IOC Report

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| Orden de Compra -SA765443,pdf.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious |
| C:\Users\user\AppData\Local\Temp\tmp62E7.tmp | XML 1.0 document, ASCII text, with CRLF line terminators | dropped | malicious |
| C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat | data | dropped | malicious |
| C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Orden de Compra -SA765443,pdf.exe.log | ASCII text, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat | data | dropped | clean |
| C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat | ASCII text, with no line terminators | dropped | clean |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe | "C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe" | malicious |
| C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe | C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe | malicious |
| C:\Windows\SysWOW64\schtasks.exe | "schtasks.exe" /create /f /tn "DHCP Monitor" /xml "C:\Users\user\AppData\Local\Temp\tmp62E7.tmp" | malicious |
| C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe | "C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe" 0 | malicious |
| C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe | C:\Users\user\Desktop\Orden de Compra -SA765443,pdf.exe | malicious |
| C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | clean |

URLs

| Name | IP | Malicious |
|---|---|---|
| wealthgod1234.ddns.net | | malicious |
| 127.0.0.1 | | malicious |
| http://www.apache.org/licenses/LICENSE-2.0 | unknown | clean |
| http://www.fontbureau.com | unknown | clean |
| http://www.fontbureau.com/designersG | unknown | clean |
| http://www.fontbureau.com/designers/? | unknown | clean |
| http://www.founder.com.cn/cn/bThe | unknown | clean |
| http://www.fontbureau.com/designers? | unknown | clean |
| http://www.tiro.com | unknown | clean |
| http://www.fontbureau.com/designers | unknown | clean |
| http://www.goodfont.co.kr | unknown | clean |
| http://www.carterandcone.coml | unknown | clean |
| http://www.sajatypeworks.com | unknown | clean |
| http://www.typography.netD | unknown | clean |
| http://www.fontbureau.com/designers/cabarga.htmlN | unknown | clean |
| http://www.founder.com.cn/cn/cThe | unknown | clean |
| http://www.galapagosdesign.com/staff/dennis.htm | unknown | clean |
| http://fontfabrik.com | unknown | clean |
| http://www.founder.com.cn/cn | unknown | clean |
| http://www.fontbureau.com/designers/frere-jones.html | unknown | clean |
| http://www.jiyu-kobo.co.jp/ | unknown | clean |
| http://www.galapagosdesign.com/DPlease | unknown | clean |
| http://www.fontbureau.com/designers8 | unknown | clean |
| http://www.fonts.com | unknown | clean |
| http://www.sandoll.co.kr | unknown | clean |
| http://www.urwpp.deDPlease | unknown | clean |
| http://www.zhongyicts.com.cn | unknown | clean |
| http://www.chinhdo.com | unknown | clean |
| http://www.sakkal.com | unknown | clean |

Domains

| Name | IP | Malicious |
|---|---|---|
| wealthgod1234.ddns.net | 185.140.53.12 | malicious |

IPs

| IP | Domain | Country | Malicious |
|---|---|---|---|
| 185.140.53.12 | wealthgod1234.ddns.net | Sweden | malicious |

Memdumps

| Base Address | Region Type | Protect | Malicious |
|---|---|---|---|
| 3001000 | unknown | page read and write | malicious |
| 2CA1000 | unknown | page read and write | malicious |
| 4239000 | unknown | page read and write | malicious |
| 402000 | unknown | page execute and read and write | malicious |
| 66B0000 | unknown image | page read and write | malicious |
| 402000 | unknown | page execute and read and write | malicious |
| 402000 | unknown | page execute and read and write | malicious |
| 4209000 | unknown | page read and write | malicious |
| 402000 | unknown | page execute and read and write | malicious |
| 402000 | unknown | page execute and read and write | malicious |
| 3CA9000 | unknown | page read and write | malicious |
| 402000 | unknown | page execute and read and write | malicious |
| 402000 | unknown | page execute and read and write | malicious |
| 404D000 | unknown | page read and write | malicious |
| 3231000 | unknown | page read and write | malicious |
| 2CDE000 | unknown | page read and write | malicious |
| 3201000 | unknown | page read and write | malicious |