Malware Analysis Report

2025-08-06 00:44

Sample ID 240403-wx953sgg7w
Target DiscordSetup.exe
SHA256 ccd1b73aa774e3deefb7672629099eec167b130521b9036b553af6e46ffdbe3f
Tags: discovery, persistence, spyware, stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: ccd1b73aa774e3deefb7672629099eec167b130521b9036b553af6e46ffdbe3f

Threat level: shows suspicious behavior.

DiscordSetup.exe is a Squirrel-based installer, and every signature listed below maps to a step of that install flow that is visible in the behavioral runs: SquirrelTemp\Update.exe is dropped and executed, Discord.exe is unpacked under AppData\Local\Discord\app-1.0.9039, reg.exe adds the Run value and the discord: URL-protocol handler, and the first run of the client works in its own profile directory under AppData\Roaming\discord. The report does not establish whether this build is the genuine Discord release, so compare the dropped-file hashes in the Files sections against a known-good installer before turning the tags into a verdict either way.

Malicious Activity Summary

discovery persistence spyware stealer

Reads local data of messenger clients

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Checks installed software on the system

Loads dropped DLL

Enumerates physical storage devices

Checks processor information in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies registry key

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15: no technique mappings were included in this export.

Analysis: static1

Detonation Overview

Reported

2024-04-03 18:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-03 18:19

Reported

2024-04-03 18:39

Platform

win7-20240221-en

Max time kernel

121s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe"

Signatures

Checks installed software on the system (discovery)

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe | N/A

Suspicious use of WriteProcessMemory

Identical rows for the same writer/target pair are collapsed; the Events column is the number of calls the sandbox logged. Each pair below is a parent writing into a child it is launching (compare the Processes list), which CreateProcess does routinely to set up the new process; the signature is only worth chasing when the target is a process the writer did not create.

Description | Events | Process | Target
PID 2920 wrote to memory of 2600 | 7 | C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe | C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
PID 2600 wrote to memory of 1792 | 4 | C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe
PID 2600 wrote to memory of 2968 | 4 | C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe

Processes

C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe

"C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe"

C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

"C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .

C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe

"C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe" --squirrel-install 1.0.9039

C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe

"C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe" --squirrel-firstrun

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | dl.discordapp.net | udp
US | 104.18.48.115:80 | dl.discordapp.net | tcp

The connection to dl.discordapp.net is on port 80, i.e. plain HTTP; the report does not show what was transferred or how the installer authenticated it.

Files

\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

MD5 f41538e41528534513d514dab4766ef1
SHA1 c12f27a11dc965097768760ca89521f18b6f88bb
SHA256 efc81c7e0c2df31b7f7d79910aa2129703d6d19771e74d0978eecd84a0f4c8ef
SHA512 b23319ec5fbcaa07a67d7bf5697653d867e56c9d83ed9134c7403ed4f26637ecf0c72024c26898926d88581b02c89a6877f012a7940202e82e9b9fd0ee01a6f0

memory/2600-11-0x00000000003A0000-0x0000000000516000-memory.dmp

memory/2600-12-0x0000000073ED0000-0x00000000745BE000-memory.dmp

memory/2600-13-0x0000000004CD0000-0x0000000004D10000-memory.dmp

C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

MD5 08cb640b720c5d7b6fce3da10cff52df
SHA1 27eaf8eef5d4b0a0d7231fefb0117f5ef05b6b84
SHA256 a5597ddbea7f4a6719f343e223520fe4b5385e3a9da12de043c48d7e6353c93a
SHA512 6dcfaa05a0e9377b01541117e70246cd35d9029b219f7bdecdb5b7db61818b1ffb24dd4345067f89a1630f5efbffe58e8be31821ae09418d0af4850c9e3d8b3d

C:\Users\Admin\AppData\Local\SquirrelTemp\Discord-1.0.9039-full.nupkg

MD5 f6d21fe975682d7d6b33dda9c7006892
SHA1 3f219786844dcfe32c239d21ca36d38c6d6672c6
SHA256 41f3d369df1e1412dc5b6eabd03a0912fc94628f3c78346d4f31950925ed7b2c
SHA512 1d3c603c9f6d9896b01457a97f3455d8abd3bf6d9523c880508d9f984bf4d1b9f7139da03cbe74dbf7264f9e5ecfe1467875209613dc7c32b1e08fed6a17c1d1

memory/2600-27-0x0000000073ED0000-0x00000000745BE000-memory.dmp

memory/2600-28-0x0000000004CD0000-0x0000000004D10000-memory.dmp

memory/2600-40-0x00000000007E0000-0x00000000007EA000-memory.dmp

memory/2600-41-0x00000000007E0000-0x00000000007EA000-memory.dmp

memory/2600-51-0x0000000004CD0000-0x0000000004D10000-memory.dmp

memory/2600-48-0x0000000004CD0000-0x0000000004D10000-memory.dmp

\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe

MD5 8da0897af3eb019033f585bd8e64b296
SHA1 287de02175312f99f536ee2b26a152903eaae2e4
SHA256 0ee2942b11493f4947a2b1e244c34acd4f1f00b0677c91f9a07557ac84cb0774
SHA512 1caac9456db6796164531cf1f031162e280a24612cde57b16bd715d8308ddfb45e715cc4605da216a032f98abebc59058d813ec5869fe9a39bc5677ab9fb9a07

memory/2600-208-0x00000000007E0000-0x00000000007EA000-memory.dmp

memory/2600-209-0x00000000007E0000-0x00000000007EA000-memory.dmp

memory/2600-210-0x0000000004CD0000-0x0000000004D10000-memory.dmp

memory/2600-211-0x0000000004CD0000-0x0000000004D10000-memory.dmp

C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\ffmpeg.dll

MD5 55edcca632b1a22e36d348932765600b
SHA1 8570a38b48b90bfff3a0bce4771d80a1668dbc75
SHA256 7c1749d47f64a46b2f1e658b99083b5444f1f405da6125f10fe335059de7a10a
SHA512 f30d3b9a05ebece5c2997c5b9f055ccf3fa30f929b2039af5d8c72f15b11a996acb669f51800d9ffd3409d7705caf807ddba374f72735e010bb57d6023b285f6

memory/2600-230-0x0000000073ED0000-0x00000000745BE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-03 18:19

Reported

2024-04-03 18:39

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe"

Signatures

Reads local data of messenger clients (spyware, stealer)

The report records no indicator for this signature. Note that the installed client's own profile directory, C:\Users\Admin\AppData\Roaming\discord (named by --user-data-dir in the process list below), is itself a Discord data location, so the first run of the client can satisfy this heuristic on its own; the spyware/stealer tags are not a verdict by themselves.

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Discord = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe" | C:\Windows\SysWOW64\reg.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Discord\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9039\\Discord.exe\" --url -- \"%1\"" | C:\Windows\SysWOW64\reg.exe | N/A
Key created (3 events) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Discord | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Discord\URL Protocol | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Discord\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9039\\Discord.exe\",-1" | C:\Windows\SysWOW64\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Discord\ = "URL:Discord Protocol" | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Discord\DefaultIcon | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Discord\shell\open\command | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Discord\shell | C:\Windows\SysWOW64\reg.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Discord\shell\open | C:\Windows\SysWOW64\reg.exe | N/A

Modifies registry key

Description | Indicator | Process | Target
N/A (5 events, no indicator recorded) | N/A | C:\Windows\SysWOW64\reg.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe | N/A

Suspicious use of WriteProcessMemory

Identical rows for the same writer/target pair are collapsed; the Events column is the number of calls the sandbox logged. As in behavioral1, every pair is a parent writing into a child it launches (the Electron helper processes, the second Update.exe and the five reg.exe invocations listed under Processes); no write targets a process the writer did not create.

Description | Events | Process | Target
PID 2664 wrote to memory of 4416 | 3 | C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe | C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
PID 4416 wrote to memory of 2476 | 3 | C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe
PID 2476 wrote to memory of 2096 | 3 | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe
PID 2476 wrote to memory of 3736 | 3 | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe | C:\Users\Admin\AppData\Local\Discord\Update.exe
PID 2476 wrote to memory of 4424 | 31 | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe
PID 2476 wrote to memory of 2732 | 3 | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe
PID 2476 wrote to memory of 1492 | 3 | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe | C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 1552 | 3 | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe | C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 1668 | 3 | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe | C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 756 | 3 | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe | C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 3612 | 3 | C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe | C:\Windows\SysWOW64\reg.exe
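The two WriteProcessMemory tables (behavioral1 and behavioral2) are easier to judge once the raw rows are folded back into a writer/target tree, with the first writer into each PID treated as its creator and any later, different writer reported separately. The script below is an added example, not code from the report or from any of the tools it describes; the row grammar it parses ("PID <src> wrote to memory of <dst> N/A <src image> <dst image>") is an assumption about this report format, SAMPLE_ROWS is an excerpt of the behavioral2 rows, and the sandbox PIDs mean nothing outside that run.

```python
"""Rebuild the parent/child chain from "Suspicious use of WriteProcessMemory" rows
and separate routine parent->child writes from writes into someone else's process.
Added example; not part of the original report."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# Assumed row grammar for this report format (header and blank lines do not match).
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Constructed excerpt of the behavioral2 table (the full table has 61 rows).
SAMPLE_ROWS = r"""
PID 2664 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
PID 2664 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
PID 2664 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
PID 4416 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe
PID 4416 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe
PID 4416 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe
PID 2476 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe
PID 2476 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe C:\Users\Admin\AppData\Local\Discord\Update.exe
PID 2476 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe C:\Windows\SysWOW64\reg.exe
PID 2476 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe C:\Windows\SysWOW64\reg.exe
"""


@dataclass(frozen=True)
class WriteEvent:
    src_pid: int
    dst_pid: int
    src_img: str
    dst_img: str


def parse_rows(text: str) -> list[WriteEvent]:
    """Parse report rows; header, blank and non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append(WriteEvent(int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return events


def write_counts(events: list[WriteEvent]) -> Counter:
    """Number of logged calls per (writer, target) pair; this collapses the repeated rows."""
    return Counter((e.src_pid, e.dst_pid) for e in events)


def first_writers(events: list[WriteEvent]) -> dict[int, int]:
    """Treat the first PID that writes into a target as its creator: CreateProcess writes
    startup data into the new child before it runs, so the parent is always the first writer."""
    creator: dict[int, int] = {}
    for e in events:
        creator.setdefault(e.dst_pid, e.src_pid)
    return creator


def foreign_writes(events: list[WriteEvent]) -> list[WriteEvent]:
    """Writes into a process by something other than its first writer. These are the rows
    worth reading; a parent writing into the child it just created is routine."""
    creator = first_writers(events)
    return [e for e in events if creator[e.dst_pid] != e.src_pid]


def render_tree(events: list[WriteEvent]) -> str:
    """Indented creator -> child tree with the per-edge event count."""
    images: dict[int, str] = {}
    children: dict[int, list[int]] = {}
    for e in events:
        images.setdefault(e.src_pid, e.src_img)
        images.setdefault(e.dst_pid, e.dst_img)
        kids = children.setdefault(e.src_pid, [])
        if e.dst_pid not in kids:
            kids.append(e.dst_pid)
    counts, creator = write_counts(events), first_writers(events)
    lines: list[str] = []

    def walk(pid: int, depth: int) -> None:
        name = images[pid].rsplit("\\", 1)[-1]
        edge = ""
        if pid in creator:
            n = counts[(creator[pid], pid)]
            edge = f"  ({n} write{'s' if n != 1 else ''})"
        lines.append("  " * depth + f"{name} [{pid}]{edge}")
        for child in children.get(pid, []):
            if creator[child] == pid:  # foreign writers are reported by foreign_writes()
                walk(child, depth + 1)

    for pid in images:
        if pid not in creator:  # nobody wrote into it: a root of the chain
            walk(pid, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    print(render_tree(evs))
    print("foreign writes:", foreign_writes(evs))
```

On the excerpt the tree is DiscordSetup.exe [2664] > Update.exe [4416] > Discord.exe [2476] > {Discord.exe [2096], Update.exe [3736], reg.exe [1492], reg.exe [1552]} and foreign_writes() is empty, which is the shape a benign installer produces; a row such as reg.exe writing into an existing Discord.exe PID would be the one to escalate.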

Processes

C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe

"C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe"

C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

"C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .

C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe

"C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe" --squirrel-install 1.0.9039

C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe

C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9039 --annotation=plat=Win32 --annotation=prod=Electron --annotation=ver=28.2.7 --initial-client-data=0x528,0x52c,0x530,0x524,0x534,0x827800c,0x8278018,0x8278024

C:\Users\Admin\AppData\Local\Discord\Update.exe

C:\Users\Admin\AppData\Local\Discord\Update.exe --createShortcut Discord.exe --setupIcon C:\Users\Admin\AppData\Local\Discord\app.ico

C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe

"C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1948 --field-trial-handle=1952,i,15242475349511559386,10096802058289808418,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2

C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe

"C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --mojo-platform-channel-handle=2184 --field-trial-handle=1952,i,15242475349511559386,10096802058289808418,262144 --enable-features=kWebSQLAccess --disable-features=CalculateNativeWinOcclusion,HardwareMediaKeyHandling,MediaSessionService,SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8

The five reg.exe processes below are listed as C:\Windows\SysWOW64\reg.exe while each command line names C:\Windows\System32\reg.exe. The caller is a 32-bit process, so WOW64 file system redirection maps its reference to System32 onto SysWOW64; the mismatch is expected and is not path masquerading.

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "\"C:\Users\Admin\AppData\Local\Discord\Update.exe\" --processStart Discord.exe" /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe\",-1" /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe\" --url -- \"%1\"" /f
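The five reg.exe command lines above are the only place the report shows exactly what was persisted and which executable a discord: link will launch, so they are worth parsing rather than eyeballing. The script below is an added example, not code from the report, Discord or Squirrel. SAMPLE_CMDLINES are the five invocations listed above; the tokenizer follows the Windows rule that a backslash-escaped quote inside a quoted argument is a literal quote, and the "user-writable" test (anything under \Users\ or \AppData\) is a deliberately simple assumption.

```python
"""Parse `reg.exe add` command lines and flag Run-key persistence and URL-protocol handlers.
Added example; not part of the original report."""
from __future__ import annotations
import re
from dataclasses import dataclass

# The five reg.exe invocations from the behavioral2 Processes list.
SAMPLE_CMDLINES = [
    r'C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "\"C:\Users\Admin\AppData\Local\Discord\Update.exe\" --processStart Discord.exe" /f',
    r'C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f',
    r'C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f',
    r'C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe\",-1" /f',
    r'C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe\" --url -- \"%1\"" /f',
]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
CLASSES_RE = re.compile(
    r"^(HKCU|HKLM|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)\\Software\\Classes\\([^\\]+)(\\.*)?$", re.I
)


def split_cmdline(cmd: str) -> list[str]:
    """Split a Windows command line: whitespace separates, double quotes group,
    and \" is a literal quote. Backslashes elsewhere are kept (they are path separators)."""
    args, cur, in_quotes, i = [], [], False, 0
    while i < len(cmd):
        c = cmd[i]
        if c == "\\" and i + 1 < len(cmd) and cmd[i + 1] == '"':
            cur.append('"')
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c.isspace() and not in_quotes:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        args.append("".join(cur))
    return args


@dataclass
class RegAdd:
    key: str
    value_name: str  # "(Default)" for /ve or when no /v is given
    data: str | None
    force: bool


def parse_reg_add(cmdline: str) -> RegAdd | None:
    """Structured view of `reg.exe add <key> [/v name|/ve] [/t type] [/d data] [/f]`."""
    args = split_cmdline(cmdline)
    if len(args) < 3 or not args[0].lower().endswith("reg.exe") or args[1].lower() != "add":
        return None
    add = RegAdd(key=args[2], value_name="(Default)", data=None, force=False)
    i = 3
    while i < len(args):
        flag, rest = args[i].lower(), args[i + 1:]
        if flag == "/v" and rest:
            add.value_name, i = rest[0], i + 2
        elif flag == "/d" and rest:
            add.data, i = rest[0], i + 2
        elif flag == "/t" and rest:
            i += 2  # value type is not needed here
        elif flag == "/f":
            add.force, i = True, i + 1
        else:
            i += 1  # /ve, /reg:32 and anything unrecognised
    return add


def image_from_data(data: str | None) -> str | None:
    """The executable a value points at: its first quoted or bare token, if that is an .exe."""
    if not data:
        return None
    m = re.match(r'"([^"]+)"|(\S+)', data)
    path = (m.group(1) or m.group(2)) if m else None
    return path if path and path.lower().endswith(".exe") else None


def user_writable(path: str) -> bool:
    p = path.lower()
    return "\\users\\" in p or "\\appdata\\" in p  # assumption: good enough for triage


def assess(cmdlines: list[str]) -> list[str]:
    """One finding per security-relevant registration, in command-line order."""
    findings = []
    for line in cmdlines:
        add = parse_reg_add(line)
        if add is None:
            continue
        image = image_from_data(add.data)
        if RUN_KEY_RE.search(add.key):
            where = "user-writable" if image and user_writable(image) else "non-user"
            findings.append(f"persistence: Run value '{add.value_name}' -> {image} ({where} path)")
        m = CLASSES_RE.match(add.key)
        if m:
            scheme, sub = m.group(2), (m.group(3) or "").lower()
            if add.value_name.lower() == "url protocol":
                findings.append(f"url-handler: scheme '{scheme}:' registered under {add.key}")
            elif sub.endswith("\\shell\\open\\command") and image:
                findings.append(f"url-handler: '{scheme}:' links run {image} with {add.data}")
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_CMDLINES):
        print(f)
```

The output names three things to check on a suspect host: the Run value Discord pointing at a user-writable Update.exe, the discord: scheme registration, and the shell\open\command handler that passes whatever follows the scheme in a link as the %1 argument to Discord.exe. For an incident, compare the handler and Run-value paths (and the hashes of the files they point at) with the Files sections of this report and with a known-good install.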

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 33.117.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
NL | 52.142.223.178:80 | (none recorded) | tcp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 34.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp

All DNS traffic in this run consists of reverse (PTR) lookups, and no forward lookup of dl.discordapp.net was captured, unlike behavioral1. The report does not attribute the lookups or the port-80 connection to a process, so none of it can be tied to the sample from this data alone.

Files

C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

MD5 f41538e41528534513d514dab4766ef1
SHA1 c12f27a11dc965097768760ca89521f18b6f88bb
SHA256 efc81c7e0c2df31b7f7d79910aa2129703d6d19771e74d0978eecd84a0f4c8ef
SHA512 b23319ec5fbcaa07a67d7bf5697653d867e56c9d83ed9134c7403ed4f26637ecf0c72024c26898926d88581b02c89a6877f012a7940202e82e9b9fd0ee01a6f0

memory/4416-9-0x0000000000120000-0x0000000000296000-memory.dmp

memory/4416-10-0x00000000744A0000-0x0000000074C50000-memory.dmp

memory/4416-11-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

MD5 08cb640b720c5d7b6fce3da10cff52df
SHA1 27eaf8eef5d4b0a0d7231fefb0117f5ef05b6b84
SHA256 a5597ddbea7f4a6719f343e223520fe4b5385e3a9da12de043c48d7e6353c93a
SHA512 6dcfaa05a0e9377b01541117e70246cd35d9029b219f7bdecdb5b7db61818b1ffb24dd4345067f89a1630f5efbffe58e8be31821ae09418d0af4850c9e3d8b3d

C:\Users\Admin\AppData\Local\SquirrelTemp\Discord-1.0.9039-full.nupkg

MD5 f6d21fe975682d7d6b33dda9c7006892
SHA1 3f219786844dcfe32c239d21ca36d38c6d6672c6
SHA256 41f3d369df1e1412dc5b6eabd03a0912fc94628f3c78346d4f31950925ed7b2c
SHA512 1d3c603c9f6d9896b01457a97f3455d8abd3bf6d9523c880508d9f984bf4d1b9f7139da03cbe74dbf7264f9e5ecfe1467875209613dc7c32b1e08fed6a17c1d1

C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\Discord.exe

MD5 8da0897af3eb019033f585bd8e64b296
SHA1 287de02175312f99f536ee2b26a152903eaae2e4
SHA256 0ee2942b11493f4947a2b1e244c34acd4f1f00b0677c91f9a07557ac84cb0774
SHA512 1caac9456db6796164531cf1f031162e280a24612cde57b16bd715d8308ddfb45e715cc4605da216a032f98abebc59058d813ec5869fe9a39bc5677ab9fb9a07

memory/4416-198-0x000000000FAB0000-0x000000000FAB8000-memory.dmp

memory/4416-199-0x0000000010330000-0x0000000010368000-memory.dmp

memory/4416-200-0x0000000005350000-0x000000000535E000-memory.dmp

C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\ffmpeg.dll

MD5 55edcca632b1a22e36d348932765600b
SHA1 8570a38b48b90bfff3a0bce4771d80a1668dbc75
SHA256 7c1749d47f64a46b2f1e658b99083b5444f1f405da6125f10fe335059de7a10a
SHA512 f30d3b9a05ebece5c2997c5b9f055ccf3fa30f929b2039af5d8c72f15b11a996acb669f51800d9ffd3409d7705caf807ddba374f72735e010bb57d6023b285f6

C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\v8_context_snapshot.bin

MD5 5e59b98c444e66f981b8605636e88efd
SHA1 78ce5d12ef8d76e5de09873eec59657a5b3964ee
SHA256 457167b96cf7cb9d80bf5f74976314b465439adb0563ed820be15d848f3daf66
SHA512 9401047fb86cd7d9b9aeea72bc3b7981b834e914d7ecc19ef2f787ccf946548a95241b89d508372caad6a7cc157e2be6fa931d952f836404b7c0c5abe4ca614b

C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\icudtl.dat

MD5 e0f1ad85c0933ecce2e003a2c59ae726
SHA1 a8539fc5a233558edfa264a34f7af6187c3f0d4f
SHA256 f5170aa2b388d23bebf98784dd488a9bcb741470384a6a9a8d7a2638d768defb
SHA512 714ed5ae44dfa4812081b8de42401197c235a4fa05206597f4c7b4170dd37e8360cc75d176399b735c9aec200f5b7d5c81c07b9ab58cbca8dc08861c6814fb28

memory/4416-207-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\resources\app.asar

MD5 a3fae9e385d9b80ea269c68bbdb97e41
SHA1 e5ab851e94104edcf4751b1c1b4312dbcfbf8214
SHA256 3674c0eb2a447e6449ba819e04d493a1f4284c587739f0611a19bb4ab236ba65
SHA512 a5cf45bae5c9ebd397504ccac18d3187a6034c1022b62bd7780f070460f8fb6d44aee08e1af964bd4cbcfab3c6263d8348740274a81f16483b6a4d76b2c73a2b

C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\resources\build_info.json

MD5 2975d2275891f5984e461bdf7c5ac170
SHA1 c324f18d726e6591e56b2117703b2d23e1d335df
SHA256 415f673c0b3933f8bd08e30421b85f0d75f2f2339bd3e4a29f85fc5c7c98f457
SHA512 31f50d242ab3cd59fea7ebc22368f6b42574602ee5abd2905ecc3722cf40fad590c30028e6aa2c2b2be64d5954c09086bdb89900e8d47e3f60ab5dcd1e2a1e28

C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\app.ico

MD5 084f9bc0136f779f82bea88b5c38a358
SHA1 64f210b7888e5474c3aabcb602d895d58929b451
SHA256 dfcea1bea8a924252d507d0316d8cf38efc61cf1314e47dca3eb723f47d5fe43
SHA512 65bccb3e1d4849b61c68716831578300b20dcaf1cbc155512edbc6d73dccbaf6e5495d4f95d089ee496f8e080057b7097a628cc104fa8eaad8da866891d9e3eb

memory/3736-219-0x00000000744A0000-0x0000000074C50000-memory.dmp

memory/3736-220-0x0000000005A50000-0x0000000005A60000-memory.dmp

memory/3736-223-0x0000000005970000-0x0000000005990000-memory.dmp

C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\resources.pak

MD5 e9056386a2b4edac9f0ffa829bc0cfa0
SHA1 f8d4b8289ebb088c9997a1fde1c2f12aedd6c82e
SHA256 546456d9a1328836a99876824f3beb7279f38403cd001515f5d9eb204939e57c
SHA512 c49e832e5c16a1846ea882395e83f9cbe9f4f6b44be9f0c7276d0a4495b88091bd95593c5e167dba853834058d7ca823db60d2fac73434ed952b7064b2daf6da

C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\locales\en-US.pak

MD5 809b600d2ee9e32b0b9b586a74683e39
SHA1 99d670c66d1f4d17a636f6d4edc54ad82f551e53
SHA256 0db4f65e527553b9e7bee395f774cc9447971bf0b86d1728856b6c15b88207bb
SHA512 9dfbe9fe0cfa3fcb5ce215ad8ab98e042760f4c1ff6247a6a32b18dd12617fc033a3bbf0a4667321a46a372fc26090e4d67581eaab615bf73cc96cb90e194431

C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\chrome_200_percent.pak

MD5 47668ac5038e68a565e0a9243df3c9e5
SHA1 38408f73501162d96757a72c63e41e78541c8e8e
SHA256 fac820a98b746a04ce14ec40c7268d6a58819133972b538f9720a5363c862e32
SHA512 5412041c923057ff320aba09674b309b7fd71ede7e467f47df54f92b7c124e3040914d6b8083272ef9f985eef1626eaf4606b17a3cae97cfe507fb74bc6f0f89

C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\chrome_100_percent.pak

MD5 4fc6564b727baa5fecf6bf3f6116cc64
SHA1 6ced7b16dc1abe862820dfe25f4fe7ead1d3f518
SHA256 b7805392bfce11118165e3a4e747ac0ca515e4e0ceadab356d685575f6aa45fb
SHA512 fa7eab7c9b67208bd076b2cbda575b5cc16a81f59cc9bba9512a0e85af97e2f3adebc543d0d847d348d513b9c7e8bef375ab2fef662387d87c82b296d76dffa2

C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\libglesv2.dll

MD5 5dbf4a2b443fbe52d9b80511ea0b94cc
SHA1 a4a3d31f9d2902c455e9e5e1fab931fd6108272e
SHA256 53cd9f341abe29b5b53c58a9060087551685385cc18bf5c8c25b54cf8773d499
SHA512 e30aaaaeaf42250b45d8a867352af6aec33dd81bbd7eeb72fae17f6a8050cf7aeacba9ab08c3a5ea489a030738474909d97210f56f0222165b8c9a645540514a

C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\libEGL.dll

MD5 42c5ffe970aa12c10e5a45f837a033d9
SHA1 0b0d82cebe169768c892c7bbfcc0346db47da4a7
SHA256 3eafdd2a558f1110606e4c95b5f2efac0536bb0005d5bd9f68957d3e866771c6
SHA512 83de7c9638ac8e6ac2d34c87917dfc8aa309dfbec54e56b327384a47d959ce53207c2c214a2a42f44a6f9c524448f0cb405cbdcf9319f70a616da332dcaac0f5

C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\vk_swiftshader.dll

MD5 d045ce8fac358f6ca98e61ea86787f67
SHA1 71ce4486853720deaa43df67c1768e93e76f57c0
SHA256 0c75f2949da407561083ab79a3122152f69aa1ceb6d4df919fc2a277ba56c33b
SHA512 273308a6e0b094171aaa1cf445ef88c0449b54be69529532fcbe91d6742cac28ff5145f482130f9e7f2f528899bd4844d05e9c51b70e2334ed420e2e31d19fee

\??\pipe\crashpad_2476_UMWPTSEZUFABNDFH

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

These four digests are the hashes of empty input: the sandbox hashed the crashpad named pipe, not a file, so this entry carries no content to pivot on.

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\d3dcompiler_47.dll

MD5 08ac37f455e0640c0250936090fe91b6
SHA1 7a91992d739448bc89e9f37a6b7efeb736efc43d
SHA256 2438b520ac961e38c5852779103734be373ee2b6d1e5a7a5d49248b52acc7c4d
SHA512 35a118f62b21160b0e7a92c7b9305da708c5cbd3491a724da330e3fc147dde2ca494387866c4e835f8e729b89ee0903fd1b479fcc75b9e516df8b86a2f1364c8

memory/3736-293-0x00000000744A0000-0x0000000074C50000-memory.dmp

memory/4416-317-0x00000000744A0000-0x0000000074C50000-memory.dmp

memory/4416-318-0x0000000004BB0000-0x0000000004BC0000-memory.dmp

memory/4416-319-0x0000000004BB0000-0x0000000004BC0000-memory.dmp
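The Files sections of both runs interleave dropped files with memory dumps, list the same file under a drive-less path in behavioral1 and a C:\ path in behavioral2, and include one entry (the crashpad pipe) whose digests are those of empty input. The script below is an added example, not code from the report or any sandbox vendor, for turning such a section into a deduplicated hash index: it parses the path/MD5/SHA1/SHA256/SHA512 layout (an assumption about this report format), validates digest lengths so copy errors surface, drops empty-content hashes, and matches drops across the two runs after normalising the path. The two excerpts are copied from the Files sections above with the SHA512 lines trimmed.

```python
"""Extract dropped-file hashes from the Files section of this kind of sandbox report.
Added example; not part of the original report."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass, field

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"  # SHA-256 of b""
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

# Constructed excerpts of the behavioral1 and behavioral2 Files sections (SHA512 lines trimmed).
RUN1_EXCERPT = r"""
\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

MD5 f41538e41528534513d514dab4766ef1
SHA1 c12f27a11dc965097768760ca89521f18b6f88bb
SHA256 efc81c7e0c2df31b7f7d79910aa2129703d6d19771e74d0978eecd84a0f4c8ef

memory/2600-11-0x00000000003A0000-0x0000000000516000-memory.dmp

\Users\Admin\AppData\Local\Discord\app-1.0.9039\ffmpeg.dll

MD5 55edcca632b1a22e36d348932765600b
SHA1 8570a38b48b90bfff3a0bce4771d80a1668dbc75
SHA256 7c1749d47f64a46b2f1e658b99083b5444f1f405da6125f10fe335059de7a10a
"""

RUN2_EXCERPT = r"""
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

MD5 f41538e41528534513d514dab4766ef1
SHA1 c12f27a11dc965097768760ca89521f18b6f88bb
SHA256 efc81c7e0c2df31b7f7d79910aa2129703d6d19771e74d0978eecd84a0f4c8ef

\??\pipe\crashpad_2476_UMWPTSEZUFABNDFH

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Users\Admin\AppData\Local\Discord\app-1.0.9039\ffmpeg.dll

MD5 55edcca632b1a22e36d348932765600b
SHA1 8570a38b48b90bfff3a0bce4771d80a1668dbc75
SHA256 7c1749d47f64a46b2f1e658b99083b5444f1f405da6125f10fe335059de7a10a
"""


@dataclass
class Artifact:
    path: str
    hashes: dict[str, str] = field(default_factory=dict)

    @property
    def is_memory_dump(self) -> bool:
        return self.path.startswith("memory/")

    @property
    def is_empty_content(self) -> bool:
        return self.hashes.get("SHA256") == EMPTY_SHA256


def parse_files_section(text: str) -> list[Artifact]:
    """A non-hash line starts a new artifact; hash lines attach to the most recent one."""
    artifacts: list[Artifact] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if not m:
            artifacts.append(Artifact(line))
            continue
        algo, digest = m.group(1), m.group(2).lower()
        if not artifacts:
            raise ValueError(f"hash line before any path: {line}")
        if len(digest) != HASH_LEN[algo]:
            raise ValueError(f"{algo} digest has wrong length for {artifacts[-1].path}")
        artifacts[-1].hashes[algo] = digest
    return artifacts


def normalize(path: str) -> str:
    """Case-fold and drop a drive letter and leading backslash so the two runs' paths compare."""
    p = path.lower()
    if p[1:3] == ":\\":
        p = p[2:]
    return p.lstrip("\\")


def hash_index(*runs: list[Artifact]) -> dict[str, set[str]]:
    """SHA256 -> set of paths seen with it across runs; empty-content digests are skipped."""
    index: dict[str, set[str]] = defaultdict(set)
    for run in runs:
        for a in run:
            sha = a.hashes.get("SHA256")
            if sha and not a.is_empty_content:
                index[sha].add(a.path)
    return dict(index)


def shared_drops(run_a: list[Artifact], run_b: list[Artifact]) -> list[str]:
    """Normalised paths dropped with an identical SHA256 in both runs."""
    sha_by_path = {normalize(a.path): a.hashes.get("SHA256") for a in run_a if not a.is_memory_dump}
    return [
        normalize(b.path)
        for b in run_b
        if not b.is_memory_dump and sha_by_path.get(normalize(b.path)) == b.hashes.get("SHA256")
    ]


if __name__ == "__main__":
    r1, r2 = parse_files_section(RUN1_EXCERPT), parse_files_section(RUN2_EXCERPT)
    print("shared drops:", shared_drops(r1, r2))
    for sha, paths in hash_index(r1, r2).items():
        print(sha, sorted(paths))
```

Identical hashes for Update.exe, RELEASES, the nupkg, Discord.exe and ffmpeg.dll across the Windows 7 and Windows 10 runs mean the installer unpacks the same payload regardless of platform, which is what you would expect from a packaged build and what the index above makes easy to confirm against a known-good download.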