Malware Analysis Report

2025-06-16 00:20

Sample ID 241112-vw421azrdm
Target DiscordCanarySetup.exe
SHA256 7221d924450be7f8d162c813d7ab0fc7e5941e2481aea27e25183b518fa97f95
Tags
discovery persistence spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

7221d924450be7f8d162c813d7ab0fc7e5941e2481aea27e25183b518fa97f95

Threat Level: Shows suspicious behavior

The file DiscordCanarySetup.exe was classified as showing suspicious behavior (score 7/10). Across the two detonations the recorded activity is that of a Squirrel.Windows installer: SquirrelTemp\Update.exe --install unpacks an Electron 31.2.1 application into C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328, reg.exe registers a per-user Run key and a discord: URL protocol handler, and the only network traffic is reverse-DNS lookups. Static analysis (static1) produced no signatures, and the "ransom note" tag comes from Notepad opening the installer's own SquirrelSetup.log in the Windows 7 run. Whether this is an official Discord Canary build or a repackaged one is not something the report establishes: check the Authenticode signatures on the dropped Update.exe and DiscordCanary.exe and compare the SHA256 values under Files with a known-good download before deciding either way.

Malicious Activity Summary

discovery persistence spyware stealer

Reads local data of messenger clients

Adds Run key to start application

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Opens file in notepad (likely ransom note); in this trace the file is SquirrelTemp\SquirrelSetup.log, the installer's own log (see behavioral1)

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 17:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 17:21

Reported

2024-11-12 17:22

Platform

win7-20240903-en

Max time kernel

14s

Max time network

2s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DiscordCanarySetup.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DiscordCanarySetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Note: the "ransom note" tag is a false positive in this trace. The Processes section shows this notepad instance opening C:\Users\Admin\AppData\Local\SquirrelTemp\SquirrelSetup.log, the installer's own log, and the Files section lists nothing encrypted or renamed. Squirrel.Windows opens that log in Notepad when an installation fails, which fits a run on the win7 image that dropped only Update.exe, RELEASES and the log into SquirrelTemp, recorded no network activity and finished in 14 s of kernel time.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2528 wrote to memory of 2160 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\DiscordCanarySetup.exe C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
PID 2528 wrote to memory of 1140 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\DiscordCanarySetup.exe C:\Windows\SysWOW64\NOTEPAD.EXE

Repeated rows for the same source and target have been folded into one line with an event count. Both targets are children that DiscordCanarySetup.exe had just started (compare Processes), so the rows describe parent-to-child start-up writes, not injection into an unrelated process.

Processes

C:\Users\Admin\AppData\Local\Temp\DiscordCanarySetup.exe

"C:\Users\Admin\AppData\Local\Temp\DiscordCanarySetup.exe"

C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

"C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .

C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe

"C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe" --squirrel-install 1.0.328

C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe

"C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe" --squirrel-firstrun

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\SquirrelTemp\SquirrelSetup.log

Note: the image path is C:\Windows\SysWOW64\NOTEPAD.EXE although the command line names C:\Windows\system32\NOTEPAD.EXE. The parent, DiscordCanarySetup.exe, is a 32-bit process, so WOW64 file-system redirection maps its request for System32 to SysWOW64; the reg.exe entries in behavioral2 show the same effect. The file opened is the installer's own log, SquirrelSetup.log.

Network

N/A (no traffic was recorded in the 2 s network window)

Files

\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

MD5 f6a4d597916c5f4bdaec6553f8e0f8a4
SHA1 cfe432ced144a6901fc421753d3b739be4c6a4e6
SHA256 b6ed43277d7b382ca1d841b3cbcd910e5405d962807cb33477b4db0a90b92b66
SHA512 a1de2f639c2f40a196723a827aaa1deeb1c0cbcc61b6afca35b01794ad546565d394c6010aec3179d187e2bbf8f707b74cefd9d152584eb9edf91061ad30028b

memory/2160-11-0x0000000001070000-0x00000000011E6000-memory.dmp

C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

MD5 62ff6ef904f14f87221598ce63893e77
SHA1 7ce130c46f34c31ef97d7296a272ed3148326de1
SHA256 0577e637242b42488abe9cec3a5014bd4c89707dc085e527100f760f53938b78
SHA512 3ad201fa706012ff376d4672cca5e4e14e128eaec1ca573505ee7130647a76cabe9aa86703bf0453b8a24c8a8a50bdf7ca5509c38a46e3aa615d449e4fbf84d7

memory/2160-204-0x0000000000E60000-0x0000000000E6A000-memory.dmp

memory/2160-203-0x0000000000E60000-0x0000000000E6A000-memory.dmp

memory/2160-205-0x0000000000E60000-0x0000000000E6A000-memory.dmp

C:\Users\Admin\AppData\Local\SquirrelTemp\SquirrelSetup.log

MD5 0fee031d6963022315f0e8effe1e2036
SHA1 206ee2acb8f9dfdc7890a651027ee4dbb65e81fd
SHA256 cdf305d77b8feaa34b063fb12bd1bb1a8798632b9412c44e0b0146234b3e47e3
SHA512 b740f1cc8b3fed3f469bfa03988af32d61da03264f66c36403fc369484be0ade08a8adfd21e09624385b1f8308566a9f0041d77e2cb0107d546332e9e94a6c81

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 17:21

Reported

2024-11-12 17:24

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DiscordCanarySetup.exe"

Signatures

Reads local data of messenger clients

spyware stealer

Note: the report gives no indicator rows (process, path) for this signature. The application installed here is itself a Discord client whose profile lives in C:\Users\Admin\AppData\Roaming\discordcanary (the --user-data-dir value under Processes), so DiscordCanary.exe touching Discord local data is expected and does not by itself show credential theft. Treat the tag as confirmed only if the triggering process is something other than DiscordCanary.exe or the path belongs to a different messenger.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DiscordCanary = "\"C:\\Users\\Admin\\AppData\\Local\\DiscordCanary\\Update.exe\" --processStart DiscordCanary.exe" C:\Windows\SysWOW64\reg.exe N/A

Note: this is the auto-start entry written by the first reg.exe invocation listed under Processes. At each logon of this user it runs Update.exe --processStart DiscordCanary.exe from C:\Users\Admin\AppData\Local\DiscordCanary; key and target are both writable without elevation, so no UAC prompt is involved. To check a live host: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v DiscordCanary

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\DiscordCanarySetup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\DiscordCanary\Update.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Discord\shell C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Discord\shell\open C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Discord C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Discord\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\DiscordCanary\\app-1.0.328\\DiscordCanary.exe\",-1" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Discord\shell\open\command C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Discord C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Discord\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\DiscordCanary\\app-1.0.328\\DiscordCanary.exe\" --url -- \"%1\"" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Discord\ = "URL:Discord Protocol" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Discord C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Discord\URL Protocol C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Discord\DefaultIcon C:\Windows\SysWOW64\reg.exe N/A

Note: taken together these writes register a discord: URL protocol for the current user. A discord://... link opened from a browser launches C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe --url -- "<link>", with the link passed as an argument, so the handler is an entry point reachable from any web page. To inspect a live host: reg query HKCU\Software\Classes\Discord\shell\open\command /ve

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A (5 events, one per reg.exe invocation listed under Processes)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1000 wrote to memory of 3672 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\DiscordCanarySetup.exe C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
PID 3672 wrote to memory of 2488 (3 events) N/A C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe
PID 2488 wrote to memory of 1496 (3 events) N/A C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe
PID 2488 wrote to memory of 728 (3 events) N/A C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe C:\Users\Admin\AppData\Local\DiscordCanary\Update.exe
PID 2488 wrote to memory of 4112 (31 events) N/A C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe
PID 2488 wrote to memory of 1160 (3 events) N/A C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe
PID 2488 wrote to memory of 4952 (3 events) N/A C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe C:\Windows\SysWOW64\reg.exe
PID 2488 wrote to memory of 4488 (3 events) N/A C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe C:\Windows\SysWOW64\reg.exe
PID 2488 wrote to memory of 2044 (3 events) N/A C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe C:\Windows\SysWOW64\reg.exe
PID 2488 wrote to memory of 1436 (3 events) N/A C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe C:\Windows\SysWOW64\reg.exe
PID 2488 wrote to memory of 2220 (3 events) N/A C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe C:\Windows\SysWOW64\reg.exe

Repeated rows for the same source and target have been folded into one line with an event count. All eleven targets appear under Processes as children started by the writer (SquirrelTemp\Update.exe, the Electron helper processes of DiscordCanary.exe, DiscordCanary\Update.exe and the five reg.exe invocations), so the table reads as the process lineage DiscordCanarySetup.exe (1000) -> SquirrelTemp\Update.exe (3672) -> DiscordCanary.exe (2488) -> helpers and reg.exe. The heavier write count into PID 4112 is between two instances of the same DiscordCanary.exe image; nothing here is a write into a process the sample did not itself create.
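The WriteProcessMemory table above (and the shorter one in behavioral1) is most useful read as a parent-to-child map. The Python below is an added example, not part of the sandbox report and not code from Discord or Squirrel: it parses rows in the report's own row format, folds repeated events per edge into a count, rebuilds the process tree rooted at the submitted sample, and flags children that are built-in command-line utilities spawned from a user-land application. The input rows are copied from behavioral2 and trimmed to one line per distinct edge, plus one deliberate duplicate; the watch-list of flagged binaries is my own choice and is not something the report defines.

```python
import re
from collections import Counter, defaultdict

# Constructed input: one row per distinct parent->child edge from the
# behavioral2 WriteProcessMemory table, with the first edge duplicated on
# purpose so that the folding of repeated events is exercised. The real
# table lists every write separately (31 rows for 2488 -> 4112 alone).
WPM_ROWS = r"""
PID 1000 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\DiscordCanarySetup.exe C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
PID 1000 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\DiscordCanarySetup.exe C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
PID 3672 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe
PID 2488 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe
PID 2488 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe C:\Users\Admin\AppData\Local\DiscordCanary\Update.exe
PID 2488 wrote to memory of 4112 N/A C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe
PID 2488 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe C:\Windows\SysWOW64\reg.exe
PID 2488 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe C:\Windows\SysWOW64\reg.exe
"""

# Row layout used by the report:
# "PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>"
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")

# Hypothetical watch-list (my choice, not from the report): OS utilities that
# an installer or chat client has little reason to spawn.
LOLBINS = frozenset({"reg.exe", "cmd.exe", "powershell.exe", "schtasks.exe",
                     "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe"})


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def parse_edges(text):
    """Return ({(src_pid, dst_pid): event_count}, {pid: image_path})."""
    counts = Counter()
    images = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line or unrelated text
        src, dst, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        counts[(src, dst)] += 1
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
    return counts, images


def build_tree(counts):
    """Children per parent (first-seen order) and the PIDs nobody wrote into."""
    children = defaultdict(list)
    targets = set()
    for (src, dst), n in counts.items():
        children[src].append((dst, n))
        targets.add(dst)
    roots = sorted(pid for pid in children if pid not in targets)
    return children, roots


def render(children, images, pid, depth=0):
    """Indented text tree; each child line carries its write-event count."""
    lines = [f"{'  ' * depth}{pid} {basename(images[pid])}"]
    for child, n in children.get(pid, []):
        sub = render(children, images, child, depth + 1)
        sub[0] += f"  ({n} write{'s' if n != 1 else ''})"
        lines.extend(sub)
    return lines


def find_lolbin_spawns(children, images):
    """(parent_pid, parent_image, child_pid, child_image) for watch-listed children."""
    hits = []
    for parent, kids in children.items():
        for child, _ in kids:
            if basename(images[child]).lower() in LOLBINS:
                hits.append((parent, basename(images[parent]),
                             child, basename(images[child])))
    return hits


if __name__ == "__main__":
    counts, images = parse_edges(WPM_ROWS)
    children, roots = build_tree(counts)
    for root in roots:
        print("\n".join(render(children, images, root)))
    for parent, pimg, child, cimg in find_lolbin_spawns(children, images):
        print(f"watch: {pimg} ({parent}) spawned {cimg} ({child})")
```

Run as a script it prints the lineage DiscordCanarySetup.exe -> Update.exe -> DiscordCanary.exe with the per-edge counts, followed by one "watch" line per reg.exe child. The same parser handles the behavioral1 rows unchanged; only the PIDs differ.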

Processes

C:\Users\Admin\AppData\Local\Temp\DiscordCanarySetup.exe

"C:\Users\Admin\AppData\Local\Temp\DiscordCanarySetup.exe"

C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

"C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .

C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe

"C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe" --squirrel-install 1.0.328

C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe

C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discordcanary /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discordcanary\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.328 --annotation=plat=Win32 --annotation=prod=Electron --annotation=ver=31.2.1 --initial-client-data=0x53c,0x540,0x544,0x530,0x548,0x9c5d8dc,0x9c5d8e8,0x9c5d8f4

Note: --url=https://f.a.k/e is a placeholder, not a real crash-upload endpoint, and nothing under Network shows traffic to it. The --annotation values identify the build as Electron 31.2.1 packaging product "discord" version 1.0.328 as a 32-bit (Win32) binary.

C:\Users\Admin\AppData\Local\DiscordCanary\Update.exe

C:\Users\Admin\AppData\Local\DiscordCanary\Update.exe --createShortcut DiscordCanary.exe --setupIcon C:\Users\Admin\AppData\Local\DiscordCanary\app.ico

C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe

"C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discordcanary" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1988,i,1671023170695555656,7053517772814600299,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1980 /prefetch:2

C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe

"C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discordcanary" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --field-trial-handle=2244,i,1671023170695555656,7053517772814600299,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2240 /prefetch:3

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v DiscordCanary /d "\"C:\Users\Admin\AppData\Local\DiscordCanary\Update.exe\" --processStart DiscordCanary.exe" /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe\",-1" /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe\" --url -- \"%1\"" /f

Note: all five reg.exe entries show the image C:\Windows\SysWOW64\reg.exe while the command line names C:\Windows\System32\reg.exe. DiscordCanary.exe is a 32-bit process, so WOW64 file-system redirection resolves its System32 request to SysWOW64; detection logic keyed on the literal path must allow for both spellings. Every write goes to HKCU, which a standard user can modify without elevation.
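The five reg.exe command lines above are the only registry writes the installer makes through a separate process, and they are what a detection rule would key on. As an added example (not code from the report, from Discord or from Squirrel), the Python below tokenises each command line with the quoting rules Windows applies when building argv, extracts key, value name and data from a reg add invocation, and tags writes to the per-user Run key (with a further tag when the auto-start target lives under a user-writable directory), URL protocol registrations and shell\open\command handlers. The command lines are copied from this section; the tag names and the user-writable path list are my own choices.

```python
# Constructed input: the reg.exe command lines recorded under Processes in
# behavioral2, copied verbatim.
REG_CMDLINES = r'''
C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v DiscordCanary /d "\"C:\Users\Admin\AppData\Local\DiscordCanary\Update.exe\" --processStart DiscordCanary.exe" /f
C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe\",-1" /f
C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\DiscordCanary.exe\" --url -- \"%1\"" /f
'''.strip().splitlines()

# Per-user and per-machine autostart keys (suffix match, case-folded).
RUN_KEYS = ("\\software\\microsoft\\windows\\currentversion\\run",
            "\\software\\microsoft\\windows\\currentversion\\runonce")
# Directories a standard user can write to without elevation (my own list).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


def win_split(cmdline):
    """Split a command line the way CommandLineToArgvW does (quotes, \\" escapes)."""
    args, cur, in_quotes, quoted = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            nb = j - i
            if j < n and cmdline[j] == '"':
                # 2k backslashes + quote -> k backslashes, quote is a delimiter;
                # 2k+1 backslashes + quote -> k backslashes and a literal quote.
                cur.append("\\" * (nb // 2))
                if nb % 2:
                    cur.append('"')
                    j += 1
            else:
                cur.append("\\" * nb)  # backslashes not before a quote are literal
            i = j
            continue
        if c == '"':
            in_quotes, quoted = not in_quotes, True
        elif c in " \t" and not in_quotes:
            if cur or quoted:
                args.append("".join(cur))
            cur, quoted = [], False
        else:
            cur.append(c)
        i += 1
    if cur or quoted:
        args.append("".join(cur))
    return args


def parse_reg_add(cmdline):
    """Key, value name, type, data and /f flag from a 'reg add' line, else None."""
    argv = win_split(cmdline)
    if (len(argv) < 3 or argv[0].rsplit("\\", 1)[-1].lower() != "reg.exe"
            or argv[1].lower() != "add"):
        return None
    rec = {"key": argv[2], "value": "(Default)", "type": "REG_SZ",
           "data": None, "force": False}
    i = 3
    while i < len(argv):
        opt = argv[i].lower()
        if opt in ("/v", "/d", "/t") and i + 1 < len(argv):
            rec[{"/v": "value", "/d": "data", "/t": "type"}[opt]] = argv[i + 1]
            i += 2
        else:
            if opt == "/ve":
                rec["value"] = "(Default)"
            elif opt == "/f":
                rec["force"] = True
            i += 1
    return rec


def classify(rec):
    """Tags for the registry write; an empty list means nothing noteworthy."""
    key = rec["key"].lower()
    data = (rec["data"] or "").lower()
    tags = []
    if key.endswith(RUN_KEYS):
        tags.append("run-key persistence")
        if any(p in data for p in USER_WRITABLE):
            tags.append("autostart target in user-writable path")
    if "\\software\\classes\\" in key and rec["value"].lower() == "url protocol":
        tags.append("registers URL protocol handler")
    if key.endswith("\\shell\\open\\command"):
        tags.append("sets shell open command")
    return tags


def triage(cmdlines):
    """[(record, tags)] for every reg add command line in the input."""
    out = []
    for line in cmdlines:
        rec = parse_reg_add(line)
        if rec is not None:
            out.append((rec, classify(rec)))
    return out


if __name__ == "__main__":
    for rec, tags in triage(REG_CMDLINES):
        print(f"{rec['key']} [{rec['value']}] = {rec['data']!r}")
        for t in tags:
            print("   ->", t)
```

The tokenizer matters more than it looks: the Run key data is itself a quoted path followed by arguments, and a naive split on spaces or a POSIX shlex would either break the path or mishandle the backslash-escaped quotes. Feeding the same function process-creation telemetry (Sysmon event 1 or 4688 command lines) gives the Run-key tag for this installer and for anything else that registers an autostart under AppData.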

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 100.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Note: every entry is a reverse-DNS (PTR) query sent to Google's public resolver. The labels are the octets of the address being looked up in reverse order, so 28.118.140.52.in-addr.arpa asks for the name of 52.140.118.28. No other flows were recorded in the 154 s network window, in particular no HTTPS to a Discord update host and nothing to the crash-handler URL. The report does not attribute the lookups to a process, so do not read them as command-and-control attempts by the sample without a per-process capture.

Files

C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

MD5 f6a4d597916c5f4bdaec6553f8e0f8a4
SHA1 cfe432ced144a6901fc421753d3b739be4c6a4e6
SHA256 b6ed43277d7b382ca1d841b3cbcd910e5405d962807cb33477b4db0a90b92b66
SHA512 a1de2f639c2f40a196723a827aaa1deeb1c0cbcc61b6afca35b01794ad546565d394c6010aec3179d187e2bbf8f707b74cefd9d152584eb9edf91061ad30028b

memory/3672-9-0x00000000002B0000-0x0000000000426000-memory.dmp

C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

MD5 62ff6ef904f14f87221598ce63893e77
SHA1 7ce130c46f34c31ef97d7296a272ed3148326de1
SHA256 0577e637242b42488abe9cec3a5014bd4c89707dc085e527100f760f53938b78
SHA512 3ad201fa706012ff376d4672cca5e4e14e128eaec1ca573505ee7130647a76cabe9aa86703bf0453b8a24c8a8a50bdf7ca5509c38a46e3aa615d449e4fbf84d7

memory/3672-191-0x0000000010950000-0x0000000010958000-memory.dmp

memory/3672-192-0x00000000111D0000-0x0000000011208000-memory.dmp

memory/3672-193-0x00000000111B0000-0x00000000111BE000-memory.dmp

C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\ffmpeg.dll

MD5 70e28b85d6f7c4a52cc0a21ac6f6ab2e
SHA1 f51921ba47b1a9dfca1f8dc8fcc1427e40226fda
SHA256 34ca6fad702e41713316e8a0e40364541d29e33bf112db4108629e4d2d6e08ce
SHA512 e6ad5728d76cfcdfaa67267792f46bc2230d425411f802a1a16ad2076ec93059c8ca6e6fa887ba398bdd6cb3a99dcb9f6d8076354844a7c32225c663171c0a13

C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\icudtl.dat

MD5 ffd67c1e24cb35dc109a24024b1ba7ec
SHA1 99f545bc396878c7a53e98a79017d9531af7c1f5
SHA256 9ae98c06cbb0ea43c5cd6b5725310c008c65e46072421a1118cb88e1de9a8b92
SHA512 e1a865e685d2d3bacd0916d4238a79462519d887feb273a251120bb6af2b4481d025f3b21ce9a1a95a49371a0aa3ecf072175ba756974e831dbfde1f0feaeb79

C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\v8_context_snapshot.bin

MD5 f865716fe0d06505b9f5178877c03c09
SHA1 762be5046afdb41d65113fc0c6db4e5ee3602574
SHA256 4345194273b40a62e83fb6d1067a7ed5daf310470fa2220ac891fbb126fe1041
SHA512 c859b94687a2d595f4060c9a49d3bae0d2044fe10058c73f49a2306d9e08e50c1ab24f8ff7d72f397d7d729839518077e243276d04b225e49517c04969cfed76

C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\resources\app.asar

MD5 5858be90a23a3bb63426ce1a5a7d9066
SHA1 8c6b4f37a9a04cfee54d7ad2dcee5f42d678d572
SHA256 78880e2db0ca22d389f31e1f0983a5979fec82ec5af28462fb84b584ec7a339c
SHA512 51eceaa5e529453e50b800d14790ce7ffc8edf192720c20ba49a27f9384a88bb2a8e00c335b5a6efe223518136338a314f0c20aa093791093a3e23e56a42115f

C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\resources\build_info.json

MD5 279e481496cfa482d1e07cea293e9c6d
SHA1 f449153aa758c42dd4a7a73f0a5279b1c40e59b6
SHA256 074c350fdfaf095d3999a21e4d2c8e9ede1e7d980fde86a5aa4935183b09e8ae
SHA512 6cd03d4f5affdfb6d6e2f7eb9dd9344e6c163ce4656ee7b04c673aed9a8f12f05a0edbbec31aa6f309ea123513a347a4aa9d1966c8d56d71591ab62a9e2f5fbf

C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\app.ico

MD5 b1177cead91e65699122ca293f51c478
SHA1 d306c44b148f59d4da8d7f5dde7cb14117b9a21e
SHA256 2dcb94cc54982584dd3137bf32c0757ae246757a66e8b45b9ac27829de729ea2
SHA512 1b71f11cb9c1cd0e38ac25abe4524d8a4785e0cc7d8e3b95258c4531255df362767e8bb685e84e0b9562838f047340ebb4fd5d692bb77618898348f07e9a480f

C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\resources.pak

MD5 deaa8cf598b837b6edcd40cff3f47dae
SHA1 32e85997f4bf0355c105ffcb2403031585b306f5
SHA256 fd880b5f823ee0ed0e143eb3aa542279026317e037e2ab45b3c053245cf97e8b
SHA512 1811d294bdb5baa27f7d8f7864cc8f5eb7a35c16c439f995240228c7a91fad936edb844721b03442a1f7687c51c71d31ef28917df758546c1adbca54e6b24c5b

C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\locales\en-US.pak

MD5 9bce1a4c9a06d63e8b4f7eb40535c080
SHA1 11bc263876228d22b0bee57c6ba80c523c79e5cc
SHA256 0013a8efed8a17a93b0e718fb41652b8a2a6ed38128575cee89a258134167e41
SHA512 b6d1ea3a81cb1b32eba16a1cb4f337cbd15f28efea1e31ebf12efb795c33f6eea70abbfa4fed1b241103a8f0865cb2dd138db598c9cfbdce34497d46119e7566

C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\chrome_200_percent.pak

MD5 e9c1423fe5d139a4c88ba8b107573536
SHA1 46d3efe892044761f19844c4c4b8f9576f9ca43e
SHA256 2408969599d3953aae2fb36008e4d0711e30d0bc86fb4d03f8b0577d43c649fa
SHA512 abf8d4341c6de9c722168d0a9cf7d9bac5f491e1c9bedfe10b69096dcc2ef2cd08ff4d0e7c9b499c9d1f45fdb053eafc31add39d13c8287760f9304af0727bf4

C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\chrome_100_percent.pak

MD5 cb4f128469cd84711ed1c9c02212c7a8
SHA1 8ae60303be80b74163d5c4132de4a465a1eafc52
SHA256 7dd5485def22a53c0635efdf8ae900f147ec8c8a22b9ed71c24668075dd605d3
SHA512 0f0febe4ee321eb09d6a841fe3460d1f5b657b449058653111e7d0f7a9f36620b3d30369e367235948529409a6ce0ce625aede0c61b60926dec4d2c308306277

memory/728-219-0x0000000004AF0000-0x0000000004B10000-memory.dmp

\??\pipe\crashpad_2488_HKUKANTXMNRAOWRB

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

(These are the digests of zero-length input. The entry is the named pipe over which DiscordCanary.exe (PID 2488) talks to its crashpad-handler child; it has no content and is not a dropped file.)

C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\libglesv2.dll

MD5 41be166661e5a050c0772a61fd883fb2
SHA1 3b540c099aa2643baa7514131260697298310807
SHA256 45798dfdc089e613c8b9ab89a5a2b3f860c855b3a2fd43af89b99b9be5db0b47
SHA512 5cf7a6b03cc69ca044831b797b7b4b420be34d93a903dc1c8bfeda7f81e73f67f4adcf008f314a71bac4c003929eda053eff578e65988c2b300fcaeb9c6cf08d

C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\d3dcompiler_47.dll

MD5 08ac37f455e0640c0250936090fe91b6
SHA1 7a91992d739448bc89e9f37a6b7efeb736efc43d
SHA256 2438b520ac961e38c5852779103734be373ee2b6d1e5a7a5d49248b52acc7c4d
SHA512 35a118f62b21160b0e7a92c7b9305da708c5cbd3491a724da330e3fc147dde2ca494387866c4e835f8e729b89ee0903fd1b479fcc75b9e516df8b86a2f1364c8

C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\libegl.dll

MD5 d0dffea06164554ef074473f39762b00
SHA1 cc125b4a25b863ca3e5e948c5d358d92d58027d9
SHA256 af2f97a6ebb399dd697b5cb3b59a01d31f12ecf6ad37babbdd5ade3fb5b032cc
SHA512 e0ab8c61360ce2914452c1230e51c346ef957214d68227b24724b81c5f0a1011feb91d1d6b84285c0d06615ba420197269b6f10440309dc6f8e0d9eebb700e09

C:\Users\Admin\AppData\Local\DiscordCanary\app-1.0.328\vk_swiftshader.dll

MD5 458d1070882afb5bd9760f83438e9165
SHA1 c6ed9f44e0736d2ba8643cee08edb424350ecd06
SHA256 5010111d98b68a62d01e40b1ef4377139ec19b4c443a1a5a14e0b52b95b316b8
SHA512 024f14864e0cccc6286b462853a61498946a4d2f4c59323da42fe8cbb4105326387ea04276fc634290a2ceb9fb5beb75968fc45a1cf8ccc56940e641b5e5043d

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84