
688709b3754c5446702062dff138369df87b5c21c865d40430628890b95f66db

SHA512
17b6b5e0dae4e3f1c50d0830fb17d1d8cc95715a79e0c73c8ba6a7be72d72c59800bf6dc0c273319c1e16aa9cc97384b634ce718b48d9193c9cf8108cdb5e144

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe
MD5
1c13935aeff94d2473978482644cc599

SHA1
cbc38180cd5c659b0e48d95676b730b70f3de77f

SHA256
688709b3754c5446702062dff138369df87b5c21c865d40430628890b95f66db

SHA512
17b6b5e0dae4e3f1c50d0830fb17d1d8cc95715a79e0c73c8ba6a7be72d72c59800bf6dc0c273319c1e16aa9cc97384b634ce718b48d9193c9cf8108cdb5e144

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe
MD5
1c13935aeff94d2473978482644cc599

SHA1
cbc38180cd5c659b0e48d95676b730b70f3de77f

SHA256
688709b3754c5446702062dff138369df87b5c21c865d40430628890b95f66db

SHA512
17b6b5e0dae4e3f1c50d0830fb17d1d8cc95715a79e0c73c8ba6a7be72d72c59800bf6dc0c273319c1e16aa9cc97384b634ce718b48d9193c9cf8108cdb5e144

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe
MD5
1c13935aeff94d2473978482644cc599

SHA1
cbc38180cd5c659b0e48d95676b730b70f3de77f

SHA256
688709b3754c5446702062dff138369df87b5c21c865d40430628890b95f66db

SHA512
17b6b5e0dae4e3f1c50d0830fb17d1d8cc95715a79e0c73c8ba6a7be72d72c59800bf6dc0c273319c1e16aa9cc97384b634ce718b48d9193c9cf8108cdb5e144

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe
MD5
1c13935aeff94d2473978482644cc599

SHA1
cbc38180cd5c659b0e48d95676b730b70f3de77f

SHA256
688709b3754c5446702062dff138369df87b5c21c865d40430628890b95f66db

SHA512
17b6b5e0dae4e3f1c50d0830fb17d1d8cc95715a79e0c73c8ba6a7be72d72c59800bf6dc0c273319c1e16aa9cc97384b634ce718b48d9193c9cf8108cdb5e144

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe
MD5
1c13935aeff94d2473978482644cc599

SHA1
cbc38180cd5c659b0e48d95676b730b70f3de77f

SHA256
688709b3754c5446702062dff138369df87b5c21c865d40430628890b95f66db

SHA512
17b6b5e0dae4e3f1c50d0830fb17d1d8cc95715a79e0c73c8ba6a7be72d72c59800bf6dc0c273319c1e16aa9cc97384b634ce718b48d9193c9cf8108cdb5e144

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe
MD5
1c13935aeff94d2473978482644cc599

SHA1
cbc38180cd5c659b0e48d95676b730b70f3de77f

SHA256
688709b3754c5446702062dff138369df87b5c21c865d40430628890b95f66db

SHA512
17b6b5e0dae4e3f1c50d0830fb17d1d8cc95715a79e0c73c8ba6a7be72d72c59800bf6dc0c273319c1e16aa9cc97384b634ce718b48d9193c9cf8108cdb5e144

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe
MD5
1c13935aeff94d2473978482644cc599

SHA1
cbc38180cd5c659b0e48d95676b730b70f3de77f

SHA256
688709b3754c5446702062dff138369df87b5c21c865d40430628890b95f66db

SHA512
17b6b5e0dae4e3f1c50d0830fb17d1d8cc95715a79e0c73c8ba6a7be72d72c59800bf6dc0c273319c1e16aa9cc97384b634ce718b48d9193c9cf8108cdb5e144

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\Discord.exe
MD5
1c13935aeff94d2473978482644cc599

SHA1
cbc38180cd5c659b0e48d95676b730b70f3de77f

SHA256
688709b3754c5446702062dff138369df87b5c21c865d40430628890b95f66db

SHA512
17b6b5e0dae4e3f1c50d0830fb17d1d8cc95715a79e0c73c8ba6a7be72d72c59800bf6dc0c273319c1e16aa9cc97384b634ce718b48d9193c9cf8108cdb5e144

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\app.ico
MD5
084f9bc0136f779f82bea88b5c38a358

SHA1
64f210b7888e5474c3aabcb602d895d58929b451

SHA256
dfcea1bea8a924252d507d0316d8cf38efc61cf1314e47dca3eb723f47d5fe43

SHA512
65bccb3e1d4849b61c68716831578300b20dcaf1cbc155512edbc6d73dccbaf6e5495d4f95d089ee496f8e080057b7097a628cc104fa8eaad8da866891d9e3eb

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\chrome_100_percent.pak
MD5
da26775fd7a54d4e8755fd667b5f70db

SHA1
6ff37c107fed247d3717c855287d5de3142a9531

SHA256
43b28df6f3428378a0a630492a3405e613bc816cd2a390c56e44cd6b49dbe5b4

SHA512
b16ccad1fc8c7dfc08d0d8877c05d41c494b1546836399e06bd04354b3e387c155d9d74812cf01e20dde946fdb2e547549599d8907d828ab1cebffa584d8db15

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\chrome_200_percent.pak
MD5
d4bd33dcff9d6361b6c985d958953373

SHA1
38f866b35cd642d4acb4f7efadc6d9f899b55d30

SHA256
abb69e43745fbd63be2933204ed98c387ae703487283509c65415867e3c867ab

SHA512
78a687ffac48b7d422bb33f43bbb8b7511879b287f20484c6fd591343428cff1d2cc07521b982eb4cba5a22324ee7f4dab031fdeff05462ca43b81a528c878f7

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\ffmpeg.dll
MD5
407ba824c9b7d2b78fcae3ec432edc95

SHA1
3de02857254717947d8eef639eab977ee3f68106

SHA256
70b31e0f5e3b088fff6346f990ec43e358984ddd2546e803a4d16f9febf49b37

SHA512
bda82d039054d66d59087cd36670a8c98537be4b198518722ee69ee8c4ec2d621aa63549f4965dc2abd215f5ee3947d6b7df024c52d4fae972d3d8342731ff19

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\icudtl.dat
MD5
80a7528515595d8b0bf99a477a7eff0d

SHA1
fde9a195fc5a6a23ec82b8594f958cfcf3159437

SHA256
6e0b6b0d9e14c905f2278dbf25b7bb58cc0622b7680e3b6ff617a1d42348736b

SHA512
c8df47a00f7b2472d272a26b3600b7e82be7ca22526d6453901ff06370b3abb66328655868db9d4e0a11dcba02e3788cc4883261fd9a7d3e521577dde1b88459

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\installer.db
MD5
07cdc0b21b7cdf66368b835ab883a294

SHA1
23c0b1a607c183e99ecb98978ab75ebeddb8e4b5

SHA256
574316b78ddacc5b38123b3a9bee9bd9cdfde2854e1e8850f633eefb44528463

SHA512
88d3d98de0ec3a95eb54b8e7d71239cdba9d15b9115b896c42dbfbedb887dc0e2b19f947162f914213f3696585ef6ef00879fcccb62718207a09ca13665ac08f

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\locales\en-US.pak
MD5
af5c77e1d94dc4f772cb641bd310bc87

SHA1
0ceeb456e2601e22d873250bcc713bab573f2247

SHA256
781ef5aa8dce072a3e7732f39a7e991c497c70bfaec2264369d0d790ab7660a4

SHA512
8c3217b7d9b529d00785c7a1b2417a3297c234dec8383709c89c7ff9296f8ed4e9e6184e4304838edc5b4da9c9c3fe329b792c462e48b7175250ea3ea3acc70c

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\resources.pak
MD5
272ebe38583668306068b8279ad20419

SHA1
e098918867c2aa0020bc7bf70466c2a1ac69b650

SHA256
987d662cf3c669c89c2e88216478cf317ab0ea99c1074ad711ba7d94f87439c6

SHA512
acc901974fa6b253ec5da72e46fe316194c64e0a5f20fdda3321b88af7de1b4fe07d3322306d1bf06422f247c7175db8752b7a6330a959f3a1198063dd0aca87

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\resources\app.asar
MD5
a6ef068d647227ef5ed00cedd647ac65

SHA1
a49f14b97341e10419ff8fde777a55bb4fc6701e

SHA256
24f9c1efd70c682715b61a6876911dbac70c1def99933ed8854285481fac7605

SHA512
36f222b8a5417482ff74e216591ff95b4838d34ca2607e0d7006c2d29390f05cb4d961b344ed36b910d6cc7dce2b810a5d83c69c9c7dccb8be9af0c2b4172c61

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\resources\build_info.json
MD5
e2bc5394ef2535b89f0a843bde4f386a

SHA1
33957d4aad2ae5fa3df8939c8aaeab791d86022b

SHA256
3455a01355c9ed76dcc6ba193943147b508c1463520c0ef71992d78c9d447ae7

SHA512
1ccb4bb5103fa551638e7f51ddf5a38818d09f8673575897544bf0ab6ebc80d8e65628caf187edbad8afbd83ab053084c2db051ecb072464596c91e2ad85a95b

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\swiftshader\libegl.dll
MD5
e2f0b2265c6cc828424c9f681c308b83

SHA1
ab0b2cc60ab5d1f04e13903eccdddde636aa04b6

SHA256
61f517bb5ac698a92beea73d2962b3252f11b63468053973a3d0817e162bd803

SHA512
6acbbb4f52633a225074e54e2bbfec4d631d86b849f2f098d4ae48ae4f6b705c874a72dea6211080a2fb60c5d02ef4f56ad85395966256b3768ed75ca0df0081

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\swiftshader\libglesv2.dll
MD5
ade2fe4065e8f0ebc6898f2835b0d96c

SHA1
e1b624cfd76267bc39b2afa2869cbb87b742c2d2

SHA256
251069a067131fdd4cc6f4237c93c3de087882fabea0dbcda49df28c6ad4b3a7

SHA512
d5462f84b9fa493cc73b18b32921b26077c1eded9758852571db1f311b2a504c4cd4d44c14c2f10108030908cbee59907093ae967031a5435912103280240d58

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\updater.node
MD5
840328c4430f4594df456f3d635265b8

SHA1
d8033a713be2f9df79e4ff01116c2220aa807cc6

SHA256
db9427191fd986ea05c9a11cf0afb6033deb1a034493f30861754406fe3c5038

SHA512
026b05c06eb0c33a70ef498282375b9de1fded1735811df9d21848836b6d68f33cb4c06a7e981e0300cc25971483b114be697cb2f0387bad69f1f5e108b3eb6e

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9003\v8_context_snapshot.bin
MD5
55996dd167b35c9c8348478ab602d4ba

SHA1
3a1f119ef7f65c7525f556599e1011c4a24c3cdb

SHA256
59a39e3608b76475950ccd44e8b6fa554e315b8844b650b66ca2f454b939a1ac

SHA512
05233744549f6a9a67ddccc6b522f11c7ffbe7ef98cf9de1818709b506b0f186f5c53178c9db47c44b2b9b22ba5e91396e1780d37d492c3fdac7d7ede495be34

Download Submit
C:\Users\Admin\AppData\Local\Discord\app.ico
MD5
084f9bc0136f779f82bea88b5c38a358

SHA1
64f210b7888e5474c3aabcb602d895d58929b451

SHA256
dfcea1bea8a924252d507d0316d8cf38efc61cf1314e47dca3eb723f47d5fe43

SHA512
65bccb3e1d4849b61c68716831578300b20dcaf1cbc155512edbc6d73dccbaf6e5495d4f95d089ee496f8e080057b7097a628cc104fa8eaad8da866891d9e3eb

Download Submit
C:\Users\Admin\AppData\Local\Discord\packages\Discord-1.0.9003-full.nupkg
MD5
24e50576eff5f4e60fe8c8ebab1796c8

SHA1
3a92638a0471f7dc9c12298d3b3fc71c84b6f4d9

SHA256
b5eb40bfdc4fcbac224e5acad0e46f188a71061edf36ea65e4e7e3817a3d8724

SHA512
2bb6dd433d2b093b7f751d0ffb3c0f6ed3f0d38bb5ede62987d300aa9f458f85124ca6677054fce93a616d646b03ca98413ad0e60e883fb447d5c07ce0e9862e

Download Submit
C:\Users\Admin\AppData\Local\Discord\packages\RELEASES
MD5
867e283b0f115cf51f1e3f917820a060

SHA1
bef3948d11f745dbbff3881636178a95cda9c65a

SHA256
fb83cde18197b12c25b69334903ec4b9ba5a2b64ad5a74f33fb6abe61bd7c58b

SHA512
75a0a64ce15f26b7d2ca61a00c885f3c54168525b6c5be4f4a4369a367f8d93f61aebc7d14f64aa65edd26b73b424e7c6f483ed85e4cbc7f5fe588a07aca71b9

Download Submit
C:\Users\Admin\AppData\Local\Discord\update.exe
MD5
e039f56dc6315942bc3e3d9ad4d586e7

SHA1
5158b6bf1f2b278e9524d48fab8d9bfdcdf0ed50

SHA256
e510ae1a59dd629d0c03425bcc4457e68926fe7b204154d9eebce9d2985925a1

SHA512
2b20a423f7d54c1c3009a30f47ee7774e0b6170c03c3fbb63804551e43751d31bfa16762fb63dae0349a7e93e8009c98e9cec56bf6acc6151e283f7774619a60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Update.exe.log
MD5
2244dc0b3273589a6f523d1132743c50

SHA1
aa3b1e074e6db473c5b29c613f96bdb1e055224f

SHA256
95360f53262f25f870960255268efe6213d026715336c1366db1a58b2b5e0f3f

SHA512
951c1be44dad2f68c35bbdc2a971316bc348298d91a1be97cc90eeb1e1082263473affc1117fd35ebff3744a70e19eb6c20cb587a059281ba1e24ee5636ea5d0

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Discord-1.0.9003-full.nupkg
MD5
24e50576eff5f4e60fe8c8ebab1796c8

SHA1
3a92638a0471f7dc9c12298d3b3fc71c84b6f4d9

SHA256
b5eb40bfdc4fcbac224e5acad0e46f188a71061edf36ea65e4e7e3817a3d8724

SHA512
2bb6dd433d2b093b7f751d0ffb3c0f6ed3f0d38bb5ede62987d300aa9f458f85124ca6677054fce93a616d646b03ca98413ad0e60e883fb447d5c07ce0e9862e

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES
MD5
867e283b0f115cf51f1e3f917820a060

SHA1
bef3948d11f745dbbff3881636178a95cda9c65a

SHA256
fb83cde18197b12c25b69334903ec4b9ba5a2b64ad5a74f33fb6abe61bd7c58b

SHA512
75a0a64ce15f26b7d2ca61a00c885f3c54168525b6c5be4f4a4369a367f8d93f61aebc7d14f64aa65edd26b73b424e7c6f483ed85e4cbc7f5fe588a07aca71b9

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
MD5
e039f56dc6315942bc3e3d9ad4d586e7

SHA1
5158b6bf1f2b278e9524d48fab8d9bfdcdf0ed50

SHA256
e510ae1a59dd629d0c03425bcc4457e68926fe7b204154d9eebce9d2985925a1

SHA512
2b20a423f7d54c1c3009a30f47ee7774e0b6170c03c3fbb63804551e43751d31bfa16762fb63dae0349a7e93e8009c98e9cec56bf6acc6151e283f7774619a60

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
MD5
e039f56dc6315942bc3e3d9ad4d586e7

SHA1
5158b6bf1f2b278e9524d48fab8d9bfdcdf0ed50

SHA256
e510ae1a59dd629d0c03425bcc4457e68926fe7b204154d9eebce9d2985925a1

SHA512
2b20a423f7d54c1c3009a30f47ee7774e0b6170c03c3fbb63804551e43751d31bfa16762fb63dae0349a7e93e8009c98e9cec56bf6acc6151e283f7774619a60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Discord Inc\Discord.lnk
MD5
8dd54da267fea3052611b980db803943

SHA1
cd5b95222702a1b241c5a95b9dd2fd544684394e

SHA256
7402edeee4b020511a58807dafc2ff9e328c7c9d087069d90d7454667eb9c86b

SHA512
6650af683541714452833192a70c143580c7985a328ab7c27957eca8b3e51afde0c3a3cf09fad9deeb660a9002cb0091038ac13c8d1f7d81bbf2e67523808195

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Crashpad\settings.dat
MD5
5f2531d18ee4a76b373928a99d6cd492

SHA1
1c04da979bda6716a1475add5722f9202cc73674

SHA256
2a20bde1e1089edb96d2842d39f272e7e45966124c3d3e1cec9c5ee0d8f22720

SHA512
bafacfba0c02dca19c3763bd278bee43569666a6dc2064974d2d7db1131b52678e97eb84eaa12a77d59c657829e3bf8ff1ef2e30d0bd5984716cf0d3ad45f55a

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Crashpad\settings.dat
MD5
5f2531d18ee4a76b373928a99d6cd492

SHA1
1c04da979bda6716a1475add5722f9202cc73674

SHA256
2a20bde1e1089edb96d2842d39f272e7e45966124c3d3e1cec9c5ee0d8f22720

SHA512
bafacfba0c02dca19c3763bd278bee43569666a6dc2064974d2d7db1131b52678e97eb84eaa12a77d59c657829e3bf8ff1ef2e30d0bd5984716cf0d3ad45f55a

Download Submit
C:\Users\Admin\Desktop\Discord.lnk
MD5
1aca363b49cec6046a00aebcfe5d227d

SHA1
0afe5bcbd66670a474756467025b3f34cb0cea03

SHA256
fdb5416197d83478ade1037b8566dcc93e9ed2ee8bc0b4ff79c7b84c5cc7ee6f

SHA512
3f45ff71102ee8cd53325ab9d0aca6a3999612df671f160c3626f18470a2138b1a7a3fd6888e3cc55d69b4f9a79e236663c4996d56bd2e404487916b878d6b94

Download Submit
\??\pipe\crashpad_2836_UFFLKPTIQYHLIOXJ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_2936_EXLLXDYLSPIWPPZM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9003\d3dcompiler_47.dll
MD5
cd8a3be4d5871171fd0b107132d97be8

SHA1
415258c10477a49d0c046a12123ff7abe957612e

SHA256
4a62063a3c7efcf0faa3800a93fcd26728ef753d3b83bc919c12cebfb582f0f0

SHA512
4acb09bf0c4c8e704fa6e2a20d98c5ff17ef77fc30b8c86b975f5aff8d6448c6e521588106b7810a2c0ab4c5af63519821da590830b37cf2faec380c8ae9e2af

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9003\d3dcompiler_47.dll
MD5
cd8a3be4d5871171fd0b107132d97be8

SHA1
415258c10477a49d0c046a12123ff7abe957612e

SHA256
4a62063a3c7efcf0faa3800a93fcd26728ef753d3b83bc919c12cebfb582f0f0

SHA512
4acb09bf0c4c8e704fa6e2a20d98c5ff17ef77fc30b8c86b975f5aff8d6448c6e521588106b7810a2c0ab4c5af63519821da590830b37cf2faec380c8ae9e2af

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9003\ffmpeg.dll
MD5
407ba824c9b7d2b78fcae3ec432edc95

SHA1
3de02857254717947d8eef639eab977ee3f68106

SHA256
70b31e0f5e3b088fff6346f990ec43e358984ddd2546e803a4d16f9febf49b37

SHA512
bda82d039054d66d59087cd36670a8c98537be4b198518722ee69ee8c4ec2d621aa63549f4965dc2abd215f5ee3947d6b7df024c52d4fae972d3d8342731ff19

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9003\ffmpeg.dll
MD5
407ba824c9b7d2b78fcae3ec432edc95

SHA1
3de02857254717947d8eef639eab977ee3f68106

SHA256
70b31e0f5e3b088fff6346f990ec43e358984ddd2546e803a4d16f9febf49b37

SHA512
bda82d039054d66d59087cd36670a8c98537be4b198518722ee69ee8c4ec2d621aa63549f4965dc2abd215f5ee3947d6b7df024c52d4fae972d3d8342731ff19

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9003\ffmpeg.dll
MD5
407ba824c9b7d2b78fcae3ec432edc95

SHA1
3de02857254717947d8eef639eab977ee3f68106

SHA256
70b31e0f5e3b088fff6346f990ec43e358984ddd2546e803a4d16f9febf49b37

SHA512
bda82d039054d66d59087cd36670a8c98537be4b198518722ee69ee8c4ec2d621aa63549f4965dc2abd215f5ee3947d6b7df024c52d4fae972d3d8342731ff19

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9003\ffmpeg.dll
MD5
407ba824c9b7d2b78fcae3ec432edc95

SHA1
3de02857254717947d8eef639eab977ee3f68106

SHA256
70b31e0f5e3b088fff6346f990ec43e358984ddd2546e803a4d16f9febf49b37

SHA512
bda82d039054d66d59087cd36670a8c98537be4b198518722ee69ee8c4ec2d621aa63549f4965dc2abd215f5ee3947d6b7df024c52d4fae972d3d8342731ff19

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9003\ffmpeg.dll
MD5
407ba824c9b7d2b78fcae3ec432edc95

SHA1
3de02857254717947d8eef639eab977ee3f68106

SHA256
70b31e0f5e3b088fff6346f990ec43e358984ddd2546e803a4d16f9febf49b37

SHA512
bda82d039054d66d59087cd36670a8c98537be4b198518722ee69ee8c4ec2d621aa63549f4965dc2abd215f5ee3947d6b7df024c52d4fae972d3d8342731ff19

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9003\ffmpeg.dll
MD5
407ba824c9b7d2b78fcae3ec432edc95

SHA1
3de02857254717947d8eef639eab977ee3f68106

SHA256
70b31e0f5e3b088fff6346f990ec43e358984ddd2546e803a4d16f9febf49b37

SHA512
bda82d039054d66d59087cd36670a8c98537be4b198518722ee69ee8c4ec2d621aa63549f4965dc2abd215f5ee3947d6b7df024c52d4fae972d3d8342731ff19

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9003\ffmpeg.dll
MD5
407ba824c9b7d2b78fcae3ec432edc95

SHA1
3de02857254717947d8eef639eab977ee3f68106

SHA256
70b31e0f5e3b088fff6346f990ec43e358984ddd2546e803a4d16f9febf49b37

SHA512
bda82d039054d66d59087cd36670a8c98537be4b198518722ee69ee8c4ec2d621aa63549f4965dc2abd215f5ee3947d6b7df024c52d4fae972d3d8342731ff19

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9003\ffmpeg.dll
MD5
407ba824c9b7d2b78fcae3ec432edc95

SHA1
3de02857254717947d8eef639eab977ee3f68106

SHA256
70b31e0f5e3b088fff6346f990ec43e358984ddd2546e803a4d16f9febf49b37

SHA512
bda82d039054d66d59087cd36670a8c98537be4b198518722ee69ee8c4ec2d621aa63549f4965dc2abd215f5ee3947d6b7df024c52d4fae972d3d8342731ff19

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9003\ffmpeg.dll
MD5
407ba824c9b7d2b78fcae3ec432edc95

SHA1
3de02857254717947d8eef639eab977ee3f68106

SHA256
70b31e0f5e3b088fff6346f990ec43e358984ddd2546e803a4d16f9febf49b37

SHA512
bda82d039054d66d59087cd36670a8c98537be4b198518722ee69ee8c4ec2d621aa63549f4965dc2abd215f5ee3947d6b7df024c52d4fae972d3d8342731ff19

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9003\ffmpeg.dll
MD5
407ba824c9b7d2b78fcae3ec432edc95

SHA1
3de02857254717947d8eef639eab977ee3f68106

SHA256
70b31e0f5e3b088fff6346f990ec43e358984ddd2546e803a4d16f9febf49b37

SHA512
bda82d039054d66d59087cd36670a8c98537be4b198518722ee69ee8c4ec2d621aa63549f4965dc2abd215f5ee3947d6b7df024c52d4fae972d3d8342731ff19

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9003\swiftshader\libEGL.dll
MD5
e2f0b2265c6cc828424c9f681c308b83

SHA1
ab0b2cc60ab5d1f04e13903eccdddde636aa04b6

SHA256
61f517bb5ac698a92beea73d2962b3252f11b63468053973a3d0817e162bd803

SHA512
6acbbb4f52633a225074e54e2bbfec4d631d86b849f2f098d4ae48ae4f6b705c874a72dea6211080a2fb60c5d02ef4f56ad85395966256b3768ed75ca0df0081

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9003\swiftshader\libEGL.dll
MD5
e2f0b2265c6cc828424c9f681c308b83

SHA1
ab0b2cc60ab5d1f04e13903eccdddde636aa04b6

SHA256
61f517bb5ac698a92beea73d2962b3252f11b63468053973a3d0817e162bd803

SHA512
6acbbb4f52633a225074e54e2bbfec4d631d86b849f2f098d4ae48ae4f6b705c874a72dea6211080a2fb60c5d02ef4f56ad85395966256b3768ed75ca0df0081

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9003\swiftshader\libGLESv2.dll
MD5
ade2fe4065e8f0ebc6898f2835b0d96c

SHA1
e1b624cfd76267bc39b2afa2869cbb87b742c2d2

SHA256
251069a067131fdd4cc6f4237c93c3de087882fabea0dbcda49df28c6ad4b3a7

SHA512
d5462f84b9fa493cc73b18b32921b26077c1eded9758852571db1f311b2a504c4cd4d44c14c2f10108030908cbee59907093ae967031a5435912103280240d58

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9003\swiftshader\libGLESv2.dll
MD5
ade2fe4065e8f0ebc6898f2835b0d96c

SHA1
e1b624cfd76267bc39b2afa2869cbb87b742c2d2

SHA256
251069a067131fdd4cc6f4237c93c3de087882fabea0dbcda49df28c6ad4b3a7

SHA512
d5462f84b9fa493cc73b18b32921b26077c1eded9758852571db1f311b2a504c4cd4d44c14c2f10108030908cbee59907093ae967031a5435912103280240d58

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9003\updater.node
MD5
840328c4430f4594df456f3d635265b8

SHA1
d8033a713be2f9df79e4ff01116c2220aa807cc6

SHA256
db9427191fd986ea05c9a11cf0afb6033deb1a034493f30861754406fe3c5038

SHA512
026b05c06eb0c33a70ef498282375b9de1fded1735811df9d21848836b6d68f33cb4c06a7e981e0300cc25971483b114be697cb2f0387bad69f1f5e108b3eb6e

Download Submit
memory/604-228-0x0000000000000000-mapping.dmp

Download
memory/924-161-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/924-159-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/924-160-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/924-156-0x0000000000000000-mapping.dmp

Download
memory/924-154-0x00000000775F2000-0x00000000775F3000-memory.dmp

Filesize
4KB

Download
memory/924-155-0x0000000000CFA000-0x0000000000CFB000-memory.dmp

Filesize
4KB

Download
memory/968-252-0x000001A2A1650000-0x000001A2A1652000-memory.dmp

Filesize
8KB

Download
memory/968-235-0x000001A2A1650000-0x000001A2A1652000-memory.dmp

Filesize
8KB

Download
memory/968-236-0x000001A2A1650000-0x000001A2A1652000-memory.dmp

Filesize
8KB

Download
memory/1168-136-0x0000000000000000-mapping.dmp

Download
memory/1168-139-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/1168-138-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download
memory/1316-223-0x0000000000000000-mapping.dmp

Download
memory/1316-225-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1316-226-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/1484-176-0x0000000000000000-mapping.dmp

Download
memory/1932-178-0x0000000000000000-mapping.dmp

Download
memory/2076-179-0x0000000000000000-mapping.dmp

Download
memory/2124-195-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2124-193-0x0000000000000000-mapping.dmp

Download
memory/2124-196-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2160-258-0x0000020F4DAB0000-0x0000020F4DAB2000-memory.dmp

Filesize
8KB

Download
memory/2160-257-0x0000020F4DAB0000-0x0000020F4DAB2000-memory.dmp

Filesize
8KB

Download
memory/2160-256-0x0000020F4DAB0000-0x0000020F4DAB2000-memory.dmp

Filesize
8KB

Download
memory/2188-222-0x0000000000000000-mapping.dmp

Download
memory/2192-173-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/2192-172-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/2192-170-0x0000000000000000-mapping.dmp

Download
memory/2284-214-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/2284-211-0x0000000000000000-mapping.dmp

Download
memory/2284-215-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/2588-143-0x0000000000000000-mapping.dmp

Download
memory/2588-151-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/2588-157-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/2836-188-0x0000000000000000-mapping.dmp

Download
memory/2836-190-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/2836-191-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/2936-125-0x0000000000000000-mapping.dmp

Download
memory/2936-127-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2936-128-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/3140-124-0x0000000007AC0000-0x0000000007AC1000-memory.dmp

Filesize
4KB

Download
memory/3140-115-0x0000000000000000-mapping.dmp

Download
memory/3140-123-0x0000000007140000-0x0000000007141000-memory.dmp

Filesize
4KB

Download
memory/3140-120-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/3140-118-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/3192-210-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/3192-205-0x00000000775F2000-0x00000000775F3000-memory.dmp

Filesize
4KB

Download
memory/3192-207-0x0000000000000000-mapping.dmp

Download
memory/3192-212-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/3192-177-0x0000000000000000-mapping.dmp

Download
memory/3192-206-0x0000000000ACA000-0x0000000000ACB000-memory.dmp

Filesize
4KB

Download
memory/3220-180-0x0000000000000000-mapping.dmp

Download
memory/3680-245-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/3680-240-0x0000000000000000-mapping.dmp

Download
memory/3680-243-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download
memory/3764-230-0x0000000000000000-mapping.dmp

Download
memory/3764-232-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3764-233-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download
memory/3812-246-0x0000000000000000-mapping.dmp

Download
memory/3872-244-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/3872-242-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/3872-238-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3872-237-0x00000000775F2000-0x00000000775F3000-memory.dmp

Filesize
4KB

Download
memory/3872-239-0x0000000000000000-mapping.dmp

Download
memory/3976-187-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/4048-204-0x0000000000000000-mapping.dmp

Download
memory/4052-229-0x0000000000000000-mapping.dmp

Download
memory/4172-254-0x0000025CDDE90000-0x0000025CDDE92000-memory.dmp

Filesize
8KB

Download
memory/4172-255-0x0000025CDDE90000-0x0000025CDDE92000-memory.dmp

Filesize
8KB

Download
memory/4172-253-0x0000025CDDE90000-0x0000025CDDE92000-memory.dmp

Filesize
8KB

Download
memory/4792-247-0x0000000000000000-mapping.dmp

Download
memory/4844-248-0x0000000000000000-mapping.dmp

Download
memory/4992-250-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/4992-251-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/4992-249-0x0000000000000000-mapping.dmp

Download