IOC Report
rDetallesdenuev.exe

Files

| File Path | Type | Category | Malicious |
| rDetallesdenuev.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious |
| C:\Users\user\AppData\Roaming\Nlbdjgdctg.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Roaming\Nlbdjgdctg.exe:Zone.Identifier | ASCII text, with CRLF line terminators | modified | malicious |

Processes

| Path | Cmdline | Malicious |
| C:\Users\user\Desktop\rDetallesdenuev.exe | "C:\Users\user\Desktop\rDetallesdenuev.exe" | malicious |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c ipconfig /release | malicious |
| C:\Windows\SysWOW64\ipconfig.exe | ipconfig /release | malicious |
| C:\Users\user\Desktop\rDetallesdenuev.exe | "C:\Users\user\Desktop\rDetallesdenuev.exe" | malicious |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c ipconfig /renew | malicious |
| C:\Users\user\AppData\Roaming\Nlbdjgdctg.exe | "C:\Users\user\AppData\Roaming\Nlbdjgdctg.exe" | malicious |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c ipconfig /release | malicious |
| C:\Windows\SysWOW64\ipconfig.exe | ipconfig /release | malicious |
| C:\Users\user\AppData\Roaming\Nlbdjgdctg.exe | "C:\Users\user\AppData\Roaming\Nlbdjgdctg.exe" | malicious |
| C:\Users\user\AppData\Roaming\Nlbdjgdctg.exe | "C:\Users\user\AppData\Roaming\Nlbdjgdctg.exe" | malicious |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c ipconfig /renew | malicious |
| C:\Windows\SysWOW64\ipconfig.exe | ipconfig /renew | malicious |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
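The process table above shows the PE32 .NET sample launching cmd.exe with `ipconfig /release` and later `ipconfig /renew`, first from the Desktop copy and again from the copy dropped into AppData\Roaming. The cmd.exe image path is under SysWOW64 although the command line names System32: that is WOW64 file-system redirection, which tells you the parent is a 32-bit process. What follows is an added example, not part of the sandbox report: detection logic run over constructed Sysmon-style process-creation events that mirror the table. The pids, the event field names and the benign explorer.exe chain are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # image path as loaded (after WOW64 file-system redirection)
    cmdline: str  # command line exactly as the parent supplied it


# Constructed events mirroring the report's process table (pids are assumptions),
# plus one benign chain: a user running ipconfig from an interactive cmd.exe.
EVENTS = [
    ProcEvent(1000, 1, r"C:\Users\user\Desktop\rDetallesdenuev.exe",
              r'"C:\Users\user\Desktop\rDetallesdenuev.exe"'),
    ProcEvent(1001, 1000, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ipconfig /release'),
    ProcEvent(1002, 1001, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /release"),
    ProcEvent(1003, 1001, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(1004, 1000, r"C:\Users\user\AppData\Roaming\Nlbdjgdctg.exe",
              r'"C:\Users\user\AppData\Roaming\Nlbdjgdctg.exe"'),
    ProcEvent(1005, 1004, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ipconfig /renew'),
    ProcEvent(1006, 1005, r"C:\Windows\SysWOW64\ipconfig.exe", "ipconfig /renew"),
    ProcEvent(2000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2001, 2000, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe"'),
    ProcEvent(2002, 2001, r"C:\Windows\System32\ipconfig.exe", "ipconfig /renew"),
]

USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
ROAMING = re.compile(r"\\appdata\\roaming\\", re.I)
IPCONFIG_RESET = re.compile(r"\bipconfig\s+/(release|renew)\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def index(events):
    return {e.pid: e for e in events}


def ancestry(by_pid, pid):
    """Image names from the process up to the oldest ancestor present in the events."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def wow64_redirected(e):
    """Command line names System32 but the image loaded from SysWOW64: the parent
    is a 32-bit process, which is exactly what the report's cmd.exe rows show."""
    return "\\syswow64\\" in e.image.lower() and "\\system32\\" in e.cmdline.lower()


def detect(events):
    by_pid = index(events)
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        # Rule 1: a process running from a user profile releases/renews the DHCP lease via cmd.exe.
        if (basename(e.image) == "cmd.exe" and IPCONFIG_RESET.search(e.cmdline)
                and USER_PROFILE.search(parent.image)):
            findings.append({"rule": "ipconfig_reset_from_user_profile", "pid": e.pid,
                             "chain": ancestry(by_pid, e.pid), "wow64": wow64_redirected(e)})
        # Rule 2: a user-profile process launches an executable placed in AppData\Roaming.
        if ROAMING.search(e.image) and USER_PROFILE.search(parent.image):
            findings.append({"rule": "roaming_drop_execute", "pid": e.pid,
                             "chain": ancestry(by_pid, e.pid), "wow64": wow64_redirected(e)})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["rule"], f["pid"], " <- ".join(f["chain"]), "wow64" if f["wow64"] else "")
```

Rule 1 keys on the parent's location rather than on ipconfig alone, so the interactive explorer.exe > cmd.exe > ipconfig chain in the sample events stays silent; the same logic translates directly into a Sysmon Event ID 1 query on ParentImage and CommandLine.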

URLs

| Name | IP | Malicious |
| http://afanew.cl/Qjeawwzlrxu.wav | 138.255.101.194 | malicious |
| https://github.com/mgravell/protobuf-neti | unknown | |
| https://stackoverflow.com/q/14436606/23354 | unknown | |
| https://account.dyn.com/ | unknown | |
| https://github.com/mgravell/protobuf-netJ | unknown | |
| http://x1.c.lencr.org/0 | unknown | |
| http://x1.i.lencr.org/0 | unknown | |
| https://stackoverflow.com/q/11564914/23354; | unknown | |
| https://stackoverflow.com/q/2152978/23354 | unknown | |
| http://afanew.cld | unknown | |
| http://ip-api.com | unknown | |
| http://r3.o.lencr.org0 | unknown | |
| https://github.com/mgravell/protobuf-net | unknown | |
| http://mail.100demoras.pt | unknown | |
| http://afanew.cl | unknown | |
| http://100demoras.pt | unknown | |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | unknown | |
| http://r3.i.lencr.org/0) | unknown | |
| http://ip-api.com/line/?fields=hosting | 208.95.112.1 | |

Domains

| Name | IP | Malicious |
| ip-api.com | 208.95.112.1 | malicious |
| afanew.cl | 138.255.101.194 | malicious |
| 100demoras.pt | 188.40.116.241 | malicious |
| mail.100demoras.pt | unknown | malicious |
| 206.23.85.13.in-addr.arpa | unknown | |

IPs

| IP | Domain | Country | Malicious |
| 208.95.112.1 | ip-api.com | United States | malicious |
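The URL, domain and IP tables mix real contacts (afanew.cl, 100demoras.pt, ip-api.com) with strings pulled from the binary: the lencr.org entries are Let's Encrypt CA and OCSP URLs from an embedded certificate chain, and the github.com/mgravell/protobuf-net and stackoverflow.com links are from the protobuf-net library the .NET sample carries, while rows such as `afanew.cld`, `protobuf-neti` and `r3.o.lencr.org0` are the same strings with adjacent bytes glued on. The `ip-api.com/line/?fields=hosting` request deserves its own tag: ip-api's `hosting` field reports whether the caller's IP belongs to a hosting or data-center range, which is how a sample decides whether it is running in a sandbox. The following is an added example, not part of the sandbox report: it turns the tables into a matcher, drops the library and certificate noise, and runs over constructed DNS and proxy log lines. The log formats, the client addresses and the allowlist are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the report's tables. Rows that are strings-extraction residue
# ("afanew.cld", "protobuf-neti", "r3.o.lencr.org0", ...) are left out here.
REPORT_URLS = [
    "http://afanew.cl/Qjeawwzlrxu.wav",
    "https://github.com/mgravell/protobuf-net",
    "https://stackoverflow.com/q/14436606/23354",
    "https://account.dyn.com/",
    "http://x1.c.lencr.org/0",
    "http://ip-api.com/line/?fields=hosting",
    "http://mail.100demoras.pt",
    "http://100demoras.pt",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
]
REPORT_DOMAINS = {"ip-api.com", "afanew.cl", "100demoras.pt", "mail.100demoras.pt"}
REPORT_IPS = {"208.95.112.1", "138.255.101.194", "188.40.116.241"}

# Analyst allowlist (assumption): Let's Encrypt CA/OCSP URLs and protobuf-net project
# links are embedded in any binary carrying that library and certificate chain; the
# sample did not contact them and matching on them would only generate noise.
ALLOW_SUFFIXES = ("lencr.org", "github.com", "stackoverflow.com", "schemas.xmlsoap.org")

# Constructed log lines (not sandbox output): "<ts> <client> query <type> <name>" and
# "<ts> <client> <method> <target> <status>".
DNS_LOG = """\
2024-05-02T10:14:03Z 10.0.0.25 query A ip-api.com
2024-05-02T10:14:04Z 10.0.0.25 query A afanew.cl
2024-05-02T10:14:05Z 10.0.0.25 query A ocsp.digicert.com
2024-05-02T10:14:06Z 10.0.0.31 query A r3.o.lencr.org
"""
PROXY_LOG = """\
2024-05-02T10:14:04Z 10.0.0.25 GET http://ip-api.com/line/?fields=hosting 200
2024-05-02T10:14:05Z 10.0.0.25 GET http://afanew.cl/Qjeawwzlrxu.wav 200
2024-05-02T10:14:09Z 10.0.0.31 GET https://github.com/mgravell/protobuf-net 200
2024-05-02T10:14:12Z 10.0.0.42 CONNECT 138.255.101.194:443 200
"""

DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query \S+ (?P<qname>\S+)$")
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<target>\S+) (?P<status>\d+)$")


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def build_indicators():
    """Hostnames and IPs worth alerting on, after dropping the allowlisted library strings."""
    hosts = set(REPORT_DOMAINS) | {host_of(u) for u in REPORT_URLS}
    hosts = {h for h in hosts if h and not h.endswith(ALLOW_SUFFIXES)}
    return hosts, {ipaddress.ip_address(ip) for ip in REPORT_IPS}


def classify(target):
    """Tag the ip-api 'hosting' lookup separately: it asks whether the client's IP is in a
    hosting or data-center range, i.e. the sample probing for a sandbox or VPS."""
    return "hosting-check" if host_of(target) == "ip-api.com" and "fields=hosting" in target else "ioc"


def match_logs(dns_log, proxy_log):
    hosts, ips = build_indicators()
    hits = []
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if m and m["qname"].lower().rstrip(".") in hosts:
            hits.append({"log": "dns", "src": m["src"], "indicator": m["qname"], "note": "ioc"})
    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        target = m["target"]
        # CONNECT targets are host:port; everything else is a URL.
        host = target.rsplit(":", 1)[0].lower() if m["method"] == "CONNECT" else host_of(target)
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
        if host in hosts or ip in ips:
            hits.append({"log": "proxy", "src": m["src"], "indicator": target, "note": classify(target)})
    return hits


if __name__ == "__main__":
    for h in match_logs(DNS_LOG, PROXY_LOG):
        print(h["log"], h["src"], h["indicator"], h["note"])
```

The allowlist is applied when the indicator set is built rather than at match time, so the lencr.org and github.com lines in the sample logs never reach the matcher; the direct CONNECT to 138.255.101.194 is still caught through the IP set because the report ties that address to afanew.cl.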