Sample File:
MD5 hash: 8292efeed21c16d4833e2933a41fab82
SHA1 hash: 4ae82c4536463c25b31736503308b32f5a42ff59
SHA256 hash: 76917b219ad5a1ff8229a75eb23c34a9ad1ce98264257d3cca538ac59c49a15f
SSDEEP hash: 3:LyUyDzKT7gQmUHyUQ:LSDmYQnHo
Filename(s): 29082018_64943.iqy
Filetype: Excel Document

Mutex IOCs:
Global\.net clr networking Name

Registry Key IOCs:
HKEY_CURRENT_USER
HKEY_CURRENT_USER\Environment
HKEY_CURRENT_USER\Environment\PSMODULEPATH
HKEY_CURRENT_USER\Software\Microsoft\Command Processor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Restore
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SysTracer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\StackVersion
HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\Device Description
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\ApplicationBase
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine\ApplicationBase
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\ApplicationBase
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\StackVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\PSMODULEPATH
HKEY_PERFORMANCE_DATA
System
System\PowerShell
Windows PowerShell
Windows PowerShell\PowerShell

Domain IOCs:
localhost
ms365box.com

IP IOCs:
31.202.128.249

URL IOCs:
http://ms365box.com/update.2
http://ms365box.com/inv
http://ms365box.com/
http://ms365box.com/update.1

File IOCs:
Filenames:
*(JIGFODHy8t9ij3g89eiw
C:\
C:\Users
C:\Users\ADU0VK~1
C:\Users\ADU0VK~1\AppData
C:\Users\ADU0VK~1\AppData\Local
C:\Users\ADU0VK~1\AppData\Local\Temp\
C:\Users\ADU0VK~1\AppData\Local\Temp\1.bat
C:\Users\ADU0VK~1\AppData\Local\Temp\nsdFD9F.tmp
C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp
C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp\
C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp\System.dll
C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp\UserInfo.dll
C:\Users\ADU0VK~1\AppData\Local\Temp\nstFDB0.tmp\nsExec.dll
C:\Users\ADU0VK~1\AppData\Local\Temp\total.exe
C:\Users\aDU0VK IWA5kLS
C:\Users\aDU0VK IWA5kLS\AppData\Local\Temp\total.exe
C:\Users\aDU0VK IWA5kLS\AppData\Roaming\B.cab
C:\Users\aDU0VK IWA5kLS\AppData\Roaming\winpoint.exe
C:\Users\aDU0VK IWA5kLS\Desktop
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config
C:\Windows\System32\WindowsPowerShell\v1.0
C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml
C:\Windows\System32\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml
C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml
C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml
C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml
C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml
C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml
C:\Windows\System32\WindowsPowerShell\v1.0\WSMan.format.ps1xml
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config
C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml
C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
NUL
c:\bin\AHookMonitor.dll
c:\cwsandbox\cwsandbox.ini
c:\test\vmversion.txt

MD5 hashes:
23241a6021334635dc512f3bfd812f1c
2b495afa839e2073388f86180a04dce3
b0c77267f13b2f87c084fd86ef51ccfc

SHA1 hashes:
309b0af9198bacbe61f45106fa77bb4011fae25a
c70bf8abb2c0adad8696cb688b13155fa26f0e5b
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256 hashes:
05f630aad1741d54768ad8eaf7fd9e1e8666f38af55e88bac892853bb72758ae
8a674c5b1324ceb20ac3a93982268cd777f9abc6fe9ec7310be4dbe7bf8aad3e
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

SSDEEP hashes:
12288:/8sRQCBnr44sUPCOSVBgDpSnw7oKVnq0PVGanIkxxkgUqFCy61J79Yqk:0uQCBr4rAmVWNJJVnqK+UxnUqEyAJ6q
192:4PtkiQJr7jHYT87RfwXQ6YSYtOuVDi7IsFW14Ll8CO:H78TQIgGCDp14LGC
24576:SdeUKz6LtsChewe/tOYhJvo+Ihjr5ZFAtleyP:PUZts2eweNhJvtIRtile6