249bdaa4332b3e1a3a2148d4fd587a42bd48615af556d1c72da51c55bb2ca697

Analysis

max time kernel
158s
max time network
174s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-02-2024 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BetterDiscord-Windows.exe
Size

75.1MB
MD5

43327119366e52928b9aed0c1e734389
SHA1

3777d8387fba8528b6e433a8e763df5dcd542a48
SHA256

249bdaa4332b3e1a3a2148d4fd587a42bd48615af556d1c72da51c55bb2ca697
SHA512

bda75994e6dcf5bc9e5b45d025894d62d0138a9d39c47255cd3b6b6e32f60de973da54bf85de57e8f0ca8a253bf414697c4b06e887d45dded90485ce6832e7f4
SSDEEP

1572864:DMKQ/QO4cQ0dPUnqZUPsziv5IANK+4ZYPDHdH/I1z/dHazC:DzXr50lUnqEneWlWYj21zaC

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

BetterDiscord.exeBetterDiscord.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	BetterDiscord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	BetterDiscord.exe

Executes dropped EXE 5 IoCs

Processes:

BetterDiscord.exeBetterDiscord.exeBetterDiscord.exeBetterDiscord.exeBetterDiscord.exe

pid process

4588 BetterDiscord.exe
1840 BetterDiscord.exe
3448 BetterDiscord.exe
4540 BetterDiscord.exe
5020 BetterDiscord.exe

pid	process
4588	BetterDiscord.exe
1840	BetterDiscord.exe
3448	BetterDiscord.exe
4540	BetterDiscord.exe
5020	BetterDiscord.exe

Loads dropped DLL 11 IoCs

Processes:

BetterDiscord-Windows.exeBetterDiscord.exeBetterDiscord.exeBetterDiscord.exeBetterDiscord.exeBetterDiscord.exe

pid	process
868	BetterDiscord-Windows.exe
868	BetterDiscord-Windows.exe
868	BetterDiscord-Windows.exe
4588	BetterDiscord.exe
1840	BetterDiscord.exe
3448	BetterDiscord.exe
1840	BetterDiscord.exe
4540	BetterDiscord.exe
1840	BetterDiscord.exe
1840	BetterDiscord.exe
5020	BetterDiscord.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

BetterDiscord.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	BetterDiscord.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	BetterDiscord.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	BetterDiscord.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

BetterDiscord.exeBetterDiscord.exeBetterDiscord.exe

pid	process
3448	BetterDiscord.exe
3448	BetterDiscord.exe
4540	BetterDiscord.exe
4540	BetterDiscord.exe
5020	BetterDiscord.exe
5020	BetterDiscord.exe
5020	BetterDiscord.exe
5020	BetterDiscord.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

BetterDiscord-Windows.exeBetterDiscord.exe

description	pid	process	target process
PID 868 wrote to memory of 4588	868	BetterDiscord-Windows.exe	BetterDiscord.exe
PID 868 wrote to memory of 4588	868	BetterDiscord-Windows.exe	BetterDiscord.exe
PID 868 wrote to memory of 4588	868	BetterDiscord-Windows.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 1840	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 3448	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 3448	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 3448	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 4540	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 4540	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 4540	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 5020	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 5020	4588	BetterDiscord.exe	BetterDiscord.exe
PID 4588 wrote to memory of 5020	4588	BetterDiscord.exe	BetterDiscord.exe

C:\Users\Admin\AppData\Local\Temp\BetterDiscord-Windows.exe
"C:\Users\Admin\AppData\Local\Temp\BetterDiscord-Windows.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:868

C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4588

C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe
"C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe" --type=gpu-process --field-trial-handle=1608,5850999982062268880,7709916918379497912,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1628 /prefetch:2
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1840

C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe
"C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1608,5850999982062268880,7709916918379497912,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3448

C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe
"C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe" --type=renderer --field-trial-handle=1608,5850999982062268880,7709916918379497912,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2388 /prefetch:1
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4540

C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe
"C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe" --type=gpu-process --field-trial-handle=1608,5850999982062268880,7709916918379497912,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3708 /prefetch:2
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4080 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
1⤵
PID:4060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe

Filesize
269KB

MD5
e378bac90ba1eaff7aa9956f46c6124c

SHA1
bbe12a811563a3a3098acf2e80ef2f3180653763

SHA256
229dcb7e85541ee7f90e35238fc4f62f17db4546a6eef9e944b6442946b36aa5

SHA512
0e62364837e143f9eea104c5715f4d98bfc1a9e5dc567ac7dde43b85230e271b08987c918476e9ac233bc62af061ff634b1bd2a4d42f0858dceb494e45d89322

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe

Filesize
57KB

MD5
d4bc8954283b0680499c30de52f87496

SHA1
92742d9b1fcdf82f2290887d004862432bb3ff9d

SHA256
e0134ca665be0c31a462c7ffb5caa24d6c59066b9517d258daf894b08aa1d666

SHA512
386f9a3a7b2ac028a1c1c5d535a0dc1cb20dbf3139a4e5e2abe36d98c48be220b91bfee619607968b3c1525d8243c9fa3e4d205d670fe4f3d7964d4bdd29faf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe

Filesize
475KB

MD5
7c150e07627f0322bfb4c44aaa406b5e

SHA1
b8d4eeda4eaa90b432983096cd0b008f9f68071f

SHA256
9be0f5284187e6ad109a3e9671373ec5691b54f97e0cc609c9bd207ce1d98520

SHA512
4db4b72167a75467f33d08e785ebc950336776229b333f94b6f8c092a26efd2f6a3e14fed9862c6e37f0623ff150aa0a0f4277ad6ae4901172eae3b5a86b0509

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe

Filesize
524KB

MD5
71af2215584b2635b5831ff134ca2dfc

SHA1
91f535798cf8ed4c2eb890c9dafcaf79654f4152

SHA256
f06c86e0bd55332d55f5fe9704235d9bff24064fa371edacd7b5227175cafd3e

SHA512
57e8e87642a539ad27dc0365d543876735b5f73746923fa506b21bab811901c082a57ca33bfdda8878068fe99dda762996ada49f6390f427f6676b2da42549b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe

Filesize
1.6MB

MD5
9174b338dcba36ce2e0046a149e33333

SHA1
45821e10ae28cf26e65a3e20c46fc7c047c96a84

SHA256
d1ba21701c20f61d66bf7df49e1fddfa6464b1b5121555c116e9bf89459e9191

SHA512
955c5cd1519a4b01c47f3c3fb702e80697e824c371a2f22aa9072bbe61095962e04f42a2a7d0f344703b71333ae4f80353a1ab787a467d321cf21aa16f2bff4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\BetterDiscord.exe

Filesize
2.4MB

MD5
851d4660cf2f06a1e692400235626a4f

SHA1
88161c66fb2bfc8f7642b50350693de31d56bde7

SHA256
0f3fccd7e77ff516080b4d6f634837aff2cda279c1c6802a789a13eee8f60a0c

SHA512
cc414856a57e9cea56341f3c7d16b028397991d9a6989632befaa7c6a3de3b084ef4d50cb9b23f86fab9a3573161efbe0529e45f591ef58ebdfa897d8350a8cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\D3DCompiler_47.dll

Filesize
886KB

MD5
cb28f915e783f6b608771e7b9693d67c

SHA1
08fd65349d23b013e063b8aec71eda108c774fe5

SHA256
7d240d1e8e4b4fc23e9e1d49fd236315878e7e0467e10753e654f9baa177e4ae

SHA512
3508797762f0c87c3786f96cdce90efccf0ac7377ff5e68219da7782074ba3b8f1c7a396169a69f215bd145bfd62975d389229cac7a28bf5b4bf4401289f561f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\chrome_100_percent.pak

Filesize
138KB

MD5
03aaa4f8525ba4b3e30d2a02cb40ab7a

SHA1
dd9ae5f8b56d317c71d0a0a738f5d4a320a02085

SHA256
c3f131faeefab4f506bf61c4b7752a6481f320429731d758ef5413a2f71441f7

SHA512
c89a1b89b669602ba7c8bf2c004755cac7320189603fecb4f4c5cf7a36db72da651c7b613607146f0c6da9eec5df412c7fba75475352192351c02aebdaa7d9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\chrome_200_percent.pak

Filesize
202KB

MD5
7d4f330a5443eadf32e041c63e7e70ad

SHA1
26ce6fb98c0f28f508d7b88cf94a442b81e80c88

SHA256
b8704be578e7396ee3f2188d0c87d0ede5c5702e9bb8c841b5f8d458abf1356d

SHA512
f1b9b0dd7396863aa0feca06175b7f9ea0be4122351ecf0a0549ee4c34f85ac8c63cc927d7409a40b6e19fa91d2cb00a145616ba19f47045b2345bfbc2d4802d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\d3dcompiler_47.dll

Filesize
561KB

MD5
acd40aa433077967580667f16a3fbc1f

SHA1
ae80bfdba95ecca279847c1a16f3095fa1fb343d

SHA256
83d022f2af71c448748ef9c4dac3bc182e8405c9892cb0f8cbc7a1af72baa07d

SHA512
2c59bd6dc89ede40c290c5ba6465443595ed4429f86383dd6384ba7ae24afcff80046af834bf61cbb244eb26161baa00f3e3ec0ed334dd18aba5d4d61e62be63

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\ffmpeg.dll

Filesize
114KB

MD5
c64c1aa84c7c688488f76d6ade204a97

SHA1
a205eb7131fd7f3dcd7efdb2caf8ec91da8dc205

SHA256
9d7aeb54d95e8940d8ea47cb22532ec5acce3a425c5fa7f75a4547e5d4346891

SHA512
1a9ccc655d55ac18c18819b6974b293ab704ede3b3bb3f35081a1eea33b5479380296944cc230216e44c865a5050e427a061d6d48c98590e6896586b306ec7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\ffmpeg.dll

Filesize
128KB

MD5
3bdda1579863477f36559e51d129494a

SHA1
464874d806829a7749b1ae0d369f2bc948ad074f

SHA256
7a73c396fe5d72cc46ba86fec080e97756fb7347cc953e3c486c82178662a2cd

SHA512
7690d7098cf08ce446771e621f36ba897d444ad3937b9ad7d8f15f9f821bfa28a01b576eb81f1de87ec9b0d7f64341f73c874bc921f21b9cecc4c43e5db2b1d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\ffmpeg.dll

Filesize
923KB

MD5
9376947edb13cc30a03f4134726a20c0

SHA1
52c654b09c30fd8a5b353f54826fc21649945849

SHA256
ce13cd8dae7fad98d4c4b146052b422c7d21d741786ae44d1be24b709b37ef6f

SHA512
8f5a8aafc380988fbfccc499dc19877ad437b70d9881b9041069c3bf6d26aa215dff0855181e5b407cf9d20c6be041d4e7e723cc0457e1853fcffec644436ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\ffmpeg.dll

Filesize
589KB

MD5
a69f6aeb8141c00073adb5e7f3481c05

SHA1
b107deac53cc584e386a47cd150d1afec24af6fb

SHA256
a7514cf01ddb983582dfe27ef827ed636ea4810f8c78435f821a752efd04494e

SHA512
34bbc5880c38f2955c61ee475c724e22c01d934d93ba170bce00e09c7c7ecc0f5914c781e8c88f47950355cde2dd76885acff63bd19538d17dbb6cb29698f9d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\ffmpeg.dll

Filesize
2.2MB

MD5
ab37c85bcd6232fe028c82eaffdb8038

SHA1
5b72f0eff713595f010c708387453140f68bc8f8

SHA256
0bc2682348a2ba4027982b03c4ca5a02fc04339eae5ebe225547b7d5b2f36b17

SHA512
e2d670c8d8f9a4dc1fcccb7dd263b7e255e91ebaf16def80566f0080000d1c62a9559f3d85933b7300b87ae6354816c71fa431b8731328626635aa410887696a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\ffmpeg.dll

Filesize
2.0MB

MD5
8cd6dbfaa8ed2a35f5ef4e1f88720dfd

SHA1
91a95fd76a65206c6c3e316d875ee9a383860d80

SHA256
67cd481ba484305ab2698f89729071adf178d1d42fc0937cfa4d49bc53a56075

SHA512
fc5b7d244706fd326cfb1b085bb78c9a8c5353a56ca831fae84ad0ab766a62779d101fd8d0cef4be40f69cc668f3a81610690b724879cf3b8c6863abdb4fd8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\icudtl.dat

Filesize
1.6MB

MD5
b8f4669c217a3e4a3873d980f92f9e99

SHA1
31630a417dffdcfff45926a7dcd843b5d5ddf78f

SHA256
6ff2dc7aad8fe14beab6d92b140c4cd4cce357f5617cbd2a342f168c81d26bce

SHA512
23ef784299143c70deac2f9fe897b6e353f2874027baf01206a49406eb0d65653f74813f67f8e287bc1fa2b18a03197688c3aeb64ad2985adac7b493d40cc0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\libEGL.dll

Filesize
228KB

MD5
4e67db7db9d6328df298a4b480c05575

SHA1
7672f252ac7e7a1a3b760b5892c8ffeff4a097bf

SHA256
78b87526ad4eb799458b721b2fa3f3ddfea9a9058e3f2db7e5590508a3e800e6

SHA512
a1c85806fe43e17e4b69d00dfd06e74ad3468490043321d5489ba568c9bbd81607fefe9b46c87009e0b1f462cd997db68fef68dbcfc9a2ddd79010c1f9fa5699

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\libGLESv2.dll

Filesize
199KB

MD5
919a37104824d1d028a06226c5d8a22d

SHA1
3ccc2680ecaa642d58c386d0d09d5dbcc92e22ee

SHA256
9d35fb7a1f0f0f57b5c57812a25ecb6134a0eac25e4688d5b8a25b1ecf6e00f9

SHA512
22d500c2a0cb29d64b7c814928d39cb289239737a297f9ec5814768ae5622b6f09a8d0bcc8ee7bc0f1aceb558de639b0b935c81c2ba6af3b0fba935accc5d0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\libegl.dll

Filesize
240KB

MD5
e18c6b9f61be74d36f8d4b5324925c8e

SHA1
d9e613afd4e7d7a486b12dcc30e1aa2146f9d9fe

SHA256
dc7c5c50823c9b923cc77d4f527a6eedb729edfadc5bc5956613f9836324e804

SHA512
d07d8cbb8bd0afdda5855ec2ec804cffa3813c66ad6f6469783697d459e4af0b2b784b72ac29987f6d958e7f20fe9c2f2fc231848ca24a93dfea3a3e5a4fae6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\libglesv2.dll

Filesize
640KB

MD5
93bafdce19c424c165bc541b4181d317

SHA1
dff870f27ffddb18de550c1924210cc05652987b

SHA256
f872aaa379c26d90163b45cce9d046aacdd036938fc9548020a8b30eb5f1eb53

SHA512
576dc4853355db5c069875c6091d9bd4c009133fa102b58031e333cbf139e1fd8015d5782de3dd44593c0e33b2aec85eb577d7fba79291c3a15f5f0f9228b62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\locales\en-US.pak

Filesize
88KB

MD5
af5c77e1d94dc4f772cb641bd310bc87

SHA1
0ceeb456e2601e22d873250bcc713bab573f2247

SHA256
781ef5aa8dce072a3e7732f39a7e991c497c70bfaec2264369d0d790ab7660a4

SHA512
8c3217b7d9b529d00785c7a1b2417a3297c234dec8383709c89c7ff9296f8ed4e9e6184e4304838edc5b4da9c9c3fe329b792c462e48b7175250ea3ea3acc70c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\resources.pak

Filesize
700KB

MD5
7dabd7babbae99fc86d5863090383aff

SHA1
4f25223514b70fb21765ef376045cc6083eac7c2

SHA256
f7acc18a502f46b1e8058ef4739643df999da0f8bf540c55190e8d1c003cf325

SHA512
5823bd7524d0507f42db819a3cb93158ec1f494b7dc9ab3f1add7c241cd1f33df36a96d90b02c8acd8bf01257f24670dde71d57e0764c59e1e1beac9f758471e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\resources\app.asar

Filesize
772KB

MD5
e954ab556e494d5854a4bfff81edd279

SHA1
0e4228c6ed6c6ac97f53049c473db24df9f4e2fa

SHA256
0641de0618796f0b75f94112c49faf7998a90d3eba443960ef326e159ff27f1a

SHA512
043f4b51ba4da520ae4ea6c691c0030ac3673eb5ff79996a280e190e86e546c86e3228c00e5e73e2bceae7f229c43a4a71d385d9647533f04893dec39927e371

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\resources\assets\images\background.png

Filesize
297B

MD5
32338b60ff8368fd431b32109eae89d2

SHA1
7a3a844f2e6371c8f3a08a142e2e792a6e77105a

SHA256
1d370406c3b0c6bfe109feb76229fd4a0fe1d4171ae2a77655a0fd3264558d2f

SHA512
be71b3dcc24cea203d59e08d8a4082dcf253eb02a971e67034f8cc0930f6af72830b1e35430cc861c08341082156585adcedcbfc788a83ec35fbd78107e20f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\resources\assets\license.txt

Filesize
2KB

MD5
f31549cdc3abfa48981759862a07519e

SHA1
1168fdb04883a65057168eaccb75e153aa3fe438

SHA256
267c8e6f5387fa5d54290044d30a5da427be3597fa7815c32689a533eaee8886

SHA512
f084f518eafc6a58c377c3f80d8a186d9a1d55473afc931bb913adb1fa6fd0bbbc2ba09a30ea39283cd5327079278ae7babea6a74b93a7f2d7cb48bfbba95795

Download Submit
C:\Users\Admin\AppData\Local\Temp\2PqhVVPE5kPb0ewa547FygNUcPX\v8_context_snapshot.bin

Filesize
161KB

MD5
d88d23551a4d7230f98fe0cbd363695b

SHA1
8e28eb4153e00aa5345bdb539b925a777588a26b

SHA256
72c3c123f10eb6e24c83ee40727a3a632cf7a8b062a3b7c7b41db4bfeda52ce4

SHA512
ea757e91c7cfc766b35da226263e82646f5b1153b8800c5cd69321d98b6d424413dcd7a02413a6a0e2f34905daf84bd21302b7ad58f2ebd814a7ac0a92b9d284

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd659C.tmp\BgImage.dll

Filesize
7KB

MD5
487368e6fce9ab9c5ea053af0990c5ef

SHA1
b538e37c87d4b9a7645dcbbd9e93025a31849702

SHA256
e27efa5dfde875bd6b826fafb4c7698db6b6e30e68715a1c03eb018e3170fc04

SHA512
bb3ed4c0d17a11365b72653112b48c8c63ab10590dda3dfd90aa453f0d64203000e4571c73998063352240e1671d14da5ee394439899aaa31054fa2e9b722ea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd659C.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd659C.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Roaming\BetterDiscord Installer\Network Persistent State

Filesize
175B

MD5
2b7e4377653e6e07536efe7fc1bd78a7

SHA1
cdd9c03b91e368bc14c4ac0ff7204ee698fa285d

SHA256
bd367325bb3c469e1aa6dcff50b6296b9b8d5bf5bed538f01f36c29b0603511a

SHA512
5dae5ba1af5ae6e52a39092bc5b4ebb454906c919735ab5b7f7a4c84a487e26376f68aee9c86265142e03c0f163cc0623094fa4f2936bff17504c2059ba112dc

Download Submit
C:\Users\Admin\AppData\Roaming\BetterDiscord Installer\Network Persistent State~RFe59c5d7.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit