Sample File:
MD5 hash: 02b6f049f4d8246ee982d8c34a160311
SHA1 hash: 088ed5abd0edda72a846ddcec24fceeafe394188
SHA256 hash: a7aae83573aa9a682ce9733468882e841564f41ec4aa004cb795b98fd4834d15
SSDEEP hash: 6144:F4onJC0hW+WeUu34wHH63enY8mti3o9QFXiNb0ejUFp:qStQSv/2e9mtIOQ1iNTE
Filename(s): SS BRAID PO.doc.rtf
Filetype: RTF Document

Mutex IOCs:
- None -

Registry Key IOCs:

Domain IOCs:

IP IOCs:

URL IOCs:
http://rollboat.tk/new/kc.exe
http://whatismyipaddress.com/
http://ocsp2.globalsign.com/gscodesignsha2g2/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQpEOCqbmTiQA9OjY%2F%2Ft2aa8NSkuwQUGUq4WuRNMaUU5V7sL6Mc%2BoCMMmsCEhEhr0NghltULzlkczOf0L9mqQ%3D%3D
http://crl.globalsign.com/gs/gscodesignsha2g2.crl
http://crl.verisign.com/tss-ca.crl

File IOCs:
Filenames:

MD5 hashes:

SHA1 hashes:

SHA256 hashes:

SSDEEP hashes: