249bdaa4332b3e1a3a2148d4fd587a42bd48615af556d1c72da51c55bb2ca697

Analysis

max time kernel
162s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BetterDiscord-Windows.exe
Size

75.1MB
MD5

43327119366e52928b9aed0c1e734389
SHA1

3777d8387fba8528b6e433a8e763df5dcd542a48
SHA256

249bdaa4332b3e1a3a2148d4fd587a42bd48615af556d1c72da51c55bb2ca697
SHA512

bda75994e6dcf5bc9e5b45d025894d62d0138a9d39c47255cd3b6b6e32f60de973da54bf85de57e8f0ca8a253bf414697c4b06e887d45dded90485ce6832e7f4
SSDEEP

1572864:DMKQ/QO4cQ0dPUnqZUPsziv5IANK+4ZYPDHdH/I1z/dHazC:DzXr50lUnqEneWlWYj21zaC

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BetterDiscord.exeBetterDiscord.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	BetterDiscord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation	BetterDiscord.exe

Executes dropped EXE 5 IoCs

Processes:

BetterDiscord.exeBetterDiscord.exeBetterDiscord.exeBetterDiscord.exeBetterDiscord.exe

pid process

4612 BetterDiscord.exe
1924 BetterDiscord.exe
2884 BetterDiscord.exe
4920 BetterDiscord.exe
3128 BetterDiscord.exe

pid	process
4612	BetterDiscord.exe
1924	BetterDiscord.exe
2884	BetterDiscord.exe
4920	BetterDiscord.exe
3128	BetterDiscord.exe

Loads dropped DLL 11 IoCs

Processes:

BetterDiscord-Windows.exeBetterDiscord.exeBetterDiscord.exeBetterDiscord.exeBetterDiscord.exeBetterDiscord.exe

pid	process
3508	BetterDiscord-Windows.exe
3508	BetterDiscord-Windows.exe
3508	BetterDiscord-Windows.exe
4612	BetterDiscord.exe
1924	BetterDiscord.exe
2884	BetterDiscord.exe
1924	BetterDiscord.exe
1924	BetterDiscord.exe
4920	BetterDiscord.exe
1924	BetterDiscord.exe
3128	BetterDiscord.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

BetterDiscord.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	BetterDiscord.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	BetterDiscord.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	BetterDiscord.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

BetterDiscord.exeBetterDiscord.exeBetterDiscord.exe

pid	process
2884	BetterDiscord.exe
2884	BetterDiscord.exe
4920	BetterDiscord.exe
4920	BetterDiscord.exe
3128	BetterDiscord.exe
3128	BetterDiscord.exe
3128	BetterDiscord.exe
3128	BetterDiscord.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

BetterDiscord-Windows.exeBetterDiscord.exe

description	pid	process	target process
PID 3508 wrote to memory of 4612	3508	BetterDiscord-Windows.exe	BetterDiscord.exe
PID 3508 wrote to memory of 4612	3508	BetterDiscord-Windows.exe	BetterDiscord.exe
PID 3508 wrote to memory of 4612	3508	BetterDiscord-Windows.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 1924	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 2884	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 2884	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 2884	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 4920	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 4920	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 4920	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 3128	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 3128	4612	BetterDiscord.exe	BetterDiscord.exe
PID 4612 wrote to memory of 3128	4612	BetterDiscord.exe	BetterDiscord.exe

C:\Users\Admin\AppData\Local\Temp\BetterDiscord-Windows.exe
"C:\Users\Admin\AppData\Local\Temp\BetterDiscord-Windows.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3508

C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4612

C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe
"C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe" --type=gpu-process --field-trial-handle=1668,10232548437653211320,16904434307207636789,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1600 /prefetch:2
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924

C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe
"C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1668,10232548437653211320,16904434307207636789,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2884

C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe
"C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe" --type=renderer --field-trial-handle=1668,10232548437653211320,16904434307207636789,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2364 /prefetch:1
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4920

C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe
"C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe" --type=gpu-process --field-trial-handle=1668,10232548437653211320,16904434307207636789,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1576 /prefetch:2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe

Filesize
2.1MB

MD5
e776ef5a782b5e44f5d93080742076f3

SHA1
5f0a011d1df00452a614aec9f0b9a9f0a929a3b7

SHA256
f51cdc318077e7237814e22eb5f1cd1c65c1adee2262ce7fb4e060f21989931b

SHA512
650b5b6d174e32639bdcb478c91862ea02274de018dde66d5c8e6c99d5e14f906d1f3e16e1a8f7d1c9332ebf45cf0bf7a7f926bd625b442725578a8ba4fd5b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe

Filesize
2.2MB

MD5
92447828741ac50fbe8b6d40649a3811

SHA1
b5668c5e2a183b222114588220d87a82b4149e88

SHA256
8f392a7a8cee5827096851502bb22e51c18464631be44da130c9dec3acad021f

SHA512
da349a45b65c564ac08137e5bef60279e48ffed3fc30f6a898818bd34334d8216c7901c85f0ffedf2226a274e6090f35169a08803a088851cb204dfc6f3de666

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe

Filesize
1.4MB

MD5
61ab33082a3d3e4ac354bed704b57a25

SHA1
3a15419339091a96c8eb9543663aaf5b723a15c7

SHA256
bdce17c62882a446f610812e863d8acd2710871c62014e60964c308300ce675e

SHA512
c8033d81650f217fa1b37b370de12aac98fae7758aa835edaf186fae2ee3048943e7cbe2c688193167b0500cf9ce63faffafee9be0f564b2eaa7ced89af1392b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe

Filesize
192KB

MD5
abde0bf1c44f00474bfb6fde5bb23580

SHA1
80780d5a96b127cbc231a8382a848e28f190f425

SHA256
a16c812a38b2ba0768da3de74e7c607e3385e095f65f0b96a705686e542c8bdf

SHA512
a40e5ba1b4192284d6af1a85114b25fe9d1be5f4c39c96693bd0cbbb484dbea99016f4f6441b4149929f07da20423d9e4281b9d1c4726290235b9096caeee5a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe

Filesize
3.1MB

MD5
5db212962543c3e1feebbfd987db6b91

SHA1
2a957e144d88aada322fc8207fdae547bd4ec221

SHA256
d16e4e16cdcec923356221ddc5f8b8c61e49c865b30c569aa096a303d8f54b79

SHA512
2a03b4e6531d247cacc0f870c2a6e90e6e22bb228048c13c6320a9737778f7c4c4d71d76082eae211ddeedcd596d4ae439fd0e18d26366ca613cb35f0c3ebb4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe

Filesize
2.3MB

MD5
f11db23369432dde4885cbb81ed02868

SHA1
2e723a467112a871d342de7f9301d99f701cfd1a

SHA256
e09274b0cc1eb88f68a674775e4c1205d06fb7811715aa1aded496996c0b0f53

SHA512
1ee6f8dc0894e690ae107f6571a6c1817cce7e8f35faca6e56e6dfebb986f84817c9a7201198fab3af1c0bc3a14eaab44c997067323090e7e2454caea00cc314

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\chrome_100_percent.pak

Filesize
138KB

MD5
03aaa4f8525ba4b3e30d2a02cb40ab7a

SHA1
dd9ae5f8b56d317c71d0a0a738f5d4a320a02085

SHA256
c3f131faeefab4f506bf61c4b7752a6481f320429731d758ef5413a2f71441f7

SHA512
c89a1b89b669602ba7c8bf2c004755cac7320189603fecb4f4c5cf7a36db72da651c7b613607146f0c6da9eec5df412c7fba75475352192351c02aebdaa7d9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\chrome_200_percent.pak

Filesize
202KB

MD5
7d4f330a5443eadf32e041c63e7e70ad

SHA1
26ce6fb98c0f28f508d7b88cf94a442b81e80c88

SHA256
b8704be578e7396ee3f2188d0c87d0ede5c5702e9bb8c841b5f8d458abf1356d

SHA512
f1b9b0dd7396863aa0feca06175b7f9ea0be4122351ecf0a0549ee4c34f85ac8c63cc927d7409a40b6e19fa91d2cb00a145616ba19f47045b2345bfbc2d4802d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\d3dcompiler_47.dll

Filesize
512KB

MD5
12afb7ba9d6d6a9d8608d2d125816cce

SHA1
89785cafd77d8b05fb9ba7958438677582635f92

SHA256
22e28d89f50e5105ed566a65384b15c5f40b2acca0fedaf0137fd0b3edc72cb0

SHA512
f561160a2d763ec0f9069a8265db67c0399d6218415cadff7d66f68d38219da0b75fe7795581704dd21e23b9dcf5732a2d206aaecb7b46e52fab6692346d49a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\ffmpeg.dll

Filesize
2.5MB

MD5
d2cc6fc3a7b6c5bcca5fae428fe799e0

SHA1
89cba6e9195cf95a7aa993d7aaadb331392b3bda

SHA256
0d4ebdd32f016c6eb203aef4c70ad2f93fa68e5b9e92087a862b21f8133c7319

SHA512
34f7e6c49ff2a230abc7c5aeeebc5ec628f07170c4638b3bfc5897a645fa5f167c54230373a39021548e0aceba50c35ef730e4ecb454bb4d882df2d699c86736

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\ffmpeg.dll

Filesize
2.1MB

MD5
26c8389bd67194062b7a0e5ab2341345

SHA1
3e8572880fddd3ec3593a2cd94cb54703d4fe9a3

SHA256
c37dea91d60b6dfb1d5035a22203af057bfa45b8b36cdcc550493d0d2001f37e

SHA512
aa481640785d1b9ccc6c5ece8b60d9b6edd1bc09b3e4417152f22626f9eee856412beb6c2aef6cbc11da40b6a2f612027bd7c23cd5e0c8bc44bb3defa2431423

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\ffmpeg.dll

Filesize
256KB

MD5
0155044b36e7d85cef10529813ca0403

SHA1
c196cf374bd34665eb402407425fa431d5f5c3f8

SHA256
f9a3cd7a6c2dedee5a4151221984d9ecf412292f53fd366684c95b281ea5172f

SHA512
ad38dd727b0bab8718b9a76a47c058c88b71e768e155c71ca200b28b9960f4622514a1a9ee23e62a2ee4eb64e88bb08ccd8990d631cbbc14d197c245af44af05

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\ffmpeg.dll

Filesize
2.2MB

MD5
057c123e04084ccdfb0cd9618e0e9f8d

SHA1
fc3ec38f8d8b8ca23132a8203cd54d5682352186

SHA256
b79cd0662e698b562bac498f6be5f4b14450ecb255b082499468275ee8415179

SHA512
bad3911b4554024198e5f4420968a0f54373207afa1ccde2473191fb354a23c6fc161c91c3efbdac87baf67a12128d6c25b4ca73b15be13da4191f430e6aeb48

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\ffmpeg.dll

Filesize
2.4MB

MD5
9b8611dfc1dc19271d5997d49082448d

SHA1
36e5af088b51a4e2236c1125a5c00002df412ac4

SHA256
dcec33c1196f75732e15fc40f49ce1b2a54613f705f18052ef5a50d7607fd6b1

SHA512
777064c0948d6ad57a7d8c209ee7904380aae98e19e1b097cb372a1b6321a3b5d2c02b60ff140151f345da66cd26f68421706f693669876c27aa8b42c61cfc5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\icudtl.dat

Filesize
1.6MB

MD5
84fa97630a999718d26de27e7ce17c3d

SHA1
28f92cbdad515597488cc2e87482c9b6656e3563

SHA256
90f42b7b95d1766f61049248cb15c3f32f6113eaa62e52667383e54d66201ac4

SHA512
599f96f054ac26e539d90f65fe3ee956f1250346a4f2b1f86c38510d362080a8846aec37924319323af7200c27f9069ed8378e3acfdb9e313a3ea0d769ea668d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\libEGL.dll

Filesize
256KB

MD5
d502d6990ab4dcab85e23350aa2c6d97

SHA1
eca535da749da437ae99a5cc7b9f67e0185ff3b4

SHA256
ac198f3c585c8bf9cf9358013067860eb9b03d0ba17fe0b8868ae15ff0ca5d40

SHA512
adcb2d7a85dbe3ff4f9998718623499dc89d23dcc570b0a9bb562483d0986b96529d8c074c20b2d4ae05fb807bcc19eed1f18875b844e8d8b8a244a2b4f37b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\libGLESv2.dll

Filesize
256KB

MD5
9063708c6bc46e82f3424b2d860d9393

SHA1
dd0bc6fcd5cb3f0a37941071efdc4d5957a23dcf

SHA256
e400eae04761d6084cfd4ee46ee896dd1cb7aac24f0df7f52d605e58934b8397

SHA512
fad1276039b88f6b9c4b35d88626591be6dae554033e495b8973155e8e28e33cbe371702101e73685063dabecaa2e12596cc75cd820e1d85ecc487cee2628d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\libegl.dll

Filesize
241KB

MD5
f5d3772fc445d68d2a56a0b237b30496

SHA1
3c16a20cfaf79cafe42b5360fc1c3566f731ceb0

SHA256
cc3e9604a7188ef11a979cd45d2a44f5719448a05fb44677ccc6a5f7ec666050

SHA512
6dff4daa2c5edff8af77ff80a824d7f069e3f15bb105d1c231f579dcedb384c6a7877caa09970c1d2a910d03173d0cb53d1cac550fd9fe50a6757d693dfb1b97

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\libglesv2.dll

Filesize
640KB

MD5
93bafdce19c424c165bc541b4181d317

SHA1
dff870f27ffddb18de550c1924210cc05652987b

SHA256
f872aaa379c26d90163b45cce9d046aacdd036938fc9548020a8b30eb5f1eb53

SHA512
576dc4853355db5c069875c6091d9bd4c009133fa102b58031e333cbf139e1fd8015d5782de3dd44593c0e33b2aec85eb577d7fba79291c3a15f5f0f9228b62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\locales\en-US.pak

Filesize
88KB

MD5
af5c77e1d94dc4f772cb641bd310bc87

SHA1
0ceeb456e2601e22d873250bcc713bab573f2247

SHA256
781ef5aa8dce072a3e7732f39a7e991c497c70bfaec2264369d0d790ab7660a4

SHA512
8c3217b7d9b529d00785c7a1b2417a3297c234dec8383709c89c7ff9296f8ed4e9e6184e4304838edc5b4da9c9c3fe329b792c462e48b7175250ea3ea3acc70c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\resources.pak

Filesize
2.3MB

MD5
c3b63fca585f164105163125ec72fe00

SHA1
a0763ed5a6f5396a6bd6b6192f50584fbc30eae5

SHA256
48bd19afb1e54e4d267959da5434267daecefe5892970a8e646c1ea7ea4c62f2

SHA512
b8b4ca665cd558f10b3b12ce2599d468203e3d94e37db6439addca20bcb68e823bb393ce38285aeef3dfe7ad9eaa6463c244c70f68aa3e2ba43eef1e25a27ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\resources\app.asar

Filesize
153KB

MD5
be12ac7aef84eac5632efcefe79fe3ac

SHA1
ea24f73ccb440d664eafed8b7d31b1d01769b1d7

SHA256
09e7ee3b9d6af3d312facea5c1a1614fb3319814ded52a0eec8d888cc1032f75

SHA512
3c60fda9aed7388c386287c971a8bffce59b02ecd5e23010359a1056e46cafc2deed32fda0c97a5eb1b11055f949eb5ce4b67244541b28d71c5f6320380836d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\resources\assets\images\background.png

Filesize
297B

MD5
32338b60ff8368fd431b32109eae89d2

SHA1
7a3a844f2e6371c8f3a08a142e2e792a6e77105a

SHA256
1d370406c3b0c6bfe109feb76229fd4a0fe1d4171ae2a77655a0fd3264558d2f

SHA512
be71b3dcc24cea203d59e08d8a4082dcf253eb02a971e67034f8cc0930f6af72830b1e35430cc861c08341082156585adcedcbfc788a83ec35fbd78107e20f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\resources\assets\license.txt

Filesize
2KB

MD5
f31549cdc3abfa48981759862a07519e

SHA1
1168fdb04883a65057168eaccb75e153aa3fe438

SHA256
267c8e6f5387fa5d54290044d30a5da427be3597fa7815c32689a533eaee8886

SHA512
f084f518eafc6a58c377c3f80d8a186d9a1d55473afc931bb913adb1fa6fd0bbbc2ba09a30ea39283cd5327079278ae7babea6a74b93a7f2d7cb48bfbba95795

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\v8_context_snapshot.bin

Filesize
161KB

MD5
d88d23551a4d7230f98fe0cbd363695b

SHA1
8e28eb4153e00aa5345bdb539b925a777588a26b

SHA256
72c3c123f10eb6e24c83ee40727a3a632cf7a8b062a3b7c7b41db4bfeda52ce4

SHA512
ea757e91c7cfc766b35da226263e82646f5b1153b8800c5cd69321d98b6d424413dcd7a02413a6a0e2f34905daf84bd21302b7ad58f2ebd814a7ac0a92b9d284

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk45BF.tmp\BgImage.dll

Filesize
7KB

MD5
487368e6fce9ab9c5ea053af0990c5ef

SHA1
b538e37c87d4b9a7645dcbbd9e93025a31849702

SHA256
e27efa5dfde875bd6b826fafb4c7698db6b6e30e68715a1c03eb018e3170fc04

SHA512
bb3ed4c0d17a11365b72653112b48c8c63ab10590dda3dfd90aa453f0d64203000e4571c73998063352240e1671d14da5ee394439899aaa31054fa2e9b722ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk45BF.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk45BF.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Roaming\BetterDiscord Installer\Network Persistent State

Filesize
175B

MD5
2b7e4377653e6e07536efe7fc1bd78a7

SHA1
cdd9c03b91e368bc14c4ac0ff7204ee698fa285d

SHA256
bd367325bb3c469e1aa6dcff50b6296b9b8d5bf5bed538f01f36c29b0603511a

SHA512
5dae5ba1af5ae6e52a39092bc5b4ebb454906c919735ab5b7f7a4c84a487e26376f68aee9c86265142e03c0f163cc0623094fa4f2936bff17504c2059ba112dc

Download Submit
C:\Users\Admin\AppData\Roaming\BetterDiscord Installer\Network Persistent State~RFe5983ad.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit