Sample File: MD5 hash: 7bafd5f76166ab14d8f649f5ce1598eb SHA1 hash: f38c3bcca561cd47d214dd5a4cf7aeabdfa855e3 SHA256 hash: 6dd9d1ae591aa1c238d27b7d29b4d16775e02350637efc7659a7de6b062aa9d7 SSDEEP hash: 768:AmkOAXVucRFoqkp59YBvLdTv9ReVi4eFov5UHRFBn+1ooSA8xNhHhvWmXl3fkZN:gOAXocn1kp59gxBK85fBn+aogvVMb Filename(s): Documento.doc Filetype: Word Document Mutex IOCs: Global\I705BA84C Global\M705BA84C PEMB08 PEMBC8 Registry Key IOCs: HKEY_CLASSES_ROOT\Licenses HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 HKEY_CLASSES_ROOT\TypeLib HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 HKEY_CURRENT_USER\Software\Microsoft\Command Processor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_CURRENT_USER\Software\Microsoft\Command 
Processor\EnableExtensions HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BackGroundCompile HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnAllErrors HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnServerErrors HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\CompileOnDemand HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\NotifyUserBeforeStateLoss HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\RequireDeclaration HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\VbaCapability HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\StackVersion HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell HKEY_PERFORMANCE_DATA (Note: these are registry keys touched during sandbox execution, not keys the sample is shown to create or modify. The Command Processor, VBA\7.1\Common, TypeLib, WSMAN and EventLog\...\PowerShell entries are read by any cmd.exe, VBA or PowerShell process; they are consistent with a macro-to-cmd/PowerShell execution chain but are low-fidelity detection indicators on their own and should not be used as standalone signatures.) Domain IOCs: 47.32.209.86 (an IP address, not a domain; it is also listed under IP IOCs below) lifewithdogmovie.com IP IOCs: 67.212.232.33 72.48.172.106 201.120.89.60 47.32.209.86 13.107.5.88 (Note: addresses taken from a sandbox network capture can include legitimate Windows/Office service endpoints contacted during the run; confirm each address against the sample's own traffic before adding it to a blocklist.) URL IOCs: 
http://lifewithdogmovie.com/0K3jRwA http://lifewithdogmovie.com/0K3jRwA/ HTTP://72.48.172.106 HTTP://201.120.89.60 HTTP://47.32.209.86 http://47.32.209.86/ File IOCs: Filenames: C:\ C:\Users\ C:\Users\aETAdzjz\ C:\Users\aETAdzjz\AppData\ C:\Users\aETAdzjz\AppData\Local\ C:\Users\aETAdzjz\AppData\Local\Microsoft\ C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\ C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\TXCuQB4avHqPTPy.exe C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\cofiretlnt.exe:Zone.Identifier C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\orangeneed.exe C:\Users\aETAdzjz\AppData\Local\Temp\\jtA.exe C:\Users\aETAdzjz\AppData\Local\Temp\jtA.exe C:\Users\aETAdzjz\Desktop C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll (Note: "aETAdzjz" is the sandbox user name, and the bare directory entries (C:\, C:\Users\, ...) are path components rather than artefacts. For detection, match on the dropped executables under %LOCALAPPDATA%\Microsoft\Windows\ (TXCuQB4avHqPTPy.exe, cofiretlnt.exe, orangeneed.exe) and %TEMP%\jtA.exe. "cofiretlnt.exe:Zone.Identifier" is the alternate data stream on cofiretlnt.exe, not a separate file; "Temp\\jtA.exe" and "Temp\jtA.exe" are the same path with a doubled separator. powershell.config and System.Management.Automation.dll are system files loaded by PowerShell, not dropped artefacts.) MD5 hashes: 912807d798d35323a534fdb59399a9b0 SHA1 hashes: 2060d9f147311fdeec4de5f5d940b7a6f849846d SHA256 hashes: 78ccba1d9e5d32658ce4cd4b2f8a8be65c6aa6a4f4eec2016777afb3a50ac843 SSDEEP hashes: 3072:ePsv/P6gmhkFDDQKSZ4k5AF6xIsawMlkgu866:S9QD+zyF6xIsaFXP (Note: the report gives a single hash set for the File IOCs without stating which of the dropped executables it belongs to; resolve this against the sandbox run before using these hashes as a file indicator.)