Sample File: MD5 hash: 2db17f4f44b20ac1204a100d1ba2d10f SHA1 hash: 509ed3828b80661a418d2f7d4f9e366d46eb7ef5 SHA256 hash: 0d4e21cec341cd742aa47f3f3bd4b7a903ab558a646ddd2c55b153bbf7dc5b6c SSDEEP hash: 3072:pyEl9CvErmcEVq47NQSjIcNVPTnX+PualOg7OtY4LeNzxy9:f6ErBObNQTeVPTXSlOg7OtY4LeN0 Filename(s): orden de pedido 05.xlsx Filetype: Excel Document Mutex IOCs: 1159BD3 I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441 Registry Key IOCs: HKEY_CLASSES_ROOT\.vbs HKEY_CLASSES_ROOT\VBSFile\ScriptEngine HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441 HKEY_CURRENT_USER\Software\Borland\Delphi\Locales HKEY_CURRENT_USER\Software\Borland\Locales HKEY_CURRENT_USER\Software\Microsoft\Visual Basic\6.0 HKEY_CURRENT_USER\Software\Microsoft\Visual Basic\6.0\AllowUnsafeObjectPassing HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Enabled HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\TrustPolicy HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UACDisableNotify HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441 HKEY_LOCAL_MACHINE\Software\Borland\Locales HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\DisplayLogo HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\IgnoreUserSettings HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Timeout HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\TrustPolicy HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER Domain IOCs: 23.249.167.158 IP IOCs: 23.249.167.158 46.183.220.14 URL IOCs: http://23.249.167.158/file/doc/scvhost.exe File IOCs: Filenames: C:\Users\aETAdzjz\AppData\Local\Temp\aETAdzjz.bmp C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe C:\Users\aETAdzjz\AppData\Roaming\DOCUMENT\Document.exe:ZoneIdentifier C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441 C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441.exe C:\Users\aETAdzjz\AppData\Roaming\I5E1S5G4-F4T3-T1Y3-B4I3-K5W2V3B0V441\ut C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DOCUMENT.vbs C:\Users\aETAdzjz\AppData\Roaming\svchost.exe C:\Windows\Help\.HLP C:\Windows\system32\.HLP MD5 hashes: 343fa15c150a516b20cc9f787cfd530e 6fe3ecd814abef913dd5064746ad05bc 7cd1dbbd8457d59274642c9a6e3e60dd a634cb7eb39b833d885186b5ba1023f2 d41d8cd98f00b204e9800998ecf8427e SHA1 hashes: 369e8ac39d762e531d961c58b8c5dc84d19ba989 3b34e363b79ae598e50f01e1da1523fbd9c2252d 536cb57f4568328db82d729ab34f0753ab45e0a2 c12e1a24fe39d4017ca8bade72dce2f128ca1f46 
da39a3ee5e6b4b0d3255bfef95601890afd80709 (SHA1 of zero-length input; an empty dropped file, not a usable detection indicator) SHA256 hashes: 0cc3133bbc266693fc23810fb99e57e99b4d1a110f174970aeea79c66d569ce7 8806d6fd705d67f18eaa6c95806d405cd3a3a56e41636958a408973f602daebf d632e9dbacdcd8f6b86ba011ed6b23f961d104869654caa764216ea57a916524 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (SHA256 of zero-length input; same empty file) eaf5fa6489fc6913be7dc196d71f0c22e36f8a8a48899be71a366d1e1112b141 SSDEEP hashes: 12288:ohSu1Z/EMlJIkTnz6sDsh+zZzuw1aoSqntqtH4qgSBDeiN2:EHzE2Jvi+17wo9nUVgCDeI2 3:: (SSDEEP of zero-length input) 3:DG0VRmnwzFTUXoLqgBPN9lLenoJxzp4EaKC5NupEl0dAH2:DjinwtfPBPNCo/zpJaZ5NupE7W 768:wjof+RdBZJ2g653hvqs+Rcb+SBMdK4tztHDyecRa6Xs9X/jPlu6tKvUfsQscD:wjE+132lhisKZdltWeks9Ru6nsQscD 768:wjof+RdBZJ2g653hvqs+Rcb+SBMdK4tztHDyecRa6Xs9X/jPlu6tKvUfsQscL:wjE+132lhisKZdltWeks9Ru6nsQscL