Analysis Overview
SHA256
a4704b7ba12271b428693f4758ee9e829de8be98e31c66362affa951a2ef0037
Threat Level: Known bad
The file Discord-Leaks.zip was found to be: Known bad.
Malicious Activity Summary
Privateloader family
Loads dropped DLL
Executes dropped EXE
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Detects Pyinstaller
One or more HTTP URLs in qr code identified
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-05-01 13:16
Signatures
Privateloader family
Detects Pyinstaller
One or more HTTP URLs in qr code identified
Unsigned PE
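The static "Detects Pyinstaller" hit, together with the `_MEI31282\python38.dll` and `_MEI49962\python37.dll` drops in the behavioral runs, means the lures are PyInstaller one-file bundles: the real script sits in a CArchive appended to a bootloader, and the bootloader unpacks it to `%TEMP%\_MEIxxxxx` at run time. The parser below is an added example written for this page (it is not the sandbox's detection logic and not code from the samples); it locates the trailing CArchive cookie the way PyInstaller's own reader does, walks the table of contents and inflates an entry, which is the first step an analyst takes before decompiling the embedded script. `build_test_archive` constructs a fake one-entry bundle so the parser can be run offline; the entry name and script body in it are invented test data.

```python
import struct
import sys
import zlib

# Constants from PyInstaller's CArchive format (PyInstaller/archive/readers.py).
MEI_MAGIC = b"MEI\014\013\012\013\016"
COOKIE_FMT = "!8sIIii64s"                  # magic, package len, TOC offset, TOC len, python ver, python lib
COOKIE_LEN = struct.calcsize(COOKIE_FMT)   # 88 bytes (PyInstaller >= 2.1)
ENTRY_FMT = "!iIIIBc"                      # entry len, data offset, compressed len, uncompressed len, flag, type
ENTRY_LEN = struct.calcsize(ENTRY_FMT)     # 18 bytes, followed by the NUL-padded entry name


def python_version_from_cookie(pyver: int) -> str:
    """Older builds store 38 for 3.8, newer ones 308; decode both the way pyinstxtractor does."""
    major, minor = (pyver // 100, pyver % 100) if pyver >= 100 else (pyver // 10, pyver % 10)
    return f"{major}.{minor}"


def find_pyinstaller_cookie(data: bytes):
    """Return (cookie_offset, cookie_fields) if data ends with a PyInstaller CArchive, else None.

    rfind() is deliberate: the bootloader code itself contains the magic (it searches for it
    too), so the genuine cookie is the last occurrence, at the tail of the overlay.
    """
    pos = data.rfind(MEI_MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _, pkg_len, toc_pos, toc_len, pyver, pylib = struct.unpack(COOKIE_FMT, data[pos:pos + COOKIE_LEN])
    return pos, {
        "package_len": pkg_len,
        "toc_pos": toc_pos,
        "toc_len": toc_len,
        "python_version": python_version_from_cookie(pyver),
        "python_lib": pylib.split(b"\0", 1)[0].decode("ascii", "replace"),
    }


def list_pyinstaller_toc(data: bytes) -> list:
    """Walk the TOC and return one dict per embedded entry (script, PYZ, .pyd, DLL, data)."""
    found = find_pyinstaller_cookie(data)
    if found is None:
        return []
    cookie_off, cookie = found
    # package_len covers everything up to and including the cookie, so the archive
    # begins package_len bytes before the cookie's end.
    archive_start = cookie_off + COOKIE_LEN - cookie["package_len"]
    cur = archive_start + cookie["toc_pos"]
    end = cur + cookie["toc_len"]
    entries = []
    while cur + ENTRY_LEN <= end:
        entry_len, off, clen, ulen, cflag, typecode = struct.unpack(ENTRY_FMT, data[cur:cur + ENTRY_LEN])
        if entry_len < ENTRY_LEN:          # corrupt or truncated TOC: stop instead of looping forever
            break
        name = data[cur + ENTRY_LEN:cur + entry_len].split(b"\0", 1)[0].decode("utf-8", "replace")
        entries.append({
            "name": name,
            "type": typecode.decode("ascii"),   # 's' script, 'z' PYZ, 'b' binary, 'x' data, ...
            "offset": archive_start + off,      # absolute offset of the entry's data in the file
            "compressed_len": clen,
            "uncompressed_len": ulen,
            "compressed": bool(cflag),
        })
        cur += entry_len
    return entries


def extract_entry(data: bytes, entry: dict) -> bytes:
    """Return an entry's content, inflating it when the TOC marks it zlib-compressed."""
    raw = data[entry["offset"]:entry["offset"] + entry["compressed_len"]]
    return zlib.decompress(raw) if entry["compressed"] else raw


def build_test_archive(script_name: bytes, script: bytes, pylib: bytes = b"python38.dll") -> bytes:
    """Constructed test input: a fake MZ stub with a one-entry CArchive appended, laid out
    as PyInstaller lays it out. Not a real build; it only exists to exercise the parser offline."""
    comp = zlib.compress(script)
    header_len = ENTRY_LEN + len(script_name) + 1            # name is NUL-terminated ...
    entry_len = header_len + (-header_len) % 16             # ... and the entry is padded to 16 bytes
    toc = struct.pack(ENTRY_FMT, entry_len, 0, len(comp), len(script), 1, b"s")
    toc += script_name + b"\0" * (entry_len - header_len + 1)
    pkg_len = len(comp) + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, MEI_MAGIC, pkg_len, len(comp), len(toc), 38, pylib.ljust(64, b"\0"))
    return b"MZ" + b"\0" * 62 + comp + toc + cookie


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_archive(b"lure", b"print('hi')\n")
    found = find_pyinstaller_cookie(blob)
    print("PyInstaller:", found[1] if found else "no")
    for e in list_pyinstaller_toc(blob):
        print(f"{e['type']} {e['name']:40} {e['uncompressed_len']:>9} bytes")
```

Entries of type `s` are the bundled scripts in execution order; the last one is normally the author's own code (here, the "Discord checker" / "token checker" lure), and `extract_entry` hands you its marshalled code object ready for a decompiler. Point the script at the bootloader executable (for instance the `Qt5Core.exe` seen in behavioral31), not at the extracted `_MEIxxxxx` directory.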
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240419-en
Max time kernel
65s
Max time network
52s
Command Line
Signatures
Loads dropped DLL
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3128 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.exe | C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.exe |
| PID 3128 wrote to memory of 1092 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.exe | C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.exe |
| PID 1092 wrote to memory of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.exe | C:\Windows\system32\cmd.exe |
| PID 1092 wrote to memory of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.exe | C:\Windows\system32\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.exe
"C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.exe"
C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.exe
"C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title [Discord Account Backup Bot] - Main Menu
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | canary.discordapp.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI31282\python38.dll
| MD5 | 26ba25d468a778d37f1a24f4514d9814 |
| SHA1 | b64fe169690557656ede3ae50d3c5a197fea6013 |
| SHA256 | 2f3e368f5bcc1dda5e951682008a509751e6395f7328fd0f02c4e1a11f67c128 |
| SHA512 | 80471bfeeab279ce4adfb9ee1962597fb8e1886b861e31bdff1e3aa0df06d93afeb3a3398e9519bab7152d4bd7d88fa9b328a2d7eb50a91eb60fead268912080 |
C:\Users\Admin\AppData\Local\Temp\_MEI31282\VCRUNTIME140.dll
| MD5 | 4a365ffdbde27954e768358f4a4ce82e |
| SHA1 | a1b31102eee1d2a4ed1290da2038b7b9f6a104a3 |
| SHA256 | 6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c |
| SHA512 | 54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722 |
C:\Users\Admin\AppData\Local\Temp\_MEI31282\base_library.zip
| MD5 | e1315e6d33e2300bc1d691ed76bc6bf1 |
| SHA1 | 401075f435707c77904be8915a8c83a422cfe0ee |
| SHA256 | 52bd4ea66e4ece6bf404c3617d0c9723966adb9206c507fda8a2850d3c194ad0 |
| SHA512 | a1f7172dfa320976da468f9dab24678ae471904ed390b9721f16e7a86db7a11be7664013ef1125fe9f9c35501eb70c758fb9c20babcaf712af0ba9f5b3293e2c |
C:\Users\Admin\AppData\Local\Temp\_MEI31282\_ctypes.pyd
| MD5 | 291a0a9b63bae00a4222a6df71a22023 |
| SHA1 | 7a6a2aad634ec30e8edb2d2d8d0895c708d84551 |
| SHA256 | 820e840759eed12e19f3c485fd819b065b49d9dc704ae3599a63077416d63324 |
| SHA512 | d43ef6fc2595936b17b0a689a00be04968f11d7c28945af4c3a74589bd05f415bf4cb3b4e22ac496490daff533755999a69d5962ccffd12e09c16130ed57fd09 |
C:\Users\Admin\AppData\Local\Temp\_MEI31282\python3.DLL
| MD5 | c9f0b55fce50c904dff9276014cef6d8 |
| SHA1 | 9f9ae27df619b695827a5af29414b592fc584e43 |
| SHA256 | 074b06ae1d0a0b5c26f0ce097c91e2f24a5d38b279849115495fc40c6c10117e |
| SHA512 | 8dd188003d8419a25de7fbb37b29a4bc57a6fd93f2d79b5327ad2897d4ae626d7427f4e6ac84463c158bcb18b6c1e02e83ed49f347389252477bbeeb864ac799 |
C:\Users\Admin\AppData\Local\Temp\_MEI31282\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI31282\_socket.pyd
| MD5 | 4827652de133c83fa1cae839b361856c |
| SHA1 | 182f9a04bdc42766cfd5fb352f2cb22e5c26665e |
| SHA256 | 87832a3b89e2ada8f704a8f066013660d591d9ce01ce901cc57a3b973f0858ba |
| SHA512 | 8d66d68613fdba0820257550de3c39b308b1dce659dca953d10a95ff2cf89c31afe512d30ed44422b31117058dc9fa15279e5ac84694da89b47f99b0ad7e338a |
C:\Users\Admin\AppData\Local\Temp\_MEI31282\select.pyd
| MD5 | e21cff76db11c1066fd96af86332b640 |
| SHA1 | e78ef7075c479b1d218132d89bf4bec13d54c06a |
| SHA256 | fcc2e09a2355a5546922874fb4cac92ee00a33c0ed6adbc440d128d1e9f4ec28 |
| SHA512 | e86dba2326ca5ea3f5ef3af2abd3c23d5b29b6211acc865b6be5a51d5c8850b7cda8c069e6f631ac62f2047224c4b675bbe6ac97c7ba781de5b8016ebaffd46f |
C:\Users\Admin\AppData\Local\Temp\_MEI31282\libcrypto-1_1.dll
| MD5 | 89511df61678befa2f62f5025c8c8448 |
| SHA1 | df3961f833b4964f70fcf1c002d9fd7309f53ef8 |
| SHA256 | 296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf |
| SHA512 | 9af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668 |
C:\Users\Admin\AppData\Local\Temp\_MEI31282\_ssl.pyd
| MD5 | d4dfd8c2894670e9f8d6302c09997300 |
| SHA1 | c3a6cc8d8079a06a4cac8950e0baba2b43fb1f8e |
| SHA256 | 0a721fc230eca278a69a2006e13dfa00e698274281378d4df35227e1f68ea3e0 |
| SHA512 | 1422bf45d233e2e3f77dce30ba0123625f2a511f73dfdf42ee093b1755963d9abc371935111c28f0d2c02308c5e82867de2546d871c35e657da32a7182026048 |
C:\Users\Admin\AppData\Local\Temp\_MEI31282\libssl-1_1.dll
| MD5 | 50bcfb04328fec1a22c31c0e39286470 |
| SHA1 | 3a1b78faf34125c7b8d684419fa715c367db3daa |
| SHA256 | fddd0da02dcd41786e9aa04ba17ba391ce39dae6b1f54cfa1e2bb55bc753fce9 |
| SHA512 | 370e6dfd318d905b79baf1808efbf6da58590f00006513bdaaed0c313f6fa6c36f634ea3b05f916cee59f4db25a23dd9e6f64caf3c04a200e78c193027f57685 |
C:\Users\Admin\AppData\Local\Temp\_MEI31282\_hashlib.pyd
| MD5 | 5e5af52f42eaf007e3ac73fd2211f048 |
| SHA1 | 1a981e66ab5b03f4a74a6bac6227cd45df78010b |
| SHA256 | a30cf1a40e0b09610e34be187f1396ac5a44dcfb27bc7ff9b450d1318b694c1b |
| SHA512 | bc37625005c3dad1129b158a2f1e91628d5c973961e0efd61513bb6c7b97d77922809afca8039d08c11903734450bc098c6e7b63655ff1e9881323e5cfd739fd |
C:\Users\Admin\AppData\Local\Temp\_MEI31282\_queue.pyd
| MD5 | dd146e2fa08302496b15118bf47703cf |
| SHA1 | d06813e2fcb30cbb00bb3893f30c2661686cf4b7 |
| SHA256 | 67e4e888559ea2c62ff267b58d7a7e95c2ec361703b5aa232aa8b2a1f96a2051 |
| SHA512 | 5b93a782c9562370fc5b3f289ca422b4d1a1c532e81bd6c95a0063f2e3889ecf828003e42b674439fc7cd0fa72f64ad607bab6910abe9d959a4fb9fb08df263c |
C:\Users\Admin\AppData\Local\Temp\_MEI31282\_bz2.pyd
| MD5 | a49c5f406456b79254eb65d015b81088 |
| SHA1 | cfc2a2a89c63df52947af3610e4d9b8999399c91 |
| SHA256 | ce4ef8ed1e72c1d3a6082d500a17a009eb6e8ed15022bf3b68a22291858feced |
| SHA512 | bbafeff8c101c7425dc9b8789117fe4c5e516d217181d3574d9d81b8fec4b0bd34f1e1fe6e406ae95584dc671f788cd7b05c8d700baf59fbf21de9c902edf7ae |
C:\Users\Admin\AppData\Local\Temp\_MEI31282\_lzma.pyd
| MD5 | cf9fd17b1706f3044a8f74f6d398d5f1 |
| SHA1 | c5cd0debbde042445b9722a676ff36a0ac3959ad |
| SHA256 | 9209ccc60115727b192bf7771551040ca6fdd50f9bf8c3d2eacbfd424e8245e4 |
| SHA512 | 5fe922c00c6f7fd3cd9bc56fc51de1f44adffbdb0afc0583f1bb08008be628b9ac16f8560b0c3ba16138e1cdcaf1c525ef24241bed804804cdeb5961aed6385a |
C:\Users\Admin\AppData\Local\Temp\_MEI31282\certifi\cacert.pem
| MD5 | 3dcd08b803fbb28231e18b5d1eef4258 |
| SHA1 | b81ea40b943cd8a0c341f3a13e5bc05090b5a72a |
| SHA256 | de2fa17c4d8ae68dc204a1b6b58b7a7a12569367cfeb8a3a4e1f377c73e83e9e |
| SHA512 | 9cc7106e921fbcf8c56745b38051a5a56154c600e3c553f2e64d93ec988c88b17f6d49698bdc18e3aa57ae96a79ee2c08c584c7c4c91cc6ea72db3dca6ccc2f5 |
C:\Users\Admin\AppData\Local\Temp\_MEI31282\unicodedata.pyd
| MD5 | 601aee84e12b87ca66826dfc7ca57231 |
| SHA1 | 3a7812433ca7d443d4494446a9ced24b6774ceca |
| SHA256 | d8091e62c74e1b2b648086f778c3c41ce01f09661a75ea207d3fea2cf26a8762 |
| SHA512 | 7c2d64623c6cfd66d6729f59909c90aa944e810ff6514c58b2b3142ee90e8660b7ddf7fa187389dd333e47efe8b19e935dd4e9119c15375b69b4880d043877d7 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240419-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\vshost\vshost.exe | N/A |
| N/A | N/A | C:\ProgramData\winst\winst.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DiscoBot v2 By Psy\database32.lib | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\DiscoBot v2 By Psy\DiscoBotV2.exe
"C:\Users\Admin\AppData\Local\Temp\DiscoBot v2 By Psy\DiscoBotV2.exe"
C:\ProgramData\vshost\vshost.exe
C:\ProgramData\\vshost\\vshost.exe ,.
C:\Users\Admin\AppData\Local\Temp\DiscoBot v2 By Psy\database32.lib
database32.lib
C:\ProgramData\winst\winst.exe
C:\ProgramData\\winst\\winst.exe hQXWxmWi9srZnKPhJw2x1irYfAesE8yUUNiuaZH1ZKI3qvin3WwekLs55e1P12rC
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | stlaip74566.ddnsgeek.com | udp |
| US | 8.8.8.8:53 | staekp63472.ddnsgeek.com | udp |
| US | 8.8.8.8:53 | stlaip578223.ddnsgeek.com | udp |
| US | 8.8.8.8:53 | 2captcha.com | udp |
| US | 8.8.8.8:53 | 2captcha.com | udp |
Files
C:\ProgramData\vshost\vshost.exe
| MD5 | 4e6a7ee0e286ab61d36c26bd38996821 |
| SHA1 | 820674b4c75290f8f667764bfb474ca8c1242732 |
| SHA256 | f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3 |
| SHA512 | f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a |
C:\ProgramData\winst\winst.exe
| MD5 | 59238144771807b1cbc407b250d6b2c3 |
| SHA1 | 6c9f87cca7e857e888cb19ea45cf82d2e2d29695 |
| SHA256 | 8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b |
| SHA512 | cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220 |
memory/3180-14-0x00000000008A0000-0x000000000092E000-memory.dmp
memory/3180-15-0x0000000005990000-0x0000000005F34000-memory.dmp
memory/3180-16-0x0000000073AF0000-0x00000000742A0000-memory.dmp
memory/3180-17-0x0000000005320000-0x00000000053B2000-memory.dmp
memory/3180-18-0x0000000005550000-0x0000000005560000-memory.dmp
memory/3180-19-0x00000000053C0000-0x00000000053CA000-memory.dmp
memory/3180-20-0x0000000005550000-0x0000000005560000-memory.dmp
memory/3180-21-0x0000000073AF0000-0x00000000742A0000-memory.dmp
memory/3180-22-0x0000000005550000-0x0000000005560000-memory.dmp
memory/3180-23-0x0000000005550000-0x0000000005560000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240419-en
Max time kernel
85s
Max time network
65s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\vshost\vshost.exe | N/A |
| N/A | N/A | C:\ProgramData\winst\winst.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\Discord Checker.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\Discord Checker.exe"
C:\ProgramData\vshost\vshost.exe
C:\ProgramData\\vshost\\vshost.exe ,.
C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\lib32.cfg
lib32.cfg
C:\ProgramData\winst\winst.exe
C:\ProgramData\\winst\\winst.exe y5HD4TSx18kBv3sVmf5VL7ELHGiy9UwT1mdM5cckmhNvvYfU8n7axnQGkmgfCGgp
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | stlaip74566.ddnsgeek.com | udp |
| US | 8.8.8.8:53 | staekp63472.ddnsgeek.com | udp |
| US | 8.8.8.8:53 | stlaip578223.ddnsgeek.com | udp |
Files
C:\ProgramData\vshost\vshost.exe
| MD5 | 4e6a7ee0e286ab61d36c26bd38996821 |
| SHA1 | 820674b4c75290f8f667764bfb474ca8c1242732 |
| SHA256 | f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3 |
| SHA512 | f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a |
C:\ProgramData\winst\winst.exe
| MD5 | 59238144771807b1cbc407b250d6b2c3 |
| SHA1 | 6c9f87cca7e857e888cb19ea45cf82d2e2d29695 |
| SHA256 | 8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b |
| SHA512 | cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220 |
memory/620-14-0x0000000000F20000-0x0000000000F28000-memory.dmp
memory/620-15-0x0000000075330000-0x0000000075AE0000-memory.dmp
memory/620-16-0x0000000075330000-0x0000000075AE0000-memory.dmp
memory/620-18-0x0000000075330000-0x0000000075AE0000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
159s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\vshost\vshost.exe | N/A |
| N/A | N/A | C:\ProgramData\winst\winst.exe | N/A |
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.bin | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.bin | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\Discord Token Checker ULTRA by zoony.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\Discord Token Checker ULTRA by zoony.exe"
C:\ProgramData\vshost\vshost.exe
C:\ProgramData\\vshost\\vshost.exe ,.
C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.bin
data.bin
C:\ProgramData\winst\winst.exe
C:\ProgramData\\winst\\winst.exe eErEsPUiSfIq35left1KrviZHrVxawxyIvFd4HDDBuT17ugP8hNVmuDFCb7SepX4
C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.bin
data.bin
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stlaip74566.ddnsgeek.com | udp |
| US | 162.216.242.206:80 | stlaip74566.ddnsgeek.com | tcp |
| NL | 23.62.61.59:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | stlaep34621.ddnsgeek.com | udp |
| RO | 185.247.224.98:443 | stlaep34621.ddnsgeek.com | tcp |
| US | 8.8.8.8:53 | 206.242.216.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.224.247.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.3.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.59:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
Files
C:\ProgramData\vshost\vshost.exe
| MD5 | 4e6a7ee0e286ab61d36c26bd38996821 |
| SHA1 | 820674b4c75290f8f667764bfb474ca8c1242732 |
| SHA256 | f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3 |
| SHA512 | f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a |
C:\ProgramData\winst\winst.exe
| MD5 | 59238144771807b1cbc407b250d6b2c3 |
| SHA1 | 6c9f87cca7e857e888cb19ea45cf82d2e2d29695 |
| SHA256 | 8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b |
| SHA512 | cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220 |
C:\Users\Admin\AppData\Local\Temp\_MEI49962\python37.dll
| MD5 | 5d8c22938d89077f64537a9d09cf6fd5 |
| SHA1 | 15971f1b4bc2420eafbd40b0cd3fc4d2af204ec4 |
| SHA256 | 8eb835d88e72e998b82916fb20a252af615d6e641827e013411239d115d5dd69 |
| SHA512 | dbd1febd18e29eab046b98f6b970e35e040adddead81561c0d165a1353a124d1dc26f3b3f5aa9ef0cb8e813baa8fc706514c0350c6428f25c5e5c050773b7d31 |
C:\Users\Admin\AppData\Local\Temp\_MEI49962\VCRUNTIME140.dll
| MD5 | 0e675d4a7a5b7ccd69013386793f68eb |
| SHA1 | 6e5821ddd8fea6681bda4448816f39984a33596b |
| SHA256 | bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1 |
| SHA512 | cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66 |
C:\Users\Admin\AppData\Local\Temp\_MEI49962\base_library.zip
| MD5 | 770e57194dd00a1819d4397ab3a99a01 |
| SHA1 | dbe4fe0a51cab572e5e39cdfd47289a9a3258342 |
| SHA256 | 90899a12994ee4b850d2119a7a5f947b3baca07500568e9385c9f160139fbbf7 |
| SHA512 | cb4e992c1da0a9dde1549e7eaf85d9725b9d395e97f4934ad215d934a6c8d0c7ab705a948c5e97d9338fc535a531dea31d3f4a30f07fffc70bf3598996a1b223 |
C:\Users\Admin\AppData\Local\Temp\_MEI49962\_ctypes.pyd
| MD5 | bf9d0771209cfbeb520c9e093d105d18 |
| SHA1 | 72551b0f452bb144e528513033cbd755ab3e07ed |
| SHA256 | d8b8cd706d524ab152d1f8f44f239487b89ee9c32bc692f6d2bdc84073ba56a0 |
| SHA512 | a94f99052058c1c2e1e680acae7167d3e5fd9aea18983ab6daac59878c3f7c33205ecf2ac69aa5db25af18654fc0141a569175b0c5c60d5fb469c011c6fb81f2 |
C:\Users\Admin\AppData\Local\Temp\_MEI49962\_ssl.pyd
| MD5 | 3f332e60605790a55cc349fe04ec6c10 |
| SHA1 | e33b47855a3e2f8b2a0aa2d15de1e0cd3d668667 |
| SHA256 | ddd2a2734b1fb2d3881a8c05ad578cf9121549a8616b7d9fafb529c92597548e |
| SHA512 | f403f300a849d82bc10f4d72d0c32cf10d037bce46f2c8434f8a5f7b8d8bb873ad0be0bcefb2dce97de23b54365e4ad7decfed76e8b064f5a9c8ffb104ae01f3 |
C:\Users\Admin\AppData\Local\Temp\_MEI49962\libssl-1_1.dll
| MD5 | 90e6e4d388505d86eaf094ade0ab080c |
| SHA1 | 22b437a1702e4c45a8771ea4aae7b12f58f04769 |
| SHA256 | 0c9573ee96059fb5746769163f445e936b780090d17b0d1ef415e9e837434dc1 |
| SHA512 | dcf8e1c8c79a4484056d546b38bed20445c8d87858298d9e0362e2f1acb42921282e35ebdd854ec98cd339d6304d0e6654c60c821542d16d5ee75bbf21e25e3c |
C:\Users\Admin\AppData\Local\Temp\_MEI49962\libcrypto-1_1.dll
| MD5 | 925b0753ee5a1ffafe647f988683b0a2 |
| SHA1 | 7f1862d04c8c8d7c69f9865b462f0e995e25aab5 |
| SHA256 | 95e3e9a86da6de563340b419962fc05f59038f32924b79d59e121bdd5e260a3a |
| SHA512 | 1e06e5d0177789175fb3f9bcac5a85a8caf1cc1609797ef823a56f420a01904b4cde240aabe0df42c57a0f3f6c69385f16539f01cf54632bd2894cd56f956bfb |
C:\Users\Admin\AppData\Local\Temp\_MEI49962\_socket.pyd
| MD5 | cfb4527e80439fd4b20164f8a2e2b6e4 |
| SHA1 | 93bb7f5bbc90f7c09e72ed3087fffc72985a5254 |
| SHA256 | b6f45e053997359f1932b0bd10cd46ff02f84b85d0ecc93dea97430693683c7e |
| SHA512 | 800417aba1e4524e06ef12be654048e17d699cd2733143d3e5f1a9f700268f181922525940537ab526b7d924a2e9db5d3282b4ef8adf49d314fa1bd055e6d652 |
C:\Users\Admin\AppData\Local\Temp\_MEI49962\select.pyd
| MD5 | 7867a50c9bb0c3d2aa9e9cc05fdb54ff |
| SHA1 | 6d7d895673b9b4ad2f8dfae34e001be1d5f270f2 |
| SHA256 | e9b612e38e6a1b6af89253a6ce5f63d85f9d7d98c940bb63fba5ce99d2f31071 |
| SHA512 | 6959544b0c2d0701f4d4414f07b8a6c100dd2985b3ccddabcb724842b322078ee07a607783e2649c00db20fc65897dd9222bf84b7c3082f61269fc2c8bc4e144 |
C:\Users\Admin\AppData\Local\Temp\_MEI49962\_pytransform.dll
| MD5 | 6aecb4a764836d156e4d6f6ea7cbaa9d |
| SHA1 | 42e2386843550b36bee70e46ccc8ce5c8628c50a |
| SHA256 | 8414c81dd8bc12f80dbce1126f3bd83df136d886589ea4bc89c05bb494df2eab |
| SHA512 | 42968102be12601883f3cd116cfc1f3750930b685bde128f52abd18d3db9255ce56a4527af2a286360d6f7ae2e7acb4b96414ce1d8a7f13ca7f094dbcdb21481 |
memory/2900-95-0x000001A226AB0000-0x000001A226AB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI49962\_hashlib.pyd
| MD5 | 7391051923fee611c474fcfbf3f7f548 |
| SHA1 | 5f284a87c18900515606a952bf2476e0c42066ad |
| SHA256 | 02753c507c95d2d434fa6499cfd6390ec98bffac6799d664148297334ea25575 |
| SHA512 | a3567bad9dc165af0359076f13ba1d0da68c9105e6555589a433a74644eebd082ce508d444a701d2a89910ed2a09adeff15f144f43075174f77ccb29ce8d4ff3 |
C:\Users\Admin\AppData\Local\Temp\_MEI49962\_queue.pyd
| MD5 | 6fbcd906dcec9ea5b0de160e596c8435 |
| SHA1 | 974b49881702642415588d0a3c814396262cdf4b |
| SHA256 | fd0be33a0851c8a89adb694358ca7c064aac4454471bf57033f24a91f03e6f4c |
| SHA512 | d8b67d90f38d5488ab9f6c2ea50646f37f8f126d6d2aef6ed4eba5ad7552c8813e33e43ef84d95ac972d4c58c5536ff4c6ae5d9cb5d3b350df6ff48efce169b5 |
memory/2900-116-0x00007FFF40000000-0x00007FFF40001000-memory.dmp
memory/2900-115-0x000001A226AB0000-0x000001A226AB1000-memory.dmp
memory/2900-113-0x000001A226AB0000-0x000001A226AB1000-memory.dmp
memory/2900-111-0x000001A226AB0000-0x000001A226AB1000-memory.dmp
memory/2900-109-0x000001A226AB0000-0x000001A226AB1000-memory.dmp
memory/2900-107-0x000001A226AB0000-0x000001A226AB1000-memory.dmp
memory/2900-105-0x000001A226AB0000-0x000001A226AB1000-memory.dmp
memory/2900-103-0x000001A226AB0000-0x000001A226AB1000-memory.dmp
memory/2900-93-0x000001A226AB0000-0x000001A226AB1000-memory.dmp
memory/2900-91-0x000001A226AB0000-0x000001A226AB1000-memory.dmp
memory/2900-89-0x000001A226AB0000-0x000001A226AB1000-memory.dmp
memory/2900-87-0x000001A226AB0000-0x000001A226AB1000-memory.dmp
memory/2900-85-0x000001A226AB0000-0x000001A226AB1000-memory.dmp
memory/2900-83-0x000001A226AB0000-0x000001A226AB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI49962\license.lic
| MD5 | 320aa573435cfbac84163504b9abf0a6 |
| SHA1 | e1ddf425400f081fc4c4b9acf0951c412f9c2f06 |
| SHA256 | 0814d8054e2897cec2bcb92d9b38350f0a873dd1754e9f94c172033bf6853d71 |
| SHA512 | 331b182b32cd8370ceca2cc2ce7488b198f6c45171cf448eba8419caa8b2bb9b990779ce5c178ae517528614a8b36525e047ae2357a947042feaa1035e7661c7 |
memory/2900-74-0x000001A226AB0000-0x000001A226AB1000-memory.dmp
memory/2900-72-0x000001A226AB0000-0x000001A226AB1000-memory.dmp
memory/2900-70-0x000001A226AB0000-0x000001A226AB1000-memory.dmp
memory/2900-68-0x000001A226AB0000-0x000001A226AB1000-memory.dmp
memory/2900-66-0x000001A226AB0000-0x000001A226AB1000-memory.dmp
memory/2900-64-0x000001A226AB0000-0x000001A226AB1000-memory.dmp
memory/2900-62-0x000001A226AB0000-0x000001A226AB1000-memory.dmp
memory/2900-60-0x000001A226AB0000-0x000001A226AB1000-memory.dmp
memory/2900-58-0x000001A226AB0000-0x000001A226AB1000-memory.dmp
memory/2900-56-0x000001A226AB0000-0x000001A226AB1000-memory.dmp
memory/2900-55-0x000001A226AA0000-0x000001A226AA1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI49962\pytransform.key
| MD5 | 2bcf75f492f791ef1a45b9e54cbe3170 |
| SHA1 | 8df4c5ccceda7bebdad76902ea9ca6604d5cfde9 |
| SHA256 | 59449650714f8f34cbbceb9c4e4ac8070ba77b8b2ba42c18e8945b82de594455 |
| SHA512 | 185576d8aba1e147ccfaeee4c99ee6d90c1a7aa73a1c14a0aaf9e8f9eef8aeec1f31b7c9c92136f5ab003ec4de64806816c276d5180464cc76416fd24da574f9 |
C:\Users\Admin\AppData\Local\Temp\_MEI49962\_lzma.pyd
| MD5 | e5fa638b1374685dbaf5beb12f67d71a |
| SHA1 | 1a7d171f66e88da4686f51d25094d85f2dd1577f |
| SHA256 | d58fc7163b58d96a7718733dec3562eb998a17100982bf7453782d01ca27ffd9 |
| SHA512 | be71f7050834c631ee12e32f78542156e09f8dfb6b8aa425db9a7267b45175caceb56805db382d85cff80ea9633bcc2c52ac7175cdd33a85002458650c399812 |
C:\Users\Admin\AppData\Local\Temp\_MEI49962\_bz2.pyd
| MD5 | f8770b9ea04aeb0b98eb1fab2a1bde84 |
| SHA1 | 7ac83db9bbc35231e917d522e1140bbacb855aa1 |
| SHA256 | 18e66c3a2104da1c338c40d7e249382f054e1e76e5a85e481d13052fd62c6cd9 |
| SHA512 | 7803517b89bfdc027691e495be089466f3aa80bb1efb770ec4619740b9f30ece28ca8bc2d8efabdafbf04fae68a3e24fffa7b4c5e91e3a0a07b1909065ce3924 |
C:\Users\Admin\AppData\Local\Temp\_MEI49962\unicodedata.pyd
| MD5 | 653d4fbd3a4e8364a37cddf09fd327c3 |
| SHA1 | b7b6fc5c4d17ba6c25ed7a06602bfab817ff3732 |
| SHA256 | a235b80e70280472c399e42453e35c7c29ae82c6ae54884d7263411b1c350969 |
| SHA512 | 1672a497a69b80b2fa192422d5879f04a6674541cb1dcc4c95618739a9d845e63513c635c6bfb74163dbb4e7bc213cf6569daadc9f908cd09d997844c0dc4675 |
C:\Users\Admin\AppData\Local\Temp\_MEI49962\certifi\cacert.pem
| MD5 | edd513e1d62ca2b059821b8380c19d19 |
| SHA1 | 7e785afc6a7174f008b8b6e775c91c018d72aee3 |
| SHA256 | 870068ef78059c5d012a23f715029f1b7db19060e1c65e12c024221f6ac32abd |
| SHA512 | 31450f875b46bbbb8e8d2f2e075f82ab4cfe175dadd966be22c66206d5dc2517a870a8cfc46f2f094b6810c09b447bd46354b67c128843b997957522d3cf4f5f |
memory/2900-128-0x0000000070A00000-0x0000000070ABE000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240419-en
Max time kernel
143s
Max time network
153s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\Leaf.xNet.dll",#1
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240426-en
Max time kernel
89s
Max time network
158s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1836 wrote to memory of 3520 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1836 wrote to memory of 3520 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1836 wrote to memory of 3520 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\secproc.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\secproc.dll",#1
Network
| Country | Destination | Domain | Proto |
| NL | 23.62.61.59:443 | www.bing.com | tcp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/3520-0-0x00000000012F0000-0x0000000001300000-memory.dmp
memory/3520-1-0x00000000012F0000-0x0000000001300000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240419-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\vshost\vshost.exe | N/A |
| N/A | N/A | C:\ProgramData\winst\winst.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\_discordgenerator.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\_discordgenerator.exe"
C:\ProgramData\vshost\vshost.exe
C:\ProgramData\\vshost\\vshost.exe ,.
C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll
data32.dll
C:\ProgramData\winst\winst.exe
C:\ProgramData\\winst\\winst.exe bC1jm3ThxSi780xbD20qjKkk4kNslwleuUaLM0KElKp9CjfpNhdMnKXPIX2LIoDw
C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll
data32.dll
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Discord Generator ^| coded by Nightfall#2512
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title Discord Generator ^| Proxy: False ^| Threading: False
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stlaip74566.ddnsgeek.com | udp |
| US | 162.216.242.206:80 | stlaip74566.ddnsgeek.com | tcp |
| US | 8.8.8.8:53 | chromedriver.storage.googleapis.com | udp |
| US | 8.8.8.8:53 | stlaep34621.ddnsgeek.com | udp |
| GB | 216.58.201.123:443 | chromedriver.storage.googleapis.com | tcp |
| RO | 185.247.224.98:443 | stlaep34621.ddnsgeek.com | tcp |
| US | 8.8.8.8:53 | 206.242.216.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.224.247.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.gmailnator.com | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
Files
C:\ProgramData\vshost\vshost.exe
| MD5 | 4e6a7ee0e286ab61d36c26bd38996821 |
| SHA1 | 820674b4c75290f8f667764bfb474ca8c1242732 |
| SHA256 | f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3 |
| SHA512 | f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a |
C:\ProgramData\winst\winst.exe
| MD5 | 59238144771807b1cbc407b250d6b2c3 |
| SHA1 | 6c9f87cca7e857e888cb19ea45cf82d2e2d29695 |
| SHA256 | 8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b |
| SHA512 | cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220 |
C:\Users\Admin\AppData\Local\Temp\_MEI12562\ucrtbase.dll
| MD5 | 61eb0ad4c285b60732353a0cb5c9b2ab |
| SHA1 | 21a1bea01f6ca7e9828a522c696853706d0a457b |
| SHA256 | 10521fe73fe05f2ba95d40757d9f676f2091e2ed578da9d5cdef352f986f3bcd |
| SHA512 | 44cd871f48b5193abb3b9664dbea8cdad19e72c47b6967c685cf1cc803bc9abb48a8a93009c972ef4936e7f78e3c92110828790aa0a9d26b80e6a523bbcd830d |
C:\Users\Admin\AppData\Local\Temp\_MEI12562\python37.dll
| MD5 | 86af9b888a72bdceb8fd8ed54975edd5 |
| SHA1 | c9d67c9243f818c0a8cc279267cca44d9995f0cf |
| SHA256 | e11aa3893597d7c408349ebb11f47a24e388fd702c4d38b5d6f363f7ad6e8e5f |
| SHA512 | 5d8fd9040f466e23af7f17772e3769ad83c5f55f8c70dcc3cfb1f827e105f0f4e6133f0e183fabc67dd44799495c47f931bf92546342b30b9c4a5c2b4aeee7c7 |
C:\Users\Admin\AppData\Local\Temp\_MEI12562\base_library.zip
| MD5 | eb723b4c1b48d3e8969ff3f4d897b79e |
| SHA1 | a03479e7a916d0ee5e3647322307aceb0b1c30b9 |
| SHA256 | ed6356556e3a86b92f9995bce5b1c3182d5df8976a2ca2e400ebf4eaed592ef5 |
| SHA512 | 4c9902b5698e4e3d8837d594e337a6696ce03d9f6d0d3fc7f5f144c53c2fb7494ac10d303ea597c25c159076f74a7b7c59eb2d29db068878ab6f4bbb510fd13f |
C:\Users\Admin\AppData\Local\Temp\_MEI12562\VCRUNTIME140.dll
| MD5 | 0e675d4a7a5b7ccd69013386793f68eb |
| SHA1 | 6e5821ddd8fea6681bda4448816f39984a33596b |
| SHA256 | bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1 |
| SHA512 | cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66 |
C:\Users\Admin\AppData\Local\Temp\_MEI12562\_ctypes.pyd
| MD5 | 9a69561e94859bc3411c6499bc46c4bd |
| SHA1 | 3fa5bc2d4ffc23c4c383252c51098d6211949b99 |
| SHA256 | 6bbde732c5bcb89455f43f370a444bb6bca321825de56f9a1f2e947b0a006f1c |
| SHA512 | 31d9e3844f1b8e72ec80acd1e224a94d11039c130e69c498a668e07e0d8bba8d1ed1ebe0b7a16376ca597d0e2b74a0d5e3bf53d1cbadf5bf099d3bf78db659a4 |
C:\Users\Admin\AppData\Local\Temp\_MEI12562\pywintypes37.dll
| MD5 | 77b6875977e77c4619bbb471d5eaf790 |
| SHA1 | f08c3bc5e918c0a197fbfd1b15e7c0491bd5fade |
| SHA256 | 780a72ba3215ff413d5a9e98861d8bb87c15c43a75bb81dc985034ae7dcf5ef6 |
| SHA512 | 783939fc97b2445dfe7e21eb6b71711aba6d85e275e489eddcc4f20c2ed018678d8d14c9e1856f66e3876f318312d69c22cee77f9105a72e56a1be4f3e8a7c2e |
C:\Users\Admin\AppData\Local\Temp\_MEI12562\libssl-1_1.dll
| MD5 | fe1f3632af98e7b7a2799e3973ba03cf |
| SHA1 | 353c7382e2de3ccdd2a4911e9e158e7c78648496 |
| SHA256 | 1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b |
| SHA512 | a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0 |
C:\Users\Admin\AppData\Local\Temp\_MEI12562\select.pyd
| MD5 | e1d0d18a0dd8e82f9b677a86d32e3124 |
| SHA1 | 96a00541d86d03529b55c1ac5ff1c6cfb5e91d1e |
| SHA256 | 4595675949851bd0ff65521e936647fcc5c8d2f32f0ac2641a262fb6323896dd |
| SHA512 | 38e3b6b23ebcbdc60eeeed0bf3dddc69004a1ccd4a2486f3a9f8c0d4624b690e2e5704e3fe05bf1bf2c900bf4f5bc9439f45f3c02fd4c67783056b3da15e0f56 |
C:\Users\Admin\AppData\Local\Temp\_MEI12562\_lzma.pyd
| MD5 | 16fb5a2363ce8dd12a65a9823a517b59 |
| SHA1 | 59979d9195259f48c678cdaa36b5efee13472ff5 |
| SHA256 | bb78ca0dd1478027e2e9f06f56fc7c3cc6f157b4151562d58a7f6646e463fcc2 |
| SHA512 | d9801cdd8cc9809781b79882a226ee7a56d93eac0181295c80cb1f088f0fbf46e3eb35c7d8ff208dbd5a3e93a190a04c48fd254c9971a3740b020547973683e1 |
C:\Users\Admin\AppData\Local\Temp\_MEI12562\_hashlib.pyd
| MD5 | 1f77f7a5f36c48e7c596e7031c80e4ff |
| SHA1 | 79f86e31203b60b3388047e39a2a26275da411f5 |
| SHA256 | 30dfbd97883b1545513ca5bb857a9aad6e9bf4b8b4272569818346eaf25033f7 |
| SHA512 | b647e820ae4854921839a6cc92610fd63ef79623d442fd17503a39ca145dfd6cde3719c50473c0c74fe487f980b12e90bd3d3beb5729fa5498a357d44f81809c |
C:\Users\Admin\AppData\Local\Temp\_MEI12562\_queue.pyd
| MD5 | 94b57996008875822a0b13fa089ae513 |
| SHA1 | 340ab82c3653c7e664f28d2dffb6863f1df20709 |
| SHA256 | 28136612834be0dd236f085f46c1d9b8a1830b9c073557464e22bc006d81e494 |
| SHA512 | aa9db065609dbae700a5c04266afa99ef838a9f5dc58acdca1c9b95c5d845195cfce895b81d718e761e69b5cfaeb71e9e8450fb76c590f991850e67f65b32abe |
C:\Users\Admin\AppData\Local\Temp\_MEI12562\unicodedata.pyd
| MD5 | 23bba751c8a182262856eeba20db3341 |
| SHA1 | 0120468629aa035d92ebdf97f9f32a02085fbccf |
| SHA256 | 96eafcb208518f6df0674ef6f1a48f4687eb73f785c87b11cb4a52dcf1ce5c66 |
| SHA512 | 482fdb6f542be27d6bf3b41bc7aa7d7fda3077cd763f32bb25e0c50cf8ae11ebd8173d18cb0a52126b2150fc737109d384971298e8e2cf8a199ad1f1956d9326 |
C:\Users\Admin\AppData\Local\Temp\_MEI12562\certifi\cacert.pem
| MD5 | 1ba3b44f73a6b25711063ea5232f4883 |
| SHA1 | 1b1a84804f896b7085924f8bf0431721f3b5bdbe |
| SHA256 | bb77f13d3fbec9e98bbf28ac95046b44196c7d8f55ab7720061e99991a829197 |
| SHA512 | 0dd2a14331308b1de757d56fab43678431e0ad6f5f5b12c32fa515d142bd955f8be690b724e07f41951dd03c9fee00e604f4e0b9309da3ea438c8e9b56ca581b |
C:\Users\Admin\AppData\Local\Temp\_MEI12562\selenium\webdriver\remote\isDisplayed.js
| MD5 | 313589fe40cbb546415aec5377da0e7d |
| SHA1 | bc2b6e547b1da94682e379af1ea11579e26de65b |
| SHA256 | c1a04024e5414fca8c1deedb452be77a8b9d13bb3cf67ff4230d5983537a3096 |
| SHA512 | bbdfa98ecd07a27f20966b5eb0cdcc0fac6085bebd6868a061563d210262f61d630b823e6eabd3217175b7f01516cda9c162adbfe063130d6510e0a3f4be2f7d |
C:\Users\Admin\AppData\Local\Temp\_MEI12562\selenium\webdriver\remote\getAttribute.js
| MD5 | e6b3169414f3b9c47a9b826bb71a0337 |
| SHA1 | d22278a492d03863ce51569482dcfb30a0b006e9 |
| SHA256 | 1198a9999dde24dd2da0d9877cc2e8f8dd70bfdaeee0b5012b24e5474b50e88c |
| SHA512 | bf9e48caf03e19274b5020d5eae6a3d6d75b611676f307346cf28117da71410e6022a72da0f82a8f2c6ca06a2c503c8e6528c6a164c4fb488c5195d6aa3e3819 |
C:\Users\Admin\AppData\Local\Temp\_MEI12562\lxml\_elementpath.cp37-win_amd64.pyd
| MD5 | 3702f8ff3e1af9be72126683fca3a1ce |
| SHA1 | 82e6be08797fcd9558cb3e7759c0e3de2ffcea88 |
| SHA256 | 28fd0337a5251d409d8d8d27383f682ba63b3d52bd0691a22a90b208e23b4f93 |
| SHA512 | d18ffd06d6580b52d07749bd6f2927bc1bc445c3a7c8267288b9e4f00de321ad897959519e1aed199e36ff7008be26cc7af486bab0b2c7433a9c72c349a24713 |
C:\Users\Admin\AppData\Local\Temp\_MEI12562\lxml\etree.cp37-win_amd64.pyd
| MD5 | e685bf02d3b11fa4715a94107a7292be |
| SHA1 | b5822fda8f6ae3b7c5117c524584a490c6e95c91 |
| SHA256 | 04db5dfd6b41b3245b86d4f97e96664d0199ae2af755b71e011a4e0e92124633 |
| SHA512 | c6118cf72c6cadb68b33e37197ac64cf5151f3266e8059619e2a30fc7a12bc9176e2b2a2a8257a7b0a68c96665b566c606ab294e8798d578a62957fe34cf65f0 |
C:\Users\Admin\AppData\Local\Temp\_MEI12562\pyexpat.pyd
| MD5 | ebf42794afd81d3a158f1d4eb4096483 |
| SHA1 | 9c49d840a600d126b1d0b3a294218f82c2292c8d |
| SHA256 | 0cb9ae2dfd64c291de65aee89a524a0bbfe7755c34c8215e8b47a4f409ef3743 |
| SHA512 | 28db296525d48e970c40bf267523dfdcd823fbd471e606b97cd61af373af9d42bb72765f846df4bf33457124fd1a039e7e06b5e6e863503a26a3efc9b15078f0 |
C:\Users\Admin\AppData\Local\Temp\_MEI12562\_elementtree.pyd
| MD5 | 80788d9c36aa4f950d1a71518abfa5fc |
| SHA1 | 3bcf2f8df698160d01c74f934ab4c06555ae1f8c |
| SHA256 | 75b93ebab7de27022d1d9f468c5051be5ac64b436b6a10928d75b3de19dbcb6b |
| SHA512 | f26187e364c80c5ff423699fbcf62a8035969592a6da339c80fa862185f1f2e674c44325321c6643cb6cb7e2034623e04603a9491d1e8f06a4063efbf85ef48e |
C:\Users\Admin\AppData\Local\Temp\_MEI12562\_bz2.pyd
| MD5 | 8b40a68ae537c0aab25a8b30b10ab098 |
| SHA1 | 1c8ac1f7f5c3697c457dd98f05296c2354ff7f55 |
| SHA256 | 0b86ef4810d53e79f1d934b427fdbacf3792eebb37ed241bc89148238af763fa |
| SHA512 | 620ad61ff05c73adee4ac8f4b88a3880c11893eaac77ccca4e88edb29b492366a5bcf813d18628f005730f7e45ce373af9275776ea768b67b8d0e3bc62949229 |
C:\Users\Admin\AppData\Local\Temp\_MEI12562\_socket.pyd
| MD5 | 0ea1df6137ee3369546a806a175aecf4 |
| SHA1 | 95fd1ad45892cb9e655bfa62ca1be80a0b9b2d43 |
| SHA256 | 6fcc31573ae6b380db1d4e23731755465fd2cee0856e7a6c0e396759bcbf73b5 |
| SHA512 | 6497fdb86ac69f6551a7794c090ca695bf22eb647b7a503fa23d7944ad375f061429f17e2ea043c809460e7cb9fc3df77c7bfe0b64f00ddd65de1aa744d3adcb |
C:\Users\Admin\AppData\Local\Temp\_MEI12562\libcrypto-1_1.dll
| MD5 | bf83f8ad60cb9db462ce62c73208a30d |
| SHA1 | f1bc7dbc1e5b00426a51878719196d78981674c4 |
| SHA256 | 012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d |
| SHA512 | ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e |
C:\Users\Admin\AppData\Local\Temp\_MEI12562\_ssl.pyd
| MD5 | 0e970f3353e65094165edcdfcaf1c299 |
| SHA1 | e86d2c4723ae09890f69ab1a6f4a1a935dc0a0e7 |
| SHA256 | 4fed9f05da139d66e0582b47c20ee91c91be44d379c225f89b22462bedc989d3 |
| SHA512 | 4621d1add268f9aadf0119055d6cce23739eec969ab031fc0a510c40cf4cce60230a89735fd85c38f28c22ed9dc829ff294ef48590fc56191464e1fec1fa4595 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240419-en
Max time kernel
147s
Max time network
158s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\libcef.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\libcef.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | stlaip74566.ddnsgeek.com | udp |
| US | 162.216.242.206:80 | stlaip74566.ddnsgeek.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | stlaep34621.ddnsgeek.com | udp |
| RO | 185.247.224.98:443 | stlaep34621.ddnsgeek.com | tcp |
| US | 8.8.8.8:53 | 106.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.242.216.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.224.247.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240419-en
Max time kernel
65s
Max time network
54s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\xNet.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240426-en
Max time kernel
90s
Max time network
99s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\vshost\vshost.exe | N/A |
| N/A | N/A | C:\ProgramData\winst\winst.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\Discord Nitro - TZ Cracking.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\Discord Nitro - TZ Cracking.exe"
C:\ProgramData\vshost\vshost.exe
C:\ProgramData\\vshost\\vshost.exe ,.
C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\database32.cfg
database32.cfg
C:\ProgramData\winst\winst.exe
C:\ProgramData\\winst\\winst.exe oe58xMNkKU11UepyEs3u77yYHY7srJMJ4RqUywPyZJuxW9lwiAFxsMPksmoTu3WS
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | stlaip74566.ddnsgeek.com | udp |
| US | 162.216.242.206:80 | stlaip74566.ddnsgeek.com | tcp |
| US | 8.8.8.8:53 | stlaep34621.ddnsgeek.com | udp |
| RO | 185.247.224.98:443 | stlaep34621.ddnsgeek.com | tcp |
| US | 8.8.8.8:53 | 98.224.247.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.242.216.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\ProgramData\vshost\vshost.exe
| MD5 | 4e6a7ee0e286ab61d36c26bd38996821 |
| SHA1 | 820674b4c75290f8f667764bfb474ca8c1242732 |
| SHA256 | f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3 |
| SHA512 | f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a |
C:\ProgramData\winst\winst.exe
| MD5 | 59238144771807b1cbc407b250d6b2c3 |
| SHA1 | 6c9f87cca7e857e888cb19ea45cf82d2e2d29695 |
| SHA256 | 8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b |
| SHA512 | cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240419-en
Max time kernel
65s
Max time network
60s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\DiscoBot v2 By Psy\libcef.exe
"C:\Users\Admin\AppData\Local\Temp\DiscoBot v2 By Psy\libcef.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stlaip74566.ddnsgeek.com | udp |
| US | 8.8.8.8:53 | staekp63472.ddnsgeek.com | udp |
| US | 8.8.8.8:53 | stlaip578223.ddnsgeek.com | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240426-en
Max time kernel
101s
Max time network
108s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\CefSharp.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\CefSharp.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\CefSharp.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.193:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | discordapp.com | udp |
| US | 162.159.135.233:443 | discordapp.com | tcp |
| US | 8.8.8.8:53 | 193.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.135.159.162.in-addr.arpa | udp |
| NL | 23.62.61.193:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
Files
memory/5616-0-0x0000000000470000-0x000000000047C000-memory.dmp
memory/5616-1-0x00000000750D0000-0x0000000075880000-memory.dmp
memory/5616-2-0x0000000004ED0000-0x0000000004EE0000-memory.dmp
memory/5616-4-0x00000000750D0000-0x0000000075880000-memory.dmp
memory/5616-5-0x0000000004ED0000-0x0000000004EE0000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240426-en
Max time kernel
103s
Max time network
158s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\vshost\vshost.exe | N/A |
| N/A | N/A | C:\ProgramData\winst\winst.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\CefSharp.cfg | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\Token Checker.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\Token Checker.exe"
C:\ProgramData\vshost\vshost.exe
C:\ProgramData\\vshost\\vshost.exe ,.
C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\CefSharp.cfg
CefSharp.cfg
C:\ProgramData\winst\winst.exe
C:\ProgramData\\winst\\winst.exe u4bty6QwVuBS0x5H9n42DV5Ms9ZtKJkxoKy4OKYlNIYsCMduDyYR0NkQfinieGBh
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.106:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stlaip74566.ddnsgeek.com | udp |
| US | 162.216.242.206:80 | stlaip74566.ddnsgeek.com | tcp |
| US | 8.8.8.8:53 | discordapp.com | udp |
| US | 162.159.129.233:443 | discordapp.com | tcp |
| US | 8.8.8.8:53 | stlaep34621.ddnsgeek.com | udp |
| RO | 185.247.224.98:443 | stlaep34621.ddnsgeek.com | tcp |
| US | 8.8.8.8:53 | 106.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.242.216.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.224.247.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\ProgramData\vshost\vshost.exe
| MD5 | 4e6a7ee0e286ab61d36c26bd38996821 |
| SHA1 | 820674b4c75290f8f667764bfb474ca8c1242732 |
| SHA256 | f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3 |
| SHA512 | f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a |
C:\ProgramData\winst\winst.exe
| MD5 | 59238144771807b1cbc407b250d6b2c3 |
| SHA1 | 6c9f87cca7e857e888cb19ea45cf82d2e2d29695 |
| SHA256 | 8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b |
| SHA512 | cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220 |
memory/4436-14-0x00000000008B0000-0x00000000008BC000-memory.dmp
memory/4436-15-0x0000000073930000-0x00000000740E0000-memory.dmp
memory/4436-16-0x00000000051F0000-0x0000000005200000-memory.dmp
memory/4436-18-0x0000000073930000-0x00000000740E0000-memory.dmp
memory/4436-19-0x00000000051F0000-0x0000000005200000-memory.dmp
memory/4436-21-0x0000000073930000-0x00000000740E0000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240419-en
Max time kernel
65s
Max time network
59s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\libcef.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\libcef.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | stlaip74566.ddnsgeek.com | udp |
| US | 8.8.8.8:53 | staekp63472.ddnsgeek.com | udp |
| US | 8.8.8.8:53 | stlaip578223.ddnsgeek.com | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240419-en
Max time kernel
53s
Max time network
55s
Command Line
Signatures
Loads dropped DLL
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4080 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.exe | C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.exe |
| PID 4080 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.exe | C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.exe"
C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromedriver.storage.googleapis.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI40802\ucrtbase.dll
| MD5 | 61eb0ad4c285b60732353a0cb5c9b2ab |
| SHA1 | 21a1bea01f6ca7e9828a522c696853706d0a457b |
| SHA256 | 10521fe73fe05f2ba95d40757d9f676f2091e2ed578da9d5cdef352f986f3bcd |
| SHA512 | 44cd871f48b5193abb3b9664dbea8cdad19e72c47b6967c685cf1cc803bc9abb48a8a93009c972ef4936e7f78e3c92110828790aa0a9d26b80e6a523bbcd830d |
C:\Users\Admin\AppData\Local\Temp\_MEI40802\python37.dll
| MD5 | 86af9b888a72bdceb8fd8ed54975edd5 |
| SHA1 | c9d67c9243f818c0a8cc279267cca44d9995f0cf |
| SHA256 | e11aa3893597d7c408349ebb11f47a24e388fd702c4d38b5d6f363f7ad6e8e5f |
| SHA512 | 5d8fd9040f466e23af7f17772e3769ad83c5f55f8c70dcc3cfb1f827e105f0f4e6133f0e183fabc67dd44799495c47f931bf92546342b30b9c4a5c2b4aeee7c7 |
C:\Users\Admin\AppData\Local\Temp\_MEI40802\VCRUNTIME140.dll
| MD5 | 0e675d4a7a5b7ccd69013386793f68eb |
| SHA1 | 6e5821ddd8fea6681bda4448816f39984a33596b |
| SHA256 | bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1 |
| SHA512 | cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66 |
C:\Users\Admin\AppData\Local\Temp\_MEI40802\base_library.zip
| MD5 | eb723b4c1b48d3e8969ff3f4d897b79e |
| SHA1 | a03479e7a916d0ee5e3647322307aceb0b1c30b9 |
| SHA256 | ed6356556e3a86b92f9995bce5b1c3182d5df8976a2ca2e400ebf4eaed592ef5 |
| SHA512 | 4c9902b5698e4e3d8837d594e337a6696ce03d9f6d0d3fc7f5f144c53c2fb7494ac10d303ea597c25c159076f74a7b7c59eb2d29db068878ab6f4bbb510fd13f |
C:\Users\Admin\AppData\Local\Temp\_MEI40802\_ctypes.pyd
| MD5 | 9a69561e94859bc3411c6499bc46c4bd |
| SHA1 | 3fa5bc2d4ffc23c4c383252c51098d6211949b99 |
| SHA256 | 6bbde732c5bcb89455f43f370a444bb6bca321825de56f9a1f2e947b0a006f1c |
| SHA512 | 31d9e3844f1b8e72ec80acd1e224a94d11039c130e69c498a668e07e0d8bba8d1ed1ebe0b7a16376ca597d0e2b74a0d5e3bf53d1cbadf5bf099d3bf78db659a4 |
C:\Users\Admin\AppData\Local\Temp\_MEI40802\pywintypes37.dll
| MD5 | 77b6875977e77c4619bbb471d5eaf790 |
| SHA1 | f08c3bc5e918c0a197fbfd1b15e7c0491bd5fade |
| SHA256 | 780a72ba3215ff413d5a9e98861d8bb87c15c43a75bb81dc985034ae7dcf5ef6 |
| SHA512 | 783939fc97b2445dfe7e21eb6b71711aba6d85e275e489eddcc4f20c2ed018678d8d14c9e1856f66e3876f318312d69c22cee77f9105a72e56a1be4f3e8a7c2e |
C:\Users\Admin\AppData\Local\Temp\_MEI40802\libcrypto-1_1.dll
| MD5 | bf83f8ad60cb9db462ce62c73208a30d |
| SHA1 | f1bc7dbc1e5b00426a51878719196d78981674c4 |
| SHA256 | 012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d |
| SHA512 | ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e |
C:\Users\Admin\AppData\Local\Temp\_MEI40802\_socket.pyd
| MD5 | 0ea1df6137ee3369546a806a175aecf4 |
| SHA1 | 95fd1ad45892cb9e655bfa62ca1be80a0b9b2d43 |
| SHA256 | 6fcc31573ae6b380db1d4e23731755465fd2cee0856e7a6c0e396759bcbf73b5 |
| SHA512 | 6497fdb86ac69f6551a7794c090ca695bf22eb647b7a503fa23d7944ad375f061429f17e2ea043c809460e7cb9fc3df77c7bfe0b64f00ddd65de1aa744d3adcb |
C:\Users\Admin\AppData\Local\Temp\_MEI40802\select.pyd
| MD5 | e1d0d18a0dd8e82f9b677a86d32e3124 |
| SHA1 | 96a00541d86d03529b55c1ac5ff1c6cfb5e91d1e |
| SHA256 | 4595675949851bd0ff65521e936647fcc5c8d2f32f0ac2641a262fb6323896dd |
| SHA512 | 38e3b6b23ebcbdc60eeeed0bf3dddc69004a1ccd4a2486f3a9f8c0d4624b690e2e5704e3fe05bf1bf2c900bf4f5bc9439f45f3c02fd4c67783056b3da15e0f56 |
C:\Users\Admin\AppData\Local\Temp\_MEI40802\_bz2.pyd
| MD5 | 8b40a68ae537c0aab25a8b30b10ab098 |
| SHA1 | 1c8ac1f7f5c3697c457dd98f05296c2354ff7f55 |
| SHA256 | 0b86ef4810d53e79f1d934b427fdbacf3792eebb37ed241bc89148238af763fa |
| SHA512 | 620ad61ff05c73adee4ac8f4b88a3880c11893eaac77ccca4e88edb29b492366a5bcf813d18628f005730f7e45ce373af9275776ea768b67b8d0e3bc62949229 |
C:\Users\Admin\AppData\Local\Temp\_MEI40802\_hashlib.pyd
| MD5 | 1f77f7a5f36c48e7c596e7031c80e4ff |
| SHA1 | 79f86e31203b60b3388047e39a2a26275da411f5 |
| SHA256 | 30dfbd97883b1545513ca5bb857a9aad6e9bf4b8b4272569818346eaf25033f7 |
| SHA512 | b647e820ae4854921839a6cc92610fd63ef79623d442fd17503a39ca145dfd6cde3719c50473c0c74fe487f980b12e90bd3d3beb5729fa5498a357d44f81809c |
C:\Users\Admin\AppData\Local\Temp\_MEI40802\_queue.pyd
| MD5 | 94b57996008875822a0b13fa089ae513 |
| SHA1 | 340ab82c3653c7e664f28d2dffb6863f1df20709 |
| SHA256 | 28136612834be0dd236f085f46c1d9b8a1830b9c073557464e22bc006d81e494 |
| SHA512 | aa9db065609dbae700a5c04266afa99ef838a9f5dc58acdca1c9b95c5d845195cfce895b81d718e761e69b5cfaeb71e9e8450fb76c590f991850e67f65b32abe |
C:\Users\Admin\AppData\Local\Temp\_MEI40802\unicodedata.pyd
| MD5 | 23bba751c8a182262856eeba20db3341 |
| SHA1 | 0120468629aa035d92ebdf97f9f32a02085fbccf |
| SHA256 | 96eafcb208518f6df0674ef6f1a48f4687eb73f785c87b11cb4a52dcf1ce5c66 |
| SHA512 | 482fdb6f542be27d6bf3b41bc7aa7d7fda3077cd763f32bb25e0c50cf8ae11ebd8173d18cb0a52126b2150fc737109d384971298e8e2cf8a199ad1f1956d9326 |
C:\Users\Admin\AppData\Local\Temp\_MEI40802\certifi\cacert.pem
| MD5 | 1ba3b44f73a6b25711063ea5232f4883 |
| SHA1 | 1b1a84804f896b7085924f8bf0431721f3b5bdbe |
| SHA256 | bb77f13d3fbec9e98bbf28ac95046b44196c7d8f55ab7720061e99991a829197 |
| SHA512 | 0dd2a14331308b1de757d56fab43678431e0ad6f5f5b12c32fa515d142bd955f8be690b724e07f41951dd03c9fee00e604f4e0b9309da3ea438c8e9b56ca581b |
C:\Users\Admin\AppData\Local\Temp\_MEI40802\selenium\webdriver\remote\isDisplayed.js
| MD5 | 313589fe40cbb546415aec5377da0e7d |
| SHA1 | bc2b6e547b1da94682e379af1ea11579e26de65b |
| SHA256 | c1a04024e5414fca8c1deedb452be77a8b9d13bb3cf67ff4230d5983537a3096 |
| SHA512 | bbdfa98ecd07a27f20966b5eb0cdcc0fac6085bebd6868a061563d210262f61d630b823e6eabd3217175b7f01516cda9c162adbfe063130d6510e0a3f4be2f7d |
C:\Users\Admin\AppData\Local\Temp\_MEI40802\selenium\webdriver\remote\getAttribute.js
| MD5 | e6b3169414f3b9c47a9b826bb71a0337 |
| SHA1 | d22278a492d03863ce51569482dcfb30a0b006e9 |
| SHA256 | 1198a9999dde24dd2da0d9877cc2e8f8dd70bfdaeee0b5012b24e5474b50e88c |
| SHA512 | bf9e48caf03e19274b5020d5eae6a3d6d75b611676f307346cf28117da71410e6022a72da0f82a8f2c6ca06a2c503c8e6528c6a164c4fb488c5195d6aa3e3819 |
C:\Users\Admin\AppData\Local\Temp\_MEI40802\_lzma.pyd
| MD5 | 16fb5a2363ce8dd12a65a9823a517b59 |
| SHA1 | 59979d9195259f48c678cdaa36b5efee13472ff5 |
| SHA256 | bb78ca0dd1478027e2e9f06f56fc7c3cc6f157b4151562d58a7f6646e463fcc2 |
| SHA512 | d9801cdd8cc9809781b79882a226ee7a56d93eac0181295c80cb1f088f0fbf46e3eb35c7d8ff208dbd5a3e93a190a04c48fd254c9971a3740b020547973683e1 |
C:\Users\Admin\AppData\Local\Temp\_MEI40802\libssl-1_1.dll
| MD5 | fe1f3632af98e7b7a2799e3973ba03cf |
| SHA1 | 353c7382e2de3ccdd2a4911e9e158e7c78648496 |
| SHA256 | 1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b |
| SHA512 | a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0 |
C:\Users\Admin\AppData\Local\Temp\_MEI40802\_ssl.pyd
| MD5 | 0e970f3353e65094165edcdfcaf1c299 |
| SHA1 | e86d2c4723ae09890f69ab1a6f4a1a935dc0a0e7 |
| SHA256 | 4fed9f05da139d66e0582b47c20ee91c91be44d379c225f89b22462bedc989d3 |
| SHA512 | 4621d1add268f9aadf0119055d6cce23739eec969ab031fc0a510c40cf4cce60230a89735fd85c38f28c22ed9dc829ff294ef48590fc56191464e1fec1fa4595 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240426-en
Max time kernel
89s
Max time network
158s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\database32.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\database32.exe"
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| NL | 23.62.61.59:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.59:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240419-en
Max time kernel
65s
Max time network
56s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\libcef.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\libcef.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | stlaip74566.ddnsgeek.com | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | staekp63472.ddnsgeek.com | udp |
| US | 8.8.8.8:53 | stlaip578223.ddnsgeek.com | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240419-en
Max time kernel
53s
Max time network
58s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\database32.exe
"C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\database32.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240419-en
Max time kernel
65s
Max time network
53s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\DiscoBot v2 By Psy\bin32.exe
"C:\Users\Admin\AppData\Local\Temp\DiscoBot v2 By Psy\bin32.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240426-en
Max time kernel
92s
Max time network
152s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\database32.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\database32.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.57:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240419-en
Max time kernel
138s
Max time network
125s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\libGLESV2.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\libGLESV2.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| NL | 23.62.61.177:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 177.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240426-en
Max time kernel
143s
Max time network
161s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\Qt5Core.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\Qt5Core.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.138:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.138:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240419-en
Max time kernel
143s
Max time network
155s
Command Line
Signatures
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1640 wrote to memory of 4440 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.exe | C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.exe |
| PID 1640 wrote to memory of 4440 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.exe | C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.exe"
C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI16402\python37.dll
| MD5 | 5d8c22938d89077f64537a9d09cf6fd5 |
| SHA1 | 15971f1b4bc2420eafbd40b0cd3fc4d2af204ec4 |
| SHA256 | 8eb835d88e72e998b82916fb20a252af615d6e641827e013411239d115d5dd69 |
| SHA512 | dbd1febd18e29eab046b98f6b970e35e040adddead81561c0d165a1353a124d1dc26f3b3f5aa9ef0cb8e813baa8fc706514c0350c6428f25c5e5c050773b7d31 |
C:\Users\Admin\AppData\Local\Temp\_MEI16402\VCRUNTIME140.dll
| MD5 | 0e675d4a7a5b7ccd69013386793f68eb |
| SHA1 | 6e5821ddd8fea6681bda4448816f39984a33596b |
| SHA256 | bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1 |
| SHA512 | cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66 |
C:\Users\Admin\AppData\Local\Temp\_MEI16402\base_library.zip
| MD5 | 770e57194dd00a1819d4397ab3a99a01 |
| SHA1 | dbe4fe0a51cab572e5e39cdfd47289a9a3258342 |
| SHA256 | 90899a12994ee4b850d2119a7a5f947b3baca07500568e9385c9f160139fbbf7 |
| SHA512 | cb4e992c1da0a9dde1549e7eaf85d9725b9d395e97f4934ad215d934a6c8d0c7ab705a948c5e97d9338fc535a531dea31d3f4a30f07fffc70bf3598996a1b223 |
C:\Users\Admin\AppData\Local\Temp\_MEI16402\_ctypes.pyd
| MD5 | bf9d0771209cfbeb520c9e093d105d18 |
| SHA1 | 72551b0f452bb144e528513033cbd755ab3e07ed |
| SHA256 | d8b8cd706d524ab152d1f8f44f239487b89ee9c32bc692f6d2bdc84073ba56a0 |
| SHA512 | a94f99052058c1c2e1e680acae7167d3e5fd9aea18983ab6daac59878c3f7c33205ecf2ac69aa5db25af18654fc0141a569175b0c5c60d5fb469c011c6fb81f2 |
C:\Users\Admin\AppData\Local\Temp\_MEI16402\_ssl.pyd
| MD5 | 3f332e60605790a55cc349fe04ec6c10 |
| SHA1 | e33b47855a3e2f8b2a0aa2d15de1e0cd3d668667 |
| SHA256 | ddd2a2734b1fb2d3881a8c05ad578cf9121549a8616b7d9fafb529c92597548e |
| SHA512 | f403f300a849d82bc10f4d72d0c32cf10d037bce46f2c8434f8a5f7b8d8bb873ad0be0bcefb2dce97de23b54365e4ad7decfed76e8b064f5a9c8ffb104ae01f3 |
C:\Users\Admin\AppData\Local\Temp\_MEI16402\libcrypto-1_1.dll
| MD5 | 925b0753ee5a1ffafe647f988683b0a2 |
| SHA1 | 7f1862d04c8c8d7c69f9865b462f0e995e25aab5 |
| SHA256 | 95e3e9a86da6de563340b419962fc05f59038f32924b79d59e121bdd5e260a3a |
| SHA512 | 1e06e5d0177789175fb3f9bcac5a85a8caf1cc1609797ef823a56f420a01904b4cde240aabe0df42c57a0f3f6c69385f16539f01cf54632bd2894cd56f956bfb |
C:\Users\Admin\AppData\Local\Temp\_MEI16402\libssl-1_1.dll
| MD5 | 90e6e4d388505d86eaf094ade0ab080c |
| SHA1 | 22b437a1702e4c45a8771ea4aae7b12f58f04769 |
| SHA256 | 0c9573ee96059fb5746769163f445e936b780090d17b0d1ef415e9e837434dc1 |
| SHA512 | dcf8e1c8c79a4484056d546b38bed20445c8d87858298d9e0362e2f1acb42921282e35ebdd854ec98cd339d6304d0e6654c60c821542d16d5ee75bbf21e25e3c |
C:\Users\Admin\AppData\Local\Temp\_MEI16402\_socket.pyd
| MD5 | cfb4527e80439fd4b20164f8a2e2b6e4 |
| SHA1 | 93bb7f5bbc90f7c09e72ed3087fffc72985a5254 |
| SHA256 | b6f45e053997359f1932b0bd10cd46ff02f84b85d0ecc93dea97430693683c7e |
| SHA512 | 800417aba1e4524e06ef12be654048e17d699cd2733143d3e5f1a9f700268f181922525940537ab526b7d924a2e9db5d3282b4ef8adf49d314fa1bd055e6d652 |
C:\Users\Admin\AppData\Local\Temp\_MEI16402\select.pyd
| MD5 | 7867a50c9bb0c3d2aa9e9cc05fdb54ff |
| SHA1 | 6d7d895673b9b4ad2f8dfae34e001be1d5f270f2 |
| SHA256 | e9b612e38e6a1b6af89253a6ce5f63d85f9d7d98c940bb63fba5ce99d2f31071 |
| SHA512 | 6959544b0c2d0701f4d4414f07b8a6c100dd2985b3ccddabcb724842b322078ee07a607783e2649c00db20fc65897dd9222bf84b7c3082f61269fc2c8bc4e144 |
memory/4440-44-0x000001BBBD870000-0x000001BBBD871000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI16402\_hashlib.pyd
| MD5 | 7391051923fee611c474fcfbf3f7f548 |
| SHA1 | 5f284a87c18900515606a952bf2476e0c42066ad |
| SHA256 | 02753c507c95d2d434fa6499cfd6390ec98bffac6799d664148297334ea25575 |
| SHA512 | a3567bad9dc165af0359076f13ba1d0da68c9105e6555589a433a74644eebd082ce508d444a701d2a89910ed2a09adeff15f144f43075174f77ccb29ce8d4ff3 |
C:\Users\Admin\AppData\Local\Temp\_MEI16402\_bz2.pyd
| MD5 | f8770b9ea04aeb0b98eb1fab2a1bde84 |
| SHA1 | 7ac83db9bbc35231e917d522e1140bbacb855aa1 |
| SHA256 | 18e66c3a2104da1c338c40d7e249382f054e1e76e5a85e481d13052fd62c6cd9 |
| SHA512 | 7803517b89bfdc027691e495be089466f3aa80bb1efb770ec4619740b9f30ece28ca8bc2d8efabdafbf04fae68a3e24fffa7b4c5e91e3a0a07b1909065ce3924 |
C:\Users\Admin\AppData\Local\Temp\_MEI16402\_lzma.pyd
| MD5 | e5fa638b1374685dbaf5beb12f67d71a |
| SHA1 | 1a7d171f66e88da4686f51d25094d85f2dd1577f |
| SHA256 | d58fc7163b58d96a7718733dec3562eb998a17100982bf7453782d01ca27ffd9 |
| SHA512 | be71f7050834c631ee12e32f78542156e09f8dfb6b8aa425db9a7267b45175caceb56805db382d85cff80ea9633bcc2c52ac7175cdd33a85002458650c399812 |
C:\Users\Admin\AppData\Local\Temp\_MEI16402\unicodedata.pyd
| MD5 | 653d4fbd3a4e8364a37cddf09fd327c3 |
| SHA1 | b7b6fc5c4d17ba6c25ed7a06602bfab817ff3732 |
| SHA256 | a235b80e70280472c399e42453e35c7c29ae82c6ae54884d7263411b1c350969 |
| SHA512 | 1672a497a69b80b2fa192422d5879f04a6674541cb1dcc4c95618739a9d845e63513c635c6bfb74163dbb4e7bc213cf6569daadc9f908cd09d997844c0dc4675 |
C:\Users\Admin\AppData\Local\Temp\_MEI16402\certifi\cacert.pem
| MD5 | edd513e1d62ca2b059821b8380c19d19 |
| SHA1 | 7e785afc6a7174f008b8b6e775c91c018d72aee3 |
| SHA256 | 870068ef78059c5d012a23f715029f1b7db19060e1c65e12c024221f6ac32abd |
| SHA512 | 31450f875b46bbbb8e8d2f2e075f82ab4cfe175dadd966be22c66206d5dc2517a870a8cfc46f2f094b6810c09b447bd46354b67c128843b997957522d3cf4f5f |
C:\Users\Admin\AppData\Local\Temp\_MEI16402\_queue.pyd
| MD5 | 6fbcd906dcec9ea5b0de160e596c8435 |
| SHA1 | 974b49881702642415588d0a3c814396262cdf4b |
| SHA256 | fd0be33a0851c8a89adb694358ca7c064aac4454471bf57033f24a91f03e6f4c |
| SHA512 | d8b67d90f38d5488ab9f6c2ea50646f37f8f126d6d2aef6ed4eba5ad7552c8813e33e43ef84d95ac972d4c58c5536ff4c6ae5d9cb5d3b350df6ff48efce169b5 |
memory/4440-102-0x00007FFDE0000000-0x00007FFDE0001000-memory.dmp
memory/4440-101-0x000001BBBD870000-0x000001BBBD871000-memory.dmp
memory/4440-99-0x000001BBBD870000-0x000001BBBD871000-memory.dmp
memory/4440-97-0x000001BBBD870000-0x000001BBBD871000-memory.dmp
memory/4440-95-0x000001BBBD870000-0x000001BBBD871000-memory.dmp
memory/4440-93-0x000001BBBD870000-0x000001BBBD871000-memory.dmp
memory/4440-91-0x000001BBBD870000-0x000001BBBD871000-memory.dmp
memory/4440-89-0x000001BBBD870000-0x000001BBBD871000-memory.dmp
memory/4440-81-0x000001BBBD870000-0x000001BBBD871000-memory.dmp
memory/4440-79-0x000001BBBD870000-0x000001BBBD871000-memory.dmp
memory/4440-77-0x000001BBBD870000-0x000001BBBD871000-memory.dmp
memory/4440-75-0x000001BBBD870000-0x000001BBBD871000-memory.dmp
memory/4440-73-0x000001BBBD870000-0x000001BBBD871000-memory.dmp
memory/4440-48-0x000001BBBD870000-0x000001BBBD871000-memory.dmp
memory/4440-46-0x000001BBBD870000-0x000001BBBD871000-memory.dmp
memory/4440-42-0x000001BBBD870000-0x000001BBBD871000-memory.dmp
memory/4440-41-0x000001BBBD860000-0x000001BBBD861000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI16402\pytransform.key
| MD5 | 2bcf75f492f791ef1a45b9e54cbe3170 |
| SHA1 | 8df4c5ccceda7bebdad76902ea9ca6604d5cfde9 |
| SHA256 | 59449650714f8f34cbbceb9c4e4ac8070ba77b8b2ba42c18e8945b82de594455 |
| SHA512 | 185576d8aba1e147ccfaeee4c99ee6d90c1a7aa73a1c14a0aaf9e8f9eef8aeec1f31b7c9c92136f5ab003ec4de64806816c276d5180464cc76416fd24da574f9 |
C:\Users\Admin\AppData\Local\Temp\_MEI16402\_pytransform.dll
| MD5 | 6aecb4a764836d156e4d6f6ea7cbaa9d |
| SHA1 | 42e2386843550b36bee70e46ccc8ce5c8628c50a |
| SHA256 | 8414c81dd8bc12f80dbce1126f3bd83df136d886589ea4bc89c05bb494df2eab |
| SHA512 | 42968102be12601883f3cd116cfc1f3750930b685bde128f52abd18d3db9255ce56a4527af2a286360d6f7ae2e7acb4b96414ce1d8a7f13ca7f094dbcdb21481 |
memory/4440-71-0x000001BBBD870000-0x000001BBBD871000-memory.dmp
memory/4440-69-0x000001BBBD870000-0x000001BBBD871000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI16402\license.lic
| MD5 | 320aa573435cfbac84163504b9abf0a6 |
| SHA1 | e1ddf425400f081fc4c4b9acf0951c412f9c2f06 |
| SHA256 | 0814d8054e2897cec2bcb92d9b38350f0a873dd1754e9f94c172033bf6853d71 |
| SHA512 | 331b182b32cd8370ceca2cc2ce7488b198f6c45171cf448eba8419caa8b2bb9b990779ce5c178ae517528614a8b36525e047ae2357a947042feaa1035e7661c7 |
memory/4440-60-0x000001BBBD870000-0x000001BBBD871000-memory.dmp
memory/4440-58-0x000001BBBD870000-0x000001BBBD871000-memory.dmp
memory/4440-56-0x000001BBBD870000-0x000001BBBD871000-memory.dmp
memory/4440-54-0x000001BBBD870000-0x000001BBBD871000-memory.dmp
memory/4440-52-0x000001BBBD870000-0x000001BBBD871000-memory.dmp
memory/4440-50-0x000001BBBD870000-0x000001BBBD871000-memory.dmp
memory/4440-114-0x0000000070A00000-0x0000000070ABE000-memory.dmp
memory/4440-115-0x0000000070A00000-0x0000000070ABE000-memory.dmp
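The Files list above mixes three kinds of artefact: the interpreter, C runtime and stdlib modules that every PyInstaller onefile build unpacks into a `_MEI` directory, the PyArmor runtime (`pytransform.key`, `_pytransform.dll`, `license.lic`) that tells you the bundled script is an obfuscated stub rather than plain bytecode, and (in behavioral30) executables written outside the bundle to `C:\ProgramData`. The following is an added triage helper, not part of the sandbox report or the sample; `SAMPLE_FILES` is constructed from the behavioral26 and behavioral30 file lists on this page, and the category patterns and the `_MEI<pid><counter>` naming rule are assumptions about PyInstaller/PyArmor layouts, flagged in the comments.

```python
"""Sort a detonation's Files list into PyInstaller packaging noise,
PyArmor runtime, and genuine second-stage drops.

Added example, not part of the sandbox report. SAMPLE_FILES is constructed
from the behavioral26 and behavioral30 file lists on this page. The
category patterns and the _MEI<pid><counter> naming rule are assumptions
about PyInstaller/PyArmor layouts, noted in the comments.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

SAMPLE_FILES = [
    r"C:\Users\Admin\AppData\Local\Temp\_MEI16402\python37.dll",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI16402\VCRUNTIME140.dll",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI16402\base_library.zip",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI16402\_ssl.pyd",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI16402\libcrypto-1_1.dll",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI16402\certifi\cacert.pem",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI16402\pytransform.key",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI16402\_pytransform.dll",
    r"C:\Users\Admin\AppData\Local\Temp\_MEI16402\license.lic",
    r"C:\ProgramData\vshost\vshost.exe",
    r"C:\ProgramData\winst\winst.exe",
]

MEI_RE = re.compile(r"^_MEI(\d+)$")
# PyArmor runtime files; their presence means the bundled script is an
# obfuscated stub, so pyinstxtractor + a decompiler will not recover source.
PYARMOR = {"pytransform.key", "_pytransform.dll", "license.lic", "pytransform.py"}
# Interpreter, C runtime, stdlib and certifi bundle that every onefile build drops.
RUNTIME_RE = re.compile(
    r"^(python\d*\.dll|vcruntime\d+.*\.dll|base_library\.zip|.*\.pyd"
    r"|libffi-.*\.dll|lib(crypto|ssl)-.*\.dll|cacert\.pem)$", re.I)


def mei_dir(path):
    """The _MEI<digits> component of a path, or None if not a PyInstaller temp dir."""
    return next((p for p in PureWindowsPath(path).parts if MEI_RE.match(p)), None)


def mei_parent_pid(dirname):
    """Assumption: the onefile bootloader names the dir _MEI + its PID + a
    one-digit counter. Consistent with PID 1640 / _MEI16402 on this page;
    treat the result as a hint to check against the process tree."""
    m = MEI_RE.match(dirname)
    digits = m.group(1) if m else ""
    return int(digits[:-1]) if len(digits) > 1 else None


def classify_file(path):
    p = PureWindowsPath(path)
    name = p.name.lower()
    if mei_dir(path):
        if name in PYARMOR:
            return "pyarmor-runtime"
        if RUNTIME_RE.match(name):
            return "pyinstaller-runtime"
        return "bundled-data"  # author-supplied files inside the bundle
    if name.endswith((".exe", ".dll")):
        return "dropped-executable"  # written outside the bundle: hash and hunt these
    return "other"


def summarize(paths):
    out = defaultdict(list)
    for path in paths:
        out[classify_file(path)].append(path)
    return dict(out)


def basenames(paths):
    return sorted(PureWindowsPath(p).name for p in paths)


def payload_is_obfuscated(paths):
    return any(classify_file(p) == "pyarmor-runtime" for p in paths)


if __name__ == "__main__":
    summary = summarize(SAMPLE_FILES)
    for label, paths in summary.items():
        print(f"{label}: {basenames(paths)}")
    print("PyArmor:", payload_is_obfuscated(SAMPLE_FILES))
    print("parent PID:", mei_parent_pid(mei_dir(SAMPLE_FILES[0])))
```

The runtime bucket is what you ignore when hunting (those hashes match any Python 3.7 onefile build); the PyArmor bucket changes how you approach the payload; the dropped-executable bucket is where the hashes worth pivoting on live.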
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240426-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\vshost\vshost.exe | N/A |
| N/A | N/A | C:\ProgramData\winst\winst.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Discord Backup.exe
"C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Discord Backup.exe"
C:\ProgramData\vshost\vshost.exe
C:\ProgramData\\vshost\\vshost.exe ,.
C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.lib
Qt5Core.lib
C:\ProgramData\winst\winst.exe
C:\ProgramData\\winst\\winst.exe u4bty6QwVuBS0x5H9n42DV5Ms9ZtKJkxoKy4OKYlNIYsCMduDyYR0NkQfinieGBh
C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.lib
Qt5Core.lib
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title [Discord Account Backup Bot] - Main Menu
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | stlaip74566.ddnsgeek.com | udp |
| US | 162.216.242.206:80 | stlaip74566.ddnsgeek.com | tcp |
| US | 8.8.8.8:53 | stlaep34621.ddnsgeek.com | udp |
| US | 8.8.8.8:53 | canary.discordapp.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.242.216.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 162.159.134.233:443 | canary.discordapp.com | tcp |
| RO | 185.247.224.98:443 | stlaep34621.ddnsgeek.com | tcp |
| US | 8.8.8.8:53 | 98.224.247.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 23.62.61.138:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
C:\ProgramData\vshost\vshost.exe
| MD5 | 4e6a7ee0e286ab61d36c26bd38996821 |
| SHA1 | 820674b4c75290f8f667764bfb474ca8c1242732 |
| SHA256 | f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3 |
| SHA512 | f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a |
C:\ProgramData\winst\winst.exe
| MD5 | 59238144771807b1cbc407b250d6b2c3 |
| SHA1 | 6c9f87cca7e857e888cb19ea45cf82d2e2d29695 |
| SHA256 | 8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b |
| SHA512 | cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220 |
C:\Users\Admin\AppData\Local\Temp\_MEI10202\python38.dll
| MD5 | 26ba25d468a778d37f1a24f4514d9814 |
| SHA1 | b64fe169690557656ede3ae50d3c5a197fea6013 |
| SHA256 | 2f3e368f5bcc1dda5e951682008a509751e6395f7328fd0f02c4e1a11f67c128 |
| SHA512 | 80471bfeeab279ce4adfb9ee1962597fb8e1886b861e31bdff1e3aa0df06d93afeb3a3398e9519bab7152d4bd7d88fa9b328a2d7eb50a91eb60fead268912080 |
C:\Users\Admin\AppData\Local\Temp\_MEI10202\VCRUNTIME140.dll
| MD5 | 4a365ffdbde27954e768358f4a4ce82e |
| SHA1 | a1b31102eee1d2a4ed1290da2038b7b9f6a104a3 |
| SHA256 | 6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c |
| SHA512 | 54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722 |
C:\Users\Admin\AppData\Local\Temp\_MEI10202\base_library.zip
| MD5 | e1315e6d33e2300bc1d691ed76bc6bf1 |
| SHA1 | 401075f435707c77904be8915a8c83a422cfe0ee |
| SHA256 | 52bd4ea66e4ece6bf404c3617d0c9723966adb9206c507fda8a2850d3c194ad0 |
| SHA512 | a1f7172dfa320976da468f9dab24678ae471904ed390b9721f16e7a86db7a11be7664013ef1125fe9f9c35501eb70c758fb9c20babcaf712af0ba9f5b3293e2c |
C:\Users\Admin\AppData\Local\Temp\_MEI10202\python3.DLL
| MD5 | c9f0b55fce50c904dff9276014cef6d8 |
| SHA1 | 9f9ae27df619b695827a5af29414b592fc584e43 |
| SHA256 | 074b06ae1d0a0b5c26f0ce097c91e2f24a5d38b279849115495fc40c6c10117e |
| SHA512 | 8dd188003d8419a25de7fbb37b29a4bc57a6fd93f2d79b5327ad2897d4ae626d7427f4e6ac84463c158bcb18b6c1e02e83ed49f347389252477bbeeb864ac799 |
C:\Users\Admin\AppData\Local\Temp\_MEI10202\_ctypes.pyd
| MD5 | 291a0a9b63bae00a4222a6df71a22023 |
| SHA1 | 7a6a2aad634ec30e8edb2d2d8d0895c708d84551 |
| SHA256 | 820e840759eed12e19f3c485fd819b065b49d9dc704ae3599a63077416d63324 |
| SHA512 | d43ef6fc2595936b17b0a689a00be04968f11d7c28945af4c3a74589bd05f415bf4cb3b4e22ac496490daff533755999a69d5962ccffd12e09c16130ed57fd09 |
C:\Users\Admin\AppData\Local\Temp\_MEI10202\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI10202\_socket.pyd
| MD5 | 4827652de133c83fa1cae839b361856c |
| SHA1 | 182f9a04bdc42766cfd5fb352f2cb22e5c26665e |
| SHA256 | 87832a3b89e2ada8f704a8f066013660d591d9ce01ce901cc57a3b973f0858ba |
| SHA512 | 8d66d68613fdba0820257550de3c39b308b1dce659dca953d10a95ff2cf89c31afe512d30ed44422b31117058dc9fa15279e5ac84694da89b47f99b0ad7e338a |
C:\Users\Admin\AppData\Local\Temp\_MEI10202\select.pyd
| MD5 | e21cff76db11c1066fd96af86332b640 |
| SHA1 | e78ef7075c479b1d218132d89bf4bec13d54c06a |
| SHA256 | fcc2e09a2355a5546922874fb4cac92ee00a33c0ed6adbc440d128d1e9f4ec28 |
| SHA512 | e86dba2326ca5ea3f5ef3af2abd3c23d5b29b6211acc865b6be5a51d5c8850b7cda8c069e6f631ac62f2047224c4b675bbe6ac97c7ba781de5b8016ebaffd46f |
C:\Users\Admin\AppData\Local\Temp\_MEI10202\_ssl.pyd
| MD5 | d4dfd8c2894670e9f8d6302c09997300 |
| SHA1 | c3a6cc8d8079a06a4cac8950e0baba2b43fb1f8e |
| SHA256 | 0a721fc230eca278a69a2006e13dfa00e698274281378d4df35227e1f68ea3e0 |
| SHA512 | 1422bf45d233e2e3f77dce30ba0123625f2a511f73dfdf42ee093b1755963d9abc371935111c28f0d2c02308c5e82867de2546d871c35e657da32a7182026048 |
C:\Users\Admin\AppData\Local\Temp\_MEI10202\libcrypto-1_1.dll
| MD5 | 89511df61678befa2f62f5025c8c8448 |
| SHA1 | df3961f833b4964f70fcf1c002d9fd7309f53ef8 |
| SHA256 | 296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf |
| SHA512 | 9af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668 |
C:\Users\Admin\AppData\Local\Temp\_MEI10202\libssl-1_1.dll
| MD5 | 50bcfb04328fec1a22c31c0e39286470 |
| SHA1 | 3a1b78faf34125c7b8d684419fa715c367db3daa |
| SHA256 | fddd0da02dcd41786e9aa04ba17ba391ce39dae6b1f54cfa1e2bb55bc753fce9 |
| SHA512 | 370e6dfd318d905b79baf1808efbf6da58590f00006513bdaaed0c313f6fa6c36f634ea3b05f916cee59f4db25a23dd9e6f64caf3c04a200e78c193027f57685 |
C:\Users\Admin\AppData\Local\Temp\_MEI10202\_hashlib.pyd
| MD5 | 5e5af52f42eaf007e3ac73fd2211f048 |
| SHA1 | 1a981e66ab5b03f4a74a6bac6227cd45df78010b |
| SHA256 | a30cf1a40e0b09610e34be187f1396ac5a44dcfb27bc7ff9b450d1318b694c1b |
| SHA512 | bc37625005c3dad1129b158a2f1e91628d5c973961e0efd61513bb6c7b97d77922809afca8039d08c11903734450bc098c6e7b63655ff1e9881323e5cfd739fd |
C:\Users\Admin\AppData\Local\Temp\_MEI10202\_queue.pyd
| MD5 | dd146e2fa08302496b15118bf47703cf |
| SHA1 | d06813e2fcb30cbb00bb3893f30c2661686cf4b7 |
| SHA256 | 67e4e888559ea2c62ff267b58d7a7e95c2ec361703b5aa232aa8b2a1f96a2051 |
| SHA512 | 5b93a782c9562370fc5b3f289ca422b4d1a1c532e81bd6c95a0063f2e3889ecf828003e42b674439fc7cd0fa72f64ad607bab6910abe9d959a4fb9fb08df263c |
C:\Users\Admin\AppData\Local\Temp\_MEI10202\_bz2.pyd
| MD5 | a49c5f406456b79254eb65d015b81088 |
| SHA1 | cfc2a2a89c63df52947af3610e4d9b8999399c91 |
| SHA256 | ce4ef8ed1e72c1d3a6082d500a17a009eb6e8ed15022bf3b68a22291858feced |
| SHA512 | bbafeff8c101c7425dc9b8789117fe4c5e516d217181d3574d9d81b8fec4b0bd34f1e1fe6e406ae95584dc671f788cd7b05c8d700baf59fbf21de9c902edf7ae |
C:\Users\Admin\AppData\Local\Temp\_MEI10202\_lzma.pyd
| MD5 | cf9fd17b1706f3044a8f74f6d398d5f1 |
| SHA1 | c5cd0debbde042445b9722a676ff36a0ac3959ad |
| SHA256 | 9209ccc60115727b192bf7771551040ca6fdd50f9bf8c3d2eacbfd424e8245e4 |
| SHA512 | 5fe922c00c6f7fd3cd9bc56fc51de1f44adffbdb0afc0583f1bb08008be628b9ac16f8560b0c3ba16138e1cdcaf1c525ef24241bed804804cdeb5961aed6385a |
C:\Users\Admin\AppData\Local\Temp\_MEI10202\certifi\cacert.pem
| MD5 | 3dcd08b803fbb28231e18b5d1eef4258 |
| SHA1 | b81ea40b943cd8a0c341f3a13e5bc05090b5a72a |
| SHA256 | de2fa17c4d8ae68dc204a1b6b58b7a7a12569367cfeb8a3a4e1f377c73e83e9e |
| SHA512 | 9cc7106e921fbcf8c56745b38051a5a56154c600e3c553f2e64d93ec988c88b17f6d49698bdc18e3aa57ae96a79ee2c08c584c7c4c91cc6ea72db3dca6ccc2f5 |
C:\Users\Admin\AppData\Local\Temp\_MEI10202\unicodedata.pyd
| MD5 | 601aee84e12b87ca66826dfc7ca57231 |
| SHA1 | 3a7812433ca7d443d4494446a9ced24b6774ceca |
| SHA256 | d8091e62c74e1b2b648086f778c3c41ce01f09661a75ea207d3fea2cf26a8762 |
| SHA512 | 7c2d64623c6cfd66d6729f59909c90aa944e810ff6514c58b2b3142ee90e8660b7ddf7fa187389dd333e47efe8b19e935dd4e9119c15375b69b4880d043877d7 |
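Most rows in the Network tables above are the analysis VM talking to itself: Bing/Edge telemetry, reverse PTR lookups via 8.8.8.8. The rows that matter are the dynamic-DNS names (`*.ddnsgeek.com`), the `pastebin.com` lookup flagged under "Legitimate hosting services abused", and the connections to a bare IP with no preceding name. The following is an added example, not part of the sandbox report, that separates the two; `SAMPLE_ROWS` is constructed from the behavioral30, behavioral26 and behavioral2 tables on this page, and the background suffixes, the resolver address and the provider lists are assumptions about this image and about the providers seen here.

```python
"""Split a detonation's Network table into sandbox background noise and
candidate C2 indicators.

Added example, not part of the sandbox report. SAMPLE_ROWS is constructed
from the behavioral30, behavioral26 and behavioral2 tables on this page.
The noise suffixes and the dynamic-DNS / paste-site lists are assumptions
about this analysis image and about the providers seen here.
"""
import re
from collections import defaultdict

# Constructed sample: rows copied from the Network tables above.
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | stlaip74566.ddnsgeek.com | udp |
| US | 162.216.242.206:80 | stlaip74566.ddnsgeek.com | tcp |
| US | 8.8.8.8:53 | canary.discordapp.com | udp |
| US | 8.8.8.8:53 | 206.242.216.162.in-addr.arpa | udp |
| US | 162.159.134.233:443 | canary.discordapp.com | tcp |
| RO | 185.247.224.98:443 | stlaep34621.ddnsgeek.com | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 23.62.61.138:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 20.231.121.79:80 | | tcp |
"""

RESOLVER = "8.8.8.8:53"  # the VM's DNS server; rows to it are lookups, not C2
# Assumption: traffic the Windows 10 analysis image generates by itself.
BACKGROUND = ("bing.com", "bing.net", "in-addr.arpa")
# Providers seen on this page; extend with your own dynamic-DNS / paste list.
DYNAMIC_DNS = ("ddnsgeek.com",)
PASTE_SITES = ("pastebin.com",)

ROW_RE = re.compile(
    r"^\|\s*(?P<cc>\w{2})\s*\|\s*(?P<dst>[^|]*?)\s*\|\s*(?P<dom>[^|]*?)\s*\|\s*(?P<proto>\w+)\s*\|$"
)


def _under(domain, suffixes):
    """True if domain equals or is a subdomain of one of suffixes."""
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def parse_rows(text):
    """Parse the pipe-delimited table; the header row and blank lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def classify(row):
    """Label one row. Order matters: known noise first, then the cheap
    infrastructure tells, then everything else for manual review."""
    dom = row["dom"].lower()
    if _under(dom, BACKGROUND):
        return "background"
    if _under(dom, DYNAMIC_DNS):
        return "c2:dynamic-dns"
    if _under(dom, PASTE_SITES):
        return "c2:paste-site"
    if not dom and row["dst"] != RESOLVER:
        # A connection with no name: the address is hard-coded in the sample.
        return "c2:hardcoded-ip"
    return "review"


def triage(text):
    """Group indicators by label, dropping background noise. DNS rows keep the
    bare name; real connections keep name:port so the port is retained."""
    buckets = defaultdict(set)
    for row in parse_rows(text):
        label = classify(row)
        if label == "background":
            continue
        if row["dst"] == RESOLVER:
            buckets[label].add(row["dom"])
        else:
            host, port = row["dst"].rsplit(":", 1)
            buckets[label].add(f"{row['dom'] or host}:{port}")
    return {label: sorted(items) for label, items in buckets.items()}


def c2_addresses(text):
    """IP:port pairs behind the C2 labels. Dynamic-DNS names rotate, so
    block and hunt on the addresses observed as well as the names."""
    hits = set()
    for row in parse_rows(text):
        if row["dst"] != RESOLVER and classify(row).startswith("c2:"):
            hits.add(row["dst"])
    return sorted(hits)


if __name__ == "__main__":
    for label, items in triage(SAMPLE_ROWS).items():
        print(label, items)
    print("addresses:", c2_addresses(SAMPLE_ROWS))
```

`canary.discordapp.com` lands in the review bucket on purpose: a "Discord account backup" lure talking to the Discord API is expected application behaviour, and only the process tree (a `cmd.exe /c title` banner next to drops into `C:\ProgramData`) tells you whether it is lure or payload.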
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240426-en
Max time kernel
90s
Max time network
96s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\libcef.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\libcef.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | stlaip74566.ddnsgeek.com | udp |
| NL | 23.62.61.104:443 | www.bing.com | tcp |
| US | 162.216.242.206:80 | stlaip74566.ddnsgeek.com | tcp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stlaep34621.ddnsgeek.com | udp |
| RO | 185.247.224.98:443 | stlaep34621.ddnsgeek.com | tcp |
| NL | 23.62.61.104:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 206.242.216.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.224.247.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240426-en
Max time kernel
93s
Max time network
157s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\Qt5Core.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\Qt5Core.exe"
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.193:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240419-en
Max time kernel
53s
Max time network
56s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\lib32.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\lib32.exe"
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
Files
memory/4020-0-0x0000000000300000-0x0000000000308000-memory.dmp
memory/4020-1-0x00000000750B0000-0x0000000075860000-memory.dmp
memory/4020-2-0x00000000750B0000-0x0000000075860000-memory.dmp
memory/4020-4-0x00000000750B0000-0x0000000075860000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240419-en
Max time kernel
65s
Max time network
56s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\DiscoBot v2 By Psy\database32.exe
"C:\Users\Admin\AppData\Local\Temp\DiscoBot v2 By Psy\database32.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
Files
memory/5200-0-0x0000000000DD0000-0x0000000000E5E000-memory.dmp
memory/5200-1-0x00000000746A0000-0x0000000074E50000-memory.dmp
memory/5200-2-0x0000000005F00000-0x00000000064A4000-memory.dmp
memory/5200-3-0x0000000005830000-0x00000000058C2000-memory.dmp
memory/5200-4-0x00000000057D0000-0x00000000057E0000-memory.dmp
memory/5200-5-0x0000000005900000-0x000000000590A000-memory.dmp
memory/5200-6-0x00000000057D0000-0x00000000057E0000-memory.dmp
memory/5200-7-0x00000000746A0000-0x0000000074E50000-memory.dmp
memory/5200-8-0x00000000057D0000-0x00000000057E0000-memory.dmp
memory/5200-9-0x00000000057D0000-0x00000000057E0000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240419-en
Max time kernel
147s
Max time network
159s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\bin32.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\bin32.exe"
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| NL | 23.62.61.139:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 139.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240419-en
Max time kernel
139s
Max time network
128s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3720 wrote to memory of 3600 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3720 wrote to memory of 3600 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3720 wrote to memory of 3600 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\DXCore.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\DXCore.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3600 -ip 3600
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.59:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:19
Platform
win10v2004-20240419-en
Max time kernel
142s
Max time network
56s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\chromedriver.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\chromedriver.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-01 13:15
Reported
2024-05-01 13:23
Platform
win10v2004-20240426-en
Max time kernel
321s
Max time network
326s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\libcef.exe
"C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\libcef.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | stlaip74566.ddnsgeek.com | udp |
| NL | 23.62.61.139:443 | www.bing.com | tcp |
| US | 162.216.242.206:80 | stlaip74566.ddnsgeek.com | tcp |
| US | 8.8.8.8:53 | stlaep34621.ddnsgeek.com | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.242.216.162.in-addr.arpa | udp |
| RO | 185.247.224.98:443 | stlaep34621.ddnsgeek.com | tcp |
| NL | 23.62.61.139:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.224.247.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stlaip74566.ddnsgeek.com | udp |
| US | 162.216.242.206:80 | stlaip74566.ddnsgeek.com | tcp |
| US | 8.8.8.8:53 | stlaep34621.ddnsgeek.com | udp |
| RO | 185.247.224.98:443 | stlaep34621.ddnsgeek.com | tcp |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |