IOC Report
inquiry.pdf.exe


Files

File Path | Type | Category | Malicious
inquiry.pdf.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | initial sample | malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\inquiry.pdf.exe.log | ASCII text, with CRLF line terminators | dropped | malicious
C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious
C:\Users\user\AppData\Roaming\glonkjhg.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious
C:\Users\user\AppData\Roaming\glonkjhg.exe:Zone.Identifier | ASCII text, with CRLF line terminators | modified | malicious
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jhFFFffkl.exe.log | ASCII text, with CRLF line terminators | dropped |
C:\Users\user\AppData\Local\Temp\jhFFFffkl.txt | ASCII text, with CRLF line terminators | dropped |
\Device\Null | ASCII text, with CRLF line terminators | dropped |

Processes

Path | Cmdline | Malicious
C:\Users\user\Desktop\inquiry.pdf.exe | C:\Users\user\Desktop\inquiry.pdf.exe | malicious
C:\Windows\SysWOW64\cmd.exe | cmd" /c ping 127.0.0.1 -n 7 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe, | malicious
C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 7 | malicious
C:\Windows\SysWOW64\cmd.exe | cmd" /c ping 127.0.0.1 -n 12 > nul && copy "C:\Users\user\Desktop\inquiry.pdf.exe" "C:\Users\user\AppData\Roaming\glonkjhg.exe" && ping 127.0.0.1 -n 12 > nul && "C:\Users\user\AppData\Roaming\glonkjhg.exe | malicious
C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 12 | malicious
C:\Windows\SysWOW64\reg.exe | REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\user\AppData\Roaming\glonkjhg.exe," | malicious
C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 12 | malicious
C:\Users\user\AppData\Roaming\glonkjhg.exe | C:\Users\user\AppData\Roaming\glonkjhg.exe | malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | malicious
C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe | "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe" | malicious
C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe | "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe" | malicious
C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe | "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe" | malicious
C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe | "C:\Users\user\AppData\Local\Temp\jhFFFffkl.exe" | malicious
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
C:\Windows\System32\conhost.exe | C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |

URLs

Name
IP
Malicious
hannoyputa.giize.com
malicious
http://www.fontbureau.com/designersG
unknown
http://www.founder.com.cn/cnQ
unknown
http://www.fontbureau.com/designers/?
unknown
http://www.carterandcone.comize
unknown
http://www.founder.com.cn/cn/bThe
unknown
http://www.fontbureau.com/designers?
unknown
http://www.founder.com.cn/cnT
unknown
http://www.tiro.com
unknown
http://www.fontbureau.com/designers
unknown
http://www.fontbureau.com/designersZ
unknown
http://www.goodfont.co.kr
unknown
http://www.carterandcone.com
unknown
http://www.fontbureau.comrz
unknown
http://www.sajatypeworks.com
unknown
http://www.fontbureau.com/designers/frere-jones.html4j-
unknown
http://www.founder.com.cn/cnt-b
unknown
http://www.typography.netD
unknown
https://www.google.com
unknown
http://www.fontbureau.comony/O
unknown
http://www.founder.com.cn/cn/cThe
unknown
http://www.jiyu-kobo.co.jp/Y0f
unknown