Sample File: MD5 hash: e7fb10b7ba0d4f761ad323b88ed69689 SHA1 hash: 047d9e57f88c84c019f9112bae8d562bdc83aadd SHA256 hash: c5e3ea84d2367239a3edff9074158e7af13b95edbc87d576c8d97e2536f3ba3a SSDEEP hash: 1536:YE+km4OrZTPVbJhr1TBL602MCspTZsxEtjPOtioVjDGUU1qfDlaGGx+cL2Qn+O1I:YE+km4OrZbVbJhr1TBL602MCspTZsxEG Filename(s): 3D_5684_DOC20181101014.xls_.xls Filetype: Excel Document Mutex IOCs: Global\.net clr networking Registry Key IOCs: HKEY_CLASSES_ROOT\Licenses HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 HKEY_CLASSES_ROOT\TypeLib HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9 HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0 HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\0\win64 HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\409 HKEY_CLASSES_ROOT\TypeLib\{00020813-0000-0000-C000-000000000046}\1.9\9 HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 HKEY_CURRENT_USER HKEY_CURRENT_USER\Environment HKEY_CURRENT_USER\Environment\PSMODULEPATH HKEY_CURRENT_USER\Software\Microsoft\Command Processor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BackGroundCompile HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnAllErrors HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnServerErrors HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\CompileOnDemand HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\NotifyUserBeforeStateLoss HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\RequireDeclaration HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\VbaCapability HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\Log File Max Size HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\Logging HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wbem\CIMOM\Logging Directory HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\StackVersion HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\ApplicationBase HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine\ApplicationBase HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\ApplicationBase HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\path HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\PSMODULEPATH HKEY_PERFORMANCE_DATA System System\PowerShell Windows PowerShell Windows PowerShell\PowerShell Domain IOCs: images2.imgbox.com images2.imgbox.com.sds.rncdn7.com IP IOCs: 66.254.122.100 66.254.122.102 66.254.122.104 URL IOCs: - None - File IOCs: Filenames: C:\Users\aETAdzjz\Desktop C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config C:\Windows\System32\WindowsPowerShell\v1.0 C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\poWerSHell.config C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll WMIC.exe MD5 hashes: SHA1 hashes: SHA256 hashes: SSDEEP hashes: