Sample File:

	MD5 hash:
		431399e17aee53fa70c23ac550792769

	SHA1 hash:
		562899367b8212c2aca639f6f6a68d5294971c94

	SHA256 hash:
		3692f99b76663e864b3fae22828ab01021dcc50c33f5ec041aa3b055478a4ab2

	SSDEEP hash:
		3072:a57WssAb0KJ7vnVMIZRfw8z8N5Ygaw/ZX/PcSJqDmO6KQcsj1u:a1zsw7yIZJEYgaw/ZXM0kmtKQcsxu

	Filename(s):
		receipt_FedEX_4028873.doc

	Filetype:
		Word Document


Mutex IOCs:

		Global\.net clr networking
		Global\E0B7509842600
		gcc-shmem-tdm2-_pthread_cancelling_shmem
		gcc-shmem-tdm2-_pthread_key_dest_shmem
		gcc-shmem-tdm2-_pthread_key_lock_shmem
		gcc-shmem-tdm2-_pthread_key_max_shmem
		gcc-shmem-tdm2-_pthread_key_sch_shmem
		gcc-shmem-tdm2-_pthread_tls_once_shmem
		gcc-shmem-tdm2-_pthread_tls_shmem
		gcc-shmem-tdm2-cond_locked_shmem_rwlock
		gcc-shmem-tdm2-fc_key
		gcc-shmem-tdm2-idListCnt_shmem
		gcc-shmem-tdm2-idListMax_shmem
		gcc-shmem-tdm2-idListNextId_shmem
		gcc-shmem-tdm2-idList_shmem
		gcc-shmem-tdm2-mtx_pthr_locked_shmem
		gcc-shmem-tdm2-mutex_global_shmem
		gcc-shmem-tdm2-mutex_global_static_shmem
		gcc-shmem-tdm2-mxattr_recursive_shmem
		gcc-shmem-tdm2-once_global_shmem
		gcc-shmem-tdm2-once_obj_shmem
		gcc-shmem-tdm2-pthr_root_shmem
		gcc-shmem-tdm2-rwl_global_shmem
		gcc-shmem-tdm2-sjlj_once
		gcc-shmem-tdm2-use_fc_key


Registry Key IOCs:

		HKEY_CLASSES_ROOT\CLSID\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\DesignerFeatures
		HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32
		HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\InprocServer32\ThreadingModel
		HKEY_CLASSES_ROOT\Clsid\{C62A69F0-16DC-11CE-9E98-00AA00574A4F}\Instance CLSID
		HKEY_CLASSES_ROOT\Licenses
		HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7
		HKEY_CLASSES_ROOT\TypeLib
		HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}
		HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
		HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
		HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64
		HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}
		HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2
		HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9
		HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9\win64
		HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}
		HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7
		HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0
		HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64
		HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409
		HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9
		HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}
		HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0
		HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0
		HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0\win64
		HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}
		HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8
		HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0
		HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64
		HKEY_CLASSES_ROOT\Typelib
		HKEY_CLASSES_ROOT\Typelib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}
		HKEY_CURRENT_USER
		HKEY_CURRENT_USER\Environment
		HKEY_CURRENT_USER\Environment\PSMODULEPATH
		HKEY_CURRENT_USER\Environment\path
		HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
		HKEY_CURRENT_USER\Software\Microsoft\Command Processor
		HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
		HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
		HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
		HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
		HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
		HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
		HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\AlignToGrid
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BackGroundCompile
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BackgroundProjectLoad
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnAllErrors
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnServerErrors
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\CollapseWindows
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\CompileOnDemand
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\CtlsShowSelected
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\Designers
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\Dock
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\DsnShowSelected
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\FolderView
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\GridHeight
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\GridWidth
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\MainWindow
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\MdiMaximized
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\NotifyUserBeforeStateLoss
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\PropertiesWindow
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\ReadOnlyMode
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\RequireDeclaration
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\SaveBeforeRun
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\ShowGrid
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\ShowToolTips
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\Tool
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\ToolboxControls
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\UI
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\UpgradeVBX
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\VbaCapability
		HKEY_CURRENT_USER\Software\Microsoft\VBA\VBE\6.0\Addins64
		HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\path
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\PipelineMaxStackSizeMB
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\PipelineMaxStackSizeMB
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\StackVersion
		HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
		HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
		HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
		HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
		HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
		HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar
		HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor
		HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion
		HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck
		HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions
		HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar
		HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell
		HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1
		HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\ApplicationBase
		HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine
		HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine\ApplicationBase
		HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine\StackVersion
		HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\StackVersion
		HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\path
		HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
		HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType
		HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
		HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\PSMODULEPATH
		HKEY_PERFORMANCE_DATA
		System
		System\PowerShell
		Windows PowerShell
		Windows PowerShell\PowerShell


Domain IOCs:

		46.173.218.240
		icanhazip.com


IP IOCs:

		46.173.218.240
		147.75.40.2
		182.253.20.66
		193.187.172.11
		2.16.100.179


URL IOCs:

		http://46.173.218.240/uncle_sam.php
		http://46.173.218.240/lisa.abc
		HTTP://icanhazip.com/


File IOCs:

	Filenames:

		"C:\Users\aETAdzjz\AppData\Local\Temp\tmp1971.bat"
		C:\
		C:\Users
		C:\Users\aETAdzjz
		C:\Users\aETAdzjz\AppData\Local\Temp\FAQ
		C:\Users\aETAdzjz\AppData\Local\Temp\tmp1971.bat
		C:\Users\aETAdzjz\AppData\Local\Temp\tmp6149.exe
		C:\Users\aETAdzjz\AppData\Roaming\WinDefrag
		C:\Users\aETAdzjz\AppData\Roaming\WinDefrag\tmp7149.exe
		C:\Users\aETAdzjz\AppData\Roaming\WinDefrag\tmp7149.tmp
		C:\Users\aETAdzjz\Desktop
		C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
		C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1
		C:\Windows
		C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.config
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0
		C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1
		C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config
		C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
		C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml
		C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
		C:\Windows\system32
		Data\

	MD5 hashes:

		6281f5c42be41eaf431acc826cb8f1bf
		94df3603fba467e0fff637c55c8b6d1b

	SHA1 hashes:

		75d4aa452b5c232a2f1d9e74ccd7d616d6d66171
		93f6cd1834a402f78497d2978d3a3a58ec3bfd66

	SHA256 hashes:

		4f9eb9ef4ef021679de344f227bc6e162f1e5bcc6950d63ee870718380c58016
		e2a20c742f2100307b7bc99b92cab49a3821bb1cef322284c3440a040a991de2

	SSDEEP hashes:

		12288:mw4zMV6fcJUCT+ZiO852/Ico+/fT3aBtYg:P8fcJUCTjOy2eGT36tx
		12:ssHARPuwtosKMzr+GCrSF2q0Fiiefh7Meiw1r9KMzrl:tHgPuwa6zrfCFi9h7H9zrl