9c32f86e6dec3a31137bbb5f693a7f1fce28b73006980829bf8b4c9c6cb36ec0

Analysis

max time kernel
397s
max time network
405s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
03/09/2024, 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Starwolf_beta/DiscordSetup.exe
Size

109.4MB
MD5

d36f97bffe90431a08a40aa58f2d59af
SHA1

c528ea762df5b975b73990ba96bb48c63b5e31a5
SHA256

26e1ff9fc464497b5860c4133877de7606482f4c14c6be84d52e423fe29b98f0
SHA512

c188c98064f5f14e3a37d9553c417bcb0015ad33bb386ea6f5220a553e5157e523fce103e79f771152327d404b6901995c119c1acde1b1572b1867798bf9261c
SSDEEP

3145728:ZfZGAbehL3TlyVDyudsjFNgKhUd0b2Vhncl/VIk3WEx:ZEyehDlQDyudsjFPbltIkGQ

Score

9^/10

credential_access discovery execution persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Starwolf_beta.exe	Starwolf_beta.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Starwolf_beta.exe	Starwolf_beta.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\Discord = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe"	reg.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	Discord.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation	Discord.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 54 IoCs

Run Powershell to get system information.

execution

PowerShell

T1059.001

pid	Process
4352	powershell.exe
4848	powershell.exe
4548	powershell.exe
596	powershell.exe
3420	powershell.exe
2532	powershell.exe
4056	powershell.exe
512	powershell.exe
320	powershell.exe
212	powershell.exe
3572	powershell.exe
3580	powershell.exe
1984	powershell.exe
2000	powershell.exe
3424	powershell.exe
2636	powershell.exe
800	powershell.exe
596	powershell.exe
4128	powershell.exe
3756	powershell.exe
4184	powershell.exe
4820	powershell.exe
5020	powershell.exe
2124	powershell.exe
1536	powershell.exe
2044	powershell.exe
3612	powershell.exe
4864	powershell.exe
2100	powershell.exe
4412	powershell.exe
1564	powershell.exe
1464	powershell.exe
3600	powershell.exe
932	powershell.exe
3548	powershell.exe
4448	powershell.exe
1876	powershell.exe
1128	powershell.exe
4132	powershell.exe
2144	powershell.exe
2192	powershell.exe
2112	powershell.exe
4432	powershell.exe
1060	powershell.exe
4908	powershell.exe
4808	powershell.exe
2052	powershell.exe
2328	powershell.exe
3696	powershell.exe
2796	powershell.exe
3292	powershell.exe
1352	powershell.exe
1928	powershell.exe
2792	powershell.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_url_fetcher_2200_1209313953\oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3	Discord.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_657856240\_platform_specific\win_x64\widevinecdm.dll.sig	Discord.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_657856240\_platform_specific\win_x64\widevinecdm.dll	Discord.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_657856240\LICENSE	Discord.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2200_138546068\_platform_specific\win_x64\widevinecdm.dll	Discord.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2200_138546068\LICENSE	Discord.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_657856240\_metadata\verified_contents.json	Discord.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2200_138546068\manifest.json	Discord.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2200_138546068\manifest.fingerprint	Discord.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_657856240\manifest.fingerprint	Discord.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2200_138546068\_platform_specific\win_x64\widevinecdm.dll.sig	Discord.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2200_138546068\_metadata\verified_contents.json	Discord.exe
File created	C:\Program Files\chrome_url_fetcher_2212_2066522627\oimompecagnajdejgnnjijobebaeigek_4.10.2710.0_win64_adsurwm4gclupf32xdrpgdnapira.crx3	Discord.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping2212_657856240\manifest.json	Discord.exe

Executes dropped EXE 27 IoCs

pid	Process
864	Update.exe
772	Discord.exe
4824	Discord.exe
2300	Update.exe
2192	Discord.exe
4184	Discord.exe
2460	Update.exe
2200	Discord.exe
3648	Discord.exe
932	Discord.exe
1964	Discord.exe
1700	Discord.exe
4056	Discord.exe
4352	Discord.exe
2052	Update.exe
2212	Discord.exe
4656	Discord.exe
3824	Discord.exe
4076	Discord.exe
1600	Discord.exe
356	Discord.exe
2856	Discord.exe
356	screenCapture_1.3.2.exe
4040	screenCapture_1.3.2.exe
4436	Update.exe
1748	Update.exe
2672	screenCapture_1.3.2.exe

Loads dropped DLL 42 IoCs

pid	Process
772	Discord.exe
4824	Discord.exe
2192	Discord.exe
2192	Discord.exe
2192	Discord.exe
2192	Discord.exe
2192	Discord.exe
4184	Discord.exe
2200	Discord.exe
3648	Discord.exe
932	Discord.exe
932	Discord.exe
932	Discord.exe
932	Discord.exe
932	Discord.exe
2200	Discord.exe
1964	Discord.exe
1700	Discord.exe
4056	Discord.exe
1700	Discord.exe
1700	Discord.exe
4352	Discord.exe
2212	Discord.exe
4656	Discord.exe
3824	Discord.exe
3824	Discord.exe
3824	Discord.exe
3824	Discord.exe
3824	Discord.exe
2212	Discord.exe
4076	Discord.exe
1600	Discord.exe
1600	Discord.exe
1600	Discord.exe
356	Discord.exe
2856	Discord.exe
5084	Starwolf_beta.exe
5084	Starwolf_beta.exe
1116	Starwolf_beta.exe
1116	Starwolf_beta.exe
2768	Starwolf_beta.exe
2768	Starwolf_beta.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordSetup.exe

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Discord\DefaultIcon	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Discord\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Discord	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Discord\ = "URL:Discord Protocol"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Discord\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Discord\ = "URL:Discord Protocol"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Discord\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Discord\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9161\\Discord.exe\",-1"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Discord\URL Protocol	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Discord\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9161\\Discord.exe\",-1"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Discord\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9161\\Discord.exe\" --url -- \"%1\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Discord\shell\open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Discord	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Discord\URL Protocol	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Discord\shell	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Discord\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9161\\Discord.exe\" --url -- \"%1\""	reg.exe

Modifies registry key 1 TTPs 9 IoCs

Modify Registry

T1112

pid	Process
4064	reg.exe
4348	reg.exe
1436	reg.exe
3544	reg.exe
4580	reg.exe
1764	reg.exe
4128	reg.exe
2312	reg.exe
3216	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1700	Discord.exe
1700	Discord.exe
1600	Discord.exe
1600	Discord.exe
3756	powershell.exe
3756	powershell.exe
3756	powershell.exe
4448	powershell.exe
4448	powershell.exe
4448	powershell.exe
2796	powershell.exe
2796	powershell.exe
2796	powershell.exe
4184	powershell.exe
4184	powershell.exe
4184	powershell.exe
800	powershell.exe
800	powershell.exe
800	powershell.exe
4908	powershell.exe
4908	powershell.exe
4908	powershell.exe
4820	powershell.exe
4820	powershell.exe
4820	powershell.exe
1876	powershell.exe
1876	powershell.exe
1876	powershell.exe
4352	powershell.exe
4352	powershell.exe
4352	powershell.exe
4848	powershell.exe
4848	powershell.exe
4848	powershell.exe
3420	powershell.exe
3420	powershell.exe
3420	powershell.exe
320	powershell.exe
320	powershell.exe
320	powershell.exe
212	powershell.exe
212	powershell.exe
212	powershell.exe
3572	powershell.exe
3572	powershell.exe
3572	powershell.exe
3580	powershell.exe
3580	powershell.exe
3580	powershell.exe
1128	powershell.exe
1128	powershell.exe
1128	powershell.exe
1536	powershell.exe
1536	powershell.exe
1536	powershell.exe
1352	powershell.exe
1352	powershell.exe
1352	powershell.exe
3600	powershell.exe
3600	powershell.exe
3600	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	772	Discord.exe
Token: SeCreatePagefilePrivilege	772	Discord.exe
Token: SeShutdownPrivilege	2200	Discord.exe
Token: SeCreatePagefilePrivilege	2200	Discord.exe
Token: SeShutdownPrivilege	2200	Discord.exe
Token: SeCreatePagefilePrivilege	2200	Discord.exe
Token: SeShutdownPrivilege	2200	Discord.exe
Token: SeCreatePagefilePrivilege	2200	Discord.exe
Token: SeShutdownPrivilege	2200	Discord.exe
Token: SeCreatePagefilePrivilege	2200	Discord.exe
Token: SeShutdownPrivilege	2200	Discord.exe
Token: SeCreatePagefilePrivilege	2200	Discord.exe
Token: SeShutdownPrivilege	2200	Discord.exe
Token: SeCreatePagefilePrivilege	2200	Discord.exe
Token: SeShutdownPrivilege	2212	Discord.exe
Token: SeCreatePagefilePrivilege	2212	Discord.exe
Token: SeShutdownPrivilege	2212	Discord.exe
Token: SeCreatePagefilePrivilege	2212	Discord.exe
Token: SeShutdownPrivilege	2212	Discord.exe
Token: SeCreatePagefilePrivilege	2212	Discord.exe
Token: SeShutdownPrivilege	2212	Discord.exe
Token: SeCreatePagefilePrivilege	2212	Discord.exe
Token: SeShutdownPrivilege	2212	Discord.exe
Token: SeCreatePagefilePrivilege	2212	Discord.exe
Token: SeShutdownPrivilege	2212	Discord.exe
Token: SeCreatePagefilePrivilege	2212	Discord.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeIncreaseQuotaPrivilege	3756	powershell.exe
Token: SeSecurityPrivilege	3756	powershell.exe
Token: SeTakeOwnershipPrivilege	3756	powershell.exe
Token: SeLoadDriverPrivilege	3756	powershell.exe
Token: SeSystemProfilePrivilege	3756	powershell.exe
Token: SeSystemtimePrivilege	3756	powershell.exe
Token: SeProfSingleProcessPrivilege	3756	powershell.exe
Token: SeIncBasePriorityPrivilege	3756	powershell.exe
Token: SeCreatePagefilePrivilege	3756	powershell.exe
Token: SeBackupPrivilege	3756	powershell.exe
Token: SeRestorePrivilege	3756	powershell.exe
Token: SeShutdownPrivilege	3756	powershell.exe
Token: SeDebugPrivilege	3756	powershell.exe
Token: SeSystemEnvironmentPrivilege	3756	powershell.exe
Token: SeRemoteShutdownPrivilege	3756	powershell.exe
Token: SeUndockPrivilege	3756	powershell.exe
Token: SeManageVolumePrivilege	3756	powershell.exe
Token: 33	3756	powershell.exe
Token: 34	3756	powershell.exe
Token: 35	3756	powershell.exe
Token: 36	3756	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeIncreaseQuotaPrivilege	4448	powershell.exe
Token: SeSecurityPrivilege	4448	powershell.exe
Token: SeTakeOwnershipPrivilege	4448	powershell.exe
Token: SeLoadDriverPrivilege	4448	powershell.exe
Token: SeSystemProfilePrivilege	4448	powershell.exe
Token: SeSystemtimePrivilege	4448	powershell.exe
Token: SeProfSingleProcessPrivilege	4448	powershell.exe
Token: SeIncBasePriorityPrivilege	4448	powershell.exe
Token: SeCreatePagefilePrivilege	4448	powershell.exe
Token: SeBackupPrivilege	4448	powershell.exe
Token: SeRestorePrivilege	4448	powershell.exe
Token: SeShutdownPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeSystemEnvironmentPrivilege	4448	powershell.exe
Token: SeRemoteShutdownPrivilege	4448	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
864	Update.exe
1928	powershell.exe
4436	Update.exe
1748	Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 864	4868	DiscordSetup.exe	73
PID 4868 wrote to memory of 864	4868	DiscordSetup.exe	73
PID 4868 wrote to memory of 864	4868	DiscordSetup.exe	73
PID 864 wrote to memory of 772	864	Update.exe	74
PID 864 wrote to memory of 772	864	Update.exe	74
PID 772 wrote to memory of 4824	772	Discord.exe	75
PID 772 wrote to memory of 4824	772	Discord.exe	75
PID 772 wrote to memory of 2300	772	Discord.exe	76
PID 772 wrote to memory of 2300	772	Discord.exe	76
PID 772 wrote to memory of 2300	772	Discord.exe	76
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 2192	772	Discord.exe	77
PID 772 wrote to memory of 4184	772	Discord.exe	78
PID 772 wrote to memory of 4184	772	Discord.exe	78
PID 772 wrote to memory of 4064	772	Discord.exe	79
PID 772 wrote to memory of 4064	772	Discord.exe	79
PID 772 wrote to memory of 4580	772	Discord.exe	81
PID 772 wrote to memory of 4580	772	Discord.exe	81
PID 772 wrote to memory of 4348	772	Discord.exe	84
PID 772 wrote to memory of 4348	772	Discord.exe	84
PID 772 wrote to memory of 1764	772	Discord.exe	86
PID 772 wrote to memory of 1764	772	Discord.exe	86
PID 772 wrote to memory of 4128	772	Discord.exe	88
PID 772 wrote to memory of 4128	772	Discord.exe	88
PID 2460 wrote to memory of 2200	2460	Update.exe	93
PID 2460 wrote to memory of 2200	2460	Update.exe	93
PID 2200 wrote to memory of 3648	2200	Discord.exe	94
PID 2200 wrote to memory of 3648	2200	Discord.exe	94
PID 2200 wrote to memory of 932	2200	Discord.exe	95
PID 2200 wrote to memory of 932	2200	Discord.exe	95
PID 2200 wrote to memory of 932	2200	Discord.exe	95
PID 2200 wrote to memory of 932	2200	Discord.exe	95
PID 2200 wrote to memory of 932	2200	Discord.exe	95
PID 2200 wrote to memory of 932	2200	Discord.exe	95
PID 2200 wrote to memory of 932	2200	Discord.exe	95
PID 2200 wrote to memory of 932	2200	Discord.exe	95

C:\Users\Admin\AppData\Local\Temp\Starwolf_beta\DiscordSetup.exe
"C:\Users\Admin\AppData\Local\Temp\Starwolf_beta\DiscordSetup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe" --squirrel-install 1.0.9161
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe
      C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9161 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=30.2.0 --initial-client-data=0x4bc,0x4c0,0x4c8,0x4b8,0x4d0,0x7ff66eebf218,0x7ff66eebf224,0x7ff66eebf230
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4824
  - - C:\Users\Admin\AppData\Local\Discord\Update.exe
      C:\Users\Admin\AppData\Local\Discord\Update.exe --createShortcut Discord.exe --setupIcon C:\Users\Admin\AppData\Local\Discord\app.ico
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2300
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1832,i,5746856399884383732,15409354952008495576,262144 --enable-features=kWebSQLAccess --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1824 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2192
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --field-trial-handle=2668,i,5746856399884383732,15409354952008495576,262144 --enable-features=kWebSQLAccess --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2568 /prefetch:3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4184
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "\"C:\Users\Admin\AppData\Local\Discord\Update.exe\" --processStart Discord.exe" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:4064
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
      4⤵
      Modifies registry class
      Modifies registry key
      PID:4580
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
      4⤵
      Modifies registry class
      Modifies registry key
      PID:4348
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe\",-1" /f
      4⤵
      Modifies registry class
      Modifies registry key
      PID:1764
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe\" --url -- \"%1\"" /f
      4⤵
      Modifies registry class
      Modifies registry key
      PID:4128

C:\Users\Admin\AppData\Local\Discord\Update.exe
"C:\Users\Admin\AppData\Local\Discord\Update.exe" --processStart Discord.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe
  "C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe
    C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9161 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=30.2.0 --initial-client-data=0x4b8,0x4bc,0x4c0,0x4b4,0x4c4,0x7ff66eebf218,0x7ff66eebf224,0x7ff66eebf230
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3648
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1788,i,16293557018032947881,4683365365307703567,262144 --enable-features=kWebSQLAccess --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1780 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:932
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=2540,i,16293557018032947881,4683365365307703567,262144 --enable-features=kWebSQLAccess --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2536 /prefetch:3
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1964
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
    3⤵
    - Modifies registry class
    - Modifies registry key
    PID:2312
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=0 --gpu-device-id=0 --gpu-sub-system-id=0 --gpu-revision=0 --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2812,i,16293557018032947881,4683365365307703567,262144 --enable-features=kWebSQLAccess --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2804 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1700
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3340,i,16293557018032947881,4683365365307703567,262144 --enable-features=kWebSQLAccess --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3332 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4056
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
    3⤵
    - Modifies registry class
    - Modifies registry key
    PID:3216
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe\",-1" /f
    3⤵
    - Modifies registry class
    - Modifies registry key
    PID:1436
- - C:\Windows\System32\reg.exe
    C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe\" --url -- \"%1\"" /f
    3⤵
    - Modifies registry class
    - Modifies registry key
    PID:3544
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=3956,i,16293557018032947881,4683365365307703567,262144 --enable-features=kWebSQLAccess --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3952 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4352

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:376

C:\Users\Admin\AppData\Local\Discord\Update.exe
"C:\Users\Admin\AppData\Local\Discord\Update.exe" --processStart Discord.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2052
- C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe
  "C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe
    C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9161 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=30.2.0 --initial-client-data=0x4ac,0x4b0,0x4b4,0x4a8,0x4b8,0x7ff66eebf218,0x7ff66eebf224,0x7ff66eebf230
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4656
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1780,i,16376129771681277631,5356470301628531137,262144 --enable-features=kWebSQLAccess --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1772 /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3824
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=2512,i,16376129771681277631,5356470301628531137,262144 --enable-features=kWebSQLAccess --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2400 /prefetch:3
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4076
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=0 --gpu-device-id=0 --gpu-sub-system-id=0 --gpu-revision=0 --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3100,i,16376129771681277631,5356470301628531137,262144 --enable-features=kWebSQLAccess --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3096 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1600
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --app-user-model-id=com.squirrel.Discord.Discord --app-path="C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\resources\app.asar" --no-sandbox --no-zygote --autoplay-policy=no-user-gesture-required --disable-background-timer-throttling --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,16376129771681277631,5356470301628531137,262144 --enable-features=kWebSQLAccess --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3060 /prefetch:1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:356
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=disclip,sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=disclip,sentry-ipc --field-trial-handle=3708,i,16376129771681277631,5356470301628531137,262144 --enable-features=kWebSQLAccess --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=3704 /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2856

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s fdPHost
1⤵
PID:3276

C:\Users\Admin\AppData\Local\Temp\Starwolf_beta\Starwolf_beta.exe
"C:\Users\Admin\AppData\Local\Temp\Starwolf_beta\Starwolf_beta.exe"
1⤵
- Drops startup file
- Loads dropped DLL
PID:5084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202483-5084-1adr676.ej8r.jpg" "
  2⤵
  PID:2172
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4612
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8029.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSC6A6F3E47E78F41F094B4A9759F7BBB3.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1864
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202483-5084-1adr676.ej8r.jpg"
    3⤵
    - Executes dropped EXE
    PID:356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('The application was unable to start correctly (0xc000007b). Click OK to close the application.', 'Application Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}""
  2⤵
  PID:1700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('The application was unable to start correctly (0xc000007b). Click OK to close the application.', 'Application Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1352

C:\Users\Admin\AppData\Local\Temp\Starwolf_beta\Starwolf_beta.exe
"C:\Users\Admin\AppData\Local\Temp\Starwolf_beta\Starwolf_beta.exe"
1⤵
- Loads dropped DLL
PID:1116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4808
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:596
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202483-1116-1roqozb.nns2.jpg" "
  2⤵
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202483-1116-1roqozb.nns2.jpg"
    3⤵
    - Executes dropped EXE
    PID:4040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2044
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('The application was unable to start correctly (0xc000007b). Click OK to close the application.', 'Application Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}""
  2⤵
  PID:1392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('The application was unable to start correctly (0xc000007b). Click OK to close the application.', 'Application Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of FindShellTrayWindow
    PID:1928

C:\Users\Admin\AppData\Local\Temp\Starwolf_beta\DiscordSetup.exe
"C:\Users\Admin\AppData\Local\Temp\Starwolf_beta\DiscordSetup.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2724
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:4436

C:\Users\Admin\AppData\Local\Temp\Starwolf_beta\DiscordSetup.exe
"C:\Users\Admin\AppData\Local\Temp\Starwolf_beta\DiscordSetup.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4376
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:1748

C:\Users\Admin\AppData\Local\Temp\Starwolf_beta\Starwolf_beta.exe
"C:\Users\Admin\AppData\Local\Temp\Starwolf_beta\Starwolf_beta.exe"
1⤵
- Loads dropped DLL
PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202483-2768-am9948.x538s.jpg" "
  2⤵
  PID:4180
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202483-2768-am9948.x538s.jpg"
    3⤵
    - Executes dropped EXE
    PID:2672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3548
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('The application was unable to start correctly (0xc000007b). Click OK to close the application.', 'Application Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}""
  2⤵
  PID:4940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('The application was unable to start correctly (0xc000007b). Click OK to close the application.', 'Application Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping2200_138546068\LICENSE

Filesize
473B

MD5
f6719687bed7403612eaed0b191eb4a9

SHA1
dd03919750e45507743bd089a659e8efcefa7af1

SHA256
afb514e4269594234b32c873ba2cd3cc8892e836861137b531a40a1232820c59

SHA512
dd14a7eae05d90f35a055a5098d09cd2233d784f6ac228b5927925241689bff828e573b7a90a5196bfdd7aaeecf00f5c94486ad9e3910cfb07475fcfbb7f0d56

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2200_138546068\manifest.json

Filesize
1001B

MD5
2648d437c53db54b3ebd00e64852687e

SHA1
66cfe157f4c8e17bfda15325abfef40ec6d49608

SHA256
68a3d7cb10f3001f40bc583b7fff0183895a61d3bd1b7a1c34e602df6f0f8806

SHA512
86d5c3129bec156b17b8ebd5dec5a6258e10cb426b84dd3e4af85c9c2cd7ebf4faea01fd10dd906a18ea1042394c3f41a835eae2d83dc8146dfe4b6d71147828

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2212_657856240\_metadata\verified_contents.json

Filesize
1KB

MD5
c6a8dcff24d9d1852b0175d5ff59231c

SHA1
b343627d458933aab66d303aa57c723a1d00dead

SHA256
d0715b04bb7d32c7f7d888834983406ceef885799520af976dd164e6b8d1d535

SHA512
52905fdbfcf9b24708be49c1bd481a066c7091e8769e049a46cde0da866aae92e2daaf4c930a9234c4253eff383c62414e8837fe5a4ff3fcd3d0827252bbaaeb

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2212_657856240\_platform_specific\win_x64\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2212_657856240\_platform_specific\win_x64\widevinecdm.dll.sig

Filesize
1KB

MD5
36e5ee071a6f2f03c5d3889de80b0f0d

SHA1
cf6e8ddb87660ef1ef84ae36f97548a2351ac604

SHA256
6be809d16e0944386e45cf605eae0cd2cf46f111d1a6fe999fec813d2c378683

SHA512
99b61896659e558a79f0e9be95286ebf01d31d13b71df6db4923406e88b3ba72584ef2b62e073b2f5e06901af2c7d1b92d3d12187fe5b4b29c9dd2678444f34e

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping2212_657856240\manifest.fingerprint

Filesize
66B

MD5
a2c66c5636ba1d6c6f4e6f6e2beab7b5

SHA1
72f4d77d5fcba521e25df2ae082e339d39f7bae3

SHA256
a47ff5dba25765c696476506ed4cba5e7ef5dc1b402d8acc5887bad76083f6aa

SHA512
23b9484380a44db3fa7f45bff40928f3e940d67899d2d0ef3c7faa80f943aed69e878964f4cca3405563a87af3db2b7bff8fb88f66698abb94293dccf940fe38

Download Submit
C:\Users\Admin\AppData\Local\Discord\SquirrelSetup.log

Filesize
2KB

MD5
e84f846c8037a9cff37cb45107102ccf

SHA1
1b4453735d98ffdcc3eb0e514c86b483dee604e7

SHA256
196d110fbd02ff15ac60d2760f5935269e0751dec70c4b934fcb5081b1dfa8b0

SHA512
c17c3bbe6aced624135629d9083ab9fdf662aea64b2dcea23d473b512b52b99e901e3284ac7792e82c93d36eddafb50eb269f825ba0494492040bb3a1a36c0cd

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\app.ico

Filesize
278KB

MD5
084f9bc0136f779f82bea88b5c38a358

SHA1
64f210b7888e5474c3aabcb602d895d58929b451

SHA256
dfcea1bea8a924252d507d0316d8cf38efc61cf1314e47dca3eb723f47d5fe43

SHA512
65bccb3e1d4849b61c68716831578300b20dcaf1cbc155512edbc6d73dccbaf6e5495d4f95d089ee496f8e080057b7097a628cc104fa8eaad8da866891d9e3eb

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\chrome_100_percent.pak

Filesize
146KB

MD5
6c2827fe702f454c8452a72ea0faf53c

SHA1
881f297efcbabfa52dd4cfe5bd2433a5568cc564

SHA256
2fb9826a1b43c84c08f26c4b4556c6520f8f5eef8ab1c83011031eb2d83d6663

SHA512
5619ad3fca8ea51b24ea759f42685c8dc7769dd3b8774d8be1917e0a25fa17e8a544f6882617b4faa63c6c4f29844b515d07db965c8ea50d5d491cdda7281fc5

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\chrome_200_percent.pak

Filesize
220KB

MD5
77088f98a0f7ea522795baec5c930d03

SHA1
9b272f152e19c478fcbd7eacf7356c3d601350ed

SHA256
83d9243037b2f7e62d0fdfce19ca72e488c18e9691961e2d191e84fb3f2f7a5d

SHA512
5b19115422d3133e81f17eedbacee4c8e140970120419d6bbfe0e99cf5528d513eea6583548fa8a6259b260d73fab77758ad95137b61fe9056101dd5772e8f4a

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\ffmpeg.dll

Filesize
3.9MB

MD5
8462e861bd73fccc5eb018d1be18eb0d

SHA1
305689b0d7a17cca0ee634faef943459fb7f1e7b

SHA256
20c45a0e40ee9f7be0d0b674b1185547dc6dfc575291d64f5f30eefe9d425e60

SHA512
eeec3474df0af857d6678e5eea0e2ef06858cd642714a7a647be935219efe91e68a81d015f1bbc8e55f8c782601b7a9fd7329747c2f696cf761ffb91a5ffce3f

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\icudtl.dat

Filesize
10.2MB

MD5
74bded81ce10a426df54da39cfa132ff

SHA1
eb26bcc7d24be42bd8cfbded53bd62d605989bbf

SHA256
7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9

SHA512
bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\libegl.dll

Filesize
486KB

MD5
9a2ad1877a1deb964505a24e2c315082

SHA1
1acafe8e4641d8ee3d16a88c39057a8e483a254a

SHA256
c71d6fd3c0008699d1cd542cf364c08bbae1185ecb9731bd64c07e204255bcef

SHA512
abef068f73c23af48d8bb7ce1e15c6e113073eb5cd0397ad87d5f369afa2b238eef51004429a9e10da121e1a8df6c548652ec7d2521e69a0b61bf79ab9a58f97

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\libglesv2.dll

Filesize
7.6MB

MD5
f1c2108e1ad4cc11a7d4db0b1ad46795

SHA1
27e0c8aae70267a7197404bded53dd7ea38812ad

SHA256
5c24576258ee98d382b43faa0ac184c10072a76782598e67d515449e4551e713

SHA512
d030fd112bf187afbb2869b1d39b501872075a2ae824c63529765cf9f0406bb895ee1a57088687555cba2b2cae786b0a474e08b6591e2539aa36c21e554af078

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\locales\en-US.pak

Filesize
443KB

MD5
88bbc725e7eedf18ef1e54e98f86f696

SHA1
831d6402443fc366758f478e55647a9baa0aa42f

SHA256
95fd54494d992d46e72dad420ceee86e170527b94d77bfaaa2bfc01f83902795

SHA512
92a5c6cfc2d88272bb5144e7ee5c48337f2c42083bc9777506b738e3bcb8f5a2c34af00c4ccc63b24fb158c79f69e7205b398c9e22634dae554410450978a2c4

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\resources.pak

Filesize
5.1MB

MD5
db3fa7a7f7af66bbb73c1c0a46187572

SHA1
5c6f2b5c01a20f204bb67f28a907dec4cd98bce8

SHA256
0e114f6464cecae87988c1dd65ea1bc939681fee6415d343e947a5889717165f

SHA512
e639e96c36fa67dfdc7098c7d6863ee421a2de9fa49630038e8abf4f152b03e0bbb80eee0d40a68cac5a48bfa75f0cc3542c1170dd65ab1bf5626450f803d410

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\resources\app.asar

Filesize
7.6MB

MD5
5858be90a23a3bb63426ce1a5a7d9066

SHA1
8c6b4f37a9a04cfee54d7ad2dcee5f42d678d572

SHA256
78880e2db0ca22d389f31e1f0983a5979fec82ec5af28462fb84b584ec7a339c

SHA512
51eceaa5e529453e50b800d14790ce7ffc8edf192720c20ba49a27f9384a88bb2a8e00c335b5a6efe223518136338a314f0c20aa093791093a3e23e56a42115f

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\resources\build_info.json

Filesize
83B

MD5
2c6c10a638a35de9148aeea6e07bdc4d

SHA1
4e2e77e017251693d6fdd3e665f324b4b8884ed4

SHA256
47d7896ea98ef87cce794498cacfeb8b2276ac8647b025b28179bda3ad5fc0da

SHA512
d460dab2e0c1752049533c47276a5f3ff4d13903654e9a8708e60a9cbb690a90a0167892acad539f1122da824b2bb10cb2cb11f7de7d89434d642e97e2cd6a33

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\v8_context_snapshot.bin

Filesize
641KB

MD5
b1b09c057d365720ad26151066bf160c

SHA1
7bbf976150e9b63acd4aea4223085818445f7dfc

SHA256
0b239cf5ab92a27cfa087b49e6dc943e0c674b62cea643cff2130e1c2f8db31c

SHA512
ad4cbce2e8f367cff9b8b8ca56d1b6b833c3293dd55c1279732abda493b3a366efbefa67d75ab0ba6b93ca0a7545475728f9dc09bda9460ecf13f53f137a9b77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Update.exe.log

Filesize
1KB

MD5
2244dc0b3273589a6f523d1132743c50

SHA1
aa3b1e074e6db473c5b29c613f96bdb1e055224f

SHA256
95360f53262f25f870960255268efe6213d026715336c1366db1a58b2b5e0f3f

SHA512
951c1be44dad2f68c35bbdc2a971316bc348298d91a1be97cc90eeb1e1082263473affc1117fd35ebff3744a70e19eb6c20cb587a059281ba1e24ee5636ea5d0

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
81B

MD5
788686205f4868893057541ecd48328e

SHA1
6088c9df47a7f68b1c75170d4b55e787d115f411

SHA256
d378962173ae4b4b27e07f9d243833d7327e93c0f261a01995f0db61a1a94eba

SHA512
e7a56d905bbb57bae9bc8068d1102e382b1ab2cb4d99da20ad9d68295926d66b1cf69b54d99bd2a5306ce3dd34f52c7d11905716ebb1acad8866d04636190f75

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.5MB

MD5
771974507467d78570b821f76626cf04

SHA1
2e8994c3f137d81e61eafa717ff234355e9053a9

SHA256
679f99c88d254feb46909c017d5a00d22adc508ecf62378e126d258b74f09a83

SHA512
17dea568b740346f4a9167a073b5bc874582945c44a6527c8651c4ead64214ed93d9c15636251e097a7ee5d35df93b67367cbafe1c435a40064be07cb5166426

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c76b7c2-783f-49cc-bc59-d3c03cd0c25a.zip

Filesize
50KB

MD5
dbd6772bbffa903542a914135bb9950b

SHA1
80c50ee96d4cc9b4c041278ac76e0fcd32a472f8

SHA256
58a796514b0e3618f9a3ff1c8d917a45bd7290e8cf4a8a68f03e0f6bfe82ec6a

SHA512
56e449b324897fade1031eb1a90de861af087e2212d3247b5f4950b447a22e89affea4a0aa34c2cbe9cb5d3f77bd0b8625112510cc61572626dd2307be74c986

