Sample File:
  MD5 hash: ad3b4198ce49b70d8bb804daf9741660
  SHA1 hash: 5620e52094d75d3d8c47d4daade74fa45301e347
  SHA256 hash: d8ef1c4f64a05b1abf100044fcb7048c9526d175a114cb90bd134b80783da146
  Filename(s): Secure_Document_Plugin.hta
  Filetype: HTML Application

Mutex IOCs:
  - None -

Registry Key IOCs:
  HKEY_CLASSES_ROOT\clsid\{25336920-03f9-11cf-8fd0-00aa00686f13}\InProcServer32
  HKEY_CURRENT_USER\EUDC\1252
  HKEY_CURRENT_USER\Software\Microsoft\Command Processor
  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ChakraRecycler
  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\JScriptLegacy
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
  HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Script\Features
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
  HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
  HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
  HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Application Compatibility
  HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\ChakraRecycler
  HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\JScriptLegacy
  HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting

IP IOCs:
  - None -

URL IOCs:
  https://dl6zxn23r8r14.cloudfront.net:443/en-US
  maptile.usnews.com/safebrowsing/rd/ij34Feg034rf4-p34
  asset.wsj.net/safebrowsing/rd/ij34Feg034rf4-p34
  www.reutersmedia.net/safebrowsing/rd/ij34Feg034rf4-p34
  www.reutersmedia.net/safebrowsing/rd/g349f3qf45t5g-k32

File IOCs:
  Filenames:
    C:\Windows\cerCF51.tmp
    C:\Windows\system32
    \\.\pipe\29a7ba79f8
    certutil.exe
    wscript.exe
  MD5 hashes: d41d8cd98f00b204e9800998ecf8427e
  SHA1 hashes: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256 hashes: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855