Sample File:

	MD5 hash:
		42ffb9ad1b4555f9080fbf94181b6f35

	SHA1 hash:
		46a467d751787c9679c45b0d8f390ad526b75206

	SHA256 hash:
		a54c4c2c87771dde2fa649a4858a1036b3e8dda1756ed4dc3c9c179b9b33549f

	SSDEEP hash:
		96:mCaQGDT4SZEW1FFuefsNXBAv03oAuCmCLGVQ8YYYYYNz:mP8q2Ly8o1Cqa8YYYYYt

	Filename(s):
		documeynt4565.wsf

	Filetype:
		Windows Script File


Mutex IOCs:

		Global\.net clr networking


Registry Key IOCs:

		HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
		HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings
		HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\IgnoreUserSettings
		HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Enabled
		HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled
		HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses
		HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses
		HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\TrustPolicy
		HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER
		HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\TrustPolicy
		HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER
		HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Timeout
		HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\DisplayLogo
		HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout
		HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo
		HKEY_CLASSES_ROOT\.wsf
		HKEY_CLASSES_ROOT\WSFFile\ScriptEngine
		HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell
		HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1
		HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine
		HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine\ApplicationBase
		HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
		HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\PSMODULEPATH
		HKEY_CURRENT_USER\Environment
		HKEY_CURRENT_USER\Environment\PSMODULEPATH
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\path
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\StackVersion
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\PipelineMaxStackSizeMB
		HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
		HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance\Library
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance\IsMultiInstance
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance\First Counter
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance\CategoryOptions
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance\FileMappingSize
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance\Counter Names
		HKEY_CURRENT_USER
		HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
		HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings


Domain IOCs:

		lotoposols.xyz
		certig.info
		arethatour.icu


IP IOCs:

		185.101.93.139
		31.214.157.14
		8.209.79.239


URL IOCs:

		https://lotoposols.xyz


File IOCs:

	Filenames:
		C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1
		C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
		C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0
		C:\Windows\System32\WindowsPowerShell\v1.0
		C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml
		C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config
		C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml
		C:\Users\5p5NrGJn0jS HALPmcxz\Documents\WindowsPowerShell\profile.ps1
		C:\Windows\system32\ipconfig.exe
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
		C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml
		C:\Windows\System32\CScript.exe
		C:\
		C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml
		System Paging File
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1
		C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.config
		C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml
		C:\Users\5p5NrGJn0jS HALPmcxz
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml
		C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\NGHvEOGrPRHHZU.dll
		C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\documeynt4565.wsf
		C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
		C:\Users\5p5NrGJn0jS HALPmcxz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml
		C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml
		C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
		C:\Windows\system32
		C:\Windows
		C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml

	MD5 hashes:
		42ffb9ad1b4555f9080fbf94181b6f35
		305d96335a600ea4b97c5629845f4e29

	SHA1 hashes:
		425af28f7c69f96a89d1784724cde4e4c3417d47
		46a467d751787c9679c45b0d8f390ad526b75206

	SHA256 hashes:
		a54c4c2c87771dde2fa649a4858a1036b3e8dda1756ed4dc3c9c179b9b33549f
		dc9bffe02bc22d40ec5dd71efe9c27cdde2bab294fcef9ee5c3cb680760019ba

	SSDEEP hashes:
		24576:AXcfREnkuoLQV0cxhHGvnPra2DIYJJ4tY+ngj6bdW7WzB6:AXcfHCacXWnjJEaiNu6bd7w
		96:mCaQGDT4SZEW1FFuefsNXBAv03oAuCmCLGVQ8YYYYYNz:mP8q2Ly8o1Cqa8YYYYYt