IOC Report
cDouNOFXle.exe

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| cDouNOFXle.exe | PE32 executable (GUI) Intel 80386, for MS Windows | initial sample | malicious |
| C:\Recovery\ShellExperienceHost.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Recovery\conhost.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Recovery\explorer.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Recovery\winlogon.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\comproviderRuntimecommon\RuntimeBroker.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\comproviderRuntimecommon\backgroundTaskHost.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\comproviderRuntimecommon\chainsavesref.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\comproviderRuntimecommon\et1pu6VAlkUOY7GuC90A.vbe | data | dropped | malicious |
| C:\Recovery\088424020bedd6 | ASCII text, with very long lines, with no line terminators | dropped | |
| C:\Recovery\7a0fd90576e088 | ASCII text, with very long lines, with no line terminators | dropped | |
| C:\Recovery\cc11b995f2a76d | ASCII text, with very long lines, with no line terminators | dropped | |
| C:\Recovery\f8c8f1285d826b | ASCII text, with very long lines, with no line terminators | dropped | |
| C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\MrsUvRPGeImAhc.exe.log | ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chainsavesref.exe.log | ASCII text, with CRLF line terminators | dropped | |
| C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log | ASCII text, with CRLF line terminators | dropped | |
| C:\Windows\Help\mui\0409\5f7cc7e87d7637 | ASCII text, with no line terminators | dropped | |
| C:\Windows\Web\Screen\5f7cc7e87d7637 | ASCII text, with very long lines, with no line terminators | dropped | |
| C:\comproviderRuntimecommon\9e8d7a4ca61bd9 | ASCII text, with very long lines, with no line terminators | dropped | |
| C:\comproviderRuntimecommon\DLLiR59GMmL352HHbgfc.bat | ASCII text, with no line terminators | dropped | |
| C:\comproviderRuntimecommon\eddb19405b7ce1 | ASCII text, with very long lines, with no line terminators | dropped | |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\cDouNOFXle.exe | "C:\Users\user\Desktop\cDouNOFXle.exe" | malicious |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | malicious |
| C:\comproviderRuntimecommon\chainsavesref.exe | C:\comproviderRuntimecommon\chainsavesref.exe | malicious |
| C:\Windows\System32\schtasks.exe | schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\conhost.exe'" /f | malicious |
| C:\Windows\System32\schtasks.exe | schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f | malicious |
| C:\Windows\System32\schtasks.exe | schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f | malicious |
| C:\Windows\System32\schtasks.exe | schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /f | malicious |
| C:\Windows\System32\schtasks.exe | schtasks.exe /create /tn "MrsUvRPGeImAhc" /sc ONLOGON /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f | malicious |
| C:\Windows\System32\schtasks.exe | schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f | malicious |
| C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe | C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe | malicious |
| C:\Windows\System32\schtasks.exe | schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /f | malicious |
| C:\Windows\System32\schtasks.exe | schtasks.exe /create /tn "MrsUvRPGeImAhc" /sc ONLOGON /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f | malicious |
| C:\Windows\System32\schtasks.exe | schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f | malicious |
| C:\Windows\System32\schtasks.exe | schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\winlogon.exe'" /f | malicious |
| C:\Windows\System32\schtasks.exe | schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f | malicious |
| C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | malicious |