discordrat | 16e0775352021a90c3dec5a4d75d5db0b444ed8cae060fccdb86fde2080bdc82

Analysis

max time kernel
57s
max time network
48s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-01-2025 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16e0775352021a90c3dec5a4d75d5db0b444ed8cae060fccdb86fde2080bdc82.exe
Size

78KB
MD5

e3347a9a35a3397e489ae738b27f7cc7
SHA1

e72a6f4f1fed3513aeef20986cb362e5d2fdfebe
SHA256

16e0775352021a90c3dec5a4d75d5db0b444ed8cae060fccdb86fde2080bdc82
SHA512

a75da2b099bef712bcf87c02aa23e84d5d90f5b0a9e5bb0a27b437ddd6ad777768a1273052e72a720e141db61c4f0ebbe50316df069253afc675a7e46bbb3151
SSDEEP

1536:52WjO8XeEXFh5P7v88wbjNrfxCXhRoKV6+V+5PIC:5Zv5PDwbjNrmAE+JIC

Score

10^/10

discordrat defense_evasion discovery persistence rat rootkit spyware stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTMzMDYxOTg4NTMzMTQxNTEyMA.GvolIj.JCM-OtlpaFBedk3GoFB_aY1Hi31oF4XpkLv81A
server_id
1330576263034699828

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Discordrat family
discordrat
Downloads MZ/PE file

Executes dropped EXE 7 IoCs

pid	Process
1544	DiscordSetup.exe
3820	Update.exe
3272	Discord.exe
2908	Discord.exe
2588	Update.exe
1464	Discord.exe
4148	Discord.exe

Loads dropped DLL 8 IoCs

pid	Process
3272	Discord.exe
2908	Discord.exe
1464	Discord.exe
4148	Discord.exe
1464	Discord.exe
1464	Discord.exe
1464	Discord.exe
1464	Discord.exe

Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Run\Discord = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\Update.exe\" --processStart Discord.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	discord.com
12	discord.com
13	discord.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\DiscordSetup.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DiscordSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133818611956249696"	chrome.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Discord\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Discord	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Discord\URL Protocol	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Discord\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9177\\Discord.exe\",-1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Discord\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Discord\shell\open	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Discord\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-1.0.9177\\Discord.exe\" --url -- \"%1\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Discord	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Discord\ = "URL:Discord Protocol"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Discord\DefaultIcon	reg.exe

Modifies registry key 1 TTPs 5 IoCs

Modify Registry

T1112

pid	Process
4120	reg.exe
644	reg.exe
1268	reg.exe
3492	reg.exe
2668	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\DiscordSetup.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3600	chrome.exe
3600	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4496	16e0775352021a90c3dec5a4d75d5db0b444ed8cae060fccdb86fde2080bdc82.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: 33	3340	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3340	AUDIODG.EXE
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3820	Update.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 792	3600	chrome.exe	80
PID 3600 wrote to memory of 792	3600	chrome.exe	80
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 4928	3600	chrome.exe	81
PID 3600 wrote to memory of 840	3600	chrome.exe	82
PID 3600 wrote to memory of 840	3600	chrome.exe	82
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83
PID 3600 wrote to memory of 1856	3600	chrome.exe	83

C:\Users\Admin\AppData\Local\Temp\16e0775352021a90c3dec5a4d75d5db0b444ed8cae060fccdb86fde2080bdc82.exe
"C:\Users\Admin\AppData\Local\Temp\16e0775352021a90c3dec5a4d75d5db0b444ed8cae060fccdb86fde2080bdc82.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff12b0cc40,0x7fff12b0cc4c,0x7fff12b0cc58
  2⤵
  PID:792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1852,i,4441552567597946455,15405346648465132336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1840 /prefetch:2
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,4441552567597946455,15405346648465132336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2128 /prefetch:3
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,4441552567597946455,15405346648465132336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,4441552567597946455,15405346648465132336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,4441552567597946455,15405346648465132336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4484,i,4441552567597946455,15405346648465132336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4400 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4656,i,4441552567597946455,15405346648465132336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4964,i,4441552567597946455,15405346648465132336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4596,i,4441552567597946455,15405346648465132336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4588,i,4441552567597946455,15405346648465132336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4468 /prefetch:8
  2⤵
  PID:4872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5236,i,4441552567597946455,15405346648465132336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4604 /prefetch:8
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5336,i,4441552567597946455,15405346648465132336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4612 /prefetch:8
  2⤵
  PID:3696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5256,i,4441552567597946455,15405346648465132336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5484 /prefetch:2
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4804,i,4441552567597946455,15405346648465132336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3508,i,4441552567597946455,15405346648465132336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3512 /prefetch:8
  2⤵
  PID:2704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5072,i,4441552567597946455,15405346648465132336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  PID:3872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5584,i,4441552567597946455,15405346648465132336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5860,i,4441552567597946455,15405346648465132336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5872 /prefetch:8
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3828,i,4441552567597946455,15405346648465132336,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4436 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2852
- C:\Users\Admin\Downloads\DiscordSetup.exe
  "C:\Users\Admin\Downloads\DiscordSetup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1544
- - C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:3820
  - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9177\Discord.exe
      "C:\Users\Admin\AppData\Local\Discord\app-1.0.9177\Discord.exe" --squirrel-install 1.0.9177
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3272
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9177\Discord.exe
        
        C:\Users\Admin\AppData\Local\Discord\app-1.0.9177\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\discord /prefetch:4 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\discord\Crashpad --url=https://f.a.k/e --annotation=_productName=discord --annotation=_version=1.0.9177 --annotation=plat=Win64 --annotation=prod=Electron --annotation=ver=32.2.7 --initial-client-data=0x540,0x544,0x548,0x538,0x54c,0x7ff7393a6bb0,0x7ff7393a6bbc,0x7ff7393a6bc8
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2908
    - - C:\Users\Admin\AppData\Local\Discord\Update.exe
        
        C:\Users\Admin\AppData\Local\Discord\Update.exe --createShortcut Discord.exe --setupIcon C:\Users\Admin\AppData\Local\Discord\app.ico
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2588
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9177\Discord.exe
        
        "C:\Users\Admin\AppData\Local\Discord\app-1.0.9177\Discord.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --gpu-preferences=UAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1968,i,14597819730923396400,7597919937520744126,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=1960 /prefetch:2
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1464
    - - C:\Users\Admin\AppData\Local\Discord\app-1.0.9177\Discord.exe
        
        "C:\Users\Admin\AppData\Local\Discord\app-1.0.9177\Discord.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\discord" --secure-schemes=sentry-ipc --bypasscsp-schemes=sentry-ipc --cors-schemes=sentry-ipc --fetch-schemes=sentry-ipc --field-trial-handle=2232,i,14597819730923396400,7597919937520744126,262144 --disable-features=AllowAggressiveThrottlingWithWebSocket,HardwareMediaKeyHandling,IntensiveWakeUpThrottling,MediaSessionService,SpareRendererForSitePerProcess,UseEcoQoSForBackgroundProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version --mojo-platform-channel-handle=2112 /prefetch:11
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4148
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "\"C:\Users\Admin\AppData\Local\Discord\Update.exe\" --processStart Discord.exe" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:4120
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
        5⤵
        Modifies registry class
        Modifies registry key
        
        PID:644
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
        5⤵
        Modifies registry class
        Modifies registry key
        
        PID:1268
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9177\Discord.exe\",-1" /f
        5⤵
        Modifies registry class
        Modifies registry key
        
        PID:3492
    - - C:\Windows\System32\reg.exe
        
        C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-1.0.9177\Discord.exe\" --url -- \"%1\"" /f
        5⤵
        Modifies registry class
        Modifies registry key
        
        PID:2668

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1448

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Discord\app-1.0.9177\D3DCompiler_47.dll

Filesize
4.7MB

MD5
a7349236212b0e5cec2978f2cfa49a1a

SHA1
5abb08949162fd1985b89ffad40aaf5fc769017e

SHA256
a05d04a270f68c8c6d6ea2d23bebf8cd1d5453b26b5442fa54965f90f1c62082

SHA512
c7ff4f9146fefedc199360aa04236294349c881b3865ebc58c5646ad6b3f83fca309de1173f5ebf823a14ba65e5ada77b46f20286d1ea62c37e17adbc9a82d02

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9177\app.ico

Filesize
278KB

MD5
084f9bc0136f779f82bea88b5c38a358

SHA1
64f210b7888e5474c3aabcb602d895d58929b451

SHA256
dfcea1bea8a924252d507d0316d8cf38efc61cf1314e47dca3eb723f47d5fe43

SHA512
65bccb3e1d4849b61c68716831578300b20dcaf1cbc155512edbc6d73dccbaf6e5495d4f95d089ee496f8e080057b7097a628cc104fa8eaad8da866891d9e3eb

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9177\chrome_100_percent.pak

Filesize
147KB

MD5
3c72d78266a90ed10dc0b0da7fdc6790

SHA1
6690eb15b179c8790e13956527ebbf3d274eef9b

SHA256
14a6a393c60f62df9bc1036e98346cd557e0ae73e8c7552d163fa64da77804d7

SHA512
b1babf1c37b566a5f0e5f84156f7ab59872690ba0bdd51850525f86769bfebc245f83988a3508945cf7617d73cd25e8469228974dd2c38415388b6a378552420

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9177\chrome_200_percent.pak

Filesize
222KB

MD5
3969308aae1dc1c2105bbd25901bcd01

SHA1
a32f3c8341944da75e3eed5ef30602a98ec75b48

SHA256
20c93f2cfd69f3249cdfd46f317b37a9432ecc0de73323d24ecf65ce0f3c1bb6

SHA512
f81ed1890b46f7d9f6096b9ef5daab5b21788952efb5c4dcd6b8fd43e4673a91607c748f31434c84a180d943928d83928037058493e7e9b48c3de1fc8025df7f

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9177\ffmpeg.dll

Filesize
4.2MB

MD5
2eecfeea275cade84c09e274b94ec28f

SHA1
4f911d72246261b704f326fccdbae5fabf7f9988

SHA256
d9eb546b72aa016eb6a5972dbfb5fd6c712f49254128e3ba578b40f19e7ccd56

SHA512
17584e96309788a719be323a6af7447baf5f57577c2049b44b0f09bf570580cc9b7d1d8f5288a3947ae312a26047eeee502df10dc988e1b5884b3e00bf640aa6

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9177\icudtl.dat

Filesize
10.0MB

MD5
ffd67c1e24cb35dc109a24024b1ba7ec

SHA1
99f545bc396878c7a53e98a79017d9531af7c1f5

SHA256
9ae98c06cbb0ea43c5cd6b5725310c008c65e46072421a1118cb88e1de9a8b92

SHA512
e1a865e685d2d3bacd0916d4238a79462519d887feb273a251120bb6af2b4481d025f3b21ce9a1a95a49371a0aa3ecf072175ba756974e831dbfde1f0feaeb79

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9177\libegl.dll

Filesize
483KB

MD5
bc681532b4af4a1920133f618fd65c34

SHA1
17ed1a3fbc0ba6be8968c4945635ae13a5f79071

SHA256
8cebdc7e33d7c4a5c5deca726c57d1d31d9ddae362f1d0811672813f3f5c9ba9

SHA512
80a6c673b9c65f5ef3e6d9942ae49f5ac17b38ba1f4774f22aeb871d4f5de3b45dbe6614482febb0f3dc442881dfc9c06e1fb17bef1c19fd433c258776ebc3e0

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9177\libglesv2.dll

Filesize
8.0MB

MD5
3110444a90cf8f4bb89791a8155092e7

SHA1
2f7255b7ec728cc73b31210914e9183a3e560e27

SHA256
4c4c615c7c7291a7f123c8f9791fb0a49d74d4a58334740db964331284c67c37

SHA512
8aaf20b198e477c1ae316dd1b17b76da73bbf40bf48e3d29014756442c5d4860b3c41e9d5e65f06e2ff93c2303218d4dc05c6e0713faf78ef8884427c1d605c5

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9177\locales\en-US.pak

Filesize
460KB

MD5
6702b5fb089f003b5d24e96efc486140

SHA1
254ecdfc69c4367fe544fbb3fc45644401e6a747

SHA256
4f012f54a1bf3ed73579ce31fc1381586e047bccd587ff1442aceb6da1d3149a

SHA512
762afd09f1f8807e6634179cbb2bcf9a80e9b8b06d4d48d303c1d0911f9c69e6365703fab7f5ecbf9ef621125e2322d6aeb573dbef6b923dac65b5effcbc3ae4

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9177\resources.pak

Filesize
5.2MB

MD5
67bdb0b49deeddc7ff6b20b1d0832b34

SHA1
e31638ce61d6557b22d720512c09fee5826cfba8

SHA256
c86ecb841e248270a5456589d953209ace93cd253b336d57447e07e66d7f8a44

SHA512
72e1a26df130627ed08de365b592052e73098f6b2ba8fe0c12ebbe8564b2b657254c645506f9b653dfc121930cc37959b64ee1208f7e8e09b388f99e48d72f9e

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9177\resources\app.asar

Filesize
7.3MB

MD5
71b339d636428cf9319a270728bdfb0b

SHA1
d84de7827e24d0dfb67e77a80a68772059314f17

SHA256
56561c512212ca1215a7f97f1afd03c30068ecf1dab2b030a86d71c98ef06a5f

SHA512
cfb3868bdf798bf186b0fa3241b4f5572ccf14e7d19ee47d0b8fbb5f6490474c3f7fed2da50a97d341d6cd69fab03ca5fe26bf9312dc4aef37f016401c5c7ba9

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9177\resources\build_info.json

Filesize
83B

MD5
3cac8e203b550c80dfb9712ebc64da2b

SHA1
b4a2f0c199e7046d65b80baa219db40d015a72f6

SHA256
34f212f0098531a87acd919f00561e7954a9e71edf19dde1ff0f9d4c8d160c6e

SHA512
9c1cd6994cceca0f7aaa473e202f967b16a415a4b1f5d7902e7c0d2e99bcd2b64394d22ee6929f9b3497b2c8cadc2665ec907a9f7c97c362409d11fbce7c3384

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9177\v8_context_snapshot.bin

Filesize
650KB

MD5
c3048304913b58e1f8e0df23f15bc864

SHA1
241013fabc2e905dbcd8f02af4d008676db421b6

SHA256
8ac45d2ee2705bab53e3ff9564936455301ff722c3b0af0680fabb83d3c27bae

SHA512
a9a1e2b3af0fee8eafede606594b4f934ee4f0c34ed288b6366897cd42042a1ce3fa9d55029f9a87e6e692ae7f7d5e83d007bcb8e6bd685d84ef0df0fdffa9e1

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-1.0.9177\vk_swiftshader.dll

Filesize
5.2MB

MD5
416456576ae7f5296581475f4b6318ba

SHA1
f644a74e4eea85289a7c12b5b1b5b8ec216e4149

SHA256
caffa67d53a719c03a277d58a928012e1b88100f64eb6a6b1715e0991ec46527

SHA512
47eacfea594238be3dbc878972760981b9f7e4383f2285d0afcfa63578b239b7cf21edb97964695e491d4139750a52d256e210bf9a694fcd6b92de0674bc2e70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8c69f3f8b023f6a1ed29190b6e561b1b

SHA1
f4af0fd6e5963b46e0746c40bab242da1f194793

SHA256
ecec296666fab3bef9eec530c9a0b2f4c1c84f82404f8d620ae53da1465f8704

SHA512
6fd38a58847d52cfebe864c7c81e3ea568c66172043a7f18faca38650f14315acbad95e383d04af48bf1f23d5810afe7d49c04508d9b8c2c5db3b434a25ad628

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002d

Filesize
366KB

MD5
8af9c9af250339f71eb9d036f3310893

SHA1
7a8cd64fd10508d784ce30de59fd286e4dbd3375

SHA256
c719d3d86df635f70d00e2fde56f0a5041bb7e1d6ed3e2115b850d9e907d49ea

SHA512
6d0643026fa4be31137c0648f1e021ae32e2e9e0d116e7aa2d2424bbf31a44ff827e6d7580c9b00d13d67ec9f69dc6f6a6780a78f0b8126bd9111a8c1902219d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
2e8e6ff7ed4f5a13a334034d6230b00f

SHA1
03e572a178afc46be0691510ae58377a17ef7dac

SHA256
659da4a27834a8662fe96954796786c617de029470e49ac31539250d44e7ae78

SHA512
4a4ba44c267d63017c6d75e08eaf6ec5e9fd10d7e665e566aa6a7b0fc2addced11fe6399e4c3151ce8271bfd8409de5d4055bcef5a4ad9efcc93816a9dc8d1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
22bbce3ab371afb9ed9a18a951eea8a2

SHA1
da726bd2034b9a00cb7c6913405fbac7e6f86882

SHA256
e7d5fcfb06d648be2790eb94022ab9aacc0744aef2d09770183ac96d5769d1f3

SHA512
f8ce58a97112b0f29ad780f1d42355cc1fc278e45dcbaee41bdb8f8b228cc9492815c6819669ec122bc593166702590c2369bee45b0cafc870e975ef33690450

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
af8b27c405745f0956ff5e184c8eb301

SHA1
b13fd0a38f083313212adc830f444ea7932fa925

SHA256
f6898c7bd968db0d43b744b1195f45b9cfac291b4873dec5b6a28accfc47887b

SHA512
2311d6420576dd67726e951621800980d60304dc6b162ecc0bbcbc56752e28a031186f2486a3931cd4b2de36100801e96bbcdc9b3e36186f0908c57d1ec81a32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3912a6697c57a765ad5db3733bcd9b96

SHA1
61e1de57a9db3d2dd33fd92553f0ccd6b47aa990

SHA256
697de8349c22b1b9146084e53d04fb90c7a8e7254a463eee638c94efbe066ab4

SHA512
0a7ed750ae7c403fa785636d0656312d0c42812f49c6518f822e1cd9c9e2b07b074a796a2577caa0020a65a87804a624df531d91cc4b44b4f8a7025cf80c4e0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4e6bdd863ae2060a155409857cd496c1

SHA1
edd365bcddb015b028e526d9a622f6eae7032909

SHA256
c9b440457c572cf938f6e6206e59ed347bccabeee8a58764ce57912eb3ec4da9

SHA512
a8f902ccadea1c9c275eca53d4ffd5d65a68271c284a155a03d66855a4d8c604417956ef3f45d9537bb06574998e62a4f5f891e892c68088c55dbf76013feda1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
92f463c15b8c12625ca3e7ba4a46525e

SHA1
8a6d9462ac2d4215c5bec85e46ba8b6f9b6541ad

SHA256
95f82da69ce361d792c6d513856d01520125e69f23b756422c519fddde605658

SHA512
7c8c5a95a26a934e15f523061362eaaaf2ffdc5d35f2bdc69ad51825211077a320f3f9db3fbd08f2be6516beebf547087ad5919025f82cfb81a5ec1e301867d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
83637bdb80416f24e9002354dbedf9c6

SHA1
b7a48a8603a74482ddf46f855681d9db4a157bca

SHA256
35c3a17c44b3736aec3a810df2175e3f1ebb5528c58c19f2ae86bee54ed9bb33

SHA512
19e5fc5a75f3c354f9546893d10ce63c83b1ee1b62045c5404d9a66824897df51126e9d3996936938db93212f90adcb9542c9df59adfd101385dbe5cf2ddbbee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
4bced2867e81cc0b86e3c623149c6afd

SHA1
006c49b3c98518f2f2f9665961e5dacfa8f69497

SHA256
ddbe2f56b707f464dde675018d84f4d22a2a9a5c8281b85659f98d55ac017128

SHA512
6173342a1a95bd4ec5215050eba5c7a430028b57fb202fbb63fee6bc4b0ae1c071053282fb39c203646fa0e8db2a916bc56a5e073a7852e507ca2e9457665982

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
9462cc770c46810a6f3c4759f790f86c

SHA1
3d4de88434104107c93d43b61d0187c5fec2d718

SHA256
cde28b3365fa58e76be6ee97a8bcb0b43979c022c82ef117726a0980b45c7c15

SHA512
9d5aa0d60ca831942be66040105337667dad4587666e0a32078627293fb44a2b5a6bf0910f36efbd9152b89914f78fe4c8f8d8bc3aff26176973af1cd443ce03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
f59527e4babae320ad38e4a7c1feb71e

SHA1
5f421bca84976a564ee13280607a078837474e0f

SHA256
7de21aabedf28c48092089cdfc60dc2beeb3b8c8c0bf5fef5855d21e8116131a

SHA512
28794d06962b1022e7efa163a09e826d9e1b88c49a79c02088f53c057c7aac9a95b1c7209fc952c2211886c870c2c28d4b77392e651b060ec74ff728ad2d5b9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
0b9465af345464710f84f56d3c28275a

SHA1
88163d26ea5befdbb88c201481e4f126a5b311e5

SHA256
5dfb8ef261554b4d29ad0abd58f814bfe55e6684e900725b15f1161a9c3ca0c6

SHA512
01bfaac1930eb440bbad33114ab3e2e3f763c79e00452b7514b52c7508e9759b550f67d9fb8f9d19c949939767993969338294f1136bcf0866523f4ae5b6b7a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
ed43005752f1f7436debf53f4cd798c5

SHA1
35472f6714d46496fe4db9b4d7ff2a08d6b96301

SHA256
897d6b34a4258ccd9d1c2858f106ac3ebfc9862223c216ca76ac1d95c83667d9

SHA512
e702a738553147c21eaaab4594f3b96a15f4301982967b650e772a4788a68a664b44467ebf014b8c17ebddf968d5ab6866db99484ea87a6abb788c81ba6f35a6

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
81B

MD5
bf25ff1602b5069c42687b04e344fc09

SHA1
db30ab60c785c1873e6ae8a3defa1a1c547e32f8

SHA256
eda43195cbcfccb0da5628639ba84bfe3529cf9b955366d827f477fe9c5f6edf

SHA512
69f58f88a0ae2e78e7c2f177817545e4d9fe399396f95575ea25a0d9c459fe1c70dc97b3d34cc7b2c3dceb837bea2b6d399d433118feeb17d031a18ea323dd35

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.4MB

MD5
748557a179cbdeb99cb20f1285d63740

SHA1
d62dc69d9f19a81f9b7c98ef0feee7b5459ee1c8

SHA256
7d3d911783e437aee63b839e8d759cf71c546b8700e9e4283ec35c99074f3caf

SHA512
3787ead5c8ef91e2f70fb3d0f6bbbe1f11fb3d1389a30825cda0958d19b82bc687793916d492b3ce42073b3e0441c2b234d59139426eeaeb96481b14caccd60c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3600_645036073\86aedd95-d3a8-4d56-a7a0-0dc6d3c4b3b0.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3600_645036073\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Local Storage\leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\discord\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
memory/2588-990-0x0000000004CB0000-0x0000000004CD0000-memory.dmp

Filesize
128KB

Download
memory/3820-739-0x00000000009C0000-0x0000000000B36000-memory.dmp

Filesize
1.5MB

Download
memory/3820-958-0x0000000012650000-0x0000000012688000-memory.dmp

Filesize
224KB

Download
memory/3820-959-0x0000000012630000-0x000000001263E000-memory.dmp

Filesize
56KB

Download
memory/3820-957-0x00000000125D0000-0x00000000125D8000-memory.dmp

Filesize
32KB

Download
memory/4496-21-0x00007FFF17350000-0x00007FFF17E12000-memory.dmp

Filesize
10.8MB

Download
memory/4496-5-0x00007FFF17353000-0x00007FFF17355000-memory.dmp

Filesize
8KB

Download
memory/4496-0-0x00007FFF17353000-0x00007FFF17355000-memory.dmp

Filesize
8KB

Download
memory/4496-4-0x00000277F59A0000-0x00000277F5EC8000-memory.dmp

Filesize
5.2MB

Download
memory/4496-3-0x00007FFF17350000-0x00007FFF17E12000-memory.dmp

Filesize
10.8MB

Download
memory/4496-2-0x00000277F46D0000-0x00000277F4892000-memory.dmp

Filesize
1.8MB

Download
memory/4496-1-0x00000277DA020000-0x00000277DA038000-memory.dmp

Filesize
96KB

Download