IOC Report
r14836901-5B4A-.exe


Files

File Path
Type
Category
Malicious
r14836901-5B4A-.exe
PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
initial sample
malicious
C:\Users\user\AppData\Local\Temp\nsv4882.tmp\BgImage.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
dropped
C:\Users\user\AppData\Local\Temp\nsv4882.tmp\System.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
dropped
C:\Users\user\AppData\Local\Temp\nsv4882.tmp\nsExec.dll
PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
dropped
C:\Users\user\AppData\Local\heraldisk\frimanden\forbytningernes\Fdselsoverskuds.Nsk
ASCII text, with very long lines (65536), with no line terminators
dropped
C:\Users\user\AppData\Local\heraldisk\frimanden\forbytningernes\Foredragsrejsen\forudst.vir
data
dropped
C:\Users\user\AppData\Local\heraldisk\frimanden\forbytningernes\Foredragsrejsen\illustrated.fin
MacBinary, inited, changed, busy, bozo, system, invisible, locked, comment length 2304, more flags 0x6a, total length 1166475264, Sat Apr 28 09:23:19 2040 INVALID date, modified Mon Feb 6 13:53:20 2040, creator ' ', type '\317', 569830400 bytes "\177^" , at 0x21f6ec80 8978537 bytes resource
dropped
C:\Users\user\AppData\Local\heraldisk\frimanden\forbytningernes\Foredragsrejsen\jenspecialist.nib
TeX font metric data
dropped
C:\Users\user\AppData\Local\heraldisk\frimanden\forbytningernes\Gratefullies\smashment.ska
data
dropped
C:\Users\user\AppData\Local\heraldisk\frimanden\forbytningernes\Gratefullies\throb.bar
data
dropped
C:\Users\user\AppData\Local\heraldisk\frimanden\forbytningernes\Ichthyodian.eta
data
dropped
C:\Users\user\AppData\Local\heraldisk\frimanden\forbytningernes\Seventieth\trichosis.kni
data
dropped
C:\Users\user\AppData\Local\heraldisk\frimanden\forbytningernes\Seventieth\ujordiskes.ric
data
dropped
C:\Users\user\AppData\Local\heraldisk\frimanden\forbytningernes\Skreddenes.deo
data
dropped
C:\Users\user\AppData\Local\heraldisk\frimanden\forbytningernes\Varige.Cra
data
dropped
C:\Users\user\AppData\Local\heraldisk\frimanden\forbytningernes\benedikts.raa
data
dropped
C:\Users\user\AppData\Local\heraldisk\frimanden\forbytningernes\entermete.cis
data
dropped
C:\Users\user\AppData\Local\heraldisk\frimanden\forbytningernes\katalyseret.for
data
dropped
C:\Users\user\AppData\Local\heraldisk\frimanden\forbytningernes\kiangs.psy
data
dropped
C:\Users\user\AppData\Local\heraldisk\frimanden\forbytningernes\margaric.sil
data
dropped
C:\Users\user\AppData\Local\heraldisk\frimanden\forbytningernes\skedehindes.bag
data
dropped
C:\Users\user\AppData\Local\heraldisk\frimanden\forbytningernes\skifer.txt
ASCII text, with CRLF line terminators
dropped
C:\Users\user\Music\legationens.lnk
MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
dropped

Processes

Path
Cmdline
Malicious
C:\Users\user\Desktop\r14836901-5B4A-.exe
"C:\Users\user\Desktop\r14836901-5B4A-.exe"
malicious
C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x53^38"
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
malicious
C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x55^38"
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
malicious
C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x43^38"
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
malicious
C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x54^38"
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
malicious
C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x15^38"
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
malicious
C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x14^38"
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
malicious
C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
malicious
C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x1C^38"
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
malicious
C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x75^38"
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
malicious
C:\Windows\SysWOW64\cmd.exe
cmd /c set /a "0x4E^38"
malicious