Sample File:

	MD5 hash:
		69b046782afb1da41bdffdbef2be687c

	SHA1 hash:
		6c6640eac6437b0f5835be4ad2c1b74718b422f6

	SHA256 hash:
		e6ba4bd149bfa84ab57c7926c7635e162e459d0e9e419bb3c8d8af8e41c043c9

	SSDEEP hash:
		3072:9Ed93LpGo0aQLkaReAkQz4P56rkR6i+Pidf+le0I1nR3:9Ed2VZj7cPEi66f+7I1nR3

	Filename(s):
		sample.doc

	Filetype:
		Word Document


Mutex IOCs:

		Global\.net clr networking
		Global\I705BA84C
		Global\M705BA84C
		PEM45C
		PEM474
		PEM514
		PEM53C
		PEM584
		PEM88C
		PEM89C
		PEMA78
		PEMB3C
		PEMB48


Registry Key IOCs:

		HKEY_CLASSES_ROOT\Licenses
		HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7
		HKEY_CLASSES_ROOT\TypeLib
		HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}
		HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0
		HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0
		HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64
		HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}
		HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7
		HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0
		HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64
		HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409
		HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9
		HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}
		HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8
		HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0
		HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64
		HKEY_CURRENT_USER
		HKEY_CURRENT_USER\Environment
		HKEY_CURRENT_USER\Environment\PSMODULEPATH
		HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
		HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
		HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zipwcs
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BackGroundCompile
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnAllErrors
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnServerErrors
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\CompileOnDemand
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\NotifyUserBeforeStateLoss
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\RequireDeclaration
		HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\VbaCapability
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\path
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\PipelineMaxStackSizeMB
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\StackVersion
		HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance\First Counter
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance\IsMultiInstance
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance\Library
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance\CategoryOptions
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance\Counter Names
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance\FileMappingSize
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
		HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell
		HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1
		HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine
		HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine\ApplicationBase
		HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting
		HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Impersonation Level
		HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Namespace
		HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
		HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType
		HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
		HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\PSMODULEPATH
		HKEY_PERFORMANCE_DATA


Domain IOCs:

		64.19.74.49:8080
		96.20.172.107:8443
		99.139.140.129
		geestdriftnu.com
		matex.biz
		neumaticosutilizados.com
		whiskyshipper.com


IP IOCs:

		109.237.222.235
		68.183.118.18
		185.182.56.77
		46.242.164.79
		96.20.172.107
		64.19.74.49
		99.139.140.129


URL IOCs:

		http://neumaticosutilizados.com/1TI81PRQLORR
		http://neumaticosutilizados.com/1TI81PRQLORR/
		http://whiskyshipper.com/wp-content/A8BRS9sLl8i_P8DBsLho
		http://whiskyshipper.com/wp-content/A8BRS9sLl8i_P8DBsLho/
		http://geestdriftnu.com/gqXb3ghkRZJ6tjL8_Y
		http://geestdriftnu.com/gqXb3ghkRZJ6tjL8_Y/
		http://matex.biz//RQR0RaohiR_P
		http://matex.biz/RQR0RaohiR_P/
		HTTP://96.20.172.107
		http://96.20.172.107:8443/
		HTTP://64.19.74.49
		http://64.19.74.49:8080/
		HTTP://99.139.140.129
		http://99.139.140.129/


File IOCs:

	Filenames:

		C:\
		C:\Users\
		C:\Users\aETAdzjz
		C:\Users\aETAdzjz\629.exe
		C:\Users\aETAdzjz\AppData\
		C:\Users\aETAdzjz\AppData\Local\
		C:\Users\aETAdzjz\AppData\Local\mddefwmerged\mddefwmerged.exe
		C:\Users\aETAdzjz\AppData\Local\zipwcs\
		C:\Users\aETAdzjz\AppData\Local\zipwcs\ushHer04rO2OqyUQI7w.exe
		C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe
		C:\Users\aETAdzjz\AppData\Local\zipwcs\zipwcs.exe:Zone.Identifier
		C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
		C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1
		C:\Windows
		C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config
		C:\Windows\System32\WindowsPowerShell\v1.0
		C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1
		C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml
		C:\Windows\System32\WindowsPowerShell\v1.0\powersheLl.config
		C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1
		C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml
		C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
		C:\Windows\system32

	MD5 hashes:

		b922796295147cdde8292ece2ccf8c2e
		d41d8cd98f00b204e9800998ecf8427e

	SHA1 hashes:

		89309f2c3118c33d8608a5bd698e84cff3f311d4
		da39a3ee5e6b4b0d3255bfef95601890afd80709

	SHA256 hashes:

		2dc18b533e82b6bfe4ca849a61197806714d541d8a77ad8feeb02342baa83854
		e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

	SSDEEP hashes:

		1536:ZxmjQOuNIovctrkyZD+ZQOkPn73i+i2DEcZJhW2lJFBclDS0+7GFU6Vxsik5docW:iWCovctrd+UPn7y+rE85lJF8Uq6WnLf
		3::