Sample File:

	MD5 hash:
		5c3f96ade0ea67eef9d25161c64e6f3e

	SHA1 hash:
		524f2c9f62703027b1ebbf1fc16a4a7506d6ff20

	SHA256 hash:
		513813af1590bc9edeb91845b454d42bbce6a5e2d43a9b0afa7692e4e500b4c8

	SSDEEP hash:
		768:+Vp5c6cJjgv820s9i3FwEUddPwZS9BAgVx6SsfG2f/:+X5ncxgv8KWYGQ9HYSUf/

	Filename(s):
		=UTF-8B2KfZhNmB2YfYp9ix2LMueGxzbQ===.xls

	Filetype:
		Excel Document


Mutex IOCs:

		- None -


Registry Key IOCs:

		HKEY_CLASSES_ROOT\.dll
		HKEY_CLASSES_ROOT\Licenses
		HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7
		HKEY_CLASSES_ROOT\TypeLib
		HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}
		HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
		HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
		HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64
		HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}
		HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9
		HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0
		HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0\win64
		HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\409
		HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\9
		HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}
		HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8
		HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0
		HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64
		HKEY_CLASSES_ROOT\dllfile
		HKEY_CLASSES_ROOT\dllfile\AutoRegister
		HKEY_CURRENT_USER\Environment
		HKEY_CURRENT_USER\Environment\PSMODULEPATH
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BackGroundCompile
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnAllErrors
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnServerErrors
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\CompileOnDemand
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\NotifyUserBeforeStateLoss
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\RequireDeclaration
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\VbaCapability
		HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\path
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\PipelineMaxStackSizeMB
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\StackVersion
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
		HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
		HKEY_LOCAL_MACHINE\Software\Microsoft\COM3\COM+Enabled
		HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell
		HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1
		HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine
		HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine\ApplicationBase
		HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell
		HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
		HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\PSMODULEPATH


Domain IOCs:

		- None -


IP IOCs:

		88.221.117.88


URL IOCs:

		- None -


File IOCs:

	Filenames:

		C:\
		C:\Users
		C:\Users\aETAdzjz
		C:\Users\aETAdzjz\AppData\Local\Temp\OfficeUpdateService.exe
		C:\Users\aETAdzjz\AppData\Local\Temp\WINDOWSTEMP.ps1
		C:\Users\aETAdzjz\Desktop
		C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
		C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1
		C:\Windows\System32\WindowsPowerShell\v1.0
		C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1
		C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config
		C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
		C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml
		C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
		CONIN$

	MD5 hashes:

		d41d8cd98f00b204e9800998ecf8427e
		e6d55fffc72e853d24440ef89e216611

	SHA1 hashes:

		293a8817bc2e35ad4db630dd58dc8229523ac252
		da39a3ee5e6b4b0d3255bfef95601890afd80709

	SHA256 hashes:

		93a530e6d04e88730fd787d31f9a8e69fcbae3a14ba650008d1b5712ecb2cfb2
		e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

	SSDEEP hashes:

		384:LOi5Zg5RQ60lRrUbLmagfOypXquFGRawwha5gCvZQ28kS4n:Lh57lRruLm1dGRNw05gAZR86n
		3::