MALICIOUS
Classifications: Backdoor, Injector
Threat Names: Mal/Generic-S, Gen:Variant.Ursu.773728
Verdict Reason: -
Sample Type Windows Exe (x86-64)
File Name f399f4852c2b6d13cc6424cd73d55ae56c4b6be7161f06e0383a18c024f2db55.exe
ID #2658387
MD5 1a7ea27b8eb6ac33cb9f1e5c3b4adffa
SHA1 3b28864fa969b44cae0905f5a5f1b069f61fa89e
SHA256 f399f4852c2b6d13cc6424cd73d55ae56c4b6be7161f06e0383a18c024f2db55
File Size 2082.00 KB
Report Created 2021-08-25 15:42 (UTC+2)
Target Environment win10_64_th2_en_mso2016 | exe
X-Ray Vision for Malware - www.vmray.com 1 / 118
OVERVIEW
VMRay Threat Identifiers (21 rules, 25 matches)
Score | Category | Operation | Count | Classification
4/5 | Injection | Writes into the memory of another process | 1 | Injector
- (Process #1) f399f4852c2b6d13cc6424cd73d55ae56c4b6be7161f06e0383a18c024f2db55.exe modifies memory of (process #5) explorer.exe.
4/5 | Injection | Modifies control flow of another process | 1 | -
- (Process #1) f399f4852c2b6d13cc6424cd73d55ae56c4b6be7161f06e0383a18c024f2db55.exe alters context of (process #5) explorer.exe.
4/5 | Reputation | Known malicious file | 1 | -
- Reputation analysis labels the sample itself as "Mal/Generic-S".
4/5 | Antivirus | Malicious content was detected by heuristic scan | 1 | -
- Built-in AV detected the sample itself as "Gen:Variant.Ursu.773728".
3/5 | Execution | Executes code with kernel privileges | 2 | -
- (Process #5) explorer.exe executes code with kernel privileges to perform system level actions.
- (Process #23) csrss.exe executes code with kernel privileges to perform system level actions.
2/5 | Discovery | Enumerates running processes | 2 | -
- (Process #1) f399f4852c2b6d13cc6424cd73d55ae56c4b6be7161f06e0383a18c024f2db55.exe enumerates running processes via WMI.
- (Process #5) explorer.exe enumerates running processes.
2/5 | Discovery | Executes WMI query | 1 | -
- (Process #1) f399f4852c2b6d13cc6424cd73d55ae56c4b6be7161f06e0383a18c024f2db55.exe executes WMI query: Select CommandLine from Win32_Process where Name='explorer.exe'.
2/5 | Discovery | Reads network adapter information | 1 | -
- (Process #5) explorer.exe reads the network adapters' addresses by API.
2/5 | Persistence | Installs kernel driver | 1 | -
- (Process #5) explorer.exe installs kernel driver.
2/5 | Defense Evasion | Sends control codes to connected devices | 1 | -
- (Process #5) explorer.exe controls device "\\.\WinRing0_1_2_0" through API DeviceIOControl.
2/5 | Anti Analysis | Creates an unusually large number of processes | 1 | -
- Above average number of processes were monitored.
2/5 | Masquerade | Creates a new process from a system binary | 1 | -
- (Process #1) f399f4852c2b6d13cc6424cd73d55ae56c4b6be7161f06e0383a18c024f2db55.exe creates a new explorer.exe process.
2/5 | Network Connection | Sets up server that accepts incoming connections | 1 | Backdoor
- (Process #5) explorer.exe starts a TCP server listening on port 49711.
1/5 | Hide Tracks | Creates process with hidden window | 1 | -
- (Process #1) f399f4852c2b6d13cc6424cd73d55ae56c4b6be7161f06e0383a18c024f2db55.exe starts (process #5) explorer.exe with a hidden window.
1/5 | Obfuscation | Creates a page with write and execute permissions | 1 | -
- (Process #1) f399f4852c2b6d13cc6424cd73d55ae56c4b6be7161f06e0383a18c024f2db55.exe allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
1/5 | Privilege Escalation | Enables process privilege | 1 | -
- (Process #5) explorer.exe enables process privilege "SeLockMemoryPrivilege".
1/5 | Network Connection | Performs DNS request | 1 | -
- (Process #5) explorer.exe resolves host name "randomxmonero.eu-west.nicehash.com" to IP "172.65.226.105".
1/5 | Network Connection | Connects to remote host | 2 | -
- (Process #5) explorer.exe accepts an incoming TCP connection from host "172.65.226.105:3380".
- (Process #5) explorer.exe opens an outgoing TCP connection to host "172.65.226.105:3380".
1/5 | Network Connection | Tries to connect using an uncommon port | 1 | -
- (Process #5) explorer.exe tries to connect to TCP port 3380 at 172.65.226.105.
1/5 | Execution | Drops PE file | 1 | -
- (Process #1) f399f4852c2b6d13cc6424cd73d55ae56c4b6be7161f06e0383a18c024f2db55.exe drops file "C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\WR64.sys".
1/5 | Obfuscation | Resolves API functions dynamically | 2 | -
- (Process #1) f399f4852c2b6d13cc6424cd73d55ae56c4b6be7161f06e0383a18c024f2db55.exe resolves 48 API functions by name.
- (Process #5) explorer.exe resolves 74 API functions by name.
- | Trusted | Known clean file | 2 | -
- File "C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\WR64.sys" is a known clean file.
- File "c:\users\rdhj0cnfevzx\appdata\local\microsoft\windows\actioncentercache\{ecbc0f6a-ee3b-42c1-9c00-32cc8f2eb092}.png" is a known clean file.

Reading the matches together: the sample starts a hidden explorer.exe (#5), writes a complete PE image into it at 0x140000000 and redirects one of its threads (process hollowing; see the injection table under Process #5), and the hollowed explorer.exe then behaves as a RandomX Monero miner. Its command line carries XMRig-style options (--algo="rx/0", --randomx-mode, --cpu-memory-pool, --randomx-no-rdmsr, --nicehash; the --cinit-* switches are not stock XMRig options and come from whatever wrapper built this sample), it resolves the NiceHash stratum endpoint randomxmonero.eu-west.nicehash.com and exchanges traffic with it on TCP 3380, it enables SeLockMemoryPrivilege (large pages, which RandomX miners request for their dataset), and it drops and loads WR64.sys, which it then drives through the \\.\WinRing0_1_2_0 device. The "known clean file" verdict on WR64.sys reflects the driver's own reputation (WinRing0 is a signed third-party hardware-access driver that miners use to write CPU MSRs), not the context it is loaded in; a kernel driver loaded from a user-writable path under AppData\Roaming is itself an indicator. The Backdoor classification rests solely on the TCP listener on port 49711; no inbound command traffic is recorded during the four-minute run. Processes #6 to #104 all enter monitoring at 146463-146501 ms, about nine seconds after #5 started, which means they were already running when monitoring was extended to the whole system; the "unusually large number of processes" match and the kernel-privilege match on csrss.exe come from that environment, not from anything the sample created.
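As a host-side triage of the same indicators, the following added example (not VMRay's code and not from the sample) runs a few correlation rules over records constructed from this report: the logon shell, the sample and the hollowed explorer.exe with their PIDs, the WR64.sys driver load with its device name, and the DNS lookup. The PIDs, paths, device name and host name are the report's; the record layout, the rule names and the regular expressions are assumptions, and the command line of PID 2556 is only the part the report prints (its middle is elided in the report).

```python
"""Triage rules for a hollowed explorer.exe running a RandomX miner.

Added example, not part of the VMRay report or of the sample. Records are
constructed from the report; the record layout, rule names and regexes are
assumptions made for this demonstration.
"""
import re

SAMPLE = "f399f4852c2b6d13cc6424cd73d55ae56c4b6be7161f06e0383a18c024f2db55.exe"

# Constructed from the report's process details. PID 1744 is the logon
# shell (parent unresolved), 728 the sample, 2556 the hollowed explorer.exe.
PROCESSES = [
    {"pid": 1744, "ppid": None, "image": r"c:\windows\explorer.exe",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 728, "ppid": 1744,
     "image": "c:\\users\\rdhj0cnfevzx\\desktop\\" + SAMPLE,
     "cmdline": '"C:\\Users\\RDhJ0CNFevzX\\Desktop\\' + SAMPLE + '"'},
    {"pid": 2556, "ppid": 728, "image": r"c:\windows\explorer.exe",
     "cmdline": r'C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" '
                r'--asm=auto --cpu-memory-pool=1 --randomx-mode=auto '
                r'--randomx-no-rdmsr --nicehash --cinit-stealth'},
]
# Constructed: the dropped driver and the device it is driven through.
DRIVERS = [
    {"pid": 2556,
     "path": r"C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\WR64.sys",
     "device": r"\\.\WinRing0_1_2_0"},
]
DNS = [{"pid": 2556, "query": "randomxmonero.eu-west.nicehash.com",
        "answer": "172.65.226.105"}]

# Legitimate parents of the shell. An unresolved parent is normal because
# userinit.exe exits after starting explorer.exe.
SHELL_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}
# Assumed indicator set: XMRig-style switches seen in the report.
MINER_FLAGS = re.compile(r"--(algo|randomx-[\w-]+|nicehash|cpu-memory-pool)\b", re.I)
# Assumed pool-host heuristic.
POOL_HOST = re.compile(r"(^|\.)nicehash\.com$|stratum|xmr|monero", re.I)
# Per-user profile directories that any user can write to.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(processes, drivers, dns):
    """Return (rule, pid) findings; an empty list means nothing matched."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        name = basename(p["image"])
        parent = by_pid.get(p["ppid"])
        # Rule 1: explorer.exe whose known parent is not in the logon chain.
        if name == "explorer.exe" and parent and basename(parent["image"]) not in SHELL_PARENTS:
            findings.append(("explorer_unexpected_parent", p["pid"]))
        # Rule 2: a binary under C:\Windows carrying miner-style arguments.
        if p["image"].lower().startswith("c:\\windows\\") and MINER_FLAGS.search(p["cmdline"]):
            findings.append(("miner_cmdline_in_system_binary", p["pid"]))
    for d in drivers:
        # Rule 3: kernel driver loaded from a user-writable profile directory.
        if USER_WRITABLE.search(d["path"]):
            findings.append(("driver_from_user_writable_path", d["pid"]))
        # Rule 4: the WinRing0 device, which miners use for MSR access.
        if "winring0" in d["device"].lower():
            findings.append(("winring0_device_opened", d["pid"]))
    for q in dns:
        # Rule 5: mining-pool host names.
        if POOL_HOST.search(q["query"]):
            findings.append(("mining_pool_dns", q["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in triage(PROCESSES, DRIVERS, DNS):
        print(f"{rule:<34} pid={pid}")
```

Every rule fires on PID 2556 and none on the genuine shell (PID 1744), whose parent is unresolved rather than unexpected. Rule 1 is the one worth keeping even without the miner-specific patterns: a second explorer.exe with a live, non-shell parent is abnormal on its own.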
Mitre ATT&CK Matrix
Tactic | Technique
Execution | #T1047 Windows Management Instrumentation
Defense Evasion | #T1143 Hidden Window
Defense Evasion | #T1045 Software Packing
Defense Evasion | #T1014 Rootkit
Discovery | #T1082 System Information Discovery
Discovery | #T1016 System Network Configuration Discovery
Discovery | #T1057 Process Discovery
Command and Control | #T1065 Uncommonly Used Port
No techniques are mapped for Initial Access, Persistence, Privilege Escalation, Credential Access, Lateral Movement, Collection, Exfiltration or Impact.
The matrix uses the pre-2020 ATT&CK numbering: T1143, T1045 and T1065 have since been revised into T1564.003 (Hide Artifacts: Hidden Window), T1027.002 (Obfuscated Files or Information: Software Packing) and T1571 (Non-Standard Port).
Sample Information
Analysis Information
ID #2658387
MD5 1a7ea27b8eb6ac33cb9f1e5c3b4adffa
SHA1 3b28864fa969b44cae0905f5a5f1b069f61fa89e
SHA256 f399f4852c2b6d13cc6424cd73d55ae56c4b6be7161f06e0383a18c024f2db55
SSDeep 49152:VYLO/uAcEZ9FHUjXfRZtcTYlppoTAKfRf5aCZrJc3/RGXINIWX:VY6/uAfps5ZtcclppYdfRBZraiqI
File Name f399f4852c2b6d13cc6424cd73d55ae56c4b6be7161f06e0383a18c024f2db55.exe
File Size 2082.00 KB
Sample Type Windows Exe (x86-64)
Has Macros
Creation Time 2021-08-25 15:42 (UTC+2)
Analysis Duration 00:04:00
Termination Reason Timeout
Number of Monitored Processes 100
Execution Successful False
Reputation Enabled
WHOIS Enabled
Built-in AV Enabled
Built-in AV Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of AV Matches 1
YARA Enabled
YARA Applied On Sample Files, PCAP File, Downloaded Files, Dropped Files, Modified Files, Memory Dumps, Embedded Files
Number of YARA Matches 0
NETWORK
General
652 bytes total sent
320.21 KB total received
1 port (3380)
2 contacted IP addresses
0 URLs extracted
1 file downloaded
0 malicious hosts detected
DNS
1 DNS request for 1 domain
1 nameserver contacted
0 total requests returned errors
HTTP/S
0 URLs contacted, 0 servers
0 sessions, 0 bytes sent, 0 bytes received
DNS Requests
Type | Hostname | Response Code | Resolved IPs | CNames | Verdict
A | randomxmonero.eu-west.nicehash.com | NoError | 172.65.226.105 | stratum.eu-west.nicehash.com, ff9f9e9cfc0e498baaf0db4faed2338f.pacloudflare.com | NA
BEHAVIOR
Process Graph
#1 f399f4852c2b6d13cc6424cd73d55ae56c4b6be7161f06e0383a18c024f2db55.exe (Sample Start)
#5 explorer.exe (Child Process of #1; target of Modify Memory and Modify Control Flow from #1)
#6 System (Created Daemon)
#7 services.exe (Created Daemon)
#22 smss.exe (Child Process)
#8 svchost.exe Child Process
#9 svchost.exe Child Process
#10 svchost.exe Child Process
#11 svchost.exe Child Process
#12 svchost.exe Child Process
#13 svchost.exe Child Process
#14 svchost.exe Child Process
#15 svchost.exe Child Process
#16 spoolsv.exe Child Process
#17 svchost.exe Child Process
#18 officeclicktorun.exe Child Process
#19 svchost.exe Child Process
#20 sppsvc.exe Child Process
#21 svchost.exe Child Process
#30 runtimebroker.exe Child Process
#33 skypehost.exe Child Process
#34 shellexperiencehost.exe Child Process
#35 searchui.exe Child Process
#36 dllhost.exe Child Process
#38 backgroundtaskhost.exe Child Process
#106 backgroundtaskhost.exe Child Process
#105 audiodg.exe Child Process
#23 csrss.exe Child Process
#24 wininit.exe Child Process
#25 csrss.exe Child Process
#26 winlogon.exe Child Process
#27 lsass.exe Child Process
#28 dwm.exe Child Process
#31 explorer.exe Child Process
#39 iexplore.exe Child Process
#40 character_employee.exe Child Process
#41 hang_lot_period.exe Child Process
#42 remove-phone.exe Child Process
#43 free-newspaper.exe Child Process
#44 cultural.exe Child Process
#45 pain walk.exe Child Process
#46 shake-service-ability.exe Child Process
#47 recognize.exe Child Process
#48 former_practice_walk.exe Child Process
#49 speech.exe Child Process
#50 customerlawyerstay.exe Child Process
#51 drop_great.exe Child Process
#52 level.exe Child Process
#53 culture.exe Child Process
#54 there_new_security.exe Child Process
#55 voicefailschool.exe Child Process
#56 research_option.exe Child Process
#57 they-take.exe Child Process
#58 more.exe Child Process
#59 training_consider_save.exe Child Process
#60 3dftp.exe Child Process
#61 absolutetelnet.exe Child Process
#62 alftp.exe Child Process
#63 barca.exe Child Process
#64 bitkinex.exe Child Process
#65 coreftp.exe Child Process
#66 far.exe Child Process
#67 filezilla.exe Child Process
#68 flashfxp.exe Child Process
#69 fling.exe Child Process
#70 foxmailincmail.exe Child Process
#71 gmailnotifierpro.exe Child Process
#72 icq.exe Child Process
#73 leechftp.exe Child Process
#74 ncftp.exe Child Process
#75 notepad.exe Child Process
#76 operamail.exe Child Process
#77 trillian.exe Child Process
#78 outlook.exe Child Process
#79 webdrive.exe Child Process
#80 whatsapp.exe Child Process
#81 winscp.exe Child Process
#82 yahoomessenger.exe Child Process
#83 active-charge.exe Child Process
#84 accupos.exe Child Process
#85 afr38.exe Child Process
#86 aldelo.exe Child Process
#87 ccv_server.exe Child Process
#88 centralcreditcard.exe Child Process
#89 creditservice.exe Child Process
#90 scriptftp.exe Child Process
#91 pidgin.exe Child Process
#92 smartftp.exe Child Process
#93 skype.exe Child Process
#94 edcsvr.exe Child Process
#95 fpos.exe Child Process
#96 isspos.exe Child Process
#97 mxslipstream.exe Child Process
#98 omnipos.exe Child Process
#99 spcwin.exe Child Process
#100 spgagentservice.exe Child Process
#101 utg2.exe Child Process
#102 thunderbird.exe Child Process
#103 individual-reality.exe Child Process
#104 iexplore.exe Child Process
Process #1: f399f4852c2b6d13cc6424cd73d55ae56c4b6be7161f06e0383a18c024f2db55.exe
ID 1
File Name c:\users\rdhj0cnfevzx\desktop\f399f4852c2b6d13cc6424cd73d55ae56c4b6be7161f06e0383a18c024f2db55.exe
Command Line "C:\Users\RDhJ0CNFevzX\Desktop\f399f4852c2b6d13cc6424cd73d55ae56c4b6be7161f06e0383a18c024f2db55.exe"
Initial Working Directory C:\Users\RDhJ0CNFevzX\Desktop\
Monitor Start Time 58354 (Reason: Analysis Target)
Monitor End Time 143716 (Reason: Terminated)
Monitor Duration 85.36s
Return Code 0
PID 728
Parent PID 1744
Bitness 64 Bit
Dropped Files (1)
File Name | File Size | SHA256 | YARA Match
C:\Users\RDhJ0CNFevzX\AppData\Roaming\Microsoft\Libs\WR64.sys | 14.20 KB | 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 | -
Host Behavior
Type | Count
File 27
- 3
Registry 16
Process 1
Module 55
COM 3
- 1
System 1
- 14
- 3
Process #5: explorer.exe
ID 5
File Name c:\windows\explorer.exe
Command Line C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --...
...h6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=2 --cinit-idle-cpu=90 --nicehash --cinit-stealth
(the middle of the command line is truncated in the report)
Initial Working Directory C:\Windows\
Monitor Start Time 137588 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 172.46s
Return Code Unknown
PID 2556
Parent PID 728
Bitness 64 Bit
Injection Information (14)
Source process for every row: #1: c:\users\rdhj0cnfevzx\desktop\f399f4852c2b6d13cc6424cd73d55ae56c4b6be7161f06e0383a18c024f2db55.exe
Injection Type | Source / Target TID | Address / Name | Size | Count
Modify Memory | 0x7f0 | 0x140000000 (5368709120) | 0x400 | 1
Modify Memory | 0x7f0 | 0x140001000 (5368713216) | 0x349200 | 1
Modify Memory | 0x7f0 | 0x14034b000 (5372162048) | 0x12e800 | 1
Modify Memory | 0x7f0 | 0x14047a000 (5373403136) | 0x11600 | 1
Modify Memory | 0x7f0 | 0x140730000 (5376245760) | 0x21400 | 1
Modify Memory | 0x7f0 | 0x140752000 (5376385024) | 0xe00 | 1
Modify Memory | 0x7f0 | 0x140753000 (5376389120) | 0xa00 | 1
Modify Memory | 0x7f0 | 0x140754000 (5376393216) | 0x2000 | 1
Modify Memory | 0x7f0 | 0x140756000 (5376401408) | 0x1200 | 1
Modify Memory | 0x7f0 | 0x140758000 (5376409600) | 0x200 | 1
Modify Memory | 0x7f0 | 0x140759000 (5376413696) | 0x600 | 1
Modify Memory | 0x7f0 | 0x14075a000 (5376417792) | 0x8a00 | 1
Modify Memory | 0x7f0 | 0x3d7010 (4026384) | 0x8 | 1
Modify Control Flow | 0x7f0 / 0x1388 | 0x7ffb2d21c230 (140716770705968) | - | 1
Note: the thirteen writes rebuild a complete PE image at the default x64 image base 0x140000000 (one 0x400-byte header write followed by eleven page-aligned, non-overlapping section writes); the 8-byte write at 0x3d7010 lands at offset 0x10 of a page-aligned address, which is where the 64-bit PEB keeps ImageBaseAddress; and the context change on thread 0x1388 redirects a thread of the new process. Together with the hidden-window start recorded for #5 this is the process-hollowing pattern.
Host Behavior
Type | Count
Module 122
File 8
System 457
Environment 1
User 12
- 3
Process 4690
- 6
- 1
Network Behavior
Type | Count
DNS 1
TCP 1
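The injection rows above can be classified mechanically. The following added example (not part of the VMRay report) encodes the process-hollowing pattern over a transcription of that table: a header-sized write at a 64 KiB-aligned base, page-aligned section writes above it that do not overlap, a pointer-sized write at offset 0x10 of a page (the ImageBaseAddress field of a 64-bit PEB) and a thread-context change. The event layout, the 256 MiB image span, the "at most one page" header threshold and the PEB-offset interpretation are assumptions stated in the comments; the addresses and sizes are the report's.

```python
"""Classify the cross-process writes logged for Process #5 as process hollowing.

Added example, not part of the VMRay report. REPORT_EVENTS is transcribed
from the report's Injection Information table (thread IDs dropped); the
thresholds below are assumptions about a 64-bit Windows target.
"""
from dataclasses import dataclass

PAGE = 0x1000
PTR = 8                 # pointer size in the 64-bit target
PEB_IMAGEBASE = 0x10    # offset of ImageBaseAddress in the x64 PEB
BASE_ALIGN = 0x10000    # PE image bases are 64 KiB aligned
IMAGE_SPAN = 0x10000000  # assumed upper bound on a mapped image (256 MiB)


@dataclass(frozen=True)
class Event:
    kind: str       # "write" (cross-process memory write) or "set_context"
    address: int
    size: int


REPORT_EVENTS = [
    Event("write", 0x140000000, 0x400),
    Event("write", 0x140001000, 0x349200),
    Event("write", 0x14034b000, 0x12e800),
    Event("write", 0x14047a000, 0x11600),
    Event("write", 0x140730000, 0x21400),
    Event("write", 0x140752000, 0xe00),
    Event("write", 0x140753000, 0xa00),
    Event("write", 0x140754000, 0x2000),
    Event("write", 0x140756000, 0x1200),
    Event("write", 0x140758000, 0x200),
    Event("write", 0x140759000, 0x600),
    Event("write", 0x14075a000, 0x8a00),
    Event("write", 0x3d7010, 0x8),
    Event("set_context", 0x7ffb2d21c230, 0),
]


def header_write(writes):
    """First write that looks like PE headers: 64 KiB-aligned, at most one page."""
    for w in writes:
        if w.address % BASE_ALIGN == 0 and 0 < w.size <= PAGE:
            return w
    return None


def section_writes(writes, base):
    """Page-aligned writes above the header within IMAGE_SPAN of it, if disjoint."""
    secs = sorted((w for w in writes
                   if base < w.address < base + IMAGE_SPAN and w.address % PAGE == 0),
                  key=lambda w: w.address)
    # Sections of a mapped image never overlap; reject the set if they do.
    if any(a.address + a.size > b.address for a, b in zip(secs, secs[1:])):
        return []
    return secs


def peb_patch(writes):
    """Pointer-sized write at page offset 0x10: matches PEB.ImageBaseAddress."""
    for w in writes:
        if w.size == PTR and w.address % PAGE == PEB_IMAGEBASE:
            return w.address - PEB_IMAGEBASE   # candidate PEB base
    return None


def classify(events):
    """Summarise the write pattern and give a verdict string."""
    writes = [e for e in events if e.kind == "write"]
    result = {"image_base": None, "sections": 0, "peb": None,
              "set_context": any(e.kind == "set_context" for e in events)}
    hdr = header_write(writes)
    if hdr is None:
        result["verdict"] = "no-image-write"
        return result
    secs = section_writes(writes, hdr.address)
    result.update(image_base=hdr.address, sections=len(secs), peb=peb_patch(writes))
    if secs and result["set_context"]:
        result["verdict"] = "process-hollowing"
    elif secs:
        result["verdict"] = "image-written-no-thread-redirect"
    else:
        result["verdict"] = "inconclusive"
    return result


if __name__ == "__main__":
    for key, value in classify(REPORT_EVENTS).items():
        print(f"{key:<12} {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:<12} {value}")
```

On the report's rows this yields image base 0x140000000, eleven sections, a candidate PEB at 0x3d7000 and the verdict "process-hollowing"; dropping the final context change downgrades it to an image write without a thread redirect, which is the distinction an analyst wants when a loader is killed before it finishes.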
Process #6: System
ID 6
File Name System
Command Line -
Initial Working Directory -
Monitor Start Time 146463 (Reason: Created Daemon)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.59s
Return Code Unknown
PID 4
Parent PID 18446744073709551615 (0xFFFFFFFFFFFFFFFF, parent not resolved)
Bitness 64 Bit
Process #7: services.exe
ID 7
File Name c:\windows\system32\services.exe
Command Line C:\Windows\system32\services.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time 146464 (Reason: Created Daemon)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.59s
Return Code Unknown
PID 520
Parent PID 432
Bitness 64 Bit
Process #8: svchost.exe
ID 8
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k DcomLaunch
Initial Working Directory C:\Windows\system32\
Monitor Start Time 146464 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.59s
Return Code Unknown
PID 616
Parent PID 520
Bitness 64 Bit
Process #9: svchost.exe
ID 9
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k RPCSS
Initial Working Directory C:\Windows\system32\
Monitor Start Time 146464 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.59s
Return Code Unknown
PID 648
Parent PID 520
Bitness 64 Bit
Process #10: svchost.exe
ID 10
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
Initial Working Directory C:\Windows\system32\
Monitor Start Time 146464 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.59s
Return Code Unknown
PID 876
Parent PID 520
Bitness 64 Bit
Process #11: svchost.exe
ID 11
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
Initial Working Directory C:\Windows\system32\
Monitor Start Time 146464 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.59s
Return Code Unknown
PID 900
Parent PID 520
Bitness 64 Bit
Dropped Files (10)
File Name | File Size | SHA256 | YARA Match
- | 1028.00 KB | 03f7b1b09ee995895e91e999877b32ce9054dc54bbc911d0f007a82d205901a7 | -
- | 68.00 KB | 4e339ce5cdf0f4985ea4e0b59578a4808bebee8dc671eb19d186bba617a5a43f | -
- | 1092.00 KB | 3d899e1f22cffdbab3c941fb12eea1217ad9c1d35c642ae390b418cd2f091cfb | -
- | 1092.00 KB | a4c4c7f8fbe3c90c3eae95e6241233d1014e7569ee72d969b98f93c8c9b3a4d2 | -
- | 68.00 KB | 9f8a1832bc67947c02ef57619b3004f3f9d5f0165ba8b015818017f822154320 | -
- | 68.00 KB | 5de3d02ea0e625855b8fceab5bf6884132619d0038b8a30c68a556bbe30d23a2 | -
- | 68.00 KB | d624d665b479aee248f7a2b17dd4b216254adcea88a935eb14fc41c44c07289a | -
- | 1028.00 KB | 5703a15cd52ae05dc4f60c2172a8d570ddeda2ae9c5c96155cc6027fc27448b6 | -
- | 1028.00 KB | 9e7ea415a4e3c0eea3db0ed86f1216725f29833a9502ff543f427fa0e059dcc9 | -
- | 2116.00 KB | a10036d42660eb419a73356bcfe20415af05ea9dd9278f16be06aa6873516bd3 | -
Process #12: svchost.exe
ID 12
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
Initial Working Directory C:\Windows\system32\
Monitor Start Time 146464 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.59s
Return Code Unknown
PID 916
Parent PID 520
Bitness 64 Bit
Process #13: svchost.exe
ID 13
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k LocalService
Initial Working Directory C:\Windows\system32\
Monitor Start Time 146464 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.59s
Return Code Unknown
PID 992
Parent PID 520
Bitness 64 Bit
Process #14: svchost.exe
ID 14
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
Initial Working Directory C:\Windows\system32\
Monitor Start Time 146464 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.59s
Return Code Unknown
PID 316
Parent PID 520
Bitness 64 Bit
Process #15: svchost.exe
ID 15
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k NetworkService
Initial Working Directory C:\Windows\system32\
Monitor Start Time 146464 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.59s
Return Code Unknown
PID 1116
Parent PID 520
Bitness 64 Bit
Process #16: spoolsv.exe
ID 16
File Name c:\windows\system32\spoolsv.exe
Command Line C:\Windows\System32\spoolsv.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time 146464 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.59s
Return Code Unknown
PID 1280
Parent PID 520
Bitness 64 Bit
Process #17: svchost.exe
ID 17
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe -k appmodel
Initial Working Directory C:\Windows\system32\
Monitor Start Time 146464 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.59s
Return Code Unknown
PID 1644
Parent PID 520
Bitness 64 Bit
Process #18: officeclicktorun.exe
ID 18
File Name c:\program files\common files\microsoft shared\clicktorun\officeclicktorun.exe
Command Line "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
Initial Working Directory C:\Windows\system32\
Monitor Start Time 146464 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.59s
Return Code Unknown
PID 1912
Parent PID 520
Bitness 64 Bit
Process #19: svchost.exe
ID 19
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Initial Working Directory C:\Windows\system32\
Monitor Start Time 146464 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.59s
Return Code Unknown
PID 2760
Parent PID 520
Bitness 64 Bit
Process #20: sppsvc.exe
ID 20
File Name c:\windows\system32\sppsvc.exe
Command Line C:\Windows\system32\sppsvc.exe
Initial Working Directory C:\Windows
Monitor Start Time 146464 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.59s
Return Code Unknown
PID 3780
Parent PID 520
Bitness 64 Bit
Process #21: svchost.exe
ID 21
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\System32\svchost.exe -k wsappx
Initial Working Directory C:\Windows\system32\
Monitor Start Time 146464 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.59s
Return Code Unknown
PID 748
Parent PID 520
Bitness 64 Bit
Process #22: smss.exe
ID 22
File Name c:\windows\system32\smss.exe
Command Line \SystemRoot\System32\smss.exe
Initial Working Directory C:\Windows
Monitor Start Time 146500 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.55s
Return Code Unknown
PID 300
Parent PID 4
Bitness 64 Bit
Process #23: csrss.exe
ID 23
File Name c:\windows\system32\csrss.exe
Command Line %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Initial Working Directory C:\Windows\system32\
Monitor Start Time 146500 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.55s
Return Code Unknown
PID 372
Parent PID 18446744073709551615 (0xFFFFFFFFFFFFFFFF, parent not resolved)
Bitness 64 Bit
Process #24: wininit.exe
ID 24
File Name c:\windows\system32\wininit.exe
Command Line wininit.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time 146500 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.55s
Return Code Unknown
PID 432
Parent PID 18446744073709551615 (0xFFFFFFFFFFFFFFFF, parent not resolved)
Bitness 64 Bit
Process #25: csrss.exe
ID 25
File Name c:\windows\system32\csrss.exe
Command Line %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
Initial Working Directory C:\Windows\system32\
Monitor Start Time 146500 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.55s
Return Code Unknown
PID 444
Parent PID 18446744073709551615 (0xFFFFFFFFFFFFFFFF, parent not resolved)
Bitness 64 Bit
Process #26: winlogon.exe
ID 26
File Name c:\windows\system32\winlogon.exe
Command Line winlogon.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time 146500 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.55s
Return Code Unknown
PID 496
Parent PID 18446744073709551615 (0xFFFFFFFFFFFFFFFF, parent not resolved)
Bitness 64 Bit
Process #27: lsass.exe
ID 27
File Name c:\windows\system32\lsass.exe
Command Line C:\Windows\system32\lsass.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time 146500 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.55s
Return Code Unknown
PID 528
Parent PID 432
Bitness 64 Bit
Process #28: dwm.exe
ID 28
File Name c:\windows\system32\dwm.exe
Command Line "dwm.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time 146501 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.55s
Return Code Unknown
PID 792
Parent PID 496
Bitness 64 Bit
Process #30: runtimebroker.exe
ID 30
File Name c:\windows\system32\runtimebroker.exe
Command Line C:\Windows\System32\RuntimeBroker.exe -Embedding
Initial Working Directory C:\Windows\system32\
Monitor Start Time 146501 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.55s
Return Code Unknown
PID 1584
Parent PID 616
Bitness 64 Bit
Process #31: explorer.exe
ID 31
File Name c:\windows\explorer.exe
Command Line C:\Windows\Explorer.EXE
Initial Working Directory C:\Windows\system32\
Monitor Start Time 146501 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.55s
Return Code Unknown
PID 1744
Parent PID 18446744073709551615 (0xFFFFFFFFFFFFFFFF, parent not resolved)
Bitness 64 Bit
Dropped Files (1)
File Name | File Size | SHA256 | YARA Match
- | 2.56 KB | 2d3c9cc4880e5a8d8bb583c6be6f5826de19291405734ec9e3899eaee78e431a | -
Process #33: skypehost.exe
ID 33
File Name c:\program files\windowsapps\microsoft.messaging_1.10.22012.0_x86__8wekyb3d8bbwe\skypehost.exe
Command Line "C:\Program Files\WindowsApps\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\SkypeHost.exe" -ServerName:SkypeHost.ServerServer
Initial Working Directory C:\Program Files\WindowsApps\Microsoft.Messaging_1.10.22012.0_x86__8wekyb3d8bbwe\
Monitor Start Time 146501 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.55s
Return Code Unknown
PID 2476
Parent PID 616
Bitness 32 Bit
Dropped Files (1)
File Name | File Size | SHA256 | YARA Match
- | 82.88 KB | e6168fc282a3e82d146e306d2649e959343a4801fe7e73f5d511bd82553f9879 | -
Process #34: shellexperiencehost.exe
ID 34
File Name c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
Command Line "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Initial Working Directory C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\
Monitor Start Time 146501 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.55s
Return Code Unknown
PID 2528
Parent PID 616
Bitness 64 Bit
Process #35: searchui.exe
ID 35
File Name c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe
Command Line "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
Initial Working Directory C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\
Monitor Start Time 146501 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.55s
Return Code Unknown
PID 2676
Parent PID 616
Bitness 64 Bit
Process #36: dllhost.exe
ID 36
File Name c:\windows\system32\dllhost.exe
Command Line C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
Initial Working Directory C:\Windows\system32\
Monitor Start Time 146501 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.55s
Return Code Unknown
PID 2944
Parent PID 616
Bitness 64 Bit
Dropped Files (1)
File Name | File Size | SHA256 | YARA Match
- | 10240.00 KB | d1bb2c10c190e447e638a103bc9e074b8a6fa53b7dbcf97cbefcd09bd20a0952 | -
Process #38: backgroundtaskhost.exe
ID 38
File Name c:\windows\system32\backgroundtaskhost.exe
Command Line "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXxvhvn6ehwwvd45ff6nj38q861axw5h5g.mca
Initial Working Directory C:\Program Files\WindowsApps\Microsoft.CommsPhone_1.10.15000.0_x64__8wekyb3d8bbwe\
Monitor Start Time 146501 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.55s
Return Code Unknown
PID 1800
Parent PID 616
Bitness 64 Bit
Process #39: iexplore.exe
ID 39
File Name c:\program files\internet explorer\iexplore.exe
Command Line "C:\Program Files\Internet Explorer\iexplore.exe" about:blank
Initial Working Directory C:\Windows\system32\
Monitor Start Time 146501 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.55s
Return Code Unknown
PID 3332
Parent PID 1744
Bitness 64 Bit
Process #40: character_employee.exe
ID 40
File Name c:\program files\windows defender\character_employee.exe
Command Line "C:\Program Files\Windows Defender\character_employee.exe"
Initial Working Directory C:\Program Files\Windows Defender\
Monitor Start Time 146501 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.55s
Return Code Unknown
PID 2208
Parent PID 1744
Bitness 32 Bit
Process #41: hang_lot_period.exe
ID 41
File Name c:\program files\windows journal\hang_lot_period.exe
Command Line "C:\Program Files\Windows Journal\hang_lot_period.exe"
Initial Working Directory C:\Program Files\Windows Journal\
Monitor Start Time 146501 (Reason: Child Process)
Monitor End Time 310052 (Reason: Terminated by Timeout)
Monitor Duration 163.55s
Return Code Unknown
PID 440
Parent PID 1744
Bitness 32 Bit
Process #42: remove-phone.exe
ID 42
File Name c:\program files (x86)\windows nt\remove-phone.exe Command Line "C:\Program Files (x86)\Windows NT\remove-phone.exe"
Initial Working Directory C:\Program Files (x86)\Windows NT\
Monitor Start Time Start Time: 146501, Reason: Child Process Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 3008
Parent PID 1744
Bitness 32 Bit
Process #43: free-newspaper.exe
ID 43
File Name c:\program files (x86)\windows multimedia platform\free-newspaper.exe
Command Line "C:\Program Files (x86)\Windows Multimedia Platform\free-newspaper.exe"
Initial Working Directory C:\Program Files (x86)\Windows Multimedia Platform\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 2192
Parent PID 1744
Bitness 32 Bit
Process #44: cultural.exe
ID 44
File Name c:\program files (x86)\windows multimedia platform\cultural.exe
Command Line "C:\Program Files (x86)\Windows Multimedia Platform\cultural.exe"
Initial Working Directory C:\Program Files (x86)\Windows Multimedia Platform\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 636
Parent PID 1744
Bitness 32 Bit
Process #45: pain walk.exe
ID 45
File Name c:\program files (x86)\windows multimedia platform\pain walk.exe
Command Line "C:\Program Files (x86)\Windows Multimedia Platform\pain walk.exe"
Initial Working Directory C:\Program Files (x86)\Windows Multimedia Platform\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 3012
Parent PID 1744
Bitness 32 Bit
Process #46: shake-service-ability.exe
ID 46
File Name c:\program files (x86)\windowspowershell\shake-service-ability.exe
Command Line "C:\Program Files (x86)\WindowsPowerShell\shake-service-ability.exe"
Initial Working Directory C:\Program Files (x86)\WindowsPowerShell\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 3500
Parent PID 1744
Bitness 32 Bit
Process #47: recognize.exe
ID 47
File Name c:\program files (x86)\internet explorer\recognize.exe
Command Line "C:\Program Files (x86)\Internet Explorer\recognize.exe"
Initial Working Directory C:\Program Files (x86)\Internet Explorer\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4100
Parent PID 1744
Bitness 32 Bit
Process #48: former_practice_walk.exe
ID 48
File Name c:\program files (x86)\windows nt\former_practice_walk.exe
Command Line "C:\Program Files (x86)\Windows NT\former_practice_walk.exe"
Initial Working Directory C:\Program Files (x86)\Windows NT\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4108
Parent PID 1744
Bitness 32 Bit
Process #49: speech.exe
ID 49
File Name c:\program files (x86)\reference assemblies\speech.exe
Command Line "C:\Program Files (x86)\Reference Assemblies\speech.exe"
Initial Working Directory C:\Program Files (x86)\Reference Assemblies\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4116
Parent PID 1744
Bitness 32 Bit
Process #50: customerlawyerstay.exe
ID 50
File Name c:\program files (x86)\windows defender\customerlawyerstay.exe
Command Line "C:\Program Files (x86)\Windows Defender\customerlawyerstay.exe"
Initial Working Directory C:\Program Files (x86)\Windows Defender\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4152
Parent PID 1744
Bitness 32 Bit
Process #51: drop_great.exe
ID 51
File Name c:\program files\windows media player\drop_great.exe
Command Line "C:\Program Files\Windows Media Player\drop_great.exe"
Initial Working Directory C:\Program Files\Windows Media Player\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4160
Parent PID 1744
Bitness 32 Bit
Process #52: level.exe
ID 52
File Name c:\program files\windows media player\level.exe
Command Line "C:\Program Files\Windows Media Player\level.exe"
Initial Working Directory C:\Program Files\Windows Media Player\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4176
Parent PID 1744
Bitness 32 Bit
Process #53: culture.exe
ID 53
File Name c:\program files\windows media player\culture.exe
Command Line "C:\Program Files\Windows Media Player\culture.exe"
Initial Working Directory C:\Program Files\Windows Media Player\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4184
Parent PID 1744
Bitness 32 Bit
Process #54: there_new_security.exe
ID 54
File Name c:\program files (x86)\windows mail\there_new_security.exe
Command Line "C:\Program Files (x86)\Windows Mail\there_new_security.exe"
Initial Working Directory C:\Program Files (x86)\Windows Mail\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4196
Parent PID 1744
Bitness 32 Bit
Process #55: voicefailschool.exe
ID 55
File Name c:\program files (x86)\common files\voicefailschool.exe
Command Line "C:\Program Files (x86)\Common Files\voicefailschool.exe"
Initial Working Directory C:\Program Files (x86)\Common Files\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4204
Parent PID 1744
Bitness 32 Bit
Process #56: research_option.exe
ID 56
File Name c:\program files (x86)\windows defender\research_option.exe
Command Line "C:\Program Files (x86)\Windows Defender\research_option.exe"
Initial Working Directory C:\Program Files (x86)\Windows Defender\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4216
Parent PID 1744
Bitness 32 Bit
Process #57: they-take.exe
ID 57
File Name c:\program files (x86)\internet explorer\they-take.exe
Command Line "C:\Program Files (x86)\Internet Explorer\they-take.exe"
Initial Working Directory C:\Program Files (x86)\Internet Explorer\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4240
Parent PID 1744
Bitness 32 Bit
Process #58: more.exe
ID 58
File Name c:\program files (x86)\windows portable devices\more.exe
Command Line "C:\Program Files (x86)\Windows Portable Devices\more.exe"
Initial Working Directory C:\Program Files (x86)\Windows Portable Devices\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4248
Parent PID 1744
Bitness 32 Bit
Process #59: training_consider_save.exe
ID 59
File Name c:\program files\msbuild\training_consider_save.exe
Command Line "C:\Program Files\MSBuild\training_consider_save.exe"
Initial Working Directory C:\Program Files\MSBuild\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4256
Parent PID 1744
Bitness 32 Bit
Process #60: 3dftp.exe
ID 60
File Name c:\program files\reference assemblies\3dftp.exe
Command Line "C:\Program Files\Reference Assemblies\3dftp.exe"
Initial Working Directory C:\Program Files\Reference Assemblies\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4280
Parent PID 1744
Bitness 32 Bit
Process #61: absolutetelnet.exe
ID 61
File Name c:\program files\windowspowershell\absolutetelnet.exe
Command Line "C:\Program Files\WindowsPowerShell\absolutetelnet.exe"
Initial Working Directory C:\Program Files\WindowsPowerShell\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4288
Parent PID 1744
Bitness 32 Bit
Process #62: alftp.exe
ID 62
File Name c:\program files\windows journal\alftp.exe
Command Line "C:\Program Files\Windows Journal\alftp.exe"
Initial Working Directory C:\Program Files\Windows Journal\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4308
Parent PID 1744
Bitness 32 Bit
Process #63: barca.exe
ID 63
File Name c:\program files (x86)\windows mail\barca.exe
Command Line "C:\Program Files (x86)\Windows Mail\barca.exe"
Initial Working Directory C:\Program Files (x86)\Windows Mail\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4316
Parent PID 1744
Bitness 32 Bit
Process #64: bitkinex.exe
ID 64
File Name c:\program files\internet explorer\bitkinex.exe
Command Line "C:\Program Files\Internet Explorer\bitkinex.exe"
Initial Working Directory C:\Program Files\Internet Explorer\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4328
Parent PID 1744
Bitness 32 Bit
Process #65: coreftp.exe
ID 65
File Name c:\program files\uninstall information\coreftp.exe
Command Line "C:\Program Files\Uninstall Information\coreftp.exe"
Initial Working Directory C:\Program Files\Uninstall Information\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4336
Parent PID 1744
Bitness 32 Bit
Process #66: far.exe
ID 66
File Name c:\program files\uninstall information\far.exe
Command Line "C:\Program Files\Uninstall Information\far.exe"
Initial Working Directory C:\Program Files\Uninstall Information\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4356
Parent PID 1744
Bitness 32 Bit
Process #67: filezilla.exe
ID 67
File Name c:\program files (x86)\internet explorer\filezilla.exe
Command Line "C:\Program Files (x86)\Internet Explorer\filezilla.exe"
Initial Working Directory C:\Program Files (x86)\Internet Explorer\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4368
Parent PID 1744
Bitness 32 Bit
Process #68: flashfxp.exe
ID 68
File Name c:\program files\windows mail\flashfxp.exe
Command Line "C:\Program Files\Windows Mail\flashfxp.exe"
Initial Working Directory C:\Program Files\Windows Mail\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4376
Parent PID 1744
Bitness 32 Bit
Process #69: fling.exe
ID 69
File Name c:\program files (x86)\common files\fling.exe
Command Line "C:\Program Files (x86)\Common Files\fling.exe"
Initial Working Directory C:\Program Files (x86)\Common Files\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4396
Parent PID 1744
Bitness 32 Bit
Process #70: foxmailincmail.exe
ID 70
File Name c:\program files\windows defender\foxmailincmail.exe
Command Line "C:\Program Files\Windows Defender\foxmailincmail.exe"
Initial Working Directory C:\Program Files\Windows Defender\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4404
Parent PID 1744
Bitness 32 Bit
Process #71: gmailnotifierpro.exe
ID 71
File Name c:\program files\windows mail\gmailnotifierpro.exe
Command Line "C:\Program Files\Windows Mail\gmailnotifierpro.exe"
Initial Working Directory C:\Program Files\Windows Mail\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4416
Parent PID 1744
Bitness 32 Bit
Process #72: icq.exe
ID 72
File Name c:\program files\windows portable devices\icq.exe
Command Line "C:\Program Files\Windows Portable Devices\icq.exe"
Initial Working Directory C:\Program Files\Windows Portable Devices\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4428
Parent PID 1744
Bitness 32 Bit
Process #73: leechftp.exe
ID 73
File Name c:\program files\msbuild\leechftp.exe
Command Line "C:\Program Files\MSBuild\leechftp.exe"
Initial Working Directory C:\Program Files\MSBuild\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4440
Parent PID 1744
Bitness 32 Bit
Process #74: ncftp.exe
ID 74
File Name c:\program files (x86)\internet explorer\ncftp.exe
Command Line "C:\Program Files (x86)\Internet Explorer\ncftp.exe"
Initial Working Directory C:\Program Files (x86)\Internet Explorer\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4460
Parent PID 1744
Bitness 32 Bit
Process #75: notepad.exe
ID 75
File Name c:\program files\microsoft office 15\notepad.exe
Command Line "C:\Program Files\Microsoft Office 15\notepad.exe"
Initial Working Directory C:\Program Files\Microsoft Office 15\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4472
Parent PID 1744
Bitness 32 Bit
Process #76: operamail.exe
ID 76
File Name c:\program files (x86)\reference assemblies\operamail.exe
Command Line "C:\Program Files (x86)\Reference Assemblies\operamail.exe"
Initial Working Directory C:\Program Files (x86)\Reference Assemblies\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4484
Parent PID 1744
Bitness 32 Bit
Process #77: trillian.exe
ID 77
File Name c:\program files\windows mail\trillian.exe
Command Line "C:\Program Files\Windows Mail\trillian.exe"
Initial Working Directory C:\Program Files\Windows Mail\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4496
Parent PID 1744
Bitness 32 Bit
Process #78: outlook.exe
ID 78
File Name c:\program files\microsoft office 15\outlook.exe
Command Line "C:\Program Files\Microsoft Office 15\outlook.exe"
Initial Working Directory C:\Program Files\Microsoft Office 15\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4504
Parent PID 1744
Bitness 32 Bit
Process #79: webdrive.exe
ID 79
File Name c:\program files (x86)\windows defender\webdrive.exe
Command Line "C:\Program Files (x86)\Windows Defender\webdrive.exe"
Initial Working Directory C:\Program Files (x86)\Windows Defender\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4512
Parent PID 1744
Bitness 32 Bit
Process #80: whatsapp.exe
ID 80
File Name c:\program files\reference assemblies\whatsapp.exe
Command Line "C:\Program Files\Reference Assemblies\whatsapp.exe"
Initial Working Directory C:\Program Files\Reference Assemblies\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4520
Parent PID 1744
Bitness 32 Bit
Process #81: winscp.exe
ID 81
File Name c:\program files (x86)\windows mail\winscp.exe
Command Line "C:\Program Files (x86)\Windows Mail\winscp.exe"
Initial Working Directory C:\Program Files (x86)\Windows Mail\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4528
Parent PID 1744
Bitness 32 Bit
Process #82: yahoomessenger.exe
ID 82
File Name c:\program files (x86)\reference assemblies\yahoomessenger.exe
Command Line "C:\Program Files (x86)\Reference Assemblies\yahoomessenger.exe"
Initial Working Directory C:\Program Files (x86)\Reference Assemblies\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4536
Parent PID 1744
Bitness 32 Bit
Process #83: active-charge.exe
ID 83
File Name c:\program files\internet explorer\active-charge.exe
Command Line "C:\Program Files\Internet Explorer\active-charge.exe"
Initial Working Directory C:\Program Files\Internet Explorer\
Monitor Start Time Start Time: 146501, Reason: Child Process
Unmonitor End Time End Time: 310052, Reason: Terminated by Timeout
Monitor duration 163.55s
Return Code Unknown
PID 4544
Parent PID 1744
Bitness 32 Bit