File name: Gerador_de_Rockstar_Games.exe

Full analysis: https://app.any.run/tasks/ed575c9f-0fb8-402f-ae3d-7687414a4e0b
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software designed to gain unauthorized access to users' information and transfer it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords, or cryptocurrency wallets. Stealers can also spy on their victims by recording keystrokes and taking screenshots. This type of malware is distributed primarily through phishing campaigns.

Analysis date: December 31, 2021, 01:13:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: stealer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5: 90875665B8DF23D3545FC078160BC3D1
SHA1: 7EB6A8AB0D1C46F5FADE31ADA12A970C7A87C1C7
SHA256: 59983BF667BBB26743A8D5C51AEE4EBB3CAC4653CA5E6CAE33174D2701CCC6B0
SSDEEP: 49152:LsmhnqAs9pJc0dnKh+Q0N1rs+vIUSg+6+8ohnRh1Na1OKM6nYAKhFQpSH3Oh5gx9:tqXpy05Q0N1rsYSZ6BoXh1kkypSH3Ohc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • RtkBtManServ.exe (PID: 1124)
      • snuvcdsm.exe (PID: 336)
      • winhlp32.exe (PID: 3628)
      • splwow64.exe (PID: 2908)
      • hh.exe (PID: 4000)
      • xwizard.exe (PID: 2764)
      • RtkBtManServ.exe (PID: 3280)
      • snuvcdsm.exe (PID: 3032)
      • splwow64.exe (PID: 3684)
      • hh.exe (PID: 1648)
      • winhlp32.exe (PID: 2160)
      • xwizard.exe (PID: 2200)
    • Drops an executable file immediately after start

      • Gerador_de_Rockstar_Games.exe (PID: 3476)
      • Gerador_de_Rockstar_Games.exe (PID: 3700)
    • Steals credentials from Web Browsers

      • RtkBtManServ.exe (PID: 1124)
      • snuvcdsm.exe (PID: 336)
      • RtkBtManServ.exe (PID: 3280)
    • Actions look like stealing of personal data

      • RtkBtManServ.exe (PID: 1124)
      • snuvcdsm.exe (PID: 336)
      • xwizard.exe (PID: 2764)
      • RtkBtManServ.exe (PID: 3280)
      • snuvcdsm.exe (PID: 3032)
      • xwizard.exe (PID: 2200)
    • Stealing of credential data

      • RtkBtManServ.exe (PID: 1124)
      • snuvcdsm.exe (PID: 3032)
  • SUSPICIOUS

    • Checks supported languages

      • RtkBtManServ.exe (PID: 1124)
      • Gerador_de_Rockstar_Games.exe (PID: 3476)
      • cmd.exe (PID: 2380)
      • WScript.exe (PID: 1944)
      • cmd.exe (PID: 1332)
      • WScript.exe (PID: 268)
      • snuvcdsm.exe (PID: 336)
      • cmd.exe (PID: 3312)
      • winhlp32.exe (PID: 3628)
      • splwow64.exe (PID: 2908)
      • hh.exe (PID: 4000)
      • WScript.exe (PID: 2792)
      • xwizard.exe (PID: 2764)
      • cmd.exe (PID: 904)
      • cmd.exe (PID: 2468)
      • RtkBtManServ.exe (PID: 3280)
      • Gerador_de_Rockstar_Games.exe (PID: 3700)
      • cmd.exe (PID: 3216)
      • WScript.exe (PID: 2436)
      • cmd.exe (PID: 2852)
      • snuvcdsm.exe (PID: 3032)
      • cmd.exe (PID: 3628)
      • winhlp32.exe (PID: 2160)
      • splwow64.exe (PID: 3684)
      • hh.exe (PID: 1648)
      • WScript.exe (PID: 3136)
      • WScript.exe (PID: 2120)
      • xwizard.exe (PID: 2200)
      • cmd.exe (PID: 3108)
      • cmd.exe (PID: 2124)
    • Starts CHOICE.EXE (used to create a delay)

      • cmd.exe (PID: 2380)
      • cmd.exe (PID: 904)
      • cmd.exe (PID: 3216)
      • cmd.exe (PID: 3108)
    • Executable content was dropped or overwritten

      • RtkBtManServ.exe (PID: 1124)
      • Gerador_de_Rockstar_Games.exe (PID: 3476)
      • chrome.exe (PID: 2768)
      • chrome.exe (PID: 3040)
      • Gerador_de_Rockstar_Games.exe (PID: 3700)
      • RtkBtManServ.exe (PID: 3280)
    • Reads the computer name

      • Gerador_de_Rockstar_Games.exe (PID: 3476)
      • RtkBtManServ.exe (PID: 1124)
      • WScript.exe (PID: 1944)
      • WScript.exe (PID: 268)
      • snuvcdsm.exe (PID: 336)
      • winhlp32.exe (PID: 3628)
      • WScript.exe (PID: 2792)
      • RtkBtManServ.exe (PID: 3280)
      • Gerador_de_Rockstar_Games.exe (PID: 3700)
      • WScript.exe (PID: 2436)
      • winhlp32.exe (PID: 2160)
      • WScript.exe (PID: 3136)
      • snuvcdsm.exe (PID: 3032)
      • WScript.exe (PID: 2120)
    • Starts CMD.EXE for commands execution

      • Gerador_de_Rockstar_Games.exe (PID: 3476)
      • WScript.exe (PID: 1944)
      • WScript.exe (PID: 268)
      • WScript.exe (PID: 2792)
      • RtkBtManServ.exe (PID: 1124)
      • Gerador_de_Rockstar_Games.exe (PID: 3700)
      • WScript.exe (PID: 2436)
      • WScript.exe (PID: 2120)
      • WScript.exe (PID: 3136)
      • RtkBtManServ.exe (PID: 3280)
    • Executes scripts

      • RtkBtManServ.exe (PID: 1124)
      • RtkBtManServ.exe (PID: 3280)
    • Drops a file that was compiled in debug mode

      • RtkBtManServ.exe (PID: 1124)
      • chrome.exe (PID: 3040)
      • chrome.exe (PID: 2768)
      • RtkBtManServ.exe (PID: 3280)
    • Reads Environment values

      • RtkBtManServ.exe (PID: 1124)
      • RtkBtManServ.exe (PID: 3280)
    • Reads the cookies of Mozilla Firefox

      • RtkBtManServ.exe (PID: 1124)
      • RtkBtManServ.exe (PID: 3280)
    • Reads the cookies of Google Chrome

      • winhlp32.exe (PID: 3628)
    • Loads DLL from Mozilla Firefox

      • splwow64.exe (PID: 2908)
      • splwow64.exe (PID: 3684)
    • Creates files in the user directory

      • splwow64.exe (PID: 2908)
      • xwizard.exe (PID: 2764)
      • splwow64.exe (PID: 3684)
      • xwizard.exe (PID: 2200)
    • Drops a file with a compile date too recent

      • chrome.exe (PID: 2768)
      • chrome.exe (PID: 3040)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2768)
  • INFO

    • Checks supported languages

      • choice.exe (PID: 2664)
      • choice.exe (PID: 2996)
      • chrome.exe (PID: 2768)
      • chrome.exe (PID: 1888)
      • chrome.exe (PID: 3796)
      • chrome.exe (PID: 3264)
      • chrome.exe (PID: 3040)
      • chrome.exe (PID: 3800)
      • chrome.exe (PID: 508)
      • chrome.exe (PID: 3180)
      • chrome.exe (PID: 3748)
      • chrome.exe (PID: 344)
      • chrome.exe (PID: 2548)
      • chrome.exe (PID: 2484)
      • chrome.exe (PID: 3672)
      • chrome.exe (PID: 1400)
      • chrome.exe (PID: 2776)
      • chrome.exe (PID: 760)
      • chrome.exe (PID: 572)
      • chrome.exe (PID: 3648)
      • chrome.exe (PID: 1656)
      • chrome.exe (PID: 1432)
      • chrome.exe (PID: 3484)
      • chrome.exe (PID: 3524)
      • chrome.exe (PID: 3504)
      • chrome.exe (PID: 2280)
      • choice.exe (PID: 976)
      • chrome.exe (PID: 2096)
      • chrome.exe (PID: 3468)
      • choice.exe (PID: 3360)
    • Reads settings of System Certificates

      • RtkBtManServ.exe (PID: 1124)
      • chrome.exe (PID: 3040)
      • RtkBtManServ.exe (PID: 3280)
    • Checks Windows Trust Settings

      • WScript.exe (PID: 1944)
      • WScript.exe (PID: 268)
      • WScript.exe (PID: 2792)
      • chrome.exe (PID: 2768)
      • WScript.exe (PID: 2436)
      • WScript.exe (PID: 2120)
      • WScript.exe (PID: 3136)
    • Manual execution by user

      • chrome.exe (PID: 2768)
      • Gerador_de_Rockstar_Games.exe (PID: 3700)
    • Reads the computer name

      • chrome.exe (PID: 1888)
      • chrome.exe (PID: 2768)
      • chrome.exe (PID: 3040)
      • chrome.exe (PID: 3180)
      • chrome.exe (PID: 2548)
      • chrome.exe (PID: 3648)
      • chrome.exe (PID: 1432)
      • chrome.exe (PID: 2280)
      • chrome.exe (PID: 2096)
      • chrome.exe (PID: 3468)
    • Application launched itself

      • chrome.exe (PID: 2768)
    • Reads the hosts file

      • chrome.exe (PID: 2768)
      • chrome.exe (PID: 3040)
    • Reads the date of Windows installation

      • chrome.exe (PID: 3468)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

AssemblyVersion: 1.0.0.0
ProductVersion: 1.0.0.0
ProductName: Rockstar Games
OriginalFileName: Gerador de Rockstar Games.exe
LegalCopyright:
InternalName: Gerador de Rockstar Games.exe
FileVersion: 1.0.0.0
FileDescription: Gerador de Rockstar Games
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 4
EntryPoint: 0x2d86be
UninitializedDataSize: -
InitializedDataSize: 39936
CodeSize: 2975744
LinkerVersion: 11
PEType: PE32
TimeStamp: 2021:12:25 08:48:20+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 25-Dec-2021 07:48:20
Debug artifacts:
  • c:\Users\vinic\AppData\Local\Temp\bin_copy\obj\Debug\Gerador de Rockstar Games.pdb
FileDescription: Gerador de Rockstar Games
FileVersion: 1.0.0.0
InternalName: Gerador de Rockstar Games.exe
LegalCopyright: -
OriginalFilename: Gerador de Rockstar Games.exe
ProductName: Rockstar Games
ProductVersion: 1.0.0.0
Assembly Version: 1.0.0.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 25-Dec-2021 07:48:20
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00002000 | 0x002D66C4 | 0x002D6800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 7.99851
.rsrc | 0x002DA000 | 0x00009900 | 0x00009A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.84828
.reloc | 0x002E4000 | 0x0000000C | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 0.10191

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.00112 | 490 | UNKNOWN | UNKNOWN | RT_MANIFEST
2 | 7.92699 | 34102 | UNKNOWN | UNKNOWN | RT_ICON
3 | 7.83478 | 1797 | UNKNOWN | UNKNOWN | RT_ICON
4 | 7.6888 | 1012 | UNKNOWN | UNKNOWN | RT_ICON
5 | 7.27983 | 465 | UNKNOWN | UNKNOWN | RT_ICON
32512 | 2.29402 | 62 | UNKNOWN | UNKNOWN | RT_GROUP_ICON

Imports

mscoree.dll
No data.
All screenshots are available in the full report
Total processes: 108
Monitored processes: 60
Malicious processes: 6
Suspicious processes: 4

Behavior graph

[Interactive behavior graph not reproduced. Node labels: gerador_de_rockstar_games.exe, rtkbtmanserv.exe, cmd.exe, choice.exe, wscript.exe, snuvcdsm.exe, winhlp32.exe, splwow64.exe, hh.exe, xwizard.exe and many chrome.exe instances; edge labels: "drop and start", "start". The same sequence of nodes appears twice in the graph.]

Process information

PID: 268
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\compile.vbs"
Path: C:\Windows\System32\WScript.exe
Parent process: RtkBtManServ.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 336
CMD: C:\Users\admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\admin\AppData\Local\Temp\admin_Passwords.txt"
Path: C:\Users\admin\AppData\Local\Temp\snuvcdsm.exe
Parent process: cmd.exe
User: admin
Company: NirSoft
Integrity Level: MEDIUM
Description: Web Browser Password Viewer
Exit code: 0
Version: 2.06
Modules
Images
c:\users\admin\appdata\local\temp\snuvcdsm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 344
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=972,9282375425415817184,17280803956627504806,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 86.0.4240.198
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
PID: 508
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=972,9282375425415817184,17280803956627504806,131072 --enable-features=PasswordImport --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1880 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 86.0.4240.198
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
PID: 572
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=972,9282375425415817184,17280803956627504806,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3704 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 86.0.4240.198
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
PID: 760
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=972,9282375425415817184,17280803956627504806,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3036 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 86.0.4240.198
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\86.0.4240.198\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\api-ms-win-downlevel-shell32-l1-1-0.dll
c:\windows\system32\shell32.dll
PID: 904
CMD: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\admin\AppData\Local\Temp\RtkBtManServ.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: RtkBtManServ.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
c:\windows\system32\imm32.dll
PID: 976
CMD: choice /C Y /N /D Y /T 3
Path: C:\Windows\system32\choice.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Offers the user a choice
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\choice.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
PID: 1124
CMD: "C:\Users\admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs6xkwOmyAP2TsWKLrAD7sIFhXFzxtDhsY9PuBQTQ9be72UeRXoeSXuj4ddZpFGyjp7Gxj0ZSa56uFMR3qTG3XayQy23JTF4OiIcWfKI15l6g32EjbRvvmKf55OHxq9tkOU=
Path: C:\Users\admin\AppData\Local\Temp\RtkBtManServ.exe
Parent process: Gerador_de_Rockstar_Games.exe
User: admin
Integrity Level: MEDIUM
Description: RtkBtManServ
Exit code: 0
Version: 1.0.0.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\users\admin\appdata\local\temp\rtkbtmanserv.exe
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
PID: 1332
CMD: "C:\Windows\System32\cmd.exe" /c compile.bat
Path: C:\Windows\System32\cmd.exe
Parent process: WScript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 25 533
Read events: 25 268
Write events: 263
Delete events: 2

Modification events

(3476) Gerador_de_Rockstar_Games.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write, Name: ProxyBypass, Value: 1
(3476) Gerador_de_Rockstar_Games.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write, Name: IntranetName, Value: 1
(3476) Gerador_de_Rockstar_Games.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write, Name: UNCAsIntranet, Value: 1
(3476) Gerador_de_Rockstar_Games.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write, Name: AutoDetect, Value: 0
(1124) RtkBtManServ.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RtkBtManServ_RASAPI32
  Operation: write, Name: EnableFileTracing, Value: 0
(1124) RtkBtManServ.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RtkBtManServ_RASAPI32
  Operation: write, Name: EnableConsoleTracing, Value: 0
(1124) RtkBtManServ.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RtkBtManServ_RASAPI32
  Operation: write, Name: FileTracingMask, Value:
(1124) RtkBtManServ.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RtkBtManServ_RASAPI32
  Operation: write, Name: ConsoleTracingMask, Value:
(1124) RtkBtManServ.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RtkBtManServ_RASAPI32
  Operation: write, Name: MaxFileSize, Value: 1048576
(1124) RtkBtManServ.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RtkBtManServ_RASAPI32
  Operation: write, Name: FileDirectory, Value: %windir%\tracing
Executable files: 18
Suspicious files: 179
Text files: 133
Unknown types: 18

Dropped files

PID | Process | Filename | Type
3476 | Gerador_de_Rockstar_Games.exe | C:\Users\admin\AppData\Local\Temp\whysosad | text
  MD5: FC3C88C2080884D6C995D48E172FBC4F
  SHA256: 1637CE704A463BD3C91A38AA02D1030107670F91EE3F0DD4FA13D07A77BA2664
3476 | Gerador_de_Rockstar_Games.exe | C:\Users\admin\AppData\Local\Temp\config | binary
  MD5: 1BA367D0F9AAC0F650E65AB7401776C0
  SHA256: 68C4EC552C98F3B5A4744E4EEFADD6364DC8075C2E718B7BCBFC76625AA60D03
1124 | RtkBtManServ.exe | C:\Users\admin\AppData\Local\Temp\bfsvc.cfg | text
  MD5: 5242530A2B65089696F3CF8E5EE02FF7
  SHA256: 239A1D9844DDBD0E650F8E5DE69A2A40067106A79878FA4948A8039F1573B781
1124 | RtkBtManServ.exe | C:\Users\admin\AppData\Local\Temp\xwizard.cfg | text
  MD5: AE8EED5A6B1470AEC0E7FECE8B0669EF
  SHA256: 3F6CA2BC068C8436044DAAB867F8FF8F75060048B29882CB2AC9FDEF1800DF9E
1124 | RtkBtManServ.exe | C:\Users\admin\AppData\Local\Temp\bfsvc.exe | executable
  MD5: 899D3ED011EB58459B8A4FC2B81F0924
  SHA256: 5E3F311AE67F046B56435067BCDD39FBF836FA0421FBC8C8B0E43E8E47524954
1124 | RtkBtManServ.exe | C:\Users\admin\AppData\Local\Temp\hh.exe | executable
  MD5: 4D4C98ECA32B14AEB074DB34CD0881E4
  SHA256: 4182172A01BDFC08C5CF7E8652F7D9D81858345A770E2B6B507840E4C1C7764F
1124 | RtkBtManServ.exe | C:\Users\admin\AppData\Local\Temp\xwizard.exe | executable
  MD5: DF991217F1CFADD9ACFA56F878DA5EE7
  SHA256: DEB1246347CE88E8CDD63A233A64BC2090B839F2D933A3097A2FD8FD913C4112
3476 | Gerador_de_Rockstar_Games.exe | C:\Users\admin\AppData\Local\Temp\RtkBtManServ.exe | executable
  MD5: 88AB0BB59B0B20816A833BA91C1606D3
  SHA256: F4FB42C8312A6002A8783E2A1AB4571EB89E92CD192B1A21E8C4582205C37312
1124 | RtkBtManServ.exe | C:\Users\admin\AppData\Local\Temp\winhlp32.exe | executable
  MD5: A776E68F497C996788B406A3DC5089EB
  SHA256: 071E26DDF5323DD9ED6671BCDE89DF73D78BAC2336070E6CB9E3E4B93BDE78D1
1124 | RtkBtManServ.exe | C:\Users\admin\AppData\Local\Temp\costura.costura.dll.compressed | binary
  MD5: 9AB99399CB17964E3E30B7DDEB6BB8B9
  SHA256: BDFED3E39A17DBC95D43FC5141904414A62E8B459F338F65A2F1C3D1FACDDD2F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 35
DNS requests: 24
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3040 | chrome.exe | GET | 200 | 173.194.160.71:80 | http://r2---sn-1gi7znes.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mh=e_&mip=85.203.45.13&mm=28&mn=sn-1gi7znes&ms=nvh&mt=1640912897&mv=m&mvi=2&pl=24&rmhost=r1---sn-1gi7znes.gvt1.com&shardbypass=yes&smhost=r2---sn-1gi7znek.gvt1.com | US | crx | 242 Kb | whitelisted
3040 | chrome.exe | GET | 302 | 142.250.181.238:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | html | 592 b | whitelisted
3040 | chrome.exe | GET | 403 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | text | 37 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3040 | chrome.exe | 142.250.186.99:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
3040 | chrome.exe | 172.217.16.142:443 | clients2.google.com | Google Inc. | US | whitelisted
3040 | chrome.exe | 142.250.185.234:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
3040 | chrome.exe | 142.250.186.67:443 | www.gstatic.com | Google Inc. | US | whitelisted
3040 | chrome.exe | 142.250.185.67:443 | fonts.gstatic.com | Google Inc. | US | whitelisted
3040 | chrome.exe | 142.250.185.78:443 | apis.google.com | Google Inc. | US | whitelisted
3040 | chrome.exe | 142.250.186.131:443 | update.googleapis.com | Google Inc. | US | whitelisted
3040 | chrome.exe | 34.104.35.123:80 | edgedl.me.gvt1.com | - | US | whitelisted
3040 | chrome.exe | 142.250.181.238:80 | redirector.gvt1.com | Google Inc. | US | whitelisted
3040 | chrome.exe | 172.217.18.99:443 | ssl.gstatic.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
itroublvehacker.gq | - | whitelisted
discord.com | 162.159.128.233, 162.159.138.232, 162.159.136.232, 162.159.137.232, 162.159.135.232 | whitelisted
clientservices.googleapis.com | 142.250.186.99 | whitelisted
www.google.com | 142.250.185.196 | malicious
clients2.google.com | 172.217.16.142 | whitelisted
accounts.google.com | 142.250.74.205 | shared
fonts.googleapis.com | 142.250.185.234 | whitelisted
www.gstatic.com | 142.250.186.67 | whitelisted
fonts.gstatic.com | 142.250.185.67 | whitelisted
apis.google.com | 142.250.185.78 | whitelisted

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .gq Domain
No debug info