hxxps://discord[.]com/api/download/ptb?platform=win

Analysis

max time kernel
58s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://discord.com/api/download/ptb?platform=win

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DiscordPTB.exeDiscordPTBSetup.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DiscordPTB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DiscordPTBSetup.exe

Executes dropped EXE 9 IoCs

Processes:

DiscordPTBSetup.exeUpdate.exeDiscordPTB.exeDiscordPTB.exeUpdate.exeDiscordPTB.exeDiscordPTB.exeDiscordPTBSetup.exeUpdate.exe

pid	process
1784	DiscordPTBSetup.exe
2720	Update.exe
6100	DiscordPTB.exe
5328	DiscordPTB.exe
5396	Update.exe
5572	DiscordPTB.exe
5520	DiscordPTB.exe
5604	DiscordPTBSetup.exe
5812	Update.exe

Loads dropped DLL 8 IoCs

Processes:

DiscordPTB.exeDiscordPTB.exeDiscordPTB.exeDiscordPTB.exe

pid	process
6100	DiscordPTB.exe
5328	DiscordPTB.exe
5572	DiscordPTB.exe
5520	DiscordPTB.exe
5520	DiscordPTB.exe
5520	DiscordPTB.exe
5520	DiscordPTB.exe
5520	DiscordPTB.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DiscordPTB = "\"C:\\Users\\Admin\\AppData\\Local\\DiscordPTB\\Update.exe\" --processStart DiscordPTB.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

6 discord.com
9 discord.com
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
6	discord.com
9	discord.com

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

DiscordPTB.exereg.exeDiscordPTB.exereg.exeDiscordPTBSetup.exeUpdate.exeDiscordPTBSetup.exeDiscordPTB.exereg.exereg.exeNOTEPAD.EXEUpdate.exeUpdate.exeDiscordPTB.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordPTB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordPTB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordPTBSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordPTBSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordPTB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordPTB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 13 IoCs

Processes:

msedge.exereg.exereg.exereg.exeDiscordPTBSetup.exereg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Discord	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Discord\ = "URL:Discord Protocol"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Discord\URL Protocol	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Discord\shell\open\command	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Discord\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\DiscordPTB\\app-1.0.1090\\DiscordPTB.exe\" --url -- \"%1\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	DiscordPTBSetup.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Discord\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Discord\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\DiscordPTB\\app-1.0.1090\\DiscordPTB.exe\",-1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Discord\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Discord\shell\open	reg.exe

Modifies registry key 1 TTPs 5 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exe

pid process

5192 reg.exe
6096 reg.exe
1028 reg.exe
4528 reg.exe
5380 reg.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 404888.crdownload:SmartScreen msedge.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

5180 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

4288 msedge.exe
4288 msedge.exe
3648 msedge.exe
3648 msedge.exe
1436 identity_helper.exe
1436 identity_helper.exe
4012 msedge.exe
4012 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

3648 msedge.exe
3648 msedge.exe
3648 msedge.exe
3648 msedge.exe
3648 msedge.exe
3648 msedge.exe
3648 msedge.exe

pid	process
5192	reg.exe
6096	reg.exe
1028	reg.exe
4528	reg.exe
5380	reg.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 404888.crdownload:SmartScreen	msedge.exe

pid	process
5180	NOTEPAD.EXE

pid	process
4288	msedge.exe
4288	msedge.exe
3648	msedge.exe
3648	msedge.exe
1436	identity_helper.exe
1436	identity_helper.exe
4012	msedge.exe
4012	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

DiscordPTB.exe

description	pid	process
Token: SeShutdownPrivilege	6100	DiscordPTB.exe
Token: SeCreatePagefilePrivilege	6100	DiscordPTB.exe
Token: SeShutdownPrivilege	6100	DiscordPTB.exe
Token: SeCreatePagefilePrivilege	6100	DiscordPTB.exe

Suspicious use of FindShellTrayWindow 56 IoCs

Processes:

msedge.exeUpdate.exeUpdate.exe

pid	process
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
2720	Update.exe
5812	Update.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3648 wrote to memory of 2688	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 2688	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1512	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 4288	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 4288	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1184	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1184	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1184	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1184	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1184	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1184	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1184	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1184	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1184	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1184	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1184	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1184	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1184	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1184	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1184	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1184	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1184	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1184	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1184	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 1184	3648	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://discord.com/api/download/ptb?platform=win
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbb03046f8,0x7ffbb0304708,0x7ffbb0304718
2⤵
PID:2688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,6493354924326448820,17334721246090240735,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
2⤵
PID:1512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,6493354924326448820,17334721246090240735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,6493354924326448820,17334721246090240735,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
2⤵
PID:1184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6493354924326448820,17334721246090240735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
2⤵
PID:4416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6493354924326448820,17334721246090240735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
2⤵
PID:3288

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,6493354924326448820,17334721246090240735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
2⤵
PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,6493354924326448820,17334721246090240735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6493354924326448820,17334721246090240735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
2⤵
PID:4180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,6493354924326448820,17334721246090240735,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4720 /prefetch:8
2⤵
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,6493354924326448820,17334721246090240735,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5872 /prefetch:8
2⤵
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,6493354924326448820,17334721246090240735,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6493354924326448820,17334721246090240735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
2⤵
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6493354924326448820,17334721246090240735,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
2⤵
PID:3940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6493354924326448820,17334721246090240735,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
2⤵
PID:5908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,6493354924326448820,17334721246090240735,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
2⤵
PID:5916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3440

C:\Users\Admin\Downloads\DiscordPTBSetup.exe
"C:\Users\Admin\Downloads\DiscordPTBSetup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1784

C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
"C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2720

C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1090\DiscordPTB.exe
"C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1090\DiscordPTB.exe" --squirrel-install 1.0.1090
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6100

C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1090\DiscordPTB.exe
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1090\DiscordPTB.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discordptb /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discordptb\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.1090 --annotation=plat=Win32 --annotation=prod=Electron --annotation=ver=30.2.0 --initial-client-data=0x544,0x548,0x54c,0x540,0x550,0x9380cc4,0x9380cd0,0x9380cdc
4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5328

C:\Users\Admin\AppData\Local\DiscordPTB\Update.exe
C:\Users\Admin\AppData\Local\DiscordPTB\Update.exe --createShortcut DiscordPTB.exe --setupIcon C:\Users\Admin\AppData\Local\DiscordPTB\app.ico
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5396

C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1090\DiscordPTB.exe
"C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1090\DiscordPTB.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discordptb" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,5341357972489811182,3339539191954810603,262144 --enable-features=kWebSQLAccess --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1928 /prefetch:2
4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5520

C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1090\DiscordPTB.exe
"C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1090\DiscordPTB.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discordptb" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --field-trial-handle=2216,i,5341357972489811182,3339539191954810603,262144 --enable-features=kWebSQLAccess --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2212 /prefetch:3
4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5572

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v DiscordPTB /d "\"C:\Users\Admin\AppData\Local\DiscordPTB\Update.exe\" --processStart DiscordPTB.exe" /f
4⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5192

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Modifies registry key
PID:6096

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Modifies registry key
PID:1028

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1090\DiscordPTB.exe\",-1" /f
4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Modifies registry key
PID:4528

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1090\DiscordPTB.exe\" --url -- \"%1\"" /f
4⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Modifies registry key
PID:5380

C:\Users\Admin\Downloads\DiscordPTBSetup.exe
"C:\Users\Admin\Downloads\DiscordPTBSetup.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5604

C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
"C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:5812

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\SquirrelTemp\SquirrelSetup.log
2⤵
- System Location Discovery: System Language Discovery
- Opens file in notepad (likely ransom note)
PID:5180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1090\app.ico

Filesize
278KB

MD5
084f9bc0136f779f82bea88b5c38a358

SHA1
64f210b7888e5474c3aabcb602d895d58929b451

SHA256
dfcea1bea8a924252d507d0316d8cf38efc61cf1314e47dca3eb723f47d5fe43

SHA512
65bccb3e1d4849b61c68716831578300b20dcaf1cbc155512edbc6d73dccbaf6e5495d4f95d089ee496f8e080057b7097a628cc104fa8eaad8da866891d9e3eb

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1090\chrome_100_percent.pak

Filesize
146KB

MD5
6c2827fe702f454c8452a72ea0faf53c

SHA1
881f297efcbabfa52dd4cfe5bd2433a5568cc564

SHA256
2fb9826a1b43c84c08f26c4b4556c6520f8f5eef8ab1c83011031eb2d83d6663

SHA512
5619ad3fca8ea51b24ea759f42685c8dc7769dd3b8774d8be1917e0a25fa17e8a544f6882617b4faa63c6c4f29844b515d07db965c8ea50d5d491cdda7281fc5

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1090\chrome_200_percent.pak

Filesize
220KB

MD5
77088f98a0f7ea522795baec5c930d03

SHA1
9b272f152e19c478fcbd7eacf7356c3d601350ed

SHA256
83d9243037b2f7e62d0fdfce19ca72e488c18e9691961e2d191e84fb3f2f7a5d

SHA512
5b19115422d3133e81f17eedbacee4c8e140970120419d6bbfe0e99cf5528d513eea6583548fa8a6259b260d73fab77758ad95137b61fe9056101dd5772e8f4a

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1090\d3dcompiler_47.dll

Filesize
3.9MB

MD5
08ac37f455e0640c0250936090fe91b6

SHA1
7a91992d739448bc89e9f37a6b7efeb736efc43d

SHA256
2438b520ac961e38c5852779103734be373ee2b6d1e5a7a5d49248b52acc7c4d

SHA512
35a118f62b21160b0e7a92c7b9305da708c5cbd3491a724da330e3fc147dde2ca494387866c4e835f8e729b89ee0903fd1b479fcc75b9e516df8b86a2f1364c8

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1090\ffmpeg.dll

Filesize
3.0MB

MD5
18bc1f72bf282b2e1ae367495d0e9aa6

SHA1
f4cc4e7d911e2174bb2fe9fb9e4f03c02d18ac83

SHA256
d29d58bf6208fcd224713ca36640c239cbb90e005df264e44b74740fa05b1031

SHA512
2b15d6ef0880b53a9e45e0efd0d1bf0e1f78d7ead153188a8e4e4293800300817cfb8f3921931813455da66911ab5468a0494e23705d2e117649dbb38ff7e9c1

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1090\icudtl.dat

Filesize
10.2MB

MD5
74bded81ce10a426df54da39cfa132ff

SHA1
eb26bcc7d24be42bd8cfbded53bd62d605989bbf

SHA256
7bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9

SHA512
bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1090\libEGL.dll

Filesize
388KB

MD5
91e87382b8ac6e454511aea3b18e552d

SHA1
0316c54f29463b7122ee26321aebcebce62ccfbd

SHA256
016244e3ab0b03e6a50eeaa523c51d0c077271ea9b5077f9b5496c1b36a6392e

SHA512
da9d757fa636c5c60322cde123e675fa08f96efc808c841c1b8b8f48cae2d0cd2b9b46d060140fb86f548b9c51c0b0cc2cdba6d1e5dd43b102d8d0cad6cd3397

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1090\libglesv2.dll

Filesize
6.6MB

MD5
2210d9c20da513014f76567d37926965

SHA1
a28e146d6e084103487ccc0a0a2e7959f0d26926

SHA256
15b9fdf29ab65956b0152d3cbb7e09c2349b42a1971507775b82b6ceb329f986

SHA512
11b29b8f515343a6f11c050e339a20b4f96c6e4ce2d4d47b5f07e9d295e05fd46cbdb41b1feeb5ce331e0d8057ccd195c3427df59d8773ea07184eb61a6389ed

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1090\locales\en-US.pak

Filesize
443KB

MD5
88bbc725e7eedf18ef1e54e98f86f696

SHA1
831d6402443fc366758f478e55647a9baa0aa42f

SHA256
95fd54494d992d46e72dad420ceee86e170527b94d77bfaaa2bfc01f83902795

SHA512
92a5c6cfc2d88272bb5144e7ee5c48337f2c42083bc9777506b738e3bcb8f5a2c34af00c4ccc63b24fb158c79f69e7205b398c9e22634dae554410450978a2c4

