Malware Analysis Report

2024-09-23 18:05

Sample ID 240501-qhh56aff4v
Target Discord-Leaks.zip
SHA256 a4704b7ba12271b428693f4758ee9e829de8be98e31c66362affa951a2ef0037
Tags
qr link pyinstaller privateloader
score
10/10

Analysis Overview

score
10/10

SHA256

a4704b7ba12271b428693f4758ee9e829de8be98e31c66362affa951a2ef0037

Threat Level: Known bad

The file Discord-Leaks.zip was found to be: Known bad.

Malicious Activity Summary

qr link pyinstaller privateloader

Privateloader family

Loads dropped DLL

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Program crash

Detects Pyinstaller

One or more HTTP URLs in qr code identified

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-01 13:16

Signatures

Privateloader family

privateloader

Detects Pyinstaller

pyinstaller

One or more HTTP URLs in qr code identified

qr link

Unsigned PE


Analysis: behavioral31

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240419-en

Max time kernel

65s

Max time network

52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.exe

"C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.exe"

C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.exe

"C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c title [Discord Account Backup Bot] - Main Menu

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 canary.discordapp.com udp
US 8.8.8.8:53 g.bing.com udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI31282\python38.dll

MD5 26ba25d468a778d37f1a24f4514d9814
SHA1 b64fe169690557656ede3ae50d3c5a197fea6013
SHA256 2f3e368f5bcc1dda5e951682008a509751e6395f7328fd0f02c4e1a11f67c128
SHA512 80471bfeeab279ce4adfb9ee1962597fb8e1886b861e31bdff1e3aa0df06d93afeb3a3398e9519bab7152d4bd7d88fa9b328a2d7eb50a91eb60fead268912080

C:\Users\Admin\AppData\Local\Temp\_MEI31282\VCRUNTIME140.dll

MD5 4a365ffdbde27954e768358f4a4ce82e
SHA1 a1b31102eee1d2a4ed1290da2038b7b9f6a104a3
SHA256 6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c
SHA512 54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

C:\Users\Admin\AppData\Local\Temp\_MEI31282\base_library.zip

MD5 e1315e6d33e2300bc1d691ed76bc6bf1
SHA1 401075f435707c77904be8915a8c83a422cfe0ee
SHA256 52bd4ea66e4ece6bf404c3617d0c9723966adb9206c507fda8a2850d3c194ad0
SHA512 a1f7172dfa320976da468f9dab24678ae471904ed390b9721f16e7a86db7a11be7664013ef1125fe9f9c35501eb70c758fb9c20babcaf712af0ba9f5b3293e2c

C:\Users\Admin\AppData\Local\Temp\_MEI31282\_ctypes.pyd

MD5 291a0a9b63bae00a4222a6df71a22023
SHA1 7a6a2aad634ec30e8edb2d2d8d0895c708d84551
SHA256 820e840759eed12e19f3c485fd819b065b49d9dc704ae3599a63077416d63324
SHA512 d43ef6fc2595936b17b0a689a00be04968f11d7c28945af4c3a74589bd05f415bf4cb3b4e22ac496490daff533755999a69d5962ccffd12e09c16130ed57fd09

C:\Users\Admin\AppData\Local\Temp\_MEI31282\python3.DLL

MD5 c9f0b55fce50c904dff9276014cef6d8
SHA1 9f9ae27df619b695827a5af29414b592fc584e43
SHA256 074b06ae1d0a0b5c26f0ce097c91e2f24a5d38b279849115495fc40c6c10117e
SHA512 8dd188003d8419a25de7fbb37b29a4bc57a6fd93f2d79b5327ad2897d4ae626d7427f4e6ac84463c158bcb18b6c1e02e83ed49f347389252477bbeeb864ac799

C:\Users\Admin\AppData\Local\Temp\_MEI31282\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI31282\_socket.pyd

MD5 4827652de133c83fa1cae839b361856c
SHA1 182f9a04bdc42766cfd5fb352f2cb22e5c26665e
SHA256 87832a3b89e2ada8f704a8f066013660d591d9ce01ce901cc57a3b973f0858ba
SHA512 8d66d68613fdba0820257550de3c39b308b1dce659dca953d10a95ff2cf89c31afe512d30ed44422b31117058dc9fa15279e5ac84694da89b47f99b0ad7e338a

C:\Users\Admin\AppData\Local\Temp\_MEI31282\select.pyd

MD5 e21cff76db11c1066fd96af86332b640
SHA1 e78ef7075c479b1d218132d89bf4bec13d54c06a
SHA256 fcc2e09a2355a5546922874fb4cac92ee00a33c0ed6adbc440d128d1e9f4ec28
SHA512 e86dba2326ca5ea3f5ef3af2abd3c23d5b29b6211acc865b6be5a51d5c8850b7cda8c069e6f631ac62f2047224c4b675bbe6ac97c7ba781de5b8016ebaffd46f

C:\Users\Admin\AppData\Local\Temp\_MEI31282\libcrypto-1_1.dll

MD5 89511df61678befa2f62f5025c8c8448
SHA1 df3961f833b4964f70fcf1c002d9fd7309f53ef8
SHA256 296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf
SHA512 9af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668

C:\Users\Admin\AppData\Local\Temp\_MEI31282\_ssl.pyd

MD5 d4dfd8c2894670e9f8d6302c09997300
SHA1 c3a6cc8d8079a06a4cac8950e0baba2b43fb1f8e
SHA256 0a721fc230eca278a69a2006e13dfa00e698274281378d4df35227e1f68ea3e0
SHA512 1422bf45d233e2e3f77dce30ba0123625f2a511f73dfdf42ee093b1755963d9abc371935111c28f0d2c02308c5e82867de2546d871c35e657da32a7182026048

C:\Users\Admin\AppData\Local\Temp\_MEI31282\libssl-1_1.dll

MD5 50bcfb04328fec1a22c31c0e39286470
SHA1 3a1b78faf34125c7b8d684419fa715c367db3daa
SHA256 fddd0da02dcd41786e9aa04ba17ba391ce39dae6b1f54cfa1e2bb55bc753fce9
SHA512 370e6dfd318d905b79baf1808efbf6da58590f00006513bdaaed0c313f6fa6c36f634ea3b05f916cee59f4db25a23dd9e6f64caf3c04a200e78c193027f57685

C:\Users\Admin\AppData\Local\Temp\_MEI31282\_hashlib.pyd

MD5 5e5af52f42eaf007e3ac73fd2211f048
SHA1 1a981e66ab5b03f4a74a6bac6227cd45df78010b
SHA256 a30cf1a40e0b09610e34be187f1396ac5a44dcfb27bc7ff9b450d1318b694c1b
SHA512 bc37625005c3dad1129b158a2f1e91628d5c973961e0efd61513bb6c7b97d77922809afca8039d08c11903734450bc098c6e7b63655ff1e9881323e5cfd739fd

C:\Users\Admin\AppData\Local\Temp\_MEI31282\_queue.pyd

MD5 dd146e2fa08302496b15118bf47703cf
SHA1 d06813e2fcb30cbb00bb3893f30c2661686cf4b7
SHA256 67e4e888559ea2c62ff267b58d7a7e95c2ec361703b5aa232aa8b2a1f96a2051
SHA512 5b93a782c9562370fc5b3f289ca422b4d1a1c532e81bd6c95a0063f2e3889ecf828003e42b674439fc7cd0fa72f64ad607bab6910abe9d959a4fb9fb08df263c

C:\Users\Admin\AppData\Local\Temp\_MEI31282\_bz2.pyd

MD5 a49c5f406456b79254eb65d015b81088
SHA1 cfc2a2a89c63df52947af3610e4d9b8999399c91
SHA256 ce4ef8ed1e72c1d3a6082d500a17a009eb6e8ed15022bf3b68a22291858feced
SHA512 bbafeff8c101c7425dc9b8789117fe4c5e516d217181d3574d9d81b8fec4b0bd34f1e1fe6e406ae95584dc671f788cd7b05c8d700baf59fbf21de9c902edf7ae

C:\Users\Admin\AppData\Local\Temp\_MEI31282\_lzma.pyd

MD5 cf9fd17b1706f3044a8f74f6d398d5f1
SHA1 c5cd0debbde042445b9722a676ff36a0ac3959ad
SHA256 9209ccc60115727b192bf7771551040ca6fdd50f9bf8c3d2eacbfd424e8245e4
SHA512 5fe922c00c6f7fd3cd9bc56fc51de1f44adffbdb0afc0583f1bb08008be628b9ac16f8560b0c3ba16138e1cdcaf1c525ef24241bed804804cdeb5961aed6385a

C:\Users\Admin\AppData\Local\Temp\_MEI31282\certifi\cacert.pem

MD5 3dcd08b803fbb28231e18b5d1eef4258
SHA1 b81ea40b943cd8a0c341f3a13e5bc05090b5a72a
SHA256 de2fa17c4d8ae68dc204a1b6b58b7a7a12569367cfeb8a3a4e1f377c73e83e9e
SHA512 9cc7106e921fbcf8c56745b38051a5a56154c600e3c553f2e64d93ec988c88b17f6d49698bdc18e3aa57ae96a79ee2c08c584c7c4c91cc6ea72db3dca6ccc2f5

C:\Users\Admin\AppData\Local\Temp\_MEI31282\unicodedata.pyd

MD5 601aee84e12b87ca66826dfc7ca57231
SHA1 3a7812433ca7d443d4494446a9ced24b6774ceca
SHA256 d8091e62c74e1b2b648086f778c3c41ce01f09661a75ea207d3fea2cf26a8762
SHA512 7c2d64623c6cfd66d6729f59909c90aa944e810ff6514c58b2b3142ee90e8660b7ddf7fa187389dd333e47efe8b19e935dd4e9119c15375b69b4880d043877d7

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240419-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DiscoBot v2 By Psy\DiscoBotV2.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\vshost\vshost.exe | N/A
N/A | N/A | C:\ProgramData\winst\winst.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\DiscoBot v2 By Psy\database32.lib | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DiscoBot v2 By Psy\DiscoBotV2.exe

"C:\Users\Admin\AppData\Local\Temp\DiscoBot v2 By Psy\DiscoBotV2.exe"

C:\ProgramData\vshost\vshost.exe

C:\ProgramData\\vshost\\vshost.exe ,.

C:\Users\Admin\AppData\Local\Temp\DiscoBot v2 By Psy\database32.lib

database32.lib

C:\ProgramData\winst\winst.exe

C:\ProgramData\\winst\\winst.exe hQXWxmWi9srZnKPhJw2x1irYfAesE8yUUNiuaZH1ZKI3qvin3WwekLs55e1P12rC

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 stlaip74566.ddnsgeek.com udp
US 8.8.8.8:53 staekp63472.ddnsgeek.com udp
US 8.8.8.8:53 stlaip578223.ddnsgeek.com udp
US 8.8.8.8:53 2captcha.com udp
US 8.8.8.8:53 2captcha.com udp

Files

C:\ProgramData\vshost\vshost.exe

MD5 4e6a7ee0e286ab61d36c26bd38996821
SHA1 820674b4c75290f8f667764bfb474ca8c1242732
SHA256 f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3
SHA512 f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a

C:\ProgramData\winst\winst.exe

MD5 59238144771807b1cbc407b250d6b2c3
SHA1 6c9f87cca7e857e888cb19ea45cf82d2e2d29695
SHA256 8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b
SHA512 cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220

memory/3180-14-0x00000000008A0000-0x000000000092E000-memory.dmp

memory/3180-15-0x0000000005990000-0x0000000005F34000-memory.dmp

memory/3180-16-0x0000000073AF0000-0x00000000742A0000-memory.dmp

memory/3180-17-0x0000000005320000-0x00000000053B2000-memory.dmp

memory/3180-18-0x0000000005550000-0x0000000005560000-memory.dmp

memory/3180-19-0x00000000053C0000-0x00000000053CA000-memory.dmp

memory/3180-20-0x0000000005550000-0x0000000005560000-memory.dmp

memory/3180-21-0x0000000073AF0000-0x00000000742A0000-memory.dmp

memory/3180-22-0x0000000005550000-0x0000000005560000-memory.dmp

memory/3180-23-0x0000000005550000-0x0000000005560000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240419-en

Max time kernel

85s

Max time network

65s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\Discord Checker.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\vshost\vshost.exe | N/A
N/A | N/A | C:\ProgramData\winst\winst.exe | N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 908 wrote to memory of 5068 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\Discord Checker.exe | C:\ProgramData\vshost\vshost.exe
PID 908 wrote to memory of 5068 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\Discord Checker.exe | C:\ProgramData\vshost\vshost.exe
PID 908 wrote to memory of 5068 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\Discord Checker.exe | C:\ProgramData\vshost\vshost.exe
PID 908 wrote to memory of 620 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\Discord Checker.exe | C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\lib32.cfg
PID 908 wrote to memory of 620 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\Discord Checker.exe | C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\lib32.cfg
PID 908 wrote to memory of 620 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\Discord Checker.exe | C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\lib32.cfg
PID 908 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\Discord Checker.exe | C:\ProgramData\winst\winst.exe
PID 908 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\Discord Checker.exe | C:\ProgramData\winst\winst.exe
PID 908 wrote to memory of 1340 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\Discord Checker.exe | C:\ProgramData\winst\winst.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\Discord Checker.exe

"C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\Discord Checker.exe"

C:\ProgramData\vshost\vshost.exe

C:\ProgramData\\vshost\\vshost.exe ,.

C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\lib32.cfg

lib32.cfg

C:\ProgramData\winst\winst.exe

C:\ProgramData\\winst\\winst.exe y5HD4TSx18kBv3sVmf5VL7ELHGiy9UwT1mdM5cckmhNvvYfU8n7axnQGkmgfCGgp

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 stlaip74566.ddnsgeek.com udp
US 8.8.8.8:53 staekp63472.ddnsgeek.com udp
US 8.8.8.8:53 stlaip578223.ddnsgeek.com udp

Files

C:\ProgramData\vshost\vshost.exe

MD5 4e6a7ee0e286ab61d36c26bd38996821
SHA1 820674b4c75290f8f667764bfb474ca8c1242732
SHA256 f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3
SHA512 f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a

C:\ProgramData\winst\winst.exe

MD5 59238144771807b1cbc407b250d6b2c3
SHA1 6c9f87cca7e857e888cb19ea45cf82d2e2d29695
SHA256 8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b
SHA512 cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220

memory/620-14-0x0000000000F20000-0x0000000000F28000-memory.dmp

memory/620-15-0x0000000075330000-0x0000000075AE0000-memory.dmp

memory/620-16-0x0000000075330000-0x0000000075AE0000-memory.dmp

memory/620-18-0x0000000075330000-0x0000000075AE0000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240426-en

Max time kernel

141s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\Discord Token Checker ULTRA by zoony.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\vshost\vshost.exe | N/A
N/A | N/A | C:\ProgramData\winst\winst.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.bin | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.bin | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2852 wrote to memory of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\Discord Token Checker ULTRA by zoony.exe | C:\ProgramData\vshost\vshost.exe
PID 2852 wrote to memory of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\Discord Token Checker ULTRA by zoony.exe | C:\ProgramData\vshost\vshost.exe
PID 2852 wrote to memory of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\Discord Token Checker ULTRA by zoony.exe | C:\ProgramData\vshost\vshost.exe
PID 2852 wrote to memory of 4996 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\Discord Token Checker ULTRA by zoony.exe | C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.bin
PID 2852 wrote to memory of 4996 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\Discord Token Checker ULTRA by zoony.exe | C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.bin
PID 2852 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\Discord Token Checker ULTRA by zoony.exe | C:\ProgramData\winst\winst.exe
PID 2852 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\Discord Token Checker ULTRA by zoony.exe | C:\ProgramData\winst\winst.exe
PID 2852 wrote to memory of 916 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\Discord Token Checker ULTRA by zoony.exe | C:\ProgramData\winst\winst.exe
PID 4996 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.bin | C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.bin
PID 4996 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.bin | C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.bin

Processes

C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\Discord Token Checker ULTRA by zoony.exe

"C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\Discord Token Checker ULTRA by zoony.exe"

C:\ProgramData\vshost\vshost.exe

C:\ProgramData\\vshost\\vshost.exe ,.

C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.bin

data.bin

C:\ProgramData\winst\winst.exe

C:\ProgramData\\winst\\winst.exe eErEsPUiSfIq35left1KrviZHrVxawxyIvFd4HDDBuT17ugP8hNVmuDFCb7SepX4

C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.bin

data.bin

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 stlaip74566.ddnsgeek.com udp
US 162.216.242.206:80 stlaip74566.ddnsgeek.com tcp
NL 23.62.61.59:443 www.bing.com tcp
US 8.8.8.8:53 stlaep34621.ddnsgeek.com udp
RO 185.247.224.98:443 stlaep34621.ddnsgeek.com tcp
US 8.8.8.8:53 206.242.216.162.in-addr.arpa udp
US 8.8.8.8:53 59.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 98.224.247.185.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 235.3.20.104.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
NL 23.62.61.59:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp

Files

C:\ProgramData\vshost\vshost.exe

MD5 4e6a7ee0e286ab61d36c26bd38996821
SHA1 820674b4c75290f8f667764bfb474ca8c1242732
SHA256 f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3
SHA512 f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a

C:\ProgramData\winst\winst.exe

MD5 59238144771807b1cbc407b250d6b2c3
SHA1 6c9f87cca7e857e888cb19ea45cf82d2e2d29695
SHA256 8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b
SHA512 cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220

C:\Users\Admin\AppData\Local\Temp\_MEI49962\python37.dll

MD5 5d8c22938d89077f64537a9d09cf6fd5
SHA1 15971f1b4bc2420eafbd40b0cd3fc4d2af204ec4
SHA256 8eb835d88e72e998b82916fb20a252af615d6e641827e013411239d115d5dd69
SHA512 dbd1febd18e29eab046b98f6b970e35e040adddead81561c0d165a1353a124d1dc26f3b3f5aa9ef0cb8e813baa8fc706514c0350c6428f25c5e5c050773b7d31

C:\Users\Admin\AppData\Local\Temp\_MEI49962\VCRUNTIME140.dll

MD5 0e675d4a7a5b7ccd69013386793f68eb
SHA1 6e5821ddd8fea6681bda4448816f39984a33596b
SHA256 bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512 cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

C:\Users\Admin\AppData\Local\Temp\_MEI49962\base_library.zip

MD5 770e57194dd00a1819d4397ab3a99a01
SHA1 dbe4fe0a51cab572e5e39cdfd47289a9a3258342
SHA256 90899a12994ee4b850d2119a7a5f947b3baca07500568e9385c9f160139fbbf7
SHA512 cb4e992c1da0a9dde1549e7eaf85d9725b9d395e97f4934ad215d934a6c8d0c7ab705a948c5e97d9338fc535a531dea31d3f4a30f07fffc70bf3598996a1b223

C:\Users\Admin\AppData\Local\Temp\_MEI49962\_ctypes.pyd

MD5 bf9d0771209cfbeb520c9e093d105d18
SHA1 72551b0f452bb144e528513033cbd755ab3e07ed
SHA256 d8b8cd706d524ab152d1f8f44f239487b89ee9c32bc692f6d2bdc84073ba56a0
SHA512 a94f99052058c1c2e1e680acae7167d3e5fd9aea18983ab6daac59878c3f7c33205ecf2ac69aa5db25af18654fc0141a569175b0c5c60d5fb469c011c6fb81f2

C:\Users\Admin\AppData\Local\Temp\_MEI49962\_ssl.pyd

MD5 3f332e60605790a55cc349fe04ec6c10
SHA1 e33b47855a3e2f8b2a0aa2d15de1e0cd3d668667
SHA256 ddd2a2734b1fb2d3881a8c05ad578cf9121549a8616b7d9fafb529c92597548e
SHA512 f403f300a849d82bc10f4d72d0c32cf10d037bce46f2c8434f8a5f7b8d8bb873ad0be0bcefb2dce97de23b54365e4ad7decfed76e8b064f5a9c8ffb104ae01f3

C:\Users\Admin\AppData\Local\Temp\_MEI49962\libssl-1_1.dll

MD5 90e6e4d388505d86eaf094ade0ab080c
SHA1 22b437a1702e4c45a8771ea4aae7b12f58f04769
SHA256 0c9573ee96059fb5746769163f445e936b780090d17b0d1ef415e9e837434dc1
SHA512 dcf8e1c8c79a4484056d546b38bed20445c8d87858298d9e0362e2f1acb42921282e35ebdd854ec98cd339d6304d0e6654c60c821542d16d5ee75bbf21e25e3c

C:\Users\Admin\AppData\Local\Temp\_MEI49962\libcrypto-1_1.dll

MD5 925b0753ee5a1ffafe647f988683b0a2
SHA1 7f1862d04c8c8d7c69f9865b462f0e995e25aab5
SHA256 95e3e9a86da6de563340b419962fc05f59038f32924b79d59e121bdd5e260a3a
SHA512 1e06e5d0177789175fb3f9bcac5a85a8caf1cc1609797ef823a56f420a01904b4cde240aabe0df42c57a0f3f6c69385f16539f01cf54632bd2894cd56f956bfb

C:\Users\Admin\AppData\Local\Temp\_MEI49962\_socket.pyd

MD5 cfb4527e80439fd4b20164f8a2e2b6e4
SHA1 93bb7f5bbc90f7c09e72ed3087fffc72985a5254
SHA256 b6f45e053997359f1932b0bd10cd46ff02f84b85d0ecc93dea97430693683c7e
SHA512 800417aba1e4524e06ef12be654048e17d699cd2733143d3e5f1a9f700268f181922525940537ab526b7d924a2e9db5d3282b4ef8adf49d314fa1bd055e6d652

C:\Users\Admin\AppData\Local\Temp\_MEI49962\select.pyd

MD5 7867a50c9bb0c3d2aa9e9cc05fdb54ff
SHA1 6d7d895673b9b4ad2f8dfae34e001be1d5f270f2
SHA256 e9b612e38e6a1b6af89253a6ce5f63d85f9d7d98c940bb63fba5ce99d2f31071
SHA512 6959544b0c2d0701f4d4414f07b8a6c100dd2985b3ccddabcb724842b322078ee07a607783e2649c00db20fc65897dd9222bf84b7c3082f61269fc2c8bc4e144

C:\Users\Admin\AppData\Local\Temp\_MEI49962\_pytransform.dll

MD5 6aecb4a764836d156e4d6f6ea7cbaa9d
SHA1 42e2386843550b36bee70e46ccc8ce5c8628c50a
SHA256 8414c81dd8bc12f80dbce1126f3bd83df136d886589ea4bc89c05bb494df2eab
SHA512 42968102be12601883f3cd116cfc1f3750930b685bde128f52abd18d3db9255ce56a4527af2a286360d6f7ae2e7acb4b96414ce1d8a7f13ca7f094dbcdb21481

memory/2900-95-0x000001A226AB0000-0x000001A226AB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49962\_hashlib.pyd

MD5 7391051923fee611c474fcfbf3f7f548
SHA1 5f284a87c18900515606a952bf2476e0c42066ad
SHA256 02753c507c95d2d434fa6499cfd6390ec98bffac6799d664148297334ea25575
SHA512 a3567bad9dc165af0359076f13ba1d0da68c9105e6555589a433a74644eebd082ce508d444a701d2a89910ed2a09adeff15f144f43075174f77ccb29ce8d4ff3

C:\Users\Admin\AppData\Local\Temp\_MEI49962\_queue.pyd

MD5 6fbcd906dcec9ea5b0de160e596c8435
SHA1 974b49881702642415588d0a3c814396262cdf4b
SHA256 fd0be33a0851c8a89adb694358ca7c064aac4454471bf57033f24a91f03e6f4c
SHA512 d8b67d90f38d5488ab9f6c2ea50646f37f8f126d6d2aef6ed4eba5ad7552c8813e33e43ef84d95ac972d4c58c5536ff4c6ae5d9cb5d3b350df6ff48efce169b5

memory/2900-116-0x00007FFF40000000-0x00007FFF40001000-memory.dmp

memory/2900-115-0x000001A226AB0000-0x000001A226AB1000-memory.dmp

memory/2900-113-0x000001A226AB0000-0x000001A226AB1000-memory.dmp

memory/2900-111-0x000001A226AB0000-0x000001A226AB1000-memory.dmp

memory/2900-109-0x000001A226AB0000-0x000001A226AB1000-memory.dmp

memory/2900-107-0x000001A226AB0000-0x000001A226AB1000-memory.dmp

memory/2900-105-0x000001A226AB0000-0x000001A226AB1000-memory.dmp

memory/2900-103-0x000001A226AB0000-0x000001A226AB1000-memory.dmp

memory/2900-93-0x000001A226AB0000-0x000001A226AB1000-memory.dmp

memory/2900-91-0x000001A226AB0000-0x000001A226AB1000-memory.dmp

memory/2900-89-0x000001A226AB0000-0x000001A226AB1000-memory.dmp

memory/2900-87-0x000001A226AB0000-0x000001A226AB1000-memory.dmp

memory/2900-85-0x000001A226AB0000-0x000001A226AB1000-memory.dmp

memory/2900-83-0x000001A226AB0000-0x000001A226AB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49962\license.lic

MD5 320aa573435cfbac84163504b9abf0a6
SHA1 e1ddf425400f081fc4c4b9acf0951c412f9c2f06
SHA256 0814d8054e2897cec2bcb92d9b38350f0a873dd1754e9f94c172033bf6853d71
SHA512 331b182b32cd8370ceca2cc2ce7488b198f6c45171cf448eba8419caa8b2bb9b990779ce5c178ae517528614a8b36525e047ae2357a947042feaa1035e7661c7

memory/2900-74-0x000001A226AB0000-0x000001A226AB1000-memory.dmp

memory/2900-72-0x000001A226AB0000-0x000001A226AB1000-memory.dmp

memory/2900-70-0x000001A226AB0000-0x000001A226AB1000-memory.dmp

memory/2900-68-0x000001A226AB0000-0x000001A226AB1000-memory.dmp

memory/2900-66-0x000001A226AB0000-0x000001A226AB1000-memory.dmp

memory/2900-64-0x000001A226AB0000-0x000001A226AB1000-memory.dmp

memory/2900-62-0x000001A226AB0000-0x000001A226AB1000-memory.dmp

memory/2900-60-0x000001A226AB0000-0x000001A226AB1000-memory.dmp

memory/2900-58-0x000001A226AB0000-0x000001A226AB1000-memory.dmp

memory/2900-56-0x000001A226AB0000-0x000001A226AB1000-memory.dmp

memory/2900-55-0x000001A226AA0000-0x000001A226AA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI49962\pytransform.key

MD5 2bcf75f492f791ef1a45b9e54cbe3170
SHA1 8df4c5ccceda7bebdad76902ea9ca6604d5cfde9
SHA256 59449650714f8f34cbbceb9c4e4ac8070ba77b8b2ba42c18e8945b82de594455
SHA512 185576d8aba1e147ccfaeee4c99ee6d90c1a7aa73a1c14a0aaf9e8f9eef8aeec1f31b7c9c92136f5ab003ec4de64806816c276d5180464cc76416fd24da574f9

C:\Users\Admin\AppData\Local\Temp\_MEI49962\_lzma.pyd

MD5 e5fa638b1374685dbaf5beb12f67d71a
SHA1 1a7d171f66e88da4686f51d25094d85f2dd1577f
SHA256 d58fc7163b58d96a7718733dec3562eb998a17100982bf7453782d01ca27ffd9
SHA512 be71f7050834c631ee12e32f78542156e09f8dfb6b8aa425db9a7267b45175caceb56805db382d85cff80ea9633bcc2c52ac7175cdd33a85002458650c399812

C:\Users\Admin\AppData\Local\Temp\_MEI49962\_bz2.pyd

MD5 f8770b9ea04aeb0b98eb1fab2a1bde84
SHA1 7ac83db9bbc35231e917d522e1140bbacb855aa1
SHA256 18e66c3a2104da1c338c40d7e249382f054e1e76e5a85e481d13052fd62c6cd9
SHA512 7803517b89bfdc027691e495be089466f3aa80bb1efb770ec4619740b9f30ece28ca8bc2d8efabdafbf04fae68a3e24fffa7b4c5e91e3a0a07b1909065ce3924

C:\Users\Admin\AppData\Local\Temp\_MEI49962\unicodedata.pyd

MD5 653d4fbd3a4e8364a37cddf09fd327c3
SHA1 b7b6fc5c4d17ba6c25ed7a06602bfab817ff3732
SHA256 a235b80e70280472c399e42453e35c7c29ae82c6ae54884d7263411b1c350969
SHA512 1672a497a69b80b2fa192422d5879f04a6674541cb1dcc4c95618739a9d845e63513c635c6bfb74163dbb4e7bc213cf6569daadc9f908cd09d997844c0dc4675

C:\Users\Admin\AppData\Local\Temp\_MEI49962\certifi\cacert.pem

MD5 edd513e1d62ca2b059821b8380c19d19
SHA1 7e785afc6a7174f008b8b6e775c91c018d72aee3
SHA256 870068ef78059c5d012a23f715029f1b7db19060e1c65e12c024221f6ac32abd
SHA512 31450f875b46bbbb8e8d2f2e075f82ab4cfe175dadd966be22c66206d5dc2517a870a8cfc46f2f094b6810c09b447bd46354b67c128843b997957522d3cf4f5f

memory/2900-128-0x0000000070A00000-0x0000000070ABE000-memory.dmp

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240419-en

Max time kernel

143s

Max time network

153s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\Leaf.xNet.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\Leaf.xNet.dll",#1

Network

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240426-en

Max time kernel

89s

Max time network

158s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\secproc.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1836 wrote to memory of 3520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1836 wrote to memory of 3520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1836 wrote to memory of 3520 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\secproc.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\secproc.dll",#1

Network

Country Destination Domain Proto
NL 23.62.61.59:443 www.bing.com tcp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 59.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/3520-0-0x00000000012F0000-0x0000000001300000-memory.dmp

memory/3520-1-0x00000000012F0000-0x0000000001300000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240419-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\_discordgenerator.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\vshost\vshost.exe N/A
N/A N/A C:\ProgramData\winst\winst.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4468 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\_discordgenerator.exe C:\ProgramData\vshost\vshost.exe
PID 4468 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\_discordgenerator.exe C:\ProgramData\vshost\vshost.exe
PID 4468 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\_discordgenerator.exe C:\ProgramData\vshost\vshost.exe
PID 4468 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\_discordgenerator.exe C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll
PID 4468 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\_discordgenerator.exe C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll
PID 4468 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\_discordgenerator.exe C:\ProgramData\winst\winst.exe
PID 4468 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\_discordgenerator.exe C:\ProgramData\winst\winst.exe
PID 4468 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\_discordgenerator.exe C:\ProgramData\winst\winst.exe
PID 1256 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll
PID 1256 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll
PID 4488 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll C:\Windows\system32\cmd.exe
PID 4488 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll C:\Windows\system32\cmd.exe
PID 4488 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll C:\Windows\system32\cmd.exe
PID 4488 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll C:\Windows\system32\cmd.exe
PID 4488 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll C:\Windows\system32\cmd.exe
PID 4488 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll C:\Windows\system32\cmd.exe
PID 4488 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll C:\Windows\system32\cmd.exe
PID 4488 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll C:\Windows\system32\cmd.exe
PID 4488 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll C:\Windows\system32\cmd.exe
PID 4488 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\_discordgenerator.exe

"C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\_discordgenerator.exe"

C:\ProgramData\vshost\vshost.exe

C:\ProgramData\\vshost\\vshost.exe ,.

C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll

data32.dll

C:\ProgramData\winst\winst.exe

C:\ProgramData\\winst\\winst.exe bC1jm3ThxSi780xbD20qjKkk4kNslwleuUaLM0KElKp9CjfpNhdMnKXPIX2LIoDw

C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.dll

data32.dll

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c title Discord Generator ^| coded by Nightfall#2512

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c title Discord Generator ^| Proxy: False ^| Threading: False

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 stlaip74566.ddnsgeek.com udp
US 162.216.242.206:80 stlaip74566.ddnsgeek.com tcp
US 8.8.8.8:53 chromedriver.storage.googleapis.com udp
US 8.8.8.8:53 stlaep34621.ddnsgeek.com udp
GB 216.58.201.123:443 chromedriver.storage.googleapis.com tcp
RO 185.247.224.98:443 stlaep34621.ddnsgeek.com tcp
US 8.8.8.8:53 206.242.216.162.in-addr.arpa udp
US 8.8.8.8:53 123.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 98.224.247.185.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 www.gmailnator.com udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

C:\ProgramData\vshost\vshost.exe

MD5 4e6a7ee0e286ab61d36c26bd38996821
SHA1 820674b4c75290f8f667764bfb474ca8c1242732
SHA256 f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3
SHA512 f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a

C:\ProgramData\winst\winst.exe

MD5 59238144771807b1cbc407b250d6b2c3
SHA1 6c9f87cca7e857e888cb19ea45cf82d2e2d29695
SHA256 8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b
SHA512 cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220

C:\Users\Admin\AppData\Local\Temp\_MEI12562\ucrtbase.dll

MD5 61eb0ad4c285b60732353a0cb5c9b2ab
SHA1 21a1bea01f6ca7e9828a522c696853706d0a457b
SHA256 10521fe73fe05f2ba95d40757d9f676f2091e2ed578da9d5cdef352f986f3bcd
SHA512 44cd871f48b5193abb3b9664dbea8cdad19e72c47b6967c685cf1cc803bc9abb48a8a93009c972ef4936e7f78e3c92110828790aa0a9d26b80e6a523bbcd830d

C:\Users\Admin\AppData\Local\Temp\_MEI12562\python37.dll

MD5 86af9b888a72bdceb8fd8ed54975edd5
SHA1 c9d67c9243f818c0a8cc279267cca44d9995f0cf
SHA256 e11aa3893597d7c408349ebb11f47a24e388fd702c4d38b5d6f363f7ad6e8e5f
SHA512 5d8fd9040f466e23af7f17772e3769ad83c5f55f8c70dcc3cfb1f827e105f0f4e6133f0e183fabc67dd44799495c47f931bf92546342b30b9c4a5c2b4aeee7c7

C:\Users\Admin\AppData\Local\Temp\_MEI12562\base_library.zip

MD5 eb723b4c1b48d3e8969ff3f4d897b79e
SHA1 a03479e7a916d0ee5e3647322307aceb0b1c30b9
SHA256 ed6356556e3a86b92f9995bce5b1c3182d5df8976a2ca2e400ebf4eaed592ef5
SHA512 4c9902b5698e4e3d8837d594e337a6696ce03d9f6d0d3fc7f5f144c53c2fb7494ac10d303ea597c25c159076f74a7b7c59eb2d29db068878ab6f4bbb510fd13f

C:\Users\Admin\AppData\Local\Temp\_MEI12562\VCRUNTIME140.dll

MD5 0e675d4a7a5b7ccd69013386793f68eb
SHA1 6e5821ddd8fea6681bda4448816f39984a33596b
SHA256 bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512 cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

C:\Users\Admin\AppData\Local\Temp\_MEI12562\_ctypes.pyd

MD5 9a69561e94859bc3411c6499bc46c4bd
SHA1 3fa5bc2d4ffc23c4c383252c51098d6211949b99
SHA256 6bbde732c5bcb89455f43f370a444bb6bca321825de56f9a1f2e947b0a006f1c
SHA512 31d9e3844f1b8e72ec80acd1e224a94d11039c130e69c498a668e07e0d8bba8d1ed1ebe0b7a16376ca597d0e2b74a0d5e3bf53d1cbadf5bf099d3bf78db659a4

C:\Users\Admin\AppData\Local\Temp\_MEI12562\pywintypes37.dll

MD5 77b6875977e77c4619bbb471d5eaf790
SHA1 f08c3bc5e918c0a197fbfd1b15e7c0491bd5fade
SHA256 780a72ba3215ff413d5a9e98861d8bb87c15c43a75bb81dc985034ae7dcf5ef6
SHA512 783939fc97b2445dfe7e21eb6b71711aba6d85e275e489eddcc4f20c2ed018678d8d14c9e1856f66e3876f318312d69c22cee77f9105a72e56a1be4f3e8a7c2e

C:\Users\Admin\AppData\Local\Temp\_MEI12562\libssl-1_1.dll

MD5 fe1f3632af98e7b7a2799e3973ba03cf
SHA1 353c7382e2de3ccdd2a4911e9e158e7c78648496
SHA256 1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b
SHA512 a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0

C:\Users\Admin\AppData\Local\Temp\_MEI12562\select.pyd

MD5 e1d0d18a0dd8e82f9b677a86d32e3124
SHA1 96a00541d86d03529b55c1ac5ff1c6cfb5e91d1e
SHA256 4595675949851bd0ff65521e936647fcc5c8d2f32f0ac2641a262fb6323896dd
SHA512 38e3b6b23ebcbdc60eeeed0bf3dddc69004a1ccd4a2486f3a9f8c0d4624b690e2e5704e3fe05bf1bf2c900bf4f5bc9439f45f3c02fd4c67783056b3da15e0f56

C:\Users\Admin\AppData\Local\Temp\_MEI12562\_lzma.pyd

MD5 16fb5a2363ce8dd12a65a9823a517b59
SHA1 59979d9195259f48c678cdaa36b5efee13472ff5
SHA256 bb78ca0dd1478027e2e9f06f56fc7c3cc6f157b4151562d58a7f6646e463fcc2
SHA512 d9801cdd8cc9809781b79882a226ee7a56d93eac0181295c80cb1f088f0fbf46e3eb35c7d8ff208dbd5a3e93a190a04c48fd254c9971a3740b020547973683e1

C:\Users\Admin\AppData\Local\Temp\_MEI12562\_hashlib.pyd

MD5 1f77f7a5f36c48e7c596e7031c80e4ff
SHA1 79f86e31203b60b3388047e39a2a26275da411f5
SHA256 30dfbd97883b1545513ca5bb857a9aad6e9bf4b8b4272569818346eaf25033f7
SHA512 b647e820ae4854921839a6cc92610fd63ef79623d442fd17503a39ca145dfd6cde3719c50473c0c74fe487f980b12e90bd3d3beb5729fa5498a357d44f81809c

C:\Users\Admin\AppData\Local\Temp\_MEI12562\_queue.pyd

MD5 94b57996008875822a0b13fa089ae513
SHA1 340ab82c3653c7e664f28d2dffb6863f1df20709
SHA256 28136612834be0dd236f085f46c1d9b8a1830b9c073557464e22bc006d81e494
SHA512 aa9db065609dbae700a5c04266afa99ef838a9f5dc58acdca1c9b95c5d845195cfce895b81d718e761e69b5cfaeb71e9e8450fb76c590f991850e67f65b32abe

C:\Users\Admin\AppData\Local\Temp\_MEI12562\unicodedata.pyd

MD5 23bba751c8a182262856eeba20db3341
SHA1 0120468629aa035d92ebdf97f9f32a02085fbccf
SHA256 96eafcb208518f6df0674ef6f1a48f4687eb73f785c87b11cb4a52dcf1ce5c66
SHA512 482fdb6f542be27d6bf3b41bc7aa7d7fda3077cd763f32bb25e0c50cf8ae11ebd8173d18cb0a52126b2150fc737109d384971298e8e2cf8a199ad1f1956d9326

C:\Users\Admin\AppData\Local\Temp\_MEI12562\certifi\cacert.pem

MD5 1ba3b44f73a6b25711063ea5232f4883
SHA1 1b1a84804f896b7085924f8bf0431721f3b5bdbe
SHA256 bb77f13d3fbec9e98bbf28ac95046b44196c7d8f55ab7720061e99991a829197
SHA512 0dd2a14331308b1de757d56fab43678431e0ad6f5f5b12c32fa515d142bd955f8be690b724e07f41951dd03c9fee00e604f4e0b9309da3ea438c8e9b56ca581b

C:\Users\Admin\AppData\Local\Temp\_MEI12562\selenium\webdriver\remote\isDisplayed.js

MD5 313589fe40cbb546415aec5377da0e7d
SHA1 bc2b6e547b1da94682e379af1ea11579e26de65b
SHA256 c1a04024e5414fca8c1deedb452be77a8b9d13bb3cf67ff4230d5983537a3096
SHA512 bbdfa98ecd07a27f20966b5eb0cdcc0fac6085bebd6868a061563d210262f61d630b823e6eabd3217175b7f01516cda9c162adbfe063130d6510e0a3f4be2f7d

C:\Users\Admin\AppData\Local\Temp\_MEI12562\selenium\webdriver\remote\getAttribute.js

MD5 e6b3169414f3b9c47a9b826bb71a0337
SHA1 d22278a492d03863ce51569482dcfb30a0b006e9
SHA256 1198a9999dde24dd2da0d9877cc2e8f8dd70bfdaeee0b5012b24e5474b50e88c
SHA512 bf9e48caf03e19274b5020d5eae6a3d6d75b611676f307346cf28117da71410e6022a72da0f82a8f2c6ca06a2c503c8e6528c6a164c4fb488c5195d6aa3e3819

C:\Users\Admin\AppData\Local\Temp\_MEI12562\lxml\_elementpath.cp37-win_amd64.pyd

MD5 3702f8ff3e1af9be72126683fca3a1ce
SHA1 82e6be08797fcd9558cb3e7759c0e3de2ffcea88
SHA256 28fd0337a5251d409d8d8d27383f682ba63b3d52bd0691a22a90b208e23b4f93
SHA512 d18ffd06d6580b52d07749bd6f2927bc1bc445c3a7c8267288b9e4f00de321ad897959519e1aed199e36ff7008be26cc7af486bab0b2c7433a9c72c349a24713

C:\Users\Admin\AppData\Local\Temp\_MEI12562\lxml\etree.cp37-win_amd64.pyd

MD5 e685bf02d3b11fa4715a94107a7292be
SHA1 b5822fda8f6ae3b7c5117c524584a490c6e95c91
SHA256 04db5dfd6b41b3245b86d4f97e96664d0199ae2af755b71e011a4e0e92124633
SHA512 c6118cf72c6cadb68b33e37197ac64cf5151f3266e8059619e2a30fc7a12bc9176e2b2a2a8257a7b0a68c96665b566c606ab294e8798d578a62957fe34cf65f0

C:\Users\Admin\AppData\Local\Temp\_MEI12562\pyexpat.pyd

MD5 ebf42794afd81d3a158f1d4eb4096483
SHA1 9c49d840a600d126b1d0b3a294218f82c2292c8d
SHA256 0cb9ae2dfd64c291de65aee89a524a0bbfe7755c34c8215e8b47a4f409ef3743
SHA512 28db296525d48e970c40bf267523dfdcd823fbd471e606b97cd61af373af9d42bb72765f846df4bf33457124fd1a039e7e06b5e6e863503a26a3efc9b15078f0

C:\Users\Admin\AppData\Local\Temp\_MEI12562\_elementtree.pyd

MD5 80788d9c36aa4f950d1a71518abfa5fc
SHA1 3bcf2f8df698160d01c74f934ab4c06555ae1f8c
SHA256 75b93ebab7de27022d1d9f468c5051be5ac64b436b6a10928d75b3de19dbcb6b
SHA512 f26187e364c80c5ff423699fbcf62a8035969592a6da339c80fa862185f1f2e674c44325321c6643cb6cb7e2034623e04603a9491d1e8f06a4063efbf85ef48e

C:\Users\Admin\AppData\Local\Temp\_MEI12562\_bz2.pyd

MD5 8b40a68ae537c0aab25a8b30b10ab098
SHA1 1c8ac1f7f5c3697c457dd98f05296c2354ff7f55
SHA256 0b86ef4810d53e79f1d934b427fdbacf3792eebb37ed241bc89148238af763fa
SHA512 620ad61ff05c73adee4ac8f4b88a3880c11893eaac77ccca4e88edb29b492366a5bcf813d18628f005730f7e45ce373af9275776ea768b67b8d0e3bc62949229

C:\Users\Admin\AppData\Local\Temp\_MEI12562\_socket.pyd

MD5 0ea1df6137ee3369546a806a175aecf4
SHA1 95fd1ad45892cb9e655bfa62ca1be80a0b9b2d43
SHA256 6fcc31573ae6b380db1d4e23731755465fd2cee0856e7a6c0e396759bcbf73b5
SHA512 6497fdb86ac69f6551a7794c090ca695bf22eb647b7a503fa23d7944ad375f061429f17e2ea043c809460e7cb9fc3df77c7bfe0b64f00ddd65de1aa744d3adcb

C:\Users\Admin\AppData\Local\Temp\_MEI12562\libcrypto-1_1.dll

MD5 bf83f8ad60cb9db462ce62c73208a30d
SHA1 f1bc7dbc1e5b00426a51878719196d78981674c4
SHA256 012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d
SHA512 ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

C:\Users\Admin\AppData\Local\Temp\_MEI12562\_ssl.pyd

MD5 0e970f3353e65094165edcdfcaf1c299
SHA1 e86d2c4723ae09890f69ab1a6f4a1a935dc0a0e7
SHA256 4fed9f05da139d66e0582b47c20ee91c91be44d379c225f89b22462bedc989d3
SHA512 4621d1add268f9aadf0119055d6cce23739eec969ab031fc0a510c40cf4cce60230a89735fd85c38f28c22ed9dc829ff294ef48590fc56191464e1fec1fa4595

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240419-en

Max time kernel

147s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\libcef.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\libcef.exe

"C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\libcef.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 stlaip74566.ddnsgeek.com udp
US 162.216.242.206:80 stlaip74566.ddnsgeek.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 stlaep34621.ddnsgeek.com udp
RO 185.247.224.98:443 stlaep34621.ddnsgeek.com tcp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 206.242.216.162.in-addr.arpa udp
US 8.8.8.8:53 98.224.247.185.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240419-en

Max time kernel

65s

Max time network

54s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\xNet.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\xNet.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 g.bing.com udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240426-en

Max time kernel

90s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\Discord Nitro - TZ Cracking.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\vshost\vshost.exe N/A
N/A N/A C:\ProgramData\winst\winst.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\Discord Nitro - TZ Cracking.exe

"C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\Discord Nitro - TZ Cracking.exe"

C:\ProgramData\vshost\vshost.exe

C:\ProgramData\\vshost\\vshost.exe ,.

C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\database32.cfg

database32.cfg

C:\ProgramData\winst\winst.exe

C:\ProgramData\\winst\\winst.exe oe58xMNkKU11UepyEs3u77yYHY7srJMJ4RqUywPyZJuxW9lwiAFxsMPksmoTu3WS

Network

Country Destination Domain Proto
US 8.8.8.8:53 stlaip74566.ddnsgeek.com udp
US 162.216.242.206:80 stlaip74566.ddnsgeek.com tcp
US 8.8.8.8:53 stlaep34621.ddnsgeek.com udp
RO 185.247.224.98:443 stlaep34621.ddnsgeek.com tcp
US 8.8.8.8:53 98.224.247.185.in-addr.arpa udp
US 8.8.8.8:53 206.242.216.162.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\ProgramData\vshost\vshost.exe

MD5 4e6a7ee0e286ab61d36c26bd38996821
SHA1 820674b4c75290f8f667764bfb474ca8c1242732
SHA256 f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3
SHA512 f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a

C:\ProgramData\winst\winst.exe

MD5 59238144771807b1cbc407b250d6b2c3
SHA1 6c9f87cca7e857e888cb19ea45cf82d2e2d29695
SHA256 8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b
SHA512 cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240419-en

Max time kernel

65s

Max time network

60s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DiscoBot v2 By Psy\libcef.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DiscoBot v2 By Psy\libcef.exe

"C:\Users\Admin\AppData\Local\Temp\DiscoBot v2 By Psy\libcef.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 stlaip74566.ddnsgeek.com udp
US 8.8.8.8:53 staekp63472.ddnsgeek.com udp
US 8.8.8.8:53 stlaip578223.ddnsgeek.com udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240426-en

Max time kernel

101s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\CefSharp.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\CefSharp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\CefSharp.exe

"C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\CefSharp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.193:443 www.bing.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.135.233:443 discordapp.com tcp
US 8.8.8.8:53 193.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
NL 23.62.61.193:443 www.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp

Files

memory/5616-0-0x0000000000470000-0x000000000047C000-memory.dmp

memory/5616-1-0x00000000750D0000-0x0000000075880000-memory.dmp

memory/5616-2-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

memory/5616-4-0x00000000750D0000-0x0000000075880000-memory.dmp

memory/5616-5-0x0000000004ED0000-0x0000000004EE0000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240426-en

Max time kernel

103s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\Token Checker.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\vshost\vshost.exe N/A
N/A N/A C:\ProgramData\winst\winst.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\CefSharp.cfg N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4884 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\Token Checker.exe C:\ProgramData\vshost\vshost.exe
PID 4884 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\Token Checker.exe C:\ProgramData\vshost\vshost.exe
PID 4884 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\Token Checker.exe C:\ProgramData\vshost\vshost.exe
PID 4884 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\Token Checker.exe C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\CefSharp.cfg
PID 4884 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\Token Checker.exe C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\CefSharp.cfg
PID 4884 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\Token Checker.exe C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\CefSharp.cfg
PID 4884 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\Token Checker.exe C:\ProgramData\winst\winst.exe
PID 4884 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\Token Checker.exe C:\ProgramData\winst\winst.exe
PID 4884 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\Token Checker.exe C:\ProgramData\winst\winst.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\Token Checker.exe

"C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\Token Checker.exe"

C:\ProgramData\vshost\vshost.exe

C:\ProgramData\\vshost\\vshost.exe ,.

C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\CefSharp.cfg

CefSharp.cfg

C:\ProgramData\winst\winst.exe

C:\ProgramData\\winst\\winst.exe u4bty6QwVuBS0x5H9n42DV5Ms9ZtKJkxoKy4OKYlNIYsCMduDyYR0NkQfinieGBh

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.106:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 stlaip74566.ddnsgeek.com udp
US 162.216.242.206:80 stlaip74566.ddnsgeek.com tcp
US 8.8.8.8:53 discordapp.com udp
US 162.159.129.233:443 discordapp.com tcp
US 8.8.8.8:53 stlaep34621.ddnsgeek.com udp
RO 185.247.224.98:443 stlaep34621.ddnsgeek.com tcp
US 8.8.8.8:53 106.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 206.242.216.162.in-addr.arpa udp
US 8.8.8.8:53 98.224.247.185.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\ProgramData\vshost\vshost.exe

MD5 4e6a7ee0e286ab61d36c26bd38996821
SHA1 820674b4c75290f8f667764bfb474ca8c1242732
SHA256 f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3
SHA512 f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a

C:\ProgramData\winst\winst.exe

MD5 59238144771807b1cbc407b250d6b2c3
SHA1 6c9f87cca7e857e888cb19ea45cf82d2e2d29695
SHA256 8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b
SHA512 cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220

memory/4436-14-0x00000000008B0000-0x00000000008BC000-memory.dmp

memory/4436-15-0x0000000073930000-0x00000000740E0000-memory.dmp

memory/4436-16-0x00000000051F0000-0x0000000005200000-memory.dmp

memory/4436-18-0x0000000073930000-0x00000000740E0000-memory.dmp

memory/4436-19-0x00000000051F0000-0x0000000005200000-memory.dmp

memory/4436-21-0x0000000073930000-0x00000000740E0000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240419-en

Max time kernel

65s

Max time network

59s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\libcef.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\libcef.exe

"C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\libcef.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 stlaip74566.ddnsgeek.com udp
US 8.8.8.8:53 staekp63472.ddnsgeek.com udp
US 8.8.8.8:53 stlaip578223.ddnsgeek.com udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240419-en

Max time kernel

53s

Max time network

55s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.exe

"C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.exe"

C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.exe

"C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\data32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 chromedriver.storage.googleapis.com udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI40802\ucrtbase.dll

MD5 61eb0ad4c285b60732353a0cb5c9b2ab
SHA1 21a1bea01f6ca7e9828a522c696853706d0a457b
SHA256 10521fe73fe05f2ba95d40757d9f676f2091e2ed578da9d5cdef352f986f3bcd
SHA512 44cd871f48b5193abb3b9664dbea8cdad19e72c47b6967c685cf1cc803bc9abb48a8a93009c972ef4936e7f78e3c92110828790aa0a9d26b80e6a523bbcd830d

C:\Users\Admin\AppData\Local\Temp\_MEI40802\python37.dll

MD5 86af9b888a72bdceb8fd8ed54975edd5
SHA1 c9d67c9243f818c0a8cc279267cca44d9995f0cf
SHA256 e11aa3893597d7c408349ebb11f47a24e388fd702c4d38b5d6f363f7ad6e8e5f
SHA512 5d8fd9040f466e23af7f17772e3769ad83c5f55f8c70dcc3cfb1f827e105f0f4e6133f0e183fabc67dd44799495c47f931bf92546342b30b9c4a5c2b4aeee7c7

C:\Users\Admin\AppData\Local\Temp\_MEI40802\VCRUNTIME140.dll

MD5 0e675d4a7a5b7ccd69013386793f68eb
SHA1 6e5821ddd8fea6681bda4448816f39984a33596b
SHA256 bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512 cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

C:\Users\Admin\AppData\Local\Temp\_MEI40802\base_library.zip

MD5 eb723b4c1b48d3e8969ff3f4d897b79e
SHA1 a03479e7a916d0ee5e3647322307aceb0b1c30b9
SHA256 ed6356556e3a86b92f9995bce5b1c3182d5df8976a2ca2e400ebf4eaed592ef5
SHA512 4c9902b5698e4e3d8837d594e337a6696ce03d9f6d0d3fc7f5f144c53c2fb7494ac10d303ea597c25c159076f74a7b7c59eb2d29db068878ab6f4bbb510fd13f

C:\Users\Admin\AppData\Local\Temp\_MEI40802\_ctypes.pyd

MD5 9a69561e94859bc3411c6499bc46c4bd
SHA1 3fa5bc2d4ffc23c4c383252c51098d6211949b99
SHA256 6bbde732c5bcb89455f43f370a444bb6bca321825de56f9a1f2e947b0a006f1c
SHA512 31d9e3844f1b8e72ec80acd1e224a94d11039c130e69c498a668e07e0d8bba8d1ed1ebe0b7a16376ca597d0e2b74a0d5e3bf53d1cbadf5bf099d3bf78db659a4

C:\Users\Admin\AppData\Local\Temp\_MEI40802\pywintypes37.dll

MD5 77b6875977e77c4619bbb471d5eaf790
SHA1 f08c3bc5e918c0a197fbfd1b15e7c0491bd5fade
SHA256 780a72ba3215ff413d5a9e98861d8bb87c15c43a75bb81dc985034ae7dcf5ef6
SHA512 783939fc97b2445dfe7e21eb6b71711aba6d85e275e489eddcc4f20c2ed018678d8d14c9e1856f66e3876f318312d69c22cee77f9105a72e56a1be4f3e8a7c2e

C:\Users\Admin\AppData\Local\Temp\_MEI40802\libcrypto-1_1.dll

MD5 bf83f8ad60cb9db462ce62c73208a30d
SHA1 f1bc7dbc1e5b00426a51878719196d78981674c4
SHA256 012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d
SHA512 ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

C:\Users\Admin\AppData\Local\Temp\_MEI40802\_socket.pyd

MD5 0ea1df6137ee3369546a806a175aecf4
SHA1 95fd1ad45892cb9e655bfa62ca1be80a0b9b2d43
SHA256 6fcc31573ae6b380db1d4e23731755465fd2cee0856e7a6c0e396759bcbf73b5
SHA512 6497fdb86ac69f6551a7794c090ca695bf22eb647b7a503fa23d7944ad375f061429f17e2ea043c809460e7cb9fc3df77c7bfe0b64f00ddd65de1aa744d3adcb

C:\Users\Admin\AppData\Local\Temp\_MEI40802\select.pyd

MD5 e1d0d18a0dd8e82f9b677a86d32e3124
SHA1 96a00541d86d03529b55c1ac5ff1c6cfb5e91d1e
SHA256 4595675949851bd0ff65521e936647fcc5c8d2f32f0ac2641a262fb6323896dd
SHA512 38e3b6b23ebcbdc60eeeed0bf3dddc69004a1ccd4a2486f3a9f8c0d4624b690e2e5704e3fe05bf1bf2c900bf4f5bc9439f45f3c02fd4c67783056b3da15e0f56

C:\Users\Admin\AppData\Local\Temp\_MEI40802\_bz2.pyd

MD5 8b40a68ae537c0aab25a8b30b10ab098
SHA1 1c8ac1f7f5c3697c457dd98f05296c2354ff7f55
SHA256 0b86ef4810d53e79f1d934b427fdbacf3792eebb37ed241bc89148238af763fa
SHA512 620ad61ff05c73adee4ac8f4b88a3880c11893eaac77ccca4e88edb29b492366a5bcf813d18628f005730f7e45ce373af9275776ea768b67b8d0e3bc62949229

C:\Users\Admin\AppData\Local\Temp\_MEI40802\_hashlib.pyd

MD5 1f77f7a5f36c48e7c596e7031c80e4ff
SHA1 79f86e31203b60b3388047e39a2a26275da411f5
SHA256 30dfbd97883b1545513ca5bb857a9aad6e9bf4b8b4272569818346eaf25033f7
SHA512 b647e820ae4854921839a6cc92610fd63ef79623d442fd17503a39ca145dfd6cde3719c50473c0c74fe487f980b12e90bd3d3beb5729fa5498a357d44f81809c

C:\Users\Admin\AppData\Local\Temp\_MEI40802\_queue.pyd

MD5 94b57996008875822a0b13fa089ae513
SHA1 340ab82c3653c7e664f28d2dffb6863f1df20709
SHA256 28136612834be0dd236f085f46c1d9b8a1830b9c073557464e22bc006d81e494
SHA512 aa9db065609dbae700a5c04266afa99ef838a9f5dc58acdca1c9b95c5d845195cfce895b81d718e761e69b5cfaeb71e9e8450fb76c590f991850e67f65b32abe

C:\Users\Admin\AppData\Local\Temp\_MEI40802\unicodedata.pyd

MD5 23bba751c8a182262856eeba20db3341
SHA1 0120468629aa035d92ebdf97f9f32a02085fbccf
SHA256 96eafcb208518f6df0674ef6f1a48f4687eb73f785c87b11cb4a52dcf1ce5c66
SHA512 482fdb6f542be27d6bf3b41bc7aa7d7fda3077cd763f32bb25e0c50cf8ae11ebd8173d18cb0a52126b2150fc737109d384971298e8e2cf8a199ad1f1956d9326

C:\Users\Admin\AppData\Local\Temp\_MEI40802\certifi\cacert.pem

MD5 1ba3b44f73a6b25711063ea5232f4883
SHA1 1b1a84804f896b7085924f8bf0431721f3b5bdbe
SHA256 bb77f13d3fbec9e98bbf28ac95046b44196c7d8f55ab7720061e99991a829197
SHA512 0dd2a14331308b1de757d56fab43678431e0ad6f5f5b12c32fa515d142bd955f8be690b724e07f41951dd03c9fee00e604f4e0b9309da3ea438c8e9b56ca581b

C:\Users\Admin\AppData\Local\Temp\_MEI40802\selenium\webdriver\remote\isDisplayed.js

MD5 313589fe40cbb546415aec5377da0e7d
SHA1 bc2b6e547b1da94682e379af1ea11579e26de65b
SHA256 c1a04024e5414fca8c1deedb452be77a8b9d13bb3cf67ff4230d5983537a3096
SHA512 bbdfa98ecd07a27f20966b5eb0cdcc0fac6085bebd6868a061563d210262f61d630b823e6eabd3217175b7f01516cda9c162adbfe063130d6510e0a3f4be2f7d

C:\Users\Admin\AppData\Local\Temp\_MEI40802\selenium\webdriver\remote\getAttribute.js

MD5 e6b3169414f3b9c47a9b826bb71a0337
SHA1 d22278a492d03863ce51569482dcfb30a0b006e9
SHA256 1198a9999dde24dd2da0d9877cc2e8f8dd70bfdaeee0b5012b24e5474b50e88c
SHA512 bf9e48caf03e19274b5020d5eae6a3d6d75b611676f307346cf28117da71410e6022a72da0f82a8f2c6ca06a2c503c8e6528c6a164c4fb488c5195d6aa3e3819

C:\Users\Admin\AppData\Local\Temp\_MEI40802\_lzma.pyd

MD5 16fb5a2363ce8dd12a65a9823a517b59
SHA1 59979d9195259f48c678cdaa36b5efee13472ff5
SHA256 bb78ca0dd1478027e2e9f06f56fc7c3cc6f157b4151562d58a7f6646e463fcc2
SHA512 d9801cdd8cc9809781b79882a226ee7a56d93eac0181295c80cb1f088f0fbf46e3eb35c7d8ff208dbd5a3e93a190a04c48fd254c9971a3740b020547973683e1

C:\Users\Admin\AppData\Local\Temp\_MEI40802\libssl-1_1.dll

MD5 fe1f3632af98e7b7a2799e3973ba03cf
SHA1 353c7382e2de3ccdd2a4911e9e158e7c78648496
SHA256 1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b
SHA512 a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0

C:\Users\Admin\AppData\Local\Temp\_MEI40802\_ssl.pyd

MD5 0e970f3353e65094165edcdfcaf1c299
SHA1 e86d2c4723ae09890f69ab1a6f4a1a935dc0a0e7
SHA256 4fed9f05da139d66e0582b47c20ee91c91be44d379c225f89b22462bedc989d3
SHA512 4621d1add268f9aadf0119055d6cce23739eec969ab031fc0a510c40cf4cce60230a89735fd85c38f28c22ed9dc829ff294ef48590fc56191464e1fec1fa4595

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240426-en

Max time kernel

89s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\database32.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\database32.exe

"C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\database32.exe"

Network

Country Destination Domain Proto
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 g.bing.com udp
NL 23.62.61.59:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.61.62.23.in-addr.arpa udp
NL 23.62.61.59:443 www.bing.com tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240419-en

Max time kernel

65s

Max time network

56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\libcef.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\libcef.exe

"C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\libcef.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 stlaip74566.ddnsgeek.com udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 staekp63472.ddnsgeek.com udp
US 8.8.8.8:53 stlaip578223.ddnsgeek.com udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240419-en

Max time kernel

53s

Max time network

58s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\database32.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\database32.exe

"C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\database32.exe"

Network

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240419-en

Max time kernel

65s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DiscoBot v2 By Psy\bin32.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DiscoBot v2 By Psy\bin32.exe

"C:\Users\Admin\AppData\Local\Temp\DiscoBot v2 By Psy\bin32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 g.bing.com udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\database32.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\database32.exe

"C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\database32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.57:443 www.bing.com tcp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240419-en

Max time kernel

138s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\libGLESV2.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\libGLESV2.exe

"C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\libGLESV2.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
NL 23.62.61.177:443 www.bing.com tcp
US 8.8.8.8:53 177.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240426-en

Max time kernel

143s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\Qt5Core.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\Qt5Core.exe

"C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\Qt5Core.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.138:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 138.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
NL 23.62.61.138:443 www.bing.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240419-en

Max time kernel

143s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.exe

"C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.exe"

C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.exe

"C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\data.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI16402\python37.dll

MD5 5d8c22938d89077f64537a9d09cf6fd5
SHA1 15971f1b4bc2420eafbd40b0cd3fc4d2af204ec4
SHA256 8eb835d88e72e998b82916fb20a252af615d6e641827e013411239d115d5dd69
SHA512 dbd1febd18e29eab046b98f6b970e35e040adddead81561c0d165a1353a124d1dc26f3b3f5aa9ef0cb8e813baa8fc706514c0350c6428f25c5e5c050773b7d31

C:\Users\Admin\AppData\Local\Temp\_MEI16402\VCRUNTIME140.dll

MD5 0e675d4a7a5b7ccd69013386793f68eb
SHA1 6e5821ddd8fea6681bda4448816f39984a33596b
SHA256 bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512 cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

C:\Users\Admin\AppData\Local\Temp\_MEI16402\base_library.zip

MD5 770e57194dd00a1819d4397ab3a99a01
SHA1 dbe4fe0a51cab572e5e39cdfd47289a9a3258342
SHA256 90899a12994ee4b850d2119a7a5f947b3baca07500568e9385c9f160139fbbf7
SHA512 cb4e992c1da0a9dde1549e7eaf85d9725b9d395e97f4934ad215d934a6c8d0c7ab705a948c5e97d9338fc535a531dea31d3f4a30f07fffc70bf3598996a1b223

C:\Users\Admin\AppData\Local\Temp\_MEI16402\_ctypes.pyd

MD5 bf9d0771209cfbeb520c9e093d105d18
SHA1 72551b0f452bb144e528513033cbd755ab3e07ed
SHA256 d8b8cd706d524ab152d1f8f44f239487b89ee9c32bc692f6d2bdc84073ba56a0
SHA512 a94f99052058c1c2e1e680acae7167d3e5fd9aea18983ab6daac59878c3f7c33205ecf2ac69aa5db25af18654fc0141a569175b0c5c60d5fb469c011c6fb81f2

C:\Users\Admin\AppData\Local\Temp\_MEI16402\_ssl.pyd

MD5 3f332e60605790a55cc349fe04ec6c10
SHA1 e33b47855a3e2f8b2a0aa2d15de1e0cd3d668667
SHA256 ddd2a2734b1fb2d3881a8c05ad578cf9121549a8616b7d9fafb529c92597548e
SHA512 f403f300a849d82bc10f4d72d0c32cf10d037bce46f2c8434f8a5f7b8d8bb873ad0be0bcefb2dce97de23b54365e4ad7decfed76e8b064f5a9c8ffb104ae01f3

C:\Users\Admin\AppData\Local\Temp\_MEI16402\libcrypto-1_1.dll

MD5 925b0753ee5a1ffafe647f988683b0a2
SHA1 7f1862d04c8c8d7c69f9865b462f0e995e25aab5
SHA256 95e3e9a86da6de563340b419962fc05f59038f32924b79d59e121bdd5e260a3a
SHA512 1e06e5d0177789175fb3f9bcac5a85a8caf1cc1609797ef823a56f420a01904b4cde240aabe0df42c57a0f3f6c69385f16539f01cf54632bd2894cd56f956bfb

C:\Users\Admin\AppData\Local\Temp\_MEI16402\libssl-1_1.dll

MD5 90e6e4d388505d86eaf094ade0ab080c
SHA1 22b437a1702e4c45a8771ea4aae7b12f58f04769
SHA256 0c9573ee96059fb5746769163f445e936b780090d17b0d1ef415e9e837434dc1
SHA512 dcf8e1c8c79a4484056d546b38bed20445c8d87858298d9e0362e2f1acb42921282e35ebdd854ec98cd339d6304d0e6654c60c821542d16d5ee75bbf21e25e3c

C:\Users\Admin\AppData\Local\Temp\_MEI16402\_socket.pyd

MD5 cfb4527e80439fd4b20164f8a2e2b6e4
SHA1 93bb7f5bbc90f7c09e72ed3087fffc72985a5254
SHA256 b6f45e053997359f1932b0bd10cd46ff02f84b85d0ecc93dea97430693683c7e
SHA512 800417aba1e4524e06ef12be654048e17d699cd2733143d3e5f1a9f700268f181922525940537ab526b7d924a2e9db5d3282b4ef8adf49d314fa1bd055e6d652

C:\Users\Admin\AppData\Local\Temp\_MEI16402\select.pyd

MD5 7867a50c9bb0c3d2aa9e9cc05fdb54ff
SHA1 6d7d895673b9b4ad2f8dfae34e001be1d5f270f2
SHA256 e9b612e38e6a1b6af89253a6ce5f63d85f9d7d98c940bb63fba5ce99d2f31071
SHA512 6959544b0c2d0701f4d4414f07b8a6c100dd2985b3ccddabcb724842b322078ee07a607783e2649c00db20fc65897dd9222bf84b7c3082f61269fc2c8bc4e144

memory/4440-44-0x000001BBBD870000-0x000001BBBD871000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI16402\_hashlib.pyd

MD5 7391051923fee611c474fcfbf3f7f548
SHA1 5f284a87c18900515606a952bf2476e0c42066ad
SHA256 02753c507c95d2d434fa6499cfd6390ec98bffac6799d664148297334ea25575
SHA512 a3567bad9dc165af0359076f13ba1d0da68c9105e6555589a433a74644eebd082ce508d444a701d2a89910ed2a09adeff15f144f43075174f77ccb29ce8d4ff3

C:\Users\Admin\AppData\Local\Temp\_MEI16402\_bz2.pyd

MD5 f8770b9ea04aeb0b98eb1fab2a1bde84
SHA1 7ac83db9bbc35231e917d522e1140bbacb855aa1
SHA256 18e66c3a2104da1c338c40d7e249382f054e1e76e5a85e481d13052fd62c6cd9
SHA512 7803517b89bfdc027691e495be089466f3aa80bb1efb770ec4619740b9f30ece28ca8bc2d8efabdafbf04fae68a3e24fffa7b4c5e91e3a0a07b1909065ce3924

C:\Users\Admin\AppData\Local\Temp\_MEI16402\_lzma.pyd

MD5 e5fa638b1374685dbaf5beb12f67d71a
SHA1 1a7d171f66e88da4686f51d25094d85f2dd1577f
SHA256 d58fc7163b58d96a7718733dec3562eb998a17100982bf7453782d01ca27ffd9
SHA512 be71f7050834c631ee12e32f78542156e09f8dfb6b8aa425db9a7267b45175caceb56805db382d85cff80ea9633bcc2c52ac7175cdd33a85002458650c399812

C:\Users\Admin\AppData\Local\Temp\_MEI16402\unicodedata.pyd

MD5 653d4fbd3a4e8364a37cddf09fd327c3
SHA1 b7b6fc5c4d17ba6c25ed7a06602bfab817ff3732
SHA256 a235b80e70280472c399e42453e35c7c29ae82c6ae54884d7263411b1c350969
SHA512 1672a497a69b80b2fa192422d5879f04a6674541cb1dcc4c95618739a9d845e63513c635c6bfb74163dbb4e7bc213cf6569daadc9f908cd09d997844c0dc4675

C:\Users\Admin\AppData\Local\Temp\_MEI16402\certifi\cacert.pem

MD5 edd513e1d62ca2b059821b8380c19d19
SHA1 7e785afc6a7174f008b8b6e775c91c018d72aee3
SHA256 870068ef78059c5d012a23f715029f1b7db19060e1c65e12c024221f6ac32abd
SHA512 31450f875b46bbbb8e8d2f2e075f82ab4cfe175dadd966be22c66206d5dc2517a870a8cfc46f2f094b6810c09b447bd46354b67c128843b997957522d3cf4f5f

C:\Users\Admin\AppData\Local\Temp\_MEI16402\_queue.pyd

MD5 6fbcd906dcec9ea5b0de160e596c8435
SHA1 974b49881702642415588d0a3c814396262cdf4b
SHA256 fd0be33a0851c8a89adb694358ca7c064aac4454471bf57033f24a91f03e6f4c
SHA512 d8b67d90f38d5488ab9f6c2ea50646f37f8f126d6d2aef6ed4eba5ad7552c8813e33e43ef84d95ac972d4c58c5536ff4c6ae5d9cb5d3b350df6ff48efce169b5

memory/4440-102-0x00007FFDE0000000-0x00007FFDE0001000-memory.dmp

memory/4440-101-0x000001BBBD870000-0x000001BBBD871000-memory.dmp

memory/4440-99-0x000001BBBD870000-0x000001BBBD871000-memory.dmp

memory/4440-97-0x000001BBBD870000-0x000001BBBD871000-memory.dmp

memory/4440-95-0x000001BBBD870000-0x000001BBBD871000-memory.dmp

memory/4440-93-0x000001BBBD870000-0x000001BBBD871000-memory.dmp

memory/4440-91-0x000001BBBD870000-0x000001BBBD871000-memory.dmp

memory/4440-89-0x000001BBBD870000-0x000001BBBD871000-memory.dmp

memory/4440-81-0x000001BBBD870000-0x000001BBBD871000-memory.dmp

memory/4440-79-0x000001BBBD870000-0x000001BBBD871000-memory.dmp

memory/4440-77-0x000001BBBD870000-0x000001BBBD871000-memory.dmp

memory/4440-75-0x000001BBBD870000-0x000001BBBD871000-memory.dmp

memory/4440-73-0x000001BBBD870000-0x000001BBBD871000-memory.dmp

memory/4440-48-0x000001BBBD870000-0x000001BBBD871000-memory.dmp

memory/4440-46-0x000001BBBD870000-0x000001BBBD871000-memory.dmp

memory/4440-42-0x000001BBBD870000-0x000001BBBD871000-memory.dmp

memory/4440-41-0x000001BBBD860000-0x000001BBBD861000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI16402\pytransform.key

MD5 2bcf75f492f791ef1a45b9e54cbe3170
SHA1 8df4c5ccceda7bebdad76902ea9ca6604d5cfde9
SHA256 59449650714f8f34cbbceb9c4e4ac8070ba77b8b2ba42c18e8945b82de594455
SHA512 185576d8aba1e147ccfaeee4c99ee6d90c1a7aa73a1c14a0aaf9e8f9eef8aeec1f31b7c9c92136f5ab003ec4de64806816c276d5180464cc76416fd24da574f9

C:\Users\Admin\AppData\Local\Temp\_MEI16402\_pytransform.dll

MD5 6aecb4a764836d156e4d6f6ea7cbaa9d
SHA1 42e2386843550b36bee70e46ccc8ce5c8628c50a
SHA256 8414c81dd8bc12f80dbce1126f3bd83df136d886589ea4bc89c05bb494df2eab
SHA512 42968102be12601883f3cd116cfc1f3750930b685bde128f52abd18d3db9255ce56a4527af2a286360d6f7ae2e7acb4b96414ce1d8a7f13ca7f094dbcdb21481

memory/4440-71-0x000001BBBD870000-0x000001BBBD871000-memory.dmp

memory/4440-69-0x000001BBBD870000-0x000001BBBD871000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI16402\license.lic

MD5 320aa573435cfbac84163504b9abf0a6
SHA1 e1ddf425400f081fc4c4b9acf0951c412f9c2f06
SHA256 0814d8054e2897cec2bcb92d9b38350f0a873dd1754e9f94c172033bf6853d71
SHA512 331b182b32cd8370ceca2cc2ce7488b198f6c45171cf448eba8419caa8b2bb9b990779ce5c178ae517528614a8b36525e047ae2357a947042feaa1035e7661c7

memory/4440-60-0x000001BBBD870000-0x000001BBBD871000-memory.dmp

memory/4440-58-0x000001BBBD870000-0x000001BBBD871000-memory.dmp

memory/4440-56-0x000001BBBD870000-0x000001BBBD871000-memory.dmp

memory/4440-54-0x000001BBBD870000-0x000001BBBD871000-memory.dmp

memory/4440-52-0x000001BBBD870000-0x000001BBBD871000-memory.dmp

memory/4440-50-0x000001BBBD870000-0x000001BBBD871000-memory.dmp

memory/4440-114-0x0000000070A00000-0x0000000070ABE000-memory.dmp

memory/4440-115-0x0000000070A00000-0x0000000070ABE000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Discord Backup.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\vshost\vshost.exe N/A
N/A N/A C:\ProgramData\winst\winst.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 636 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Discord Backup.exe C:\ProgramData\vshost\vshost.exe
PID 636 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Discord Backup.exe C:\ProgramData\vshost\vshost.exe
PID 636 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Discord Backup.exe C:\ProgramData\vshost\vshost.exe
PID 636 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Discord Backup.exe C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.lib
PID 636 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Discord Backup.exe C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.lib
PID 636 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Discord Backup.exe C:\ProgramData\winst\winst.exe
PID 636 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Discord Backup.exe C:\ProgramData\winst\winst.exe
PID 636 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Discord Backup.exe C:\ProgramData\winst\winst.exe
PID 1020 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.lib C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.lib
PID 1020 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.lib C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.lib
PID 3496 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.lib C:\Windows\system32\cmd.exe
PID 3496 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.lib C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Discord Backup.exe

"C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Discord Backup.exe"

C:\ProgramData\vshost\vshost.exe

C:\ProgramData\\vshost\\vshost.exe ,.

C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.lib

Qt5Core.lib

C:\ProgramData\winst\winst.exe

C:\ProgramData\\winst\\winst.exe u4bty6QwVuBS0x5H9n42DV5Ms9ZtKJkxoKy4OKYlNIYsCMduDyYR0NkQfinieGBh

C:\Users\Admin\AppData\Local\Temp\Discord-Account-Backup\Qt5Core.lib

Qt5Core.lib

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c title [Discord Account Backup Bot] - Main Menu

Network

Country Destination Domain Proto
US 8.8.8.8:53 stlaip74566.ddnsgeek.com udp
US 162.216.242.206:80 stlaip74566.ddnsgeek.com tcp
US 8.8.8.8:53 stlaep34621.ddnsgeek.com udp
US 8.8.8.8:53 canary.discordapp.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 206.242.216.162.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 162.159.134.233:443 canary.discordapp.com tcp
RO 185.247.224.98:443 stlaep34621.ddnsgeek.com tcp
US 8.8.8.8:53 98.224.247.185.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
NL 23.62.61.138:443 www.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 138.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

C:\ProgramData\vshost\vshost.exe

MD5 4e6a7ee0e286ab61d36c26bd38996821
SHA1 820674b4c75290f8f667764bfb474ca8c1242732
SHA256 f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3
SHA512 f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a

C:\ProgramData\winst\winst.exe

MD5 59238144771807b1cbc407b250d6b2c3
SHA1 6c9f87cca7e857e888cb19ea45cf82d2e2d29695
SHA256 8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b
SHA512 cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220

C:\Users\Admin\AppData\Local\Temp\_MEI10202\python38.dll

MD5 26ba25d468a778d37f1a24f4514d9814
SHA1 b64fe169690557656ede3ae50d3c5a197fea6013
SHA256 2f3e368f5bcc1dda5e951682008a509751e6395f7328fd0f02c4e1a11f67c128
SHA512 80471bfeeab279ce4adfb9ee1962597fb8e1886b861e31bdff1e3aa0df06d93afeb3a3398e9519bab7152d4bd7d88fa9b328a2d7eb50a91eb60fead268912080

C:\Users\Admin\AppData\Local\Temp\_MEI10202\VCRUNTIME140.dll

MD5 4a365ffdbde27954e768358f4a4ce82e
SHA1 a1b31102eee1d2a4ed1290da2038b7b9f6a104a3
SHA256 6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c
SHA512 54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

C:\Users\Admin\AppData\Local\Temp\_MEI10202\base_library.zip

MD5 e1315e6d33e2300bc1d691ed76bc6bf1
SHA1 401075f435707c77904be8915a8c83a422cfe0ee
SHA256 52bd4ea66e4ece6bf404c3617d0c9723966adb9206c507fda8a2850d3c194ad0
SHA512 a1f7172dfa320976da468f9dab24678ae471904ed390b9721f16e7a86db7a11be7664013ef1125fe9f9c35501eb70c758fb9c20babcaf712af0ba9f5b3293e2c

C:\Users\Admin\AppData\Local\Temp\_MEI10202\python3.DLL

MD5 c9f0b55fce50c904dff9276014cef6d8
SHA1 9f9ae27df619b695827a5af29414b592fc584e43
SHA256 074b06ae1d0a0b5c26f0ce097c91e2f24a5d38b279849115495fc40c6c10117e
SHA512 8dd188003d8419a25de7fbb37b29a4bc57a6fd93f2d79b5327ad2897d4ae626d7427f4e6ac84463c158bcb18b6c1e02e83ed49f347389252477bbeeb864ac799

C:\Users\Admin\AppData\Local\Temp\_MEI10202\_ctypes.pyd

MD5 291a0a9b63bae00a4222a6df71a22023
SHA1 7a6a2aad634ec30e8edb2d2d8d0895c708d84551
SHA256 820e840759eed12e19f3c485fd819b065b49d9dc704ae3599a63077416d63324
SHA512 d43ef6fc2595936b17b0a689a00be04968f11d7c28945af4c3a74589bd05f415bf4cb3b4e22ac496490daff533755999a69d5962ccffd12e09c16130ed57fd09

C:\Users\Admin\AppData\Local\Temp\_MEI10202\libffi-7.dll

MD5 eef7981412be8ea459064d3090f4b3aa
SHA1 c60da4830ce27afc234b3c3014c583f7f0a5a925
SHA256 f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081
SHA512 dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

C:\Users\Admin\AppData\Local\Temp\_MEI10202\_socket.pyd

MD5 4827652de133c83fa1cae839b361856c
SHA1 182f9a04bdc42766cfd5fb352f2cb22e5c26665e
SHA256 87832a3b89e2ada8f704a8f066013660d591d9ce01ce901cc57a3b973f0858ba
SHA512 8d66d68613fdba0820257550de3c39b308b1dce659dca953d10a95ff2cf89c31afe512d30ed44422b31117058dc9fa15279e5ac84694da89b47f99b0ad7e338a

C:\Users\Admin\AppData\Local\Temp\_MEI10202\select.pyd

MD5 e21cff76db11c1066fd96af86332b640
SHA1 e78ef7075c479b1d218132d89bf4bec13d54c06a
SHA256 fcc2e09a2355a5546922874fb4cac92ee00a33c0ed6adbc440d128d1e9f4ec28
SHA512 e86dba2326ca5ea3f5ef3af2abd3c23d5b29b6211acc865b6be5a51d5c8850b7cda8c069e6f631ac62f2047224c4b675bbe6ac97c7ba781de5b8016ebaffd46f

C:\Users\Admin\AppData\Local\Temp\_MEI10202\_ssl.pyd

MD5 d4dfd8c2894670e9f8d6302c09997300
SHA1 c3a6cc8d8079a06a4cac8950e0baba2b43fb1f8e
SHA256 0a721fc230eca278a69a2006e13dfa00e698274281378d4df35227e1f68ea3e0
SHA512 1422bf45d233e2e3f77dce30ba0123625f2a511f73dfdf42ee093b1755963d9abc371935111c28f0d2c02308c5e82867de2546d871c35e657da32a7182026048

C:\Users\Admin\AppData\Local\Temp\_MEI10202\libcrypto-1_1.dll

MD5 89511df61678befa2f62f5025c8c8448
SHA1 df3961f833b4964f70fcf1c002d9fd7309f53ef8
SHA256 296426e7ce11bc3d1cfa9f2aeb42f60c974da4af3b3efbeb0ba40e92e5299fdf
SHA512 9af069ea13551a4672fdd4635d3242e017837b76ab2815788148dd4c44b4cf3a650d43ac79cd2122e1e51e01fb5164e71ff81a829395bdb8e50bb50a33f0a668

C:\Users\Admin\AppData\Local\Temp\_MEI10202\libssl-1_1.dll

MD5 50bcfb04328fec1a22c31c0e39286470
SHA1 3a1b78faf34125c7b8d684419fa715c367db3daa
SHA256 fddd0da02dcd41786e9aa04ba17ba391ce39dae6b1f54cfa1e2bb55bc753fce9
SHA512 370e6dfd318d905b79baf1808efbf6da58590f00006513bdaaed0c313f6fa6c36f634ea3b05f916cee59f4db25a23dd9e6f64caf3c04a200e78c193027f57685

C:\Users\Admin\AppData\Local\Temp\_MEI10202\_hashlib.pyd

MD5 5e5af52f42eaf007e3ac73fd2211f048
SHA1 1a981e66ab5b03f4a74a6bac6227cd45df78010b
SHA256 a30cf1a40e0b09610e34be187f1396ac5a44dcfb27bc7ff9b450d1318b694c1b
SHA512 bc37625005c3dad1129b158a2f1e91628d5c973961e0efd61513bb6c7b97d77922809afca8039d08c11903734450bc098c6e7b63655ff1e9881323e5cfd739fd

C:\Users\Admin\AppData\Local\Temp\_MEI10202\_queue.pyd

MD5 dd146e2fa08302496b15118bf47703cf
SHA1 d06813e2fcb30cbb00bb3893f30c2661686cf4b7
SHA256 67e4e888559ea2c62ff267b58d7a7e95c2ec361703b5aa232aa8b2a1f96a2051
SHA512 5b93a782c9562370fc5b3f289ca422b4d1a1c532e81bd6c95a0063f2e3889ecf828003e42b674439fc7cd0fa72f64ad607bab6910abe9d959a4fb9fb08df263c

C:\Users\Admin\AppData\Local\Temp\_MEI10202\_bz2.pyd

MD5 a49c5f406456b79254eb65d015b81088
SHA1 cfc2a2a89c63df52947af3610e4d9b8999399c91
SHA256 ce4ef8ed1e72c1d3a6082d500a17a009eb6e8ed15022bf3b68a22291858feced
SHA512 bbafeff8c101c7425dc9b8789117fe4c5e516d217181d3574d9d81b8fec4b0bd34f1e1fe6e406ae95584dc671f788cd7b05c8d700baf59fbf21de9c902edf7ae

C:\Users\Admin\AppData\Local\Temp\_MEI10202\_lzma.pyd

MD5 cf9fd17b1706f3044a8f74f6d398d5f1
SHA1 c5cd0debbde042445b9722a676ff36a0ac3959ad
SHA256 9209ccc60115727b192bf7771551040ca6fdd50f9bf8c3d2eacbfd424e8245e4
SHA512 5fe922c00c6f7fd3cd9bc56fc51de1f44adffbdb0afc0583f1bb08008be628b9ac16f8560b0c3ba16138e1cdcaf1c525ef24241bed804804cdeb5961aed6385a

C:\Users\Admin\AppData\Local\Temp\_MEI10202\certifi\cacert.pem

MD5 3dcd08b803fbb28231e18b5d1eef4258
SHA1 b81ea40b943cd8a0c341f3a13e5bc05090b5a72a
SHA256 de2fa17c4d8ae68dc204a1b6b58b7a7a12569367cfeb8a3a4e1f377c73e83e9e
SHA512 9cc7106e921fbcf8c56745b38051a5a56154c600e3c553f2e64d93ec988c88b17f6d49698bdc18e3aa57ae96a79ee2c08c584c7c4c91cc6ea72db3dca6ccc2f5

C:\Users\Admin\AppData\Local\Temp\_MEI10202\unicodedata.pyd

MD5 601aee84e12b87ca66826dfc7ca57231
SHA1 3a7812433ca7d443d4494446a9ced24b6774ceca
SHA256 d8091e62c74e1b2b648086f778c3c41ce01f09661a75ea207d3fea2cf26a8762
SHA512 7c2d64623c6cfd66d6729f59909c90aa944e810ff6514c58b2b3142ee90e8660b7ddf7fa187389dd333e47efe8b19e935dd4e9119c15375b69b4880d043877d7

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240426-en

Max time kernel

90s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\libcef.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\libcef.exe

"C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\libcef.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 stlaip74566.ddnsgeek.com udp
NL 23.62.61.104:443 www.bing.com tcp
US 162.216.242.206:80 stlaip74566.ddnsgeek.com tcp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 stlaep34621.ddnsgeek.com udp
RO 185.247.224.98:443 stlaep34621.ddnsgeek.com tcp
NL 23.62.61.104:443 www.bing.com tcp
US 8.8.8.8:53 206.242.216.162.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 98.224.247.185.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\Qt5Core.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\Qt5Core.exe

"C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\Qt5Core.exe"

Network

Country Destination Domain Proto
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.193:443 www.bing.com tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 193.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240419-en

Max time kernel

53s

Max time network

56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\lib32.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\lib32.exe

"C:\Users\Admin\AppData\Local\Temp\Discord Checker by xPolish\lib32.exe"

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp

Files

memory/4020-0-0x0000000000300000-0x0000000000308000-memory.dmp

memory/4020-1-0x00000000750B0000-0x0000000075860000-memory.dmp

memory/4020-2-0x00000000750B0000-0x0000000075860000-memory.dmp

memory/4020-4-0x00000000750B0000-0x0000000075860000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240419-en

Max time kernel

65s

Max time network

56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DiscoBot v2 By Psy\database32.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DiscoBot v2 By Psy\database32.exe

"C:\Users\Admin\AppData\Local\Temp\DiscoBot v2 By Psy\database32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 g.bing.com udp

Files

memory/5200-0-0x0000000000DD0000-0x0000000000E5E000-memory.dmp

memory/5200-1-0x00000000746A0000-0x0000000074E50000-memory.dmp

memory/5200-2-0x0000000005F00000-0x00000000064A4000-memory.dmp

memory/5200-3-0x0000000005830000-0x00000000058C2000-memory.dmp

memory/5200-4-0x00000000057D0000-0x00000000057E0000-memory.dmp

memory/5200-5-0x0000000005900000-0x000000000590A000-memory.dmp

memory/5200-6-0x00000000057D0000-0x00000000057E0000-memory.dmp

memory/5200-7-0x00000000746A0000-0x0000000074E50000-memory.dmp

memory/5200-8-0x00000000057D0000-0x00000000057E0000-memory.dmp

memory/5200-9-0x00000000057D0000-0x00000000057E0000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240419-en

Max time kernel

147s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\bin32.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\bin32.exe

"C:\Users\Admin\AppData\Local\Temp\Discord Agora's Token Checker\bin32.exe"

Network

Country Destination Domain Proto
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
NL 23.62.61.139:443 www.bing.com tcp
US 8.8.8.8:53 139.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240419-en

Max time kernel

139s

Max time network

128s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\DXCore.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3720 wrote to memory of 3600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3720 wrote to memory of 3600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3720 wrote to memory of 3600 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\DXCore.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Discord Token Checker ULTRA by zoony\DXCore.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3600 -ip 3600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3600 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
NL 23.62.61.59:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 59.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A
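In behavioral24 the only writer/target pair behind "Suspicious use of WriteProcessMemory" is the 64-bit C:\Windows\system32\rundll32.exe (PID 3720) and the C:\Windows\SysWOW64\rundll32.exe (PID 3600) it spawned. That is the relaunch rundll32 performs when handed a 32-bit DLL on 64-bit Windows, so the write lands in its own child rather than in an unrelated process, and the WerFault lines (-p 3600) record that 32-bit host crashing while hosting DXCore.dll export #1, so the DLL did not run to completion in this detonation. The script below is an added example, not part of the report or the sandbox, that encodes that one rule over rows in the report's own format and leaves every other pair flagged; the fourth sample row (PIDs, sample.exe, explorer.exe) is constructed to show a pair that would stay flagged.

```python
"""Classify 'Suspicious use of WriteProcessMemory' rows from a sandbox run.

Added example, not part of the report. Row format is the report's own
(Description Indicator Process Target). The single rule encoded here is an
assumption about rundll32, not something the sandbox itself asserts.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: the three behavioral24 rows, plus one invented row (PIDs,
# sample.exe and the explorer.exe target are hypothetical) of the kind that
# should stay flagged.
SAMPLE_ROWS = """\
Description Indicator Process Target
PID 3720 wrote to memory of 3600 N/A C:\\Windows\\system32\\rundll32.exe C:\\Windows\\SysWOW64\\rundll32.exe
PID 3720 wrote to memory of 3600 N/A C:\\Windows\\system32\\rundll32.exe C:\\Windows\\SysWOW64\\rundll32.exe
PID 3720 wrote to memory of 3600 N/A C:\\Windows\\system32\\rundll32.exe C:\\Windows\\SysWOW64\\rundll32.exe
PID 4242 wrote to memory of 1337 N/A C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe C:\\Windows\\explorer.exe
"""

# Non-greedy path groups so paths containing spaces still split at the '.exe '
# boundary between the Process and Target columns.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<indicator>\S+) "
    r"(?P<proc>[A-Za-z]:\\.*?\.exe) (?P<target>[A-Za-z]:\\.*?\.exe)$",
    re.IGNORECASE,
)


def parse_rows(text):
    """Parse the signature table; skips the header line."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Description"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsable row: {line!r}")
        d = m.groupdict()
        d["src"], d["dst"] = int(d["src"]), int(d["dst"])
        rows.append(d)
    return rows


def _name_and_dir(path):
    p = PureWindowsPath(path)
    return p.name.lower(), p.parent.name.lower()


def classify(row):
    """wow64-relaunch: 64-bit rundll32 writing into the 32-bit rundll32 it spawned
    to host a 32-bit DLL (expected). Anything else keeps a label for review."""
    proc_name, proc_dir = _name_and_dir(row["proc"])
    tgt_name, tgt_dir = _name_and_dir(row["target"])
    if (proc_name == tgt_name == "rundll32.exe"
            and proc_dir == "system32" and tgt_dir == "syswow64"):
        return "wow64-relaunch"
    if proc_name == tgt_name:
        return "same-image-write"     # e.g. a re-exec of itself; still worth a look
    return "cross-process-write"


def summarize(text):
    """Collapse repeated rows: {(src_pid, dst_pid, proc, target): (label, count)}."""
    out = {}
    for r in parse_rows(text):
        key = (r["src"], r["dst"], r["proc"], r["target"])
        label, n = out.get(key, (classify(r), 0))
        out[key] = (label, n + 1)
    return out


def needs_review(text):
    """Writer/target pairs the rundll32 rule does not explain."""
    return [k for k, (label, _) in summarize(text).items() if label != "wow64-relaunch"]


if __name__ == "__main__":
    for (src, dst, proc, target), (label, n) in summarize(SAMPLE_ROWS).items():
        print(f"{label:20} x{n}  {src} -> {dst}  {proc} -> {target}")
```

Run against the three behavioral24 rows alone, `needs_review` returns an empty list; the crash is then the finding, not the memory write.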

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:19

Platform

win10v2004-20240419-en

Max time kernel

142s

Max time network

56s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\chromedriver.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\chromedriver.exe

"C:\Users\Admin\AppData\Local\Temp\Discord Account Generator v2\chromedriver.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 g.bing.com udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-01 13:15

Reported

2024-05-01 13:23

Platform

win10v2004-20240426-en

Max time kernel

321s

Max time network

326s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\libcef.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\libcef.exe

"C:\Users\Admin\AppData\Local\Temp\Discord Nitro - TZCracking\libcef.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 stlaip74566.ddnsgeek.com udp
NL 23.62.61.139:443 www.bing.com tcp
US 162.216.242.206:80 stlaip74566.ddnsgeek.com tcp
US 8.8.8.8:53 stlaep34621.ddnsgeek.com udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 139.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 206.242.216.162.in-addr.arpa udp
RO 185.247.224.98:443 stlaep34621.ddnsgeek.com tcp
NL 23.62.61.139:443 www.bing.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 98.224.247.185.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 stlaip74566.ddnsgeek.com udp
US 162.216.242.206:80 stlaip74566.ddnsgeek.com tcp
US 8.8.8.8:53 stlaep34621.ddnsgeek.com udp
RO 185.247.224.98:443 stlaep34621.ddnsgeek.com tcp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp

Files

N/A
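The Network tables of behavioral13 and behavioral23 above mix the image's own traffic (Bing/Start-menu connections and the PTR lookups for every peer) with the sample's, and behavioral15 and behavioral16 contain rows whose Domain column is empty. What stands out is the pair of dynamic-DNS hosts stlaip74566.ddnsgeek.com and stlaep34621.ddnsgeek.com, resolved and then contacted on 162.216.242.206:80 and 185.247.224.98:443. The script below is an added example, not part of the report or the sandbox, that parses rows in the report's format and drops the baseline noise so those rows are what is left; the benign and dynamic-DNS suffix lists are assumptions, and the sample rows are copied from the behavioral13 and behavioral16 tables.

```python
"""Reduce a sandbox run's Network table to the rows worth pivoting on.

Added example, not part of the report. Row format is the report's own
(Country Destination Domain Proto; the Domain column may be empty). The
suffix lists below are assumptions, not data from the report.
"""
import ipaddress
import re

# Constructed sample: rows copied from the behavioral13 and behavioral16 tables.
SAMPLE_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 stlaip74566.ddnsgeek.com udp
NL 23.62.61.104:443 www.bing.com tcp
US 162.216.242.206:80 stlaip74566.ddnsgeek.com tcp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 stlaep34621.ddnsgeek.com udp
RO 185.247.224.98:443 stlaep34621.ddnsgeek.com tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 20.231.121.79:80 tcp
"""

# Image baseline: Bing/Start-menu traffic and the PTR lookups Windows issues for
# every peer. Assumption; derive it from a clean run of the same image in practice.
BENIGN_SUFFIXES = (".bing.com", ".bing.net", ".in-addr.arpa")

# Dynamic-DNS zones commodity loaders rent for C2. ddnsgeek.com is the one in this
# report; the rest are assumed additions for generality.
DYNDNS_SUFFIXES = (".ddnsgeek.com", ".ddns.net", ".duckdns.org", ".no-ip.org")

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[0-9A-Fa-f.:]+):(?P<port>\d+)\s+"
    r"(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse table text into dicts; skips the header and tolerates a missing Domain."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Country"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsable row: {line!r}")
        d = m.groupdict()
        d["ip"] = str(ipaddress.ip_address(d["ip"]))  # rejects malformed addresses
        d["port"] = int(d["port"])
        d["domain"] = (d["domain"] or "").lower()
        rows.append(d)
    return rows


def classify(row):
    """Label one row: noise, dns-lookup, dyndns-c2, raw-ip or other."""
    dom = row["domain"]
    if dom.endswith(BENIGN_SUFFIXES):
        return "noise"
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns-lookup"        # a name the image itself would not resolve
    if dom.endswith(DYNDNS_SUFFIXES):
        return "dyndns-c2"
    if not dom:
        return "raw-ip"            # connect with no name in the table
    return "other"


def triage(text):
    """Group non-noise rows by label; each group is ordered and de-duplicated."""
    groups = {}
    for r in parse_rows(text):
        kind = classify(r)
        if kind == "noise":
            continue
        entry = f"{r['domain'] or '-'} {r['ip']}:{r['port']}/{r['proto']}"
        bucket = groups.setdefault(kind, [])
        if entry not in bucket:
            bucket.append(entry)
    return groups


def pivot_domains(text):
    """Sorted, distinct non-baseline names: the hosts to block or hunt for."""
    names = {r["domain"] for r in parse_rows(text)
             if classify(r) in ("dns-lookup", "dyndns-c2", "other")}
    return sorted(names)


if __name__ == "__main__":
    for kind, entries in triage(SAMPLE_ROWS).items():
        print(kind)
        for e in entries:
            print("   ", e)
    print("pivot:", ", ".join(pivot_domains(SAMPLE_ROWS)))
```

The raw-ip bucket is kept separate on purpose: a connection with no name in the table (such as 20.231.121.79:80 in behavioral16) may be hard-coded C2 or simply a peer whose lookup fell outside the capture window, so it needs a look but is not an indicator of the same weight as a name the sample resolved and then connected to.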