9c32f86e6dec3a31137bbb5f693a7f1fce28b73006980829bf8b4c9c6cb36ec0

Analysis

max time kernel
345s
max time network
360s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
03/09/2024, 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Starwolf_beta/Starwolf_beta.exe
Size

68.3MB
MD5

3ea1c457fe2bd92ffdcbd4b3b46ae0f8
SHA1

15a02ab314b69160e1573e96a582500d18426f7e
SHA256

00cf81d3004efd89a47d5edb042969205342d90ea6c7b0f7bc1e4069865e73ff
SHA512

403c91011968cedc41eec75c16294c0062238b11051cf9f2d461d5866ddea54c81cecf8685f6c59d1c86493e52b66e4d9a05cbde7f34cdda2fc3bd46f47d227c
SSDEEP

393216:PyT3YGojrsBEnP4XrqSFM+FcrONRtgZJ93AEMQu58EISEhoIaE2FShMzTVA+BDE0:PWeBZ6QxhUDE52O26rsxciz/WyW/ZyVH

Score

9^/10

credential_access discovery execution persistence spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\International\Geo\Nation	Starwolf_beta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\International\Geo\Nation	Starwolf_beta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\International\Geo\Nation	Discord.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Starwolf_beta.exe	Starwolf_beta.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Starwolf_beta.exe	Starwolf_beta.exe

Executes dropped EXE 9 IoCs

pid	Process
3984	screenCapture_1.3.2.exe
4500	Update.exe
4032	Discord.exe
1744	Discord.exe
4964	Update.exe
2208	Discord.exe
3092	Discord.exe
4184	Update.exe
2844	screenCapture_1.3.2.exe

Loads dropped DLL 14 IoCs

pid	Process
4144	Starwolf_beta.exe
4144	Starwolf_beta.exe
4032	Discord.exe
1744	Discord.exe
2208	Discord.exe
2208	Discord.exe
2208	Discord.exe
2208	Discord.exe
2208	Discord.exe
3092	Discord.exe
4148	Starwolf_beta.exe
4148	Starwolf_beta.exe
216	Starwolf_beta.exe
216	Starwolf_beta.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\Discord = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe"	reg.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 46 IoCs

Run Powershell to get system information.

execution

PowerShell

T1059.001

pid	Process
4400	powershell.exe
4912	powershell.exe
3672	powershell.exe
2844	powershell.exe
5020	powershell.exe
1828	powershell.exe
1300	powershell.exe
1688	powershell.exe
5032	powershell.exe
4504	powershell.exe
2444	powershell.exe
3832	powershell.exe
3832	powershell.exe
2008	powershell.exe
1996	powershell.exe
2740	powershell.exe
4492	powershell.exe
3704	powershell.exe
1372	powershell.exe
4540	powershell.exe
2912	powershell.exe
3312	powershell.exe
1340	powershell.exe
1660	powershell.exe
4544	powershell.exe
5004	powershell.exe
2052	powershell.exe
2956	powershell.exe
4384	powershell.exe
2952	powershell.exe
1184	powershell.exe
3700	powershell.exe
4612	powershell.exe
3484	powershell.exe
4384	powershell.exe
4812	powershell.exe
2684	powershell.exe
3580	powershell.exe
988	powershell.exe
1088	powershell.exe
4960	powershell.exe
664	powershell.exe
3312	powershell.exe
4280	powershell.exe
5096	powershell.exe
1020	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Discord	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Discord\URL Protocol	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Discord\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Discord\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9161\\Discord.exe\" --url -- \"%1\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Discord\ = "URL:Discord Protocol"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Discord\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Discord\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9161\\Discord.exe\",-1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Discord\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Discord\shell	reg.exe

Modifies registry key 1 TTPs 5 IoCs

Modify Registry

T1112

pid	Process
2824	reg.exe
824	reg.exe
4368	reg.exe
3832	reg.exe
2296	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4540	powershell.exe
4540	powershell.exe
4540	powershell.exe
3832	powershell.exe
3832	powershell.exe
3832	powershell.exe
2844	powershell.exe
2844	powershell.exe
2844	powershell.exe
5004	powershell.exe
5004	powershell.exe
5004	powershell.exe
5020	powershell.exe
5020	powershell.exe
5020	powershell.exe
1088	powershell.exe
1088	powershell.exe
1088	powershell.exe
1184	powershell.exe
1184	powershell.exe
1184	powershell.exe
3700	powershell.exe
3700	powershell.exe
3700	powershell.exe
3832	powershell.exe
3832	powershell.exe
3832	powershell.exe
4384	powershell.exe
4384	powershell.exe
4384	powershell.exe
1828	powershell.exe
1828	powershell.exe
1828	powershell.exe
1300	powershell.exe
1300	powershell.exe
1300	powershell.exe
2912	powershell.exe
2912	powershell.exe
2912	powershell.exe
4812	powershell.exe
4812	powershell.exe
4812	powershell.exe
2684	powershell.exe
2684	powershell.exe
2684	powershell.exe
2008	powershell.exe
2008	powershell.exe
2008	powershell.exe
1688	powershell.exe
1688	powershell.exe
1688	powershell.exe
5096	powershell.exe
5096	powershell.exe
5096	powershell.exe
4612	powershell.exe
4612	powershell.exe
4612	powershell.exe
1996	powershell.exe
1996	powershell.exe
1996	powershell.exe
4960	powershell.exe
4960	powershell.exe
4960	powershell.exe
3312	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeIncreaseQuotaPrivilege	4540	powershell.exe
Token: SeSecurityPrivilege	4540	powershell.exe
Token: SeTakeOwnershipPrivilege	4540	powershell.exe
Token: SeLoadDriverPrivilege	4540	powershell.exe
Token: SeSystemProfilePrivilege	4540	powershell.exe
Token: SeSystemtimePrivilege	4540	powershell.exe
Token: SeProfSingleProcessPrivilege	4540	powershell.exe
Token: SeIncBasePriorityPrivilege	4540	powershell.exe
Token: SeCreatePagefilePrivilege	4540	powershell.exe
Token: SeBackupPrivilege	4540	powershell.exe
Token: SeRestorePrivilege	4540	powershell.exe
Token: SeShutdownPrivilege	4540	powershell.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeSystemEnvironmentPrivilege	4540	powershell.exe
Token: SeRemoteShutdownPrivilege	4540	powershell.exe
Token: SeUndockPrivilege	4540	powershell.exe
Token: SeManageVolumePrivilege	4540	powershell.exe
Token: 33	4540	powershell.exe
Token: 34	4540	powershell.exe
Token: 35	4540	powershell.exe
Token: 36	4540	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeIncreaseQuotaPrivilege	3832	powershell.exe
Token: SeSecurityPrivilege	3832	powershell.exe
Token: SeTakeOwnershipPrivilege	3832	powershell.exe
Token: SeLoadDriverPrivilege	3832	powershell.exe
Token: SeSystemProfilePrivilege	3832	powershell.exe
Token: SeSystemtimePrivilege	3832	powershell.exe
Token: SeProfSingleProcessPrivilege	3832	powershell.exe
Token: SeIncBasePriorityPrivilege	3832	powershell.exe
Token: SeCreatePagefilePrivilege	3832	powershell.exe
Token: SeBackupPrivilege	3832	powershell.exe
Token: SeRestorePrivilege	3832	powershell.exe
Token: SeShutdownPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeSystemEnvironmentPrivilege	3832	powershell.exe
Token: SeRemoteShutdownPrivilege	3832	powershell.exe
Token: SeUndockPrivilege	3832	powershell.exe
Token: SeManageVolumePrivilege	3832	powershell.exe
Token: 33	3832	powershell.exe
Token: 34	3832	powershell.exe
Token: 35	3832	powershell.exe
Token: 36	3832	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeIncreaseQuotaPrivilege	2844	powershell.exe
Token: SeSecurityPrivilege	2844	powershell.exe
Token: SeTakeOwnershipPrivilege	2844	powershell.exe
Token: SeLoadDriverPrivilege	2844	powershell.exe
Token: SeSystemProfilePrivilege	2844	powershell.exe
Token: SeSystemtimePrivilege	2844	powershell.exe
Token: SeProfSingleProcessPrivilege	2844	powershell.exe
Token: SeIncBasePriorityPrivilege	2844	powershell.exe
Token: SeCreatePagefilePrivilege	2844	powershell.exe
Token: SeBackupPrivilege	2844	powershell.exe
Token: SeRestorePrivilege	2844	powershell.exe
Token: SeShutdownPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeSystemEnvironmentPrivilege	2844	powershell.exe
Token: SeRemoteShutdownPrivilege	2844	powershell.exe
Token: SeUndockPrivilege	2844	powershell.exe
Token: SeManageVolumePrivilege	2844	powershell.exe
Token: 33	2844	powershell.exe
Token: 34	2844	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4500	Update.exe
4184	Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 4540	4144	Starwolf_beta.exe	71
PID 4144 wrote to memory of 4540	4144	Starwolf_beta.exe	71
PID 4144 wrote to memory of 3832	4144	Starwolf_beta.exe	74
PID 4144 wrote to memory of 3832	4144	Starwolf_beta.exe	74
PID 4144 wrote to memory of 2844	4144	Starwolf_beta.exe	76
PID 4144 wrote to memory of 2844	4144	Starwolf_beta.exe	76
PID 4144 wrote to memory of 5004	4144	Starwolf_beta.exe	78
PID 4144 wrote to memory of 5004	4144	Starwolf_beta.exe	78
PID 4144 wrote to memory of 5020	4144	Starwolf_beta.exe	80
PID 4144 wrote to memory of 5020	4144	Starwolf_beta.exe	80
PID 4144 wrote to memory of 1088	4144	Starwolf_beta.exe	82
PID 4144 wrote to memory of 1088	4144	Starwolf_beta.exe	82
PID 4144 wrote to memory of 1184	4144	Starwolf_beta.exe	84
PID 4144 wrote to memory of 1184	4144	Starwolf_beta.exe	84
PID 4144 wrote to memory of 3700	4144	Starwolf_beta.exe	86
PID 4144 wrote to memory of 3700	4144	Starwolf_beta.exe	86
PID 4144 wrote to memory of 3832	4144	Starwolf_beta.exe	88
PID 4144 wrote to memory of 3832	4144	Starwolf_beta.exe	88
PID 4144 wrote to memory of 4384	4144	Starwolf_beta.exe	90
PID 4144 wrote to memory of 4384	4144	Starwolf_beta.exe	90
PID 4144 wrote to memory of 1828	4144	Starwolf_beta.exe	92
PID 4144 wrote to memory of 1828	4144	Starwolf_beta.exe	92
PID 4144 wrote to memory of 1300	4144	Starwolf_beta.exe	94
PID 4144 wrote to memory of 1300	4144	Starwolf_beta.exe	94
PID 4144 wrote to memory of 2912	4144	Starwolf_beta.exe	96
PID 4144 wrote to memory of 2912	4144	Starwolf_beta.exe	96
PID 4144 wrote to memory of 4812	4144	Starwolf_beta.exe	98
PID 4144 wrote to memory of 4812	4144	Starwolf_beta.exe	98
PID 4144 wrote to memory of 4240	4144	Starwolf_beta.exe	100
PID 4144 wrote to memory of 4240	4144	Starwolf_beta.exe	100
PID 4240 wrote to memory of 2544	4240	cmd.exe	102
PID 4240 wrote to memory of 2544	4240	cmd.exe	102
PID 4240 wrote to memory of 2544	4240	cmd.exe	102
PID 2544 wrote to memory of 4400	2544	csc.exe	103
PID 2544 wrote to memory of 4400	2544	csc.exe	103
PID 2544 wrote to memory of 4400	2544	csc.exe	103
PID 4240 wrote to memory of 3984	4240	cmd.exe	104
PID 4240 wrote to memory of 3984	4240	cmd.exe	104
PID 4144 wrote to memory of 2684	4144	Starwolf_beta.exe	105
PID 4144 wrote to memory of 2684	4144	Starwolf_beta.exe	105
PID 4144 wrote to memory of 2008	4144	Starwolf_beta.exe	107
PID 4144 wrote to memory of 2008	4144	Starwolf_beta.exe	107
PID 4144 wrote to memory of 1688	4144	Starwolf_beta.exe	109
PID 4144 wrote to memory of 1688	4144	Starwolf_beta.exe	109
PID 4144 wrote to memory of 1012	4144	Starwolf_beta.exe	111
PID 4144 wrote to memory of 1012	4144	Starwolf_beta.exe	111
PID 1012 wrote to memory of 5096	1012	cmd.exe	112
PID 1012 wrote to memory of 5096	1012	cmd.exe	112
PID 1764 wrote to memory of 4500	1764	DiscordSetup.exe	119
PID 1764 wrote to memory of 4500	1764	DiscordSetup.exe	119
PID 1764 wrote to memory of 4500	1764	DiscordSetup.exe	119
PID 4500 wrote to memory of 4032	4500	Update.exe	120
PID 4500 wrote to memory of 4032	4500	Update.exe	120
PID 4032 wrote to memory of 1744	4032	Discord.exe	121
PID 4032 wrote to memory of 1744	4032	Discord.exe	121
PID 4032 wrote to memory of 4964	4032	Discord.exe	122
PID 4032 wrote to memory of 4964	4032	Discord.exe	122
PID 4032 wrote to memory of 4964	4032	Discord.exe	122
PID 4032 wrote to memory of 2208	4032	Discord.exe	123
PID 4032 wrote to memory of 2208	4032	Discord.exe	123
PID 4032 wrote to memory of 2208	4032	Discord.exe	123
PID 4032 wrote to memory of 2208	4032	Discord.exe	123
PID 4032 wrote to memory of 2208	4032	Discord.exe	123
PID 4032 wrote to memory of 2208	4032	Discord.exe	123

C:\Users\Admin\AppData\Local\Temp\Starwolf_beta\Starwolf_beta.exe
"C:\Users\Admin\AppData\Local\Temp\Starwolf_beta\Starwolf_beta.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202483-4144-184cs9q.z0z2e.jpg" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4240
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /nologo /r:"Microsoft.VisualBasic.dll" /win32manifest:"app.manifest" /out:"screenCapture_1.3.2.exe" "C:\Users\Admin\AppData\Local\Temp\SCREEN~1\SCREEN~1.BAT"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES677F.tmp" "c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCAAAD8627722D4F69A6EC35F2DC599B.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4400
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202483-4144-184cs9q.z0z2e.jpg"
    3⤵
    - Executes dropped EXE
    PID:3984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1688
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('The application was unable to start correctly (0xc000007b). Click OK to close the application.', 'Application Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('The application was unable to start correctly (0xc000007b). Click OK to close the application.', 'Application Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:5096

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\Starwolf_beta\DiscordSetup.exe
"C:\Users\Admin\AppData\Local\Temp\Starwolf_beta\DiscordSetup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe
    "C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe" --squirrel-install 1.0.9161
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe
      C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9161 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=30.2.0 --initial-client-data=0x4e4,0x4e8,0x4ec,0x4e0,0x4f0,0x7ff78bddf218,0x7ff78bddf224,0x7ff78bddf230
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1744
  - - C:\Users\Admin\AppData\Local\Discord\Update.exe
      C:\Users\Admin\AppData\Local\Discord\Update.exe --createShortcut Discord.exe --setupIcon C:\Users\Admin\AppData\Local\Discord\app.ico
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4964
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1984,i,12493616305352386742,15116786571626566990,262144 --enable-features=kWebSQLAccess --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1976 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2208
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --field-trial-handle=2576,i,12493616305352386742,15116786571626566990,262144 --enable-features=kWebSQLAccess --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2692 /prefetch:3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3092
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "\"C:\Users\Admin\AppData\Local\Discord\Update.exe\" --processStart Discord.exe" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:3832
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
      4⤵
      Modifies registry class
      Modifies registry key
      PID:2296
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
      4⤵
      Modifies registry class
      Modifies registry key
      PID:2824
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe\",-1" /f
      4⤵
      Modifies registry class
      Modifies registry key
      PID:824
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\Discord.exe\" --url -- \"%1\"" /f
      4⤵
      Modifies registry class
      Modifies registry key
      PID:4368

C:\Users\Admin\AppData\Local\Temp\Starwolf_beta\Starwolf_beta.exe
"C:\Users\Admin\AppData\Local\Temp\Starwolf_beta\Starwolf_beta.exe"
1⤵
- Loads dropped DLL
PID:4148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1340

C:\Users\Admin\AppData\Local\Temp\Starwolf_beta\DiscordSetup.exe
"C:\Users\Admin\AppData\Local\Temp\Starwolf_beta\DiscordSetup.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:988
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:4184

C:\Users\Admin\AppData\Local\Temp\Starwolf_beta\Starwolf_beta.exe
"C:\Users\Admin\AppData\Local\Temp\Starwolf_beta\Starwolf_beta.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
PID:216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:5032
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat" "C:\Users\Admin\AppData\Local\Temp\202483-216-od2uhg.o1li.jpg" "
  2⤵
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe
    screenCapture_1.3.2.exe "C:\Users\Admin\AppData\Local\Temp\202483-216-od2uhg.o1li.jpg"
    3⤵
    - Executes dropped EXE
    PID:2844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe /c "Get-CimInstance -className win32_process | select Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('The application was unable to start correctly (0xc000007b). Click OK to close the application.', 'Application Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}""
  2⤵
  PID:3616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('The application was unable to start correctly (0xc000007b). Click OK to close the application.', 'Application Error', [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Error)}"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\app.ico

Filesize
278KB

MD5
084f9bc0136f779f82bea88b5c38a358

SHA1
64f210b7888e5474c3aabcb602d895d58929b451

SHA256
dfcea1bea8a924252d507d0316d8cf38efc61cf1314e47dca3eb723f47d5fe43

SHA512
65bccb3e1d4849b61c68716831578300b20dcaf1cbc155512edbc6d73dccbaf6e5495d4f95d089ee496f8e080057b7097a628cc104fa8eaad8da866891d9e3eb

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\chrome_100_percent.pak

Filesize
146KB

MD5
6c2827fe702f454c8452a72ea0faf53c

SHA1
881f297efcbabfa52dd4cfe5bd2433a5568cc564

SHA256
2fb9826a1b43c84c08f26c4b4556c6520f8f5eef8ab1c83011031eb2d83d6663

SHA512
5619ad3fca8ea51b24ea759f42685c8dc7769dd3b8774d8be1917e0a25fa17e8a544f6882617b4faa63c6c4f29844b515d07db965c8ea50d5d491cdda7281fc5

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\chrome_200_percent.pak

Filesize
220KB

MD5
77088f98a0f7ea522795baec5c930d03

SHA1
9b272f152e19c478fcbd7eacf7356c3d601350ed

SHA256
83d9243037b2f7e62d0fdfce19ca72e488c18e9691961e2d191e84fb3f2f7a5d

SHA512
5b19115422d3133e81f17eedbacee4c8e140970120419d6bbfe0e99cf5528d513eea6583548fa8a6259b260d73fab77758ad95137b61fe9056101dd5772e8f4a

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\icudtl.dat

Filesize
10.2MB

MD5
74bded81ce10a426df54da39cfa132ff

SHA1
eb26bcc7d24be42bd8cfbded53bd62d605989bbf

SHA256
7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9

SHA512
bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\locales\en-US.pak

Filesize
443KB

MD5
88bbc725e7eedf18ef1e54e98f86f696

SHA1
831d6402443fc366758f478e55647a9baa0aa42f

SHA256
95fd54494d992d46e72dad420ceee86e170527b94d77bfaaa2bfc01f83902795

SHA512
92a5c6cfc2d88272bb5144e7ee5c48337f2c42083bc9777506b738e3bcb8f5a2c34af00c4ccc63b24fb158c79f69e7205b398c9e22634dae554410450978a2c4

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\resources.pak

Filesize
5.1MB

MD5
db3fa7a7f7af66bbb73c1c0a46187572

SHA1
5c6f2b5c01a20f204bb67f28a907dec4cd98bce8

SHA256
0e114f6464cecae87988c1dd65ea1bc939681fee6415d343e947a5889717165f

SHA512
e639e96c36fa67dfdc7098c7d6863ee421a2de9fa49630038e8abf4f152b03e0bbb80eee0d40a68cac5a48bfa75f0cc3542c1170dd65ab1bf5626450f803d410

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\resources\app.asar

Filesize
7.6MB

MD5
5858be90a23a3bb63426ce1a5a7d9066

SHA1
8c6b4f37a9a04cfee54d7ad2dcee5f42d678d572

SHA256
78880e2db0ca22d389f31e1f0983a5979fec82ec5af28462fb84b584ec7a339c

SHA512
51eceaa5e529453e50b800d14790ce7ffc8edf192720c20ba49a27f9384a88bb2a8e00c335b5a6efe223518136338a314f0c20aa093791093a3e23e56a42115f

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\resources\build_info.json

Filesize
83B

MD5
2c6c10a638a35de9148aeea6e07bdc4d

SHA1
4e2e77e017251693d6fdd3e665f324b4b8884ed4

SHA256
47d7896ea98ef87cce794498cacfeb8b2276ac8647b025b28179bda3ad5fc0da

SHA512
d460dab2e0c1752049533c47276a5f3ff4d13903654e9a8708e60a9cbb690a90a0167892acad539f1122da824b2bb10cb2cb11f7de7d89434d642e97e2cd6a33

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9161\v8_context_snapshot.bin

Filesize
641KB

MD5
b1b09c057d365720ad26151066bf160c

SHA1
7bbf976150e9b63acd4aea4223085818445f7dfc

SHA256
0b239cf5ab92a27cfa087b49e6dc943e0c674b62cea643cff2130e1c2f8db31c

SHA512
ad4cbce2e8f367cff9b8b8ca56d1b6b833c3293dd55c1279732abda493b3a366efbefa67d75ab0ba6b93ca0a7545475728f9dc09bda9460ecf13f53f137a9b77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
128b5c395d2956830809b9b9e5c65b5e

SHA1
34603e22e3daf2379fd6f15c0af9980757ffd97c

SHA256
7e5984cbfd4e429dc8c98159d0f65c514e8e4ab09fb39280999bcce59cc5a93f

SHA512
749f11e940d35e17af95d336a6accf88e5a69cd73b028ed23dbae07f38de30b748a324c6e390b1d87abac03df530a992d04879de079f5323fb78de61fb8ee9d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
36b4cdf68432294f728845fa891886ad

SHA1
36782b0d439538ba50fd4dfbb8905d9d3712080e

SHA256
e73d19dd5195097f1ead7cd5f45040abeb4fe326b40169f140e6834bcc6461ae

SHA512
4006ee03fcdb1337d89435f6261b276e943234a87dbfa049b9d04165ca34a2e2bcbc9a421176a84c5a1921808ca419a378a9a8595af82b651ff861ec7869841a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3eb69485371d641af9c57b141083ea28

SHA1
fc041684b5e8f416d40a905c33a59aefedf630ff

SHA256
acad2cab5022489e351f1e1e93c24f278e37915baff44c0357084f4129b0cca8

SHA512
24fe50c8a89ac230e9c9f60c073c8c826b1bec9f5d52b1182b7b7c5105e9ec8bcf0f3bcfcabbfb30087cc4ad4301a4df39e743b1b51c78764c54215fbcbf2ea0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
598165051d19a4839afbb221744b0467

SHA1
5686bb3acd160dc3c78f8f4fc44fc51e651a1423

SHA256
f8e641f00aa62b8546a1c931787e95d30f94efbedcdd180f42678d17ded23b3b

SHA512
8d28bf43b1967c0cc6d7c8096fc69fb9bcb6f85e75f6dd21f4b7cc06419b16e3952383557ce943c0ea93924b98c740de44f39aa0face9785ff1bd09f639068be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e6baba816e8e3c9c1df4a27726aedff6

SHA1
b39e36ca66edb5046f917c15b42bbb3d01380e08

SHA256
0c3a2f44c069bca0de3c62975921bf3cff86f76fc3ea01c316cbd54120555722

SHA512
5915958802307fad5cc766fe47c26951941e2753ccbe8bb2397d6a730e8033ab20640fd4c36fcadf7ef36af3718cf5318c78e85b258c4b617fd9ea1972d1eb98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5588e3ec662dd76f0d1b9071a960256c

SHA1
c1472d828a9ffccdc724ab234ca92a603c7904af

SHA256
8ec988b744574e6f8728ddee4b4fd4ed1d94a3716f160250781f7efbf75f5e1d

SHA512
c2ce9cf198b41645f09024551c1e656ecb9f8740a7e62e23b0cbb1c1526a2e6f5dd94e8642c9863cdb67698a0fc5e04fadaa9de751556c9412e8e4b53c63b7eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
08159b604b56f97e848b9b3bad124f0a

SHA1
62d225090ce9ac8af5f80fc8ea8435bd0e8fcc80

SHA256
ab881c2209a1a4a72368a4cb91a5fd6cf4e9fc254e27f48d2526860dc773c292

SHA512
8cf045fdf4c0e0f246621e4cdb5ed553cf921f2194b50dbb21e4595dddc931d2d70291a0bf3f00880b0a0d4f9f9f9cef3394b2a0444f7320fec0071249707a28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0d24733cc094bdb0552d8e502d0b75f1

SHA1
c93ff0f7b22e2735a10e103334e94dd741454728

SHA256
c269795dd4b65d82e4348c49e8213e4fa688e22babbc3e9e7f18ea4335594861

SHA512
592c9cc782185a8108b210a7efbfffbfae29abf9b82377872509134960961c3a93a71e67ebcb891c005fef4825b74886b678af4e1ddfbbb86f631a409eb79af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e68b45b1694094f0f07b9f6f231bcdf7

SHA1
e05595492aaee09b36fb1c8f78fe3161f56ad582

SHA256
4d35f7b5e1b2b3e2433887515681286673bdd00747947e3b51ab05900373ccc8

SHA512
5e6b76954cd98e3979da7547881448c162c0d7d83df206fed128aa79acb3dba677fad3fe488aaa09a6f0d85095f505c24d1b7ad967e690fd3d50683d26acbf95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8ea38080bc1f0f49bb679c9300ce79eb