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bba85f5-df01-4210-bf05-827be7abdba3.zip

Filesize
40KB

MD5
d9b6939cf865d216b426f4cdaaf4d57d

SHA1
17e4177391e9d3276a1f3dc2d1be57fc6e857bc9

SHA256
55abf39d7d53c9808571c560e236449f48ae4a997874a1e6be538b10fa303511

SHA512
d20488c62f7744b5864d5e5354c3f83a99880e4b7af16221a2e81512636b9b615e0d4f0d366b22290fcd9dfe7f2557370946c2fe6579f62b17df5631be451b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\65e635d1-0ec9-4107-8435-b787ab03b594.zip

Filesize
46KB

MD5
0d01c8bc331fccd8410fc60cc63e13d6

SHA1
060777d6b6b595e6662a69454d5adcaa18d9c15d

SHA256
9136edd757da22cc645ac0adfb321d483c879ad9dc3acd152a415cdd7401fab2

SHA512
6ceac3cf2d8731728b8bb69ec402d1579e85f54d011316ea6581987e061f0bee8d5c14ba57970fd7febc1524aa71687424cd96e76aeb5d55c7a8e69a22a1d09f

Download Submit
C:\Users\Admin\AppData\Local\Temp\65e635d1-0ec9-4107-8435-b787ab03b594\screenshot.png

Filesize
65KB

MD5
df22e5a901bd6a5d1c0b4ac669a2c087

SHA1
214a37020b8336be1038c2a8996efb01531fe38e

SHA256
4a59f386109005123f4b675a226a6b6989292ceef229dd75b5caf8083186e1e7

SHA512
592981fde6761a087783eddb067f933cb1cb8d963c01eaf17b86da7b7b30e628cc4f799f7eedaed46df62affd81c161050c02681131625c76da580f2e087ebe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qqljo1lf.kwb.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Code Cache\wasm\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
d7f39b534cef3c3eddd201a52ae8b21e

SHA1
cd4167d99de0705991c394ab6ec86f477998b494

SHA256
b05e2a216b4d6e8e855a34935201270bb3045df31231d5d13b41cc001aba1837

SHA512
acf1db70c655f65d139cabdaf7a63f77755a2947c52976ffc8f05be033eba46ccd48c2054ca1b3d5aabb211de02b28f938a9f04de10348a8b0044f328a6a3d44

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Crashpad\settings.dat

Filesize
40B

MD5
29275aab3c566cab7d0d1385cef7ab28

SHA1
1cb7e607de1e823faf0cc4342711cf7bbee6d1b2

SHA256
1915cd21b748ed79b6b13e6426d8b0f6ef59a996254eeb114f56dbae5ec71c61

SHA512
32f12cfeed497baf2b7217c1902d74a00347f9fe52d8745825c50728b9a585bc94188fa166050eb0bdc5fe510bfe88ed9e7956f485f631f0fa180433e4ba9a18

Download Submit
C:\Users\Admin\AppData\Roaming\discord\DawnWebGPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\discord\DawnWebGPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Roaming\discord\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\discord\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Local State

Filesize
649B

MD5
3eca407dbffda3dbb77baccdd8472b03

SHA1
fa4af801a69dfeb9dde220f51640889568f2ceb7

SHA256
1a933fabdc404e8f1b9ec7c7eac1ce7a77c51f8a7eba5fbdd77cd9d1f9dad4b2

SHA512
b6ee1cdbbc1b7b70598a6ede39dd4198098e807c73a135d10064905787c77125f5a65f54b6ff053cc5e8719ffb4158b8f9592ef291ba676698873e66be3b9322

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Local State

Filesize
434B

MD5
3eb4166fd42b437e8b42c43641908d59

SHA1
a6088c25d081a007258eeba7b728cf62941f64f8

SHA256
1e45b6786cc54823075dba15f6fe5983e674277b0dcc020f2e24dff05bd3171c

SHA512
5428661707544a6acd066cc43dd070c762162da546e41f475162f423cfce2185ea87a542862318051b91e8eeba421a8926078ffe52ffb77282c8426c541f2237

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Local State

Filesize
649B

MD5
2d3ca1f997add2ba48e0be2c803801aa

SHA1
498018d805e3904ac46fdbcaad9afedad3d7d3b2

SHA256
994d2e41bb4dcf00bc7cf4050b1de9adf2b90e99d8608c48e2dfee40a0f7511d

SHA512
b545f2ad8bdb8df853875e5cc0c41396008e2d16dfeb055363d8bc29f35b5a8916c38b6969d7cdb8cd331fd3c3cbe7ffea0556d265962dcd5ad9078302e9c2af

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Local Storage\leveldb\LOG

Filesize
247B

MD5
d462746f6713967fa0a0d38cb0be733a

SHA1
e9787ea975089dfef309a6cd920adf532dcb48a5

SHA256
2793ab634a6b0a4cba56bf3d72d32333d22494a64b2c5d3cc8b3344bf4e01e7d

SHA512
fcd85cb659a355697fc26dcdc0e722b21d53463b1d1ecb7ddf19a1f1002b0c74a64c0c740a312cde0fc8c84ec89701e7e21e8362454cb3e9d21e46fbca2849db

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
300B

MD5
d97e8f7d6ee6b34242f9485e17a6bca8

SHA1
8dbd0c2ed50d47ed600b83f646da7519200d21a6

SHA256
e33569514d30bd41c97f81c8bc2ed11afc00cc7a2ddf5503e97c95adf3e499fd

SHA512
5a11bf6bfad1f409ea36604a9a0cb3ffa5a63065d363e859d26182e9e2008758e3cce8b20a18157834c1b23707bdfcb3ba8c5a2c05426629346629ffd6b85d77

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\Network Persistent State

Filesize
391B

MD5
40bae6de87274907ef9d18aad60daad6

SHA1
d20736b40f5c7551e5901e8ce72d27fe4795d1aa

SHA256
a7bd5e796a1a4418af7b65e13ece15b583a136e2b938dd5b9709e2bf276545fb

SHA512
5f7b7bff1690c06279f7e80864d4890037778e144756f0008204c7bff6638bd023baf380c725810bf58ee76ed9ee50baa5383b4a837b3c58a2e351773190b725

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Network\TransportSecurity

Filesize
188B

MD5
c218dd56f5007a52bae2c8e915c41ac7

SHA1
87df4dfc1c93a1bd091993aaee41c4beead03137

SHA256
24aa60583d4a34cb87ec7392c471cc3206d21b0348268c71c9ff4c6052629b99

SHA512
78457e804b2663ed90f3dcc245a936b74e75b2ae6496b57d4bac22527a214aed25831f9741a623a1f93a9bbc8a40d9009cfd098ada78ea63df0fc817b9200258

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Preferences

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\discord\component_crx_cache\oimompecagnajdejgnnjijobebaeigek_1.d9a253514b6a010dfc1916c55246797e5773f13844ea3ec2d25078e845fef760

Filesize
13.7MB

MD5
17c227679ab0ed29eae2192843b1802f

SHA1
cc78820a5be29fd58da8ef97f756b5331db3c13e

SHA256
d9a253514b6a010dfc1916c55246797e5773f13844ea3ec2d25078e845fef760

SHA512
7e33288afd65948a5752323441c42fcc437d7c12d1eaf7a9b6ae1995784d0771e15637f23cc6bc958e40ea870414543d67a27b4c20331fde93d5b6dc6a59cbaf

Download Submit
C:\Users\Admin\AppData\Roaming\discord\module_data\crashlogs\2024_09_03T19_39_31_450Z-0-events.log

Filesize
548B

MD5
0ef5f6fbc1ec51fc90a9919bb39fc6ef

SHA1
5daad7db9d76c54f4a513833db9debeccde588f1

SHA256
e0854bd76f9cd1c29c5dee0ce60f0c755982ec3b52434e630d090111168500d6

SHA512
cc4f25a2261b68efacb4128af4cbf4a1b5d670994a8c444919373f6042f73dbd1473d0b768494d1e7098d24f5ffa4a4c0ab3beebeacdd7408c9c9c1ffc71dac8

Download Submit
C:\Users\Admin\AppData\Roaming\discord\sentry\queue\queue.json

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Roaming\discord\sentry\scope_v3.json

Filesize
1KB

MD5
e1630a23ba3a09c590ed8833a04e47ac

SHA1
bb0ef04d66f4d90a99a1bd92bef6f63809a98298

SHA256
672ff911e31ce4454459ee650cae67f1a33ac081a0490f2a3db6884332f3e49b

SHA512
348f88a83802e2708e16aa9fc897870d27501ada7f34c2de6cecbcbf549926d3327a1e4843e79947f6f505e76ce28d02d5d0c43a5e49b9a2f10b6e88397a512b

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9161\d3dcompiler_47.dll

Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9161\vk_swiftshader.dll

Filesize
5.1MB

MD5
27c6460e166a151e804d7342fb678a45

SHA1
a56ef17674199be3bc70eb96d5fa47281df91e60

SHA256
2e131067eda5ad888a5a4c95da76e8c089dad1d423e9079959ab57825342a9f7

SHA512
d62316814b6a9215a237e055abdd8d7827ceb66c8dc1e400f9fcda21c0cd35a5f4f177ba4371416d5848df4ce832011c4fb51b62e4371aed928f63e442fa1dab

Download Submit
memory/356-3615-0x0000000000A10000-0x0000000000A1A000-memory.dmp

Filesize
40KB

Download
memory/864-191-0x0000000012440000-0x0000000012448000-memory.dmp

Filesize
32KB

Download
memory/864-194-0x0000000006040000-0x0000000006078000-memory.dmp

Filesize
224KB

Download
memory/864-9-0x0000000000BE0000-0x0000000000D56000-memory.dmp

Filesize
1.5MB

Download
memory/2300-231-0x0000000005410000-0x0000000005430000-memory.dmp

Filesize
128KB

Download
memory/3756-714-0x000002274F9C0000-0x000002274F9E2000-memory.dmp

Filesize
136KB

Download
memory/3756-718-0x000002274FB80000-0x000002274FBF6000-memory.dmp

Filesize
472KB

Download
memory/3756-884-0x000002274FA20000-0x000002274FA4A000-memory.dmp

Filesize
168KB

Download
memory/3756-903-0x000002274FA20000-0x000002274FA42000-memory.dmp

Filesize
136KB

Download
memory/4352-409-0x00007FFFDD4D0000-0x00007FFFDD4D1000-memory.dmp

Filesize
4KB

Download
memory/4352-408-0x00007FFFDD4C0000-0x00007FFFDD4C1000-memory.dmp

Filesize
4KB

Download