Sample File: MD5 hash: f4e23cf5d4eb9068e7e3ba617cae9088 SHA1 hash: 3b55440f396b9c688c1724181e1780098c95bddc SHA256 hash: b22d7b196ca03b43f9b140732a3d317f328e5d5f53379c2520a0f05a17d6e617 SSDEEP hash: 384:/imtTYZvzQagj1JYfXfosEOWJIJwMlH7lVqsLWqUoWCtqRK+A8yC2jBJv3:/L20dj1IPnEOtH7aqUzCtqRK+UCE33 Filename(s): CV gui PVN vv y kien cua UB ve gia han.doc Filetype: Word Document Mutex IOCs: Global\.net clr networking (note: this mutex name belongs to the .NET Framework networking performance counters and shows up for many .NET or PowerShell processes, so it is not specific to this sample) Registry Key IOCs (note: the keys listed appear to be standard Windows, Office VBA, Windows Script Host, cmd.exe and PowerShell keys recorded during analysis; the listing does not show which, if any, were modified, so treat them as behavioural context rather than standalone indicators): HKEY_CLASSES_ROOT\.js HKEY_CLASSES_ROOT\JSFile\ScriptEngine HKEY_CLASSES_ROOT\Licenses HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 HKEY_CLASSES_ROOT\TypeLib HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 HKEY_CURRENT_USER HKEY_CURRENT_USER\Environment HKEY_CURRENT_USER\Environment\PSMODULEPATH HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections HKEY_CURRENT_USER\Software\Microsoft\Command Processor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar 
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\AutoIndent HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\AutoQuickTips2 HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\AutoStatement2 HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\AutoValueTips2 HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BackGroundCompile HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnAllErrors HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnServerErrors HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\CodeBackColors HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\CodeForeColors HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\CompileOnDemand HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\DragDropInEditor HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\EndProcLine HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\FontCharSet HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\FontFace HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\FontHeight HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\FullModuleView HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\IndicatorBar HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\IndicatorColors HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\NotifyUserBeforeStateLoss HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\OBGroupMembers HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\OBSearchHeight HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\RequireDeclaration HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\SyntaxChecking 
HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\TabWidth HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\VbaCapability HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Enabled HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\TrustPolicy HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\DisableOrpcDebugging7 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\Log File Max Size HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\Logging HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\Logging Directory HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\StackVersion HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance\CategoryOptions HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance\Counter Names HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance\FileMappingSize HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security HKEY_LOCAL_MACHINE\Software\Microsoft\COM3 HKEY_LOCAL_MACHINE\Software\Microsoft\COM3\COM+Enabled HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine\ApplicationBase HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE\Software\Microsoft\Windows 
NT\CurrentVersion\InstallationType HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\DisplayLogo HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\IgnoreUserSettings HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Timeout HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\TrustPolicy HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\PSMODULEPATH HKEY_PERFORMANCE_DATA Domain IOCs: 154.16.37.122 IP IOCs: 154.16.37.122 URL IOCs (note: in the second URL the Mac= and Data= values are Base64 that decodes to a machine UUID and Windows IP configuration output from the analysis host, so they differ on every machine; match on the host and the /GoogleUpdate/ paths rather than on the full query string): http://154.16.37.122/GoogleUpdate/Update.php http://154.16.37.122/GoogleUpdate/Google.php?Mac=VVVJRCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICANCg0KNzQ1QUQwQUYtRDM0NS0yMUQ3LUYxQTMtMkY0NUI5NzI0QjFEICANCg0KDQoNCg==?Data=DQpXaW5kb3dzIElQIENvbmZpZ3VyYXRpb24NCg0KICAgSG9zdCBOYW1lIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDogWUt5ZDY5cQ0KICAgUHJpbWFyeSBEbnMgU3VmZml4ICAuIC4gLiAuIC4gLiAuIDogDQogICBOb2RlIFR5cGUgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gOiBIeWJyaWQNCiAgIElQIFJvdXRpbmcgRW5hYmxlZC4gLiAuIC4gLiAuIC4gLiA6IE5vDQogICBXSU5TIFByb3h5IEVuYWJsZWQuIC4gLiAuIC4gLiAuIC4gOiBObw0KDQpFdGhlcm5ldCBhZGFwdGVyIExvY2FsIEFyZWEgQ29ubmVjdGlvbjoNCg0KICAgQ29ubmVjdGlvbi1zcGVjaWZpYyBETlMgU3VmZml4ICAuIDogDQogICBEZXNjcmlwdGlvbiAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gOiBJbnRlbChSKSBQUk8vMTAwMCBNVCBOZXR3b3JrIENvbm5lY3Rpb24NCiAgIFBoeXNpY2FsIEFkZHJlc3MuIC4gLiAuIC4gLiAuIC4gLiA6IDAwLTFGLTUxLUY2LUIxLThDDQogICBESENQIEVuYWJsZWQuIC4gLiAuIC4gLiAuIC4gLiAuIC4gOiBZZXMNCiAgIEF1dG9jb25maWd1cmF0aW9uIEVuYWJsZWQgLiAuIC4gLiA6IFllcw0KICAgTGluay1sb2NhbCBJUHY2IEFkZHJlc3MgLiAuIC4gLiAuIDogZmU4MDo6ZDRhYTo2YjQzOmIyZTM6ZGIwMSUxMShQcmVmZXJyZWQpIA0KIC
AgSVB2NCBBZGRyZXNzLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDogMTkyLjE2OC4wLjEwNShQcmVmZXJyZWQpIA0KICAgU3VibmV0IE1hc2sgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDogMjU1LjI1NS4yNTUuMA0KICAgTGVhc2UgT2J0YWluZWQuIC4gLiAuIC4gLiAuIC4gLiAuIDogVHVlc2RheSwgSmFudWFyeSAwOCwgMjAxOSAxMjozOTo1NiBQTQ0KICAgTGVhc2UgRXhwaXJlcyAuIC4gLiAuIC4gLiAuIC4gLiAuIDogVHVlc2RheSwgSmFudWFyeSAwOCwgMjAxOSAxOjM5OjU1IFBNDQogICBEZWZhdWx0IEdhdGV3YXkgLiAuIC4gLiAuIC4gLiAuIC4gOiAxOTIuMTY4LjAuMQ0KICAgREhDUCBTZXJ2ZXIgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDogMTkyLjE2OC4wLjENCiAgIERIQ1B2NiBJQUlEIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiA6IDIzNDkwNTY1Ng0KICAgREhDUHY2IENsaWVudCBEVUlELiAuIC4gLiAuIC4gLiAuIDogMDAtMDEtMDAtMDEtMjAtRTgtMkUtRjAtMDAtNjAtMzgtOUItQkEtMDENCiAgIEROUyBTZXJ2ZXJzIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiA6IDE5Mi4xNjguMC4xDQogICBOZXRCSU9TIG92ZXIgVGNwaXAuIC4gLiAuIC4gLiAuIC4gOiBFbmFibGVkDQoNClR1bm5lbCBhZGFwdGVyIGlzYXRhcC57NDhGRjdGNEYtQkUzQS00OTMwLUFBMDMtMkREQzA4QTQxODA2fToNCg0KICAgTWVkaWEgU3RhdGUgLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDogTWVkaWEgZGlzY29ubmVjdGVkDQogICBDb25uZWN0aW9uLXNwZWNpZmljIEROUyBTdWZmaXggIC4gOiANCiAgIERlc2NyaXB0aW9uIC4gLiAuIC4gLiAuIC4gLiAuIC4gLiA6IE1pY3Jvc29mdCBJU0FUQVAgQWRhcHRlcg0KICAgUGh5c2ljYWwgQWRkcmVzcy4gLiAuIC4gLiAuIC4gLiAuIDogMDAtMDAtMDAtMDAtMDAtMDAtMDAtRTANCiAgIERIQ1AgRW5hYmxlZC4gLiAuIC4gLiAuIC4gLiAuIC4gLiA6IE5vDQogICBBdXRvY29uZmlndXJhdGlvbiBFbmFibGVkIC4gLiAuIC4gOiBZZXMNCg0KVHVubmVsIGFkYXB0ZXIgVGVyZWRvIFR1bm5lbGluZyBQc2V1ZG8tSW50ZXJmYWNlOg0KDQogICBNZWRpYSBTdGF0ZSAuIC4gLiAuIC4gLiAuIC4gLiAuIC4gOiBNZWRpYSBkaXNjb25uZWN0ZWQNCiAgIENvbm5lY3Rpb24tc3BlY2lmaWMgRE5TIFN1ZmZpeCAgLiA6IA0KICAgRGVzY3JpcHRpb24gLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDogVGVyZWRvIFR1bm5lbGluZyBQc2V1ZG8tSW50ZXJmYWNlDQogICBQaHlzaWNhbCBBZGRyZXNzLiAuIC4gLiAuIC4gLiAuIC4gOiAwMC0wMC0wMC0wMC0wMC0wMC0wMC1FMA0KICAgREhDUCBFbmFibGVkLiAuIC4gLiAuIC4gLiAuIC4gLiAuIDogTm8NCiAgIEF1dG9jb25maWd1cmF0aW9uIEVuYWJsZWQgLiAuIC4gLiA6IFllcw0K File IOCs: Filenames: C:\ C:\Users\aETAdzjz C:\Users\aETAdzjz\Desktop C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config 
C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config C:\Windows\Tasks\Chrome.js C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll C:\Windows\system32\wbem\\texttable.xsl (note: apart from C:\Windows\Tasks\Chrome.js and what appear to be the analysis machine's user-profile paths, the filenames listed are stock Windows, .NET and PowerShell files; the listing does not say which file the hashes that follow belong to) MD5 hashes: c98b305f90a412362e54fd297afb3674 SHA1 hashes: 4705c1151fe5db668f2a3e9f84d78bf63a018555 SHA256 hashes: 31467c1f93ba3f47e5343d5c4b3899533d3270bee868831016b8c4aee3e6cc6f SSDEEP hashes: 48:XPlZP0/tdyoNWbdmjpQ11gC9WlB4lLdyTlpL+JKyfNayAT7W1nM7jlcqKJqmTdzq:XPySoQUjpQ1Uam7wKyf8Z/EwjRadu