SHA1
aa996a96bf5dc96260e85d5b73f1198d2250585c

SHA256
87f5e8a94f6997e44fcf3b413aba7840795eaf8f208927753994460454aa8fb6

SHA512
9ea08777bda40cc3f0300bdf326ef0a254c33a0bae4acc44f6bd1f6eb7abcaef9d313942565796fc64ed13ab127305a4c798369517d27a408f36bcc8724e599b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
48fb1c5db5f2cd4286aec8166787372f

SHA1
b70abc88c4bbebd429b91d6c32e3acb0e2f79dd5

SHA256
5c368493c507550f0402ab42bfa1e3cf38ee1bc8adcfe345d447e440e978fdbb

SHA512
4102db83dbcded4e810fd9e7acad55c089ff207b81c74e664c44a6be788b476d39219ac33341f6b028816836d4dc73485800edf27167b63f89dbb468bf7c3592

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2d0fa0ac38ad40535345d987a2fd13e5

SHA1
dc3c2836db5c897d35ff875be4f7ad3b16903936

SHA256
0bb63ff7dbfdcee16888445becad6aae01ddc50e20275d6433dab0e6bd18a6e0

SHA512
a329d87b7b953c820aa81b0669581ae72323b51e1f6941b2285e6568ee28b144db55fdef5dd966f0e55a058a87c176e4bb5b62a809106e11fd25967fb85b9b07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e5e86597f7ab9834d2ab17198b62f045

SHA1
dde7e6aaba7da65ae9fb5be1de684ff1957e2a00

SHA256
8c8ab2e109389e3fe7b9949f6d4928b433e758163ac6468eeaadb056d4332c62

SHA512
0f87e73c9f278ceeb2f0e9fb36d234698d81ea278ffc2bbced9cf6eed840b044c9ca90457bd7b8cca3fefa6e00367d70ad8cc0f47c25f265f3ccb364ec7a5dc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
06b5cb1bd7b331a2f5da03b9e179c469

SHA1
e1a2a5d588bb0996dd796d4e8185550ce5db59c7

SHA256
827f1108d9f5ead53956e8adf1970ee3be75180bd7aa597daa6945c91365b320

SHA512
52887a361e258cd6066f44f270175b2b236f9a7fd2e121e2978d0651c4625f1742b4bf1741c250cf01dc6eaaad5d76bae9ec3f36d61864371f7f32f9c64748c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
dd2b3ba1c8ef6162a1794183a934d171

SHA1
040deabf323b3123219596f45d7cdb67aacb21d1

SHA256
9f455c8c70ede14e0033bbff681c0514aaab76e29d06670a8194f11de39790a8

SHA512
13a2cea10c2b9e89800716d9b12e1297333bbb88ff363f08e6ed7ae1623fdc79923238e4443869abc9e3fd47fbcfec26e0b65a54a8e3cb276b75b9b5d61392a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ba00a58fe1f617aef9b03d9ebaaef550

SHA1
c44a7bc80cb24e5530ccce2a8ec99544912e6227

SHA256
f6f174a9951fe27b8d831a5baa1601ed9d4edf4f214f5a496227d6a4e44ee072

SHA512
790bc79ef7d9893f8de2cee570d66d2b5692922ef73286435d9501b8d01486311a09dd9c4dd38182307ec59d6183624d3bc9718bfa66cef493391e260deecc08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9c68ec6ae7a2a906c3e41ac5f93ae096

SHA1
d1839a4c4363f016f9bb7dbd0bc8031256e84dee

SHA256
016b80384f617a862a56caf32d14cdd2b1ce8b4a02f5ca9358c012cdaa60fab6

SHA512
5e4d86f29d92c8ae8bd47a1a7b508cc9114271e5493a07583353a57481655650589b29c376345cc4030590da858cbde8440b293ad083c29081c8afc03cf186e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
64501173b5256a9ec8f0cb74ff3871c5

SHA1
39f35297b2ec062649178e12c45ecdd1bb5cc1a6

SHA256
87a276795f686f75cb007717c7d9bfc591f747eca9f0fb03e33a73c6a8026138

SHA512
18dcf31842a6c875a7a323556b2fc8c079adfa1d8123ebc2ab8af5fc82cc10a269ba47698947505d1431f4269e3e824ec76308762f0b0ec573a5e8f317ecb480

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
81B

MD5
788686205f4868893057541ecd48328e

SHA1
6088c9df47a7f68b1c75170d4b55e787d115f411

SHA256
d378962173ae4b4b27e07f9d243833d7327e93c0f261a01995f0db61a1a94eba

SHA512
e7a56d905bbb57bae9bc8068d1102e382b1ab2cb4d99da20ad9d68295926d66b1cf69b54d99bd2a5306ce3dd34f52c7d11905716ebb1acad8866d04636190f75

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.5MB

MD5
771974507467d78570b821f76626cf04

SHA1
2e8994c3f137d81e61eafa717ff234355e9053a9

SHA256
679f99c88d254feb46909c017d5a00d22adc508ecf62378e126d258b74f09a83

SHA512
17dea568b740346f4a9167a073b5bc874582945c44a6527c8651c4ead64214ed93d9c15636251e097a7ee5d35df93b67367cbafe1c435a40064be07cb5166426

