Sample File: MD5 hash: 5e798794638d40e80c22e539521158ca SHA1 hash: 7b845d0659f80ceb1ebfc85e580c716be3f5eed5 SHA256 hash: a14e514ddfc3a921c5a9e2fc9b931bc734b4927fa9d4b011ab77f9e46da50b34 SSDEEP hash: 3072:MggRr1xBwqdXNuaIMh8bHpX2z3ZlG0s5Zc4s7qZoajik9QAF6fTLimUVSSUk6:Mg0pxvZQaITpGWzljiU6fvimU Filename(s): Order_Payroll_81154032.doc Filetype: Word Document Mutex IOCs: Global\.net clr networking Global\E0B7509842610 Registry Key IOCs: HKEY_CLASSES_ROOT\Licenses HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 HKEY_CLASSES_ROOT\TypeLib HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 HKEY_CURRENT_USER HKEY_CURRENT_USER\Environment HKEY_CURRENT_USER\Environment\PSMODULEPATH HKEY_CURRENT_USER\Software\Microsoft\Command Processor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BackGroundCompile HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnAllErrors HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnServerErrors HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\CompileOnDemand HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\NotifyUserBeforeStateLoss HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\RequireDeclaration HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\VbaCapability HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\path HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\PipelineMaxStackSizeMB HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\StackVersion HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine\ApplicationBase HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\StackVersion HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\PSMODULEPATH HKEY_PERFORMANCE_DATA System System\PowerShell Windows PowerShell Windows PowerShell\PowerShell Domain IOCs: - None - IP IOCs: 64.44.51.87 185.222.202.79 URL IOCs: HTTPS://185.222.202.79/sat36/YKYD69Q_W617601.2E664EE04488A02C628E0E6CA864C24A/5/spk/ File IOCs: Filenames: C:\ C:\Users C:\Users\aETAdzjz C:\Users\aETAdzjz\AppData\Local\Temp\fulezad.exe C:\Users\aETAdzjz\AppData\Roaming\cleanmem C:\Users\aETAdzjz\AppData\Roaming\cleanmem\fumezad.exe C:\Users\aETAdzjz\Desktop C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1 C:\Windows C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config C:\Windows\SysWOW64\WindowsPowerShell\v1.0 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.config C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml C:\Windows\SysWOW64\ntdll.dll C:\Windows\System32\WindowsPowerShell\v1.0 C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll C:\Windows\system32 Data\ MD5 hashes: a748a4e6151f6d75cf93b2f899df23df SHA1 hashes: 08f90b5474ba8e250d9b824602fe4cec6366bc48 SHA256 hashes: 2044fcca53a6dc26425147b78971bee2225f4e8ea3e096100e4edfbad1dac16d SSDEEP hashes: 6144:X11gGxJkPcgfqAAJ6ONxZ4cYjxfaQYf1QbicnRcftAhQgGNxRUc:X11goJkP/NAJEcYd7YfEc+AB