download: | DiscordSetup.exe |
Full analysis: | https://app.any.run/tasks/f6b02cc0-f23a-485f-a842-8e46408c39dd |
Verdict: | Malicious activity |
Analysis date: | October 05, 2022, 00:58:54 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 2F8A7BB9C48C4B3ECF223D1FBBD8AFA3 |
SHA1: | 6D00DC4F25408161AC63B1D28226C515E9EC04C5 |
SHA256: | 5EDC53181D1300141E42BC756A7188949F3CE6BBEBCAFE80CD8E326DEEC21EAE |
SSDEEP: | 1572864:OE4SZ1wRDBY5ev0B1QvvPz7OlCc5a5vE8HnJRk7u/lGyTtwc7vPkux4uneCsL:OELZ1wLYcv0ByvPHOlCc5sE8fpd7hxJC |
.exe | | | Win32 Executable (generic) (52.9) |
---|---|---|
.exe | | | Generic Win/DOS Executable (23.5) |
.exe | | | DOS Executable Generic (23.5) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2021-Aug-07 00:35:47 |
Detected languages: |
|
Debug artifacts: |
|
FileDescription: | Discord - https://discord.com/ |
FileVersion: | 1.0.9004 |
InternalName: | Setup.exe |
LegalCopyright: | Copyright (c) 2022 Discord Inc. All rights reserved. |
OriginalFilename: | Setup.exe |
ProductName: | Discord - https://discord.com/ |
ProductVersion: | 1.0.9004 |
SquirrelAwareVersion: | 1 |
CompanyName: | Discord Inc. |
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 280 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 7 |
TimeDateStamp: | 2021-Aug-07 00:35:47 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 131381 | 131584 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.63723 |
.rdata | 139264 | 46958 | 47104 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.92214 |
.data | 188416 | 6428 | 3584 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.0684 |
.gfids | 196608 | 300 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.33673 |
.tls | 200704 | 9 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0203931 |
.rsrc | 204800 | 82793672 | 82793984 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.9981 |
.reloc | 83001344 | 7056 | 7168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.61065 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 4.01108 | 1128 | Latin 1 / Western European | English - United States | RT_ICON |
2 | 3.49078 | 4264 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 3.67794 | 9640 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 2.40176 | 270376 | Latin 1 / Western European | English - United States | RT_ICON |
7 | 3.00563 | 142 | Latin 1 / Western European | English - United States | RT_STRING |
107 | 2.37447 | 34 | Latin 1 / Western European | English - United States | RT_GROUP_ICON |
108 | 2.49212 | 34 | Latin 1 / Western European | English - United States | RT_GROUP_ICON |
131 | 7.99865 | 82505385 | Latin 1 / Western European | English - United States | DATA |
1 (#2) | 2.37928 | 62 | Latin 1 / Western European | English - United States | RT_GROUP_ICON |
1 (#3) | 3.41043 | 896 | Latin 1 / Western European | English - United States | RT_VERSION |
COMCTL32.dll |
KERNEL32.dll |
USER32.dll (delay-loaded) |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2896 | "C:\Users\admin\Desktop\DiscordSetup.exe" | C:\Users\admin\Desktop\DiscordSetup.exe | Explorer.EXE | ||||||||||||
User: admin Company: Discord Inc. Integrity Level: MEDIUM Description: Discord - https://discord.com/ Exit code: 0 Version: 1.0.9004 Modules
| |||||||||||||||
1528 | "C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe" --install . | C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe | DiscordSetup.exe | ||||||||||||
User: admin Company: GitHub Integrity Level: MEDIUM Description: Update Exit code: 0 Version: 1.1.1.0 Modules
| |||||||||||||||
3924 | "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch; | C:\Windows\SYSTEM32\WISPTIS.EXE | — | Update.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Pen and Touch Input Component Exit code: 3221226540 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2404 | "C:\Windows\SYSTEM32\WISPTIS.EXE" /ManualLaunch; | C:\Windows\SYSTEM32\WISPTIS.EXE | Update.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Pen and Touch Input Component Exit code: 24 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2816 | "C:\Users\admin\AppData\Local\Discord\app-1.0.9004\Discord.exe" --squirrel-install 1.0.9004 | C:\Users\admin\AppData\Local\Discord\app-1.0.9004\Discord.exe | — | Update.exe | |||||||||||
User: admin Company: Discord Inc. Integrity Level: MEDIUM Description: Discord Exit code: 0 Version: 1.0.9004 Modules
| |||||||||||||||
1944 | C:\Users\admin\AppData\Local\Discord\app-1.0.9004\Discord.exe --type=crashpad-handler --user-data-dir=C:\Users\admin\AppData\Roaming\discord /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\admin\AppData\Roaming\discord\Crashpad --url=https://sentry.io/api/146342/minidump/?sentry_key=384ce4413de74fe0be270abe03b2b35a "--annotation=_companyName=Discord Inc." --annotation=_productName=Discord --annotation=_version=1.0.9004 --annotation=prod=Electron --annotation=ver=13.6.6 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2e0,0x2f4,0x7113850,0x7113860,0x711386c | C:\Users\admin\AppData\Local\Discord\app-1.0.9004\Discord.exe | — | Discord.exe | |||||||||||
User: admin Company: Discord Inc. Integrity Level: MEDIUM Description: Discord Exit code: 0 Version: 1.0.9004 Modules
| |||||||||||||||
3460 | C:\Users\admin\AppData\Local\Discord\Update.exe --createShortcut Discord.exe --setupIcon C:\Users\admin\AppData\Local\Discord\app.ico | C:\Users\admin\AppData\Local\Discord\Update.exe | — | Discord.exe | |||||||||||
User: admin Company: GitHub Integrity Level: MEDIUM Description: Update Exit code: 0 Version: 1.1.1.0 Modules
| |||||||||||||||
2488 | "C:\Users\admin\AppData\Local\Discord\app-1.0.9004\Discord.exe" --type=gpu-process --field-trial-handle=1120,9737510850198673215,6113243337378282999,131072 --disable-features=CookiesWithoutSameSiteMustBeSecure,HardwareMediaKeyHandling,MediaSessionService,SameSiteByDefaultCookies,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1116 /prefetch:2 | C:\Users\admin\AppData\Local\Discord\app-1.0.9004\Discord.exe | — | Discord.exe | |||||||||||
User: admin Company: Discord Inc. Integrity Level: LOW Description: Discord Exit code: 0 Version: 1.0.9004 Modules
| |||||||||||||||
3480 | C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d "C:\Users\admin\AppData\Local\Discord\Update.exe --processStart Discord.exe" /f | C:\Windows\System32\reg.exe | Discord.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2568 | C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f | C:\Windows\System32\reg.exe | — | Discord.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
(PID) Process: | (1528) Update.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication |
Operation: | write | Name: | Name |
Value: Update.exe | |||
(PID) Process: | (1528) Update.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (1528) Update.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (1528) Update.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (1528) Update.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (2404) WISPTIS.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication |
Operation: | write | Name: | Name |
Value: WISPTIS.EXE | |||
(PID) Process: | (2404) WISPTIS.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Wisp\Touch |
Operation: | write | Name: | TouchGate |
Value: 1 | |||
(PID) Process: | (2404) WISPTIS.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Wisp\MultiTouch |
Operation: | write | Name: | MultiTouchEnabled |
Value: 1 | |||
(PID) Process: | (2404) WISPTIS.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Wisp\Pen\SysEventParameters |
Operation: | write | Name: | FlickMode |
Value: 1 | |||
(PID) Process: | (2404) WISPTIS.EXE | Key: | HKEY_CURRENT_USER\Software\Microsoft\Wisp\Pen\SysEventParameters |
Operation: | write | Name: | TouchFlickTolerance |
Value: 50 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2896 | DiscordSetup.exe | C:\Users\admin\AppData\Local\SquirrelTemp\Discord-1.0.9004-full.nupkg | — | |
MD5:— | SHA256:— | |||
1528 | Update.exe | C:\Users\admin\AppData\Local\Discord\packages\Discord-1.0.9004-full.nupkg | — | |
MD5:— | SHA256:— | |||
1528 | Update.exe | C:\Users\admin\AppData\Local\Discord\app-1.0.9004\lib\net45\Discord.exe | — | |
MD5:— | SHA256:— | |||
1528 | Update.exe | C:\Users\admin\AppData\Local\Discord\app-1.0.9004\lib\net45\icudtl.dat | — | |
MD5:— | SHA256:— | |||
1528 | Update.exe | C:\Users\admin\AppData\Local\Discord\app-1.0.9004\lib\net45\resources.pak | — | |
MD5:— | SHA256:— | |||
2896 | DiscordSetup.exe | C:\Users\admin\AppData\Local\SquirrelTemp\RELEASES | text | |
MD5:6AAB95E146FA773BA3B0CDA33C67B032 | SHA256:002EBBB665B2C208636EE9C59473091E75554F097585B6616CE9871B6D335913 | |||
1528 | Update.exe | C:\Users\admin\AppData\Local\Discord\app-1.0.9004\lib\net45\ffmpeg.dll | executable | |
MD5:9B42ABF15163AF5D85210D289E1F8CB3 | SHA256:7D35C0B8786CF30FE1A32D9D27DA491E575B81D9A0BB11076B02661D20A5A2AB | |||
1528 | Update.exe | C:\Users\admin\AppData\Local\Discord\app-1.0.9004\lib\net45\installer.db | sqlite | |
MD5:B9D1D3F3BF3F14AF6A16EE2CA412E3A4 | SHA256:F5774ECA840880F31A0932A9A6A56BB926E015964821A66ADFA46FC13FB69A87 | |||
1528 | Update.exe | C:\Users\admin\AppData\Local\Discord\app-1.0.9004\lib\net45\vk_swiftshader.dll | executable | |
MD5:89217B7853A3D1FA814FA3CA6EDA2477 | SHA256:9FD78AA36A548477D19DECE9FC5A7C1978C790120A6D44194C4BB5A8F45FD496 | |||
1528 | Update.exe | C:\Users\admin\AppData\Local\Discord\app-1.0.9004\lib\net45\updater.node | executable | |
MD5:3B8EDD09C20448500394CC73BAF5BE91 | SHA256:600D1DFFC7F08644396556ED4F9B26F55F2E19B43810827804A013FBC0AAB4A5 |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2972 | Discord.exe | 172.217.17.110:443 | redirector.gvt1.com | GOOGLE | US | whitelisted |
3564 | Discord.exe | 162.159.138.232:443 | discord.com | CLOUDFLARENET | — | malicious |
3952 | Discord.exe | 162.159.136.234:443 | remote-auth-gateway.discord.gg | CLOUDFLARENET | — | shared |
3828 | Discord.exe | 162.159.133.232:443 | dl.discordapp.net | CLOUDFLARENET | — | shared |
— | — | 162.159.133.233:443 | discordapp.com | CLOUDFLARENET | — | shared |
3828 | Discord.exe | 162.159.138.232:443 | discord.com | CLOUDFLARENET | — | malicious |
3952 | Discord.exe | 162.159.130.233:443 | discordapp.com | CLOUDFLARENET | — | shared |
3564 | Discord.exe | 162.159.133.232:443 | dl.discordapp.net | CLOUDFLARENET | — | shared |
2972 | Discord.exe | 173.194.150.171:443 | r5---sn-5goeen76.gvt1.com | GOOGLE | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
redirector.gvt1.com |
| whitelisted |
r5---sn-5goeen76.gvt1.com |
| whitelisted |
discord.com |
| whitelisted |
dl.discordapp.net |
| whitelisted |
updates.discord.com |
| malicious |
discordapp.com |
| whitelisted |
cdn.discordapp.com |
| shared |
remote-auth-gateway.discord.gg |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com) |
3564 | Discord.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
— | — | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com) |
3828 | Discord.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
— | — | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) |
3952 | Discord.exe | Misc activity | ET INFO Observed Discord Domain (discordapp .com in TLS SNI) |
— | — | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discordapp .com) |
3952 | Discord.exe | Misc activity | ET INFO Observed Discord Domain (discordapp .com in TLS SNI) |
Process | Message |
---|---|
DiscordSetup.exe | Start up installer: |
DiscordSetup.exe | Elevated process: ?
|
DiscordSetup.exe | Want standard install |