Download Submit
C:\Users\Admin\AppData\Local\Temp\04d5b0e6-9f5d-44d1-90ed-0f7c5683f211.zip

Filesize
45KB

MD5
b87965a2d55344d8589e911d232cd3cd

SHA1
56692002d039d6bfa4f69188f1dd9c4bdb0adcd9

SHA256
359a3812c8c457d5787f9065ac6be1f18977e1ada158a5e93014dec55f584257

SHA512
43e87992339b0776e09d487f6603f7378ba17af5ee4fce25c58c40ab52efdd6652717410b42100d80afcf3bc991ebec34422438403ae1c8b23a493e6e405a951

Download Submit
C:\Users\Admin\AppData\Local\Temp\202483-4144-184cs9q.z0z2e.jpg

Filesize
61KB

MD5
12108cf07297b17f40e863ee408a29af

SHA1
f32b9c6429b8dec509a6807846caaab35e726ea8

SHA256
58ee6d954099b31efa95bc88e34cb2583fd616eb971d9242d34d892df56ec038

SHA512
3099eec1483b9727bf5a614fc0598db9278a3cfc8cfb3c5f2210bdccc57b9ba23e9c1946bb8ac1e4202a720e41ae8ec3ca0e2c9622b2bd22fdfd326b0b64007a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES677F.tmp

Filesize
1KB

MD5
47bbb829b03149204f16aa4f23b6b683

SHA1
60240e9956e8d58332a6e04b1b6fb54842bff592

SHA256
99132ef13b0af7fb6fb2162167dbb1a1b5f0004b748d595eed9ca95216cbdc44

SHA512
cfe6bde8b295fb8b482baed58391adf75e4b7f29e372a1540465707f8bc3574446a92d37a62a3b77e397f7d7fb33d626fd87640df2532b1c5920930f35aa3713

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_am5b04ei.qyt.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba8fa3e7-a885-48eb-b4b7-e51bfd727550.zip

Filesize
52KB

MD5
59e026ec0483c0dea5dc94905311a7c2

SHA1
b2a6c2c0d486263cd01fc938389e288bf08fb636

SHA256
ff8a2a8719d975b0fed0732109bea68f21fdabf47f84a71e3519d63161824cc1

SHA512
d831df47f61dd9bd569a22093ed87e03ddce2154283fa639675b369ab443020618440e66c0233c9affd1029f40e19320a1a319d0987abfb8fce41696dce74d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba8fa3e7-a885-48eb-b4b7-e51bfd727550\screenshot.png

Filesize
70KB

MD5
277f89e83deb497b57c1ec5240d14ca3

SHA1
cb7ea2fb5a2d32d11bf2ede4009443f4519b60a0

SHA256
fced718ee33d97f29c2b7fd185289e549205895fc26af94111047e271ed6c41c

SHA512
bf87d6e3ffca2c38f4446647ae579334993df06b767b47042b54ee5e0a68868db224a7b94779b79b2127e2f68dd48924c06f1ee82c3090136ad9ffdfdd9a8576

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.bat

Filesize
13KB

MD5
da0f40d84d72ae3e9324ad9a040a2e58

SHA1
4ca7f6f90fb67dce8470b67010aa19aa0fd6253f

SHA256
818350a4fb4146072a25f0467c5c99571c854d58bec30330e7db343bceca008b

SHA512
30b7d4921f39c2601d94a3e3bb0e3be79b4b7b505e52523d2562f2e2f32154d555a593df87a71cddb61b98403265f42e0d6705950b37a155dc1d64113c719fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\screenCapture\screenCapture_1.3.2.exe

Filesize
12KB

MD5
263b4af207b13498dcce93053f70708b

SHA1
fb85bcbdd1632a97994639a0632b5c5e44eeadf0

SHA256
7829375a84ea92733db2bf9cebb4366a8ee7f433bead44db3f0731dc32c138dc

SHA512
05527642141c743a5a8a1e8f60c412b6abd3623c74ccc9f7135fb9a116a73194448ca4f0d6530cf1bde00cd2400652f830977e6deaad54ddf2ffa00eb490581f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\CSCAAAD8627722D4F69A6EC35F2DC599B.TMP

Filesize
1KB

MD5
a6f2d21624678f54a2abed46e9f3ab17

SHA1
a2a6f07684c79719007d434cbd1cd2164565734a

SHA256
ab96911d094b6070cbfb48e07407371ddb41b86e36628b6a10cdb11478192344

SHA512
0b286df41c3887eecff5c38cbd6818078313b555ef001151b41ac11b80466b2f4f39da518ab9c51eeff35295cb39d52824de13e026c35270917d7274f764c676

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\screenCapture\app.manifest

Filesize
350B

MD5
8951565428aa6644f1505edb592ab38f

SHA1
9c4bee78e7338f4f8b2c8b6c0e187f43cfe88bf2

SHA256
8814db9e125d0c2b7489f8c7c3e95adf41f992d4397ed718bda8573cb8fb0e83

SHA512
7577bad37b67bf13a0d7f9b8b7d6c077ecdfb81a5bee94e06dc99e84cb20db2d568f74d1bb2cef906470b4f6859e00214beacca7d82e2b99126d27820bf3b8f5

Download Submit
\Users\Admin\.cache\pkg\da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd\@primno\dpapi\prebuilds\win32-x64\node.napi.node

Filesize
137KB

MD5
04bfbfec8db966420fe4c7b85ebb506a

SHA1
939bb742a354a92e1dcd3661a62d69e48030a335

SHA256
da2172ce055fa47d6a0ea1c90654f530abed33f69a74d52fab06c4c7653b48fd

SHA512
4ea97a9a120ed5bee8638e0a69561c2159fc3769062d7102167b0e92b4f1a5c002a761bd104282425f6cee8d0e39dbe7e12ad4e4a38570c3f90f31b65072dd65

Download Submit
\Users\Admin\.cache\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

Filesize
1.8MB

MD5
66a65322c9d362a23cf3d3f7735d5430

SHA1
ed59f3e4b0b16b759b866ef7293d26a1512b952e

SHA256
f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

SHA512
0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9161\d3dcompiler_47.dll

Filesize
4.7MB

MD5
a7b7470c347f84365ffe1b2072b4f95c

SHA1
57a96f6fb326ba65b7f7016242132b3f9464c7a3

SHA256
af7b99be1b8770c0e4d18e43b04e81d11bdeb667fa6b07ade7a88f4c5676bf9a

SHA512
83391a219631f750499fd9642d59ec80fb377c378997b302d10762e83325551bb97c1086b181fff0521b1ca933e518eab71a44a3578a23691f215ebb1dce463d

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9161\ffmpeg.dll

Filesize
3.9MB

MD5
8462e861bd73fccc5eb018d1be18eb0d

SHA1
305689b0d7a17cca0ee634faef943459fb7f1e7b

SHA256
20c45a0e40ee9f7be0d0b674b1185547dc6dfc575291d64f5f30eefe9d425e60

SHA512
eeec3474df0af857d6678e5eea0e2ef06858cd642714a7a647be935219efe91e68a81d015f1bbc8e55f8c782601b7a9fd7329747c2f696cf761ffb91a5ffce3f

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9161\libEGL.dll

Filesize
486KB

MD5
9a2ad1877a1deb964505a24e2c315082

SHA1
1acafe8e4641d8ee3d16a88c39057a8e483a254a

SHA256
c71d6fd3c0008699d1cd542cf364c08bbae1185ecb9731bd64c07e204255bcef

SHA512
abef068f73c23af48d8bb7ce1e15c6e113073eb5cd0397ad87d5f369afa2b238eef51004429a9e10da121e1a8df6c548652ec7d2521e69a0b61bf79ab9a58f97

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9161\libGLESv2.dll

Filesize
7.6MB

MD5
f1c2108e1ad4cc11a7d4db0b1ad46795

SHA1
27e0c8aae70267a7197404bded53dd7ea38812ad

SHA256
5c24576258ee98d382b43faa0ac184c10072a76782598e67d515449e4551e713

SHA512
d030fd112bf187afbb2869b1d39b501872075a2ae824c63529765cf9f0406bb895ee1a57088687555cba2b2cae786b0a474e08b6591e2539aa36c21e554af078

Download Submit
\Users\Admin\AppData\Local\Discord\app-1.0.9161\vk_swiftshader.dll

Filesize
5.1MB

MD5
27c6460e166a151e804d7342fb678a45

SHA1
a56ef17674199be3bc70eb96d5fa47281df91e60

SHA256
2e131067eda5ad888a5a4c95da76e8c089dad1d423e9079959ab57825342a9f7

SHA512
d62316814b6a9215a237e055abdd8d7827ceb66c8dc1e400f9fcda21c0cd35a5f4f177ba4371416d5848df4ce832011c4fb51b62e4371aed928f63e442fa1dab

Download Submit
memory/1744-6006-0x00007FF781A20000-0x00007FF782A20000-memory.dmp

Filesize
16.0MB

Download
memory/3984-2954-0x0000000000430000-0x000000000043A000-memory.dmp

Filesize
40KB

Download
memory/4500-3648-0x0000000000FF0000-0x0000000001166000-memory.dmp

Filesize
1.5MB

Download
memory/4500-3661-0x0000000007EF0000-0x0000000007EF8000-memory.dmp

Filesize
32KB

Download
memory/4500-3662-0x0000000006AF0000-0x0000000006B28000-memory.dmp

Filesize
224KB

Download
memory/4540-53-0x00007FFF8BF30000-0x00007FFF8C91C000-memory.dmp

Filesize
9.9MB

Download
memory/4540-44-0x00007FFF8BF33000-0x00007FFF8BF34000-memory.dmp

Filesize
4KB

Download
memory/4540-49-0x000002CCFB1D0000-0x000002CCFB1F2000-memory.dmp

Filesize
136KB

Download
memory/4540-219-0x000002CCFB480000-0x000002CCFB4AA000-memory.dmp

Filesize
168KB

Download
memory/4540-52-0x000002CCFB4D0000-0x000002CCFB546000-memory.dmp

Filesize
472KB

Download
memory/4540-238-0x000002CCFB480000-0x000002CCFB4A2000-memory.dmp

Filesize
136KB

Download
memory/4540-255-0x00007FFF8BF30000-0x00007FFF8C91C000-memory.dmp

Filesize
9.9MB

Download
memory/4540-62-0x00007FFF8BF30000-0x00007FFF8C91C000-memory.dmp

Filesize
9.9MB

Download
memory/4964-3873-0x0000000004B90000-0x0000000004BB0000-memory.dmp

Filesize
128KB

Download