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1090\resources.pak

Filesize
5.1MB

MD5
db3fa7a7f7af66bbb73c1c0a46187572

SHA1
5c6f2b5c01a20f204bb67f28a907dec4cd98bce8

SHA256
0e114f6464cecae87988c1dd65ea1bc939681fee6415d343e947a5889717165f

SHA512
e639e96c36fa67dfdc7098c7d6863ee421a2de9fa49630038e8abf4f152b03e0bbb80eee0d40a68cac5a48bfa75f0cc3542c1170dd65ab1bf5626450f803d410

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1090\resources\app.asar

Filesize
7.6MB

MD5
5858be90a23a3bb63426ce1a5a7d9066

SHA1
8c6b4f37a9a04cfee54d7ad2dcee5f42d678d572

SHA256
78880e2db0ca22d389f31e1f0983a5979fec82ec5af28462fb84b584ec7a339c

SHA512
51eceaa5e529453e50b800d14790ce7ffc8edf192720c20ba49a27f9384a88bb2a8e00c335b5a6efe223518136338a314f0c20aa093791093a3e23e56a42115f

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1090\resources\build_info.json

Filesize
80B

MD5
2b8a45810461f67b44633ec22d319504

SHA1
62296f6c91e4ff07b2819f4000269733dc3df766

SHA256
f7210f074c98ce7c324d2bb44322fd5e25de9e637096b596755025dc1ceb37d5

SHA512
5b38cf1432ad7eb4eb861e8d964578584c9153066bd6a764dbea69ad784a0c2ad3b4ca80ed70d1d11599e3358a6aaa727916ae4f4318434f065f2db49c04e55d

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1090\v8_context_snapshot.bin

Filesize
643KB

MD5
4047b71dcdf50bdb971f461800a9b301

SHA1
b7d2d57a6599cd1b4c9563bfefe415ff23bc4234

SHA256
5138741bf5e91a65fd018bb361927bd6077ae76ac1d56ef4a0f6084d86699a80

SHA512
ff1a67caa6ba4d5cb656c5c1b6166222a33e772f5af42757ed6ffccff09acaffca6d802c687ae8d513e84346c86667805800bc137e0cb5a3996705a0e7e86f28

Download Submit
C:\Users\Admin\AppData\Local\DiscordPTB\app-1.0.1090\vk_swiftshader.dll

Filesize
4.5MB

MD5
47ad9ca7972f2d71ee8e3f9a6d262c3e

SHA1
5786cda2d11bd03a5c15194c2247e499b163fedf

SHA256
9f23a1c6929881279fd6c9f3d1f5386148c53f4f0d45c3452581d910f46a2653

SHA512
619ed05bc591146c1b8e0db0c24d4908dee86caa497bf9f13ac755b6403c1fef9dd3b591d4e1532dacaf182578f1f2723ef5cc8e1d11101610bc033778e2dccb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Update.exe.log

Filesize
1KB

MD5
6eb96c16eb677b6a8c1df381a0497a1a

SHA1
d4596baadc2d4bee89d57e1718ab30c0b7d563ec

SHA256
e96331392d474ca0fbc51036c7d55aa3a37aae6b074d50ebd106a277b0cb4097

SHA512
3d472d56ceb73a3df3f65eff6af088b3a81ab553153cbda925091500a6543cf83e84872f2bc81f218deddecd8f3c9868d784c2fe08ece95f915138becaecfb0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8096ebf46d96c32f94c6e4ba3ecd8ce9

SHA1
41eb26668053f5f7a6b4f9e1c74ad7e22139f33c

SHA256
5cb246e49c09c8c99fe062b3a77e4f664d1eb1ce07a5a6e2552e44851aaa35b4

SHA512
164561ff5d0505f440ffe5b3044d808775af92a2f9cf9fc56d739cfff623ca0e6cdd4a1b7cd309c22e8bc3871a6333fb6c955908c4e383d0b754f7e0038c608e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
089c3e0274b859c7113aac206607a9fe

SHA1
3a1d5b0e20a75691a41592bb21405863e22038ea

SHA256
dd923174b7c8ac3c1c4d88c82e69a99c18068daa52608b3cd26a9951a04d4767

SHA512
020759904137e90fca73629b408f9168dfb3f34b9fb230d52cdbf1e3eab9fe145f469e0c683337789ede208c9eae8c5a4f3e1b3e4407db6fb2f38ed6b13fe6d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7aef686cebd0f68e9c760222f7ae2603

SHA1
26093c34f99e62be48d107037ab88987fad63082

SHA256
e1872e76872f9ec4ba839c29c3b54696e18641fdd4d54919f48519f3d58967cc

SHA512
8c83a3863fc7f1a415129f5235d8fd8ea304c7c655eded466991e60a8c33dfdcaff18b77e6734d1daaa5f5ca71a7fa9cc542ff6d33d16e10bca88fcccf09397c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
df22b09ed3ca740b63aacc7d08ad2c64

SHA1
5e92747d825155e7f3fd4a51a117423fd9cd514d

SHA256
84f2ef3ca4a5107a0e31436de43552843b340d0f09d170a47b53982dae64a68f

SHA512
580cc7d21a553cc03790363939247913d62ec44ddc56bf3f31088683840321a17108057917fd48963ed217dab34d996c7b1c13feb205a5b099533ce3f71f37bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
619b8edf69fbb23f0199f730a3208131

SHA1
28e7acee4583a794652d13ed98b39ad79fa97d60

SHA256
25e8b586c0af9de3f9fea1bfd53ec45a96e167f4d6910f5f7f87226ae8b1ddd2

SHA512
596900a210fdb09fb02e7316f4a43623667ffdffa2734d4e7f89d630511394ae734e8a3580274d6325213e5b65e9646f586dec7cd0617edbcb89026b963d0cf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bc68daa7df2e4d9d14ad7ccee686c573

SHA1
6dda82613af4a8b3812da502744fb97afc630046

SHA256
b01613d781f9801b11d9c6c30ce2a6577ab1a8dab8b2fdfd52b3dc4f9e38d0ae

SHA512
0affc46b588c0b609fc08e4e1190547c5ae92916eb0824a1e02a84f1d1bf5b231c93b50243866b3b5ca66a5eba63bd1052f8e8144d03cf225f00fb291a6deb55

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
84B

MD5
f9063eec328dd6a9ab5492e33c99ac79

SHA1
25783ce18d18f2ab30cd1c73224bcf9730547e0a

SHA256
84ff5175fc1ee2e777710eeb7ebb04be7590a60d7e7dd9b7dd622c5e7f28c818

SHA512
70c4d3ee2e8e6bd3cf6d9a700b44c6baf35f0e464cbd04f90a70ea6ea60fe93604c6b64ebf71021c0e1548238a66826ae14aeeeff87994b1295795031a45f2e5

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\SquirrelSetup.log

Filesize
4KB

MD5
0546e6b905bcd46c809cd413af26da85

SHA1
f05a9c83490cd1a676ed4d327b68fff71c1b7717

SHA256
3ed9f5a8c99ef6315f5c179f92ba147fd319278695f0ac52e0b6ec7d45f1eaef

SHA512
8a70b3f863491954af52da0d1f949bd9d0a2ad84bd2731887940adc35eb7ce6599a6099dfca7d7d7b00515ace003551cbeb36d169fa0f6ad580a91daf01d1eb5

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.5MB

MD5
d9aefa815c8389953a136125d4baaae6

SHA1
77cb094fb0229e9a3354457ed9b096d5dca11bb9

SHA256
65df86270cfcfdc5612a327a137d64a3e2e71a9109f21cc5ff9868108710ac2d

SHA512
07c8a47ff90ebff621e79354f054de627398c79ab410dc002cc385998994f789beb6c54c87a09651fe34aa70245e37af655b98e0b6b65530c6285dafb262a626

Download Submit
C:\Users\Admin\AppData\Local\Temp\SquirrelSetup.log

Filesize
67B

MD5
b226fc53ef7c9647dc4afbce9c03dd61

SHA1
d07960ff351e5112c5ed83d6f496cf7f7f64b308

SHA256
9d21a1ecc5c75108e77e1da43a323fd496bd88a1a3926f140a8d039216754db7

SHA512
56caf080c7286bbd0f964caaeb64838edccedca7a1a80ef3a11c053f4408046beac12f7e1f2077fd93a90d027a18e9051a6557d30c0a2f23c2de20f0c154de7a

Download Submit
C:\Users\Admin\AppData\Local\tmp02q1ysps.eqx\SquirrelSetup.log

Filesize
2KB

MD5
0134d637b8106e97157343094dbd67b4

SHA1
9083f56907b9b030b9d3eca9130fb14b0d4f0865

SHA256
36590ca7ba3900c4ea437fefe87ea76a51f68320795800138d1ec71b8e0169c2

SHA512
1c37653badd3760f0883ac4d7483cd477e2b2997053f2d1f9f52c114b9ab383d76a86716e72a478bfc34a0b0cb9695d5b8b9e4ae8b3909e397e5d1831bedf02a

Download Submit
C:\Users\Admin\AppData\Local\tmp02q1ysps.eqx\app-1.0.1090\locales\af.pak

Filesize
481KB

MD5
94af96b7f60a4cfb9d596cd8927ba37d

SHA1
556833517bc6ad77b5427000f2c3dccad91b92e6

SHA256
716e296c2f663ad90cdde85c5134582fc2305e5ebe10649fc9653bea533500a6

SHA512
6605688a373a358ff1dfbeda1c09dd031e4a63de662555f5304843c31eb3afcedbc8ffa4dae8ddc1483b04ea24cb709ecc639a9902caa68731d8e44d04cdbd83

Download Submit
C:\Users\Admin\AppData\Local\tmp02q1ysps.eqx\app-1.0.1090\locales\am.pak

Filesize
782KB

MD5
34b24f035bad74764b7cc57420488180

SHA1
fac3fdba1a94d7676ac4d71447178cfbd1fa4e82

SHA256
9cff5c4af5997b45fb2a384bd73560e56bcb7710149e1a7e3e172d64e6eda025

SHA512
a01da4c45c6295a57248603f01a6b6231c4ce400aa3ec94e4228b26e8cea995c31d52b2008f99d0f17482aad80f1d67725c32e0f37cad6b012b1022ecde998f0

Download Submit
C:\Users\Admin\AppData\Local\tmp02q1ysps.eqx\app-1.0.1090\locales\ar.pak

Filesize
855KB

MD5
38b30dfa8ccd369c747c46bef204e2f2

SHA1
047976a9b0aad536cc61ac3dfbc37b20f39ecbf4

SHA256
516584da5741e7bb49ba6a70c9cf2ac47ff190ca9c4f692c3a30bc03a4560f50

SHA512
5396af2e915808abb6f0ff8c4a1c3a7675e620687d717193d5e69905a070accce08925b7e243b54b922e1b022fd6210884fd12b18681e1b7d08f28c542cc4c3c

Download Submit
C:\Users\Admin\AppData\Local\tmp02q1ysps.eqx\app-1.0.1090\locales\bg.pak

Filesize
892KB

MD5
d08e8e493f0b3c8ab19070ab05a78af8

SHA1
c5fa430269dc2d32baa6885de2453fa84c36f2fc

SHA256
d223e994ad1aa6e747507187f724cdede8c369d2e8e0def50c4a6c912dba3880

SHA512
4b415fa2ae6ba399674f90ea67e571d90a35fff1ce93df77f20bf692b52c92bfc41e5a3622776e3979b1662fecd2d9665209d5d1d53ece1bff3ed01a28e499d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\pipe\LOCAL\crashpad_3648_EXUZISRXNLTXMEWB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2720-292-0x0000000008310000-0x0000000008318000-memory.dmp

Filesize
32KB

Download
memory/2720-296-0x0000000008B90000-0x0000000008BC8000-memory.dmp

Filesize
224KB

Download
memory/2720-297-0x0000000008B70000-0x0000000008B7E000-memory.dmp

Filesize
56KB

Download
memory/2720-79-0x0000000000FD0000-0x0000000001146000-memory.dmp

Filesize
1.5MB

Download
memory/5328-440-0x000000006EAF0000-0x000000006F283000-memory.dmp

Filesize
7.6MB

Download
memory/5328-439-0x0000000000690000-0x0000000001690000-memory.dmp

Filesize
16.0MB

Download
memory/5396-311-0x00000000050E0000-0x0000000005100000-memory.dmp

Filesize
128KB

Download