Sample File: MD5 hash: 81230e37278c7fb04ba6c91bc54a1305 SHA1 hash: dc6369bb21e42dbb370f0f11b9a40ce6e254fa73 SHA256 hash: 8b0a43ca23ec8566b090b758fd218a0cc008947ea710e16a38142b8bccca53d0 SSDEEP hash: 3072:cq/2n5Ler/yR5DpQKajNDu1CkBArkxXfPgUm:Be5LoKDpQZqQkCr4XgP Filename(s): INC_4807280588838_XJ.doc Filetype: Word Document Mutex IOCs: Global\.net clr networking Global\I705BA84C Global\M705BA84C Registry Key IOCs: HKEY_CLASSES_ROOT\CLSID HKEY_CLASSES_ROOT\CLSID\{8BD21D50-EC42-11CE-9E0D-00AA006002F3} HKEY_CLASSES_ROOT\CLSID\{8BD21D50-EC42-11CE-9E0D-00AA006002F3}\TypeLib HKEY_CLASSES_ROOT\CLSID\{8BD21D50-EC42-11CE-9E0D-00AA006002F3}\Version HKEY_CLASSES_ROOT\Clsid\{1C3B4210-F441-11CE-B9EA-00AA006B1A69} HKEY_CLASSES_ROOT\Clsid\{1C3B4210-F441-11CE-B9EA-00AA006B1A69}\Control HKEY_CLASSES_ROOT\Clsid\{1C3B4210-F441-11CE-B9EA-00AA006B1A69}\Insertable HKEY_CLASSES_ROOT\Clsid\{5CEF5610-713D-11CE-80C9-00AA00611080} HKEY_CLASSES_ROOT\Clsid\{5CEF5610-713D-11CE-80C9-00AA00611080}\Control HKEY_CLASSES_ROOT\Clsid\{5CEF5610-713D-11CE-80C9-00AA00611080}\Insertable HKEY_CLASSES_ROOT\Clsid\{646BE917-EFED-46C6-AFC9-CA1FBD3C5100} HKEY_CLASSES_ROOT\Clsid\{646BE917-EFED-46C6-AFC9-CA1FBD3C5100}\Control HKEY_CLASSES_ROOT\Clsid\{646BE917-EFED-46C6-AFC9-CA1FBD3C5100}\Insertable HKEY_CLASSES_ROOT\Clsid\{82B02373-B5BC-11CF-810F-00A0C9030074} HKEY_CLASSES_ROOT\Clsid\{82B02373-B5BC-11CF-810F-00A0C9030074}\Control HKEY_CLASSES_ROOT\Clsid\{82B02373-B5BC-11CF-810F-00A0C9030074}\Insertable HKEY_CLASSES_ROOT\Clsid\{82B02374-B5BC-11CF-810F-00A0C9030074} HKEY_CLASSES_ROOT\Clsid\{82B02374-B5BC-11CF-810F-00A0C9030074}\Control HKEY_CLASSES_ROOT\Clsid\{82B02374-B5BC-11CF-810F-00A0C9030074}\Insertable HKEY_CLASSES_ROOT\Clsid\{82B02375-B5BC-11CF-810F-00A0C9030074} HKEY_CLASSES_ROOT\Clsid\{82B02375-B5BC-11CF-810F-00A0C9030074}\Control HKEY_CLASSES_ROOT\Clsid\{82B02375-B5BC-11CF-810F-00A0C9030074}\Insertable HKEY_CLASSES_ROOT\Clsid\{8A683C92-BA84-11CF-8110-00A0C9030074} 
HKEY_CLASSES_ROOT\Clsid\{8A683C92-BA84-11CF-8110-00A0C9030074}\Control HKEY_CLASSES_ROOT\Clsid\{8A683C92-BA84-11CF-8110-00A0C9030074}\Insertable HKEY_CLASSES_ROOT\Clsid\{8A683C93-BA84-11CF-8110-00A0C9030074} HKEY_CLASSES_ROOT\Clsid\{8A683C93-BA84-11CF-8110-00A0C9030074}\Control HKEY_CLASSES_ROOT\Clsid\{8A683C93-BA84-11CF-8110-00A0C9030074}\Insertable HKEY_CLASSES_ROOT\Clsid\{909E0AE0-16DC-11CE-9E98-00AA00574A4F} HKEY_CLASSES_ROOT\Clsid\{909E0AE0-16DC-11CE-9E98-00AA00574A4F}\Control HKEY_CLASSES_ROOT\Clsid\{909E0AE0-16DC-11CE-9E98-00AA00574A4F}\Insertable HKEY_CLASSES_ROOT\Clsid\{AFC20920-DA4E-11CE-B943-00AA006887B4} HKEY_CLASSES_ROOT\Clsid\{AFC20920-DA4E-11CE-B943-00AA006887B4}\Control HKEY_CLASSES_ROOT\Clsid\{AFC20920-DA4E-11CE-B943-00AA006887B4}\Insertable HKEY_CLASSES_ROOT\Licenses HKEY_CLASSES_ROOT\Licenses\8804558B-B773-11d1-BC3E-0000F87552E7 HKEY_CLASSES_ROOT\TypeLib HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0 HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0 HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}\2.0\0\win64 HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2 HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9 HKEY_CLASSES_ROOT\TypeLib\{000204EF-0000-0000-C000-000000000046}\4.2\9\win64 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046} HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\0\win64 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\409 HKEY_CLASSES_ROOT\TypeLib\{00020905-0000-0000-C000-000000000046}\8.7\9 HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4} 
HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0 HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0 HKEY_CLASSES_ROOT\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0\win64 HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52} HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8 HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0 HKEY_CLASSES_ROOT\TypeLib\{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}\2.8\0\win64 HKEY_CLASSES_ROOT\Typelib HKEY_CLASSES_ROOT\Typelib\{0D452EE1-E08F-101A-852E-02608C4D0BB4} HKEY_CURRENT_USER HKEY_CURRENT_USER\Environment HKEY_CURRENT_USER\Environment\PSMODULEPATH HKEY_CURRENT_USER\Identities HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38} HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Internet Account Manager\Accounts HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Username HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\structsstructs HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts HKEY_CURRENT_USER\Software\IncrediMail\Identities HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger HKEY_CURRENT_USER\Software\Microsoft\MessengerService HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook 
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\55aad8d134512d438564aa678cb92d66 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\71b0295bef58e344911262b243f005ac HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\HTTP User HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\IMAP User HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\POP3 User 
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\SMTP User HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Display Name HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP User HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP User HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Password HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Port HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Server HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Use SPA HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 User HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Port HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Server HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP User HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\HTTP User HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\IMAP User HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\POP3 User HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP User HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BackGroundCompile HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnAllErrors HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\BreakOnServerErrors HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\CompileOnDemand HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\NotifyUserBeforeStateLoss HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\RequireDeclaration HKEY_CURRENT_USER\Software\Microsoft\VBA\7.1\Common\VbaCapability HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetConnectDisconnect HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsHistory 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\RestrictRun HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Network HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine HKEY_CURRENT_USER\Software\Yahoo\Pager HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\StackVersion HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current HKEY_LOCAL_MACHINE\Software\Group Mail HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\StackVersion HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Impersonation Level HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Namespace HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\PSMODULEPATH HKEY_PERFORMANCE_DATA Domain IOCs (note: this list mixes candidate attacker infrastructure with DNS blocklist lookups such as 189.167.222.95.zen.spamhaus.org and hostnames of common mail providers such as mail.gmail.com, smtp.gmail.com and outlook.office365.com; the IP list below likely contains the resolved addresses of those same hosts, so vet each entry individually before using it as a block or detection indicator): 189.167.222.95.b.barracudacentral.org 189.167.222.95.bl.mailspike.net 189.167.222.95.spam.abuse.ch 189.167.222.95.spam.dnsbl.sorbs.net 189.167.222.95.zen.spamhaus.org ams-efz.ms-acdc.office.com auth.etcl-bd.com autorepuestosdml.com bechit.com beryllium.cloudhosting.co.uk buero-boehne.de cdg-efz.ms-acdc.office.com cmh.co.ke cpanel59.fastsecurehost.com gmail-smtp-msa.l.google.com grupo-gersa.com hanlinkinvestment.com hps.dsredirect.com imap.1and1.co.uk imap.ge.xfinity.com imap.mail.me.com.akadns.net imap.mail.ru imap.yandex.com.tr mail-2.sslzol.co.zw mail.accordsynergy.com mail.afortiexchange.pl mail.atechserwis.pl mail.bechit.com mail.bizmail.yahoo.com mail.borneo4u.com mail.castejonmultiservicios.com mail.championholiday.com.tr mail.cmh.co.ke mail.comabsaca.com mail.comcast.net mail.ddrac.com mail.digitainteractive.com mail.dswe.pl mail.esaplling.com mail.exteriorconceptsinc.com mail.galaxy-qatar.com mail.gmail.com mail.gmx.net mail.hanlinkinvestment.com mail.hawaiiantel.biz mail.hawaiiantel.biz.cust.b.hostedemail.com mail.hotelcasabarbara.mx 
mail.hotelcasabarbara.mx.netsolmail.net mail.jvcfranco.com mail.mail.ru mail.montanasky.com mail.okpr.pl mail.organothailand.com mail.permachef.com mail.phoenixfinance.com.bd mail.qwestoffice.net mail.renault-india.com mail.secureserver.net mail.strato.de mail.tecnicentroloscolores.com mail.telkomsa.net mail.templegadsden.com mail.vibrantmotors.com mailsrv3.dondominio.com mx-out03.natrohost.com mxauth.truemail.co.th mymail.brinkster.com outlook.ms-acdc.office.com outlook.office365.com p17-imap.mail.me.com p17-imap.mail.me.com.akadns.net poczta.highliving.pl pop-mail.outlook.com pop.secureserver.net pop3.mweb.co.za r4.supportedns.com rae333.mail.pairserver.com salesmail.unilever.pl secure.emailsrvr.com securepop.t-online.de securesmtp.siteprotect.com serwer1566383.home.pl sfwdallmx.t-online.de smtp.1und1.de smtp.ageatiainc.com smtp.alestra.mail2world.com smtp.alestraune.net.mx smtp.aol.com smtp.aol.g03.yahoodns.net smtp.arnetbiz.com.ar smtp.aspirationimaging.co smtp.bizmail.mail.fy4.b.yahoo.com smtp.bizmail.yahoo.com smtp.cj.net smtp.cs.com smtp.deccandiesels.com smtp.gmail.com smtp.gmx.net smtp.grupozoom.com smtp.impetusit.com smtp.live.com smtp.mail.global.gm0.yahoodns.net smtp.mail.me.com smtp.mail.me.com.akadns.net smtp.mail.yahoo.com smtp.netcologne.de smtp.nexgentooling.com smtp.nexgentooling.com.netsolmail.net smtp.northwestel.net smtp.office365.com smtp.quicknet.ch smtp.rediffmailpro.com smtp.secureserver.net smtp.siteldi.com.mx smtp.wp.pl smtp.yandex.com.tr smtp.yandex.ru smtp1.ntl.sympatico.ca smtp3.netcore.co.in smtpauth.omail.com smtpout.kfsb.ch smtpout.secureserver.net tecnicentroloscolores.com templegadsden.com us2.smtp.mailhostbox.com IP IOCs: 207.204.50.27 108.177.15.109 213.202.32.8 142.217.192.29 66.96.147.111 212.227.15.154 212.227.15.138 207.7.80.63 136.243.72.235 95.143.242.54 17.36.205.74 192.185.31.105 150.95.29.46 184.106.54.10 87.250.255.123 17.36.205.69 17.36.205.4 46.105.131.69 217.69.139.90 162.244.254.105 192.185.147.81 50.244.173.195 
77.88.21.158 163.172.62.32 167.114.113.182 105.187.200.240 96.118.48.203 96.118.48.157 96.118.48.114 96.118.48.180 96.118.48.150 96.118.48.178 96.118.48.172 96.118.48.170 96.118.242.233 96.118.247.153 96.118.242.239 96.118.252.121 96.118.242.204 96.118.242.154 96.118.242.217 96.118.242.218 31.214.176.4 64.90.62.162 64.98.36.5 203.144.173.9 173.201.192.229 173.201.192.101 68.178.252.101 173.201.193.228 173.201.193.101 68.178.252.229 212.227.15.167 212.227.15.183 188.125.73.29 156.67.238.99 173.212.231.135 148.66.134.166 139.99.149.61 50.87.248.109 94.152.10.68 213.168.87.11 66.39.65.155 202.164.213.107 69.49.115.72 193.106.106.119 72.167.218.138 173.201.193.129 68.178.252.117 173.201.193.97 173.201.192.129 97.74.135.143 173.201.192.158 97.74.135.10 148.72.206.152 37.187.164.124 188.125.73.26 212.77.101.1 40.101.137.66 40.101.121.34 40.101.19.162 40.101.80.178 40.101.18.18 40.101.137.98 40.101.137.18 162.241.253.201 59.160.116.25 217.78.1.159 186.4.172.5 64.41.126.158 208.91.198.143 208.91.199.223 208.91.199.225 208.91.199.224 67.225.139.208 203.248.116.206 202.75.45.67 204.152.253.11 194.25.134.110 194.25.134.46 190.226.40.3 198.235.201.1 198.235.201.2 197.96.187.220 64.41.126.110 203.82.48.116 94.100.180.70 217.69.139.70 202.162.229.102 202.162.242.9 74.202.142.33 77.72.0.82 143.95.236.61 128.0.54.35 185.187.198.4 212.227.17.168 212.227.17.190 68.178.213.203 72.167.238.29 68.178.213.37 192.185.41.218 64.26.60.229 202.137.237.24 202.137.236.12 216.211.191.66 85.128.156.230 74.6.141.46 67.195.228.98 98.136.96.83 148.72.192.13 213.142.130.241 89.19.2.235 193.251.214.98 89.161.191.218 197.211.212.76 URL IOCs: 46.105.131.69/ringin/ 186.4.172.5/usbccid/usbccid/glitch/ 186.4.172.5/add/entries/glitch/ 186.4.172.5/teapot/raster/glitch/merge/ 186.4.172.5/enable/ http://185.187.198.4:8080/whoami.php 185.187.198.4/enable/sym/glitch/merge/ 185.187.198.4/cone/ File IOCs: Filenames: C:\ C:\Program Files (x86)\Mozilla Thunderbird C:\Users\ C:\Users\aETAdzjz 
C:\Users\aETAdzjz\768.exe C:\Users\aETAdzjz\AppData\ C:\Users\aETAdzjz\AppData\Local\ C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount C:\Users\aETAdzjz\AppData\Local\Temp\DAB4.tmp C:\Users\aETAdzjz\AppData\Local\Temp\VBE C:\Users\aETAdzjz\AppData\Local\Temp\Word8.0 C:\Users\aETAdzjz\AppData\Local\examplelanes\examplelanes.exe C:\Users\aETAdzjz\AppData\Local\structsstructs\ C:\Users\aETAdzjz\AppData\Local\structsstructs\structsstructs.exe C:\Users\aETAdzjz\AppData\Local\structsstructs\structsstructs.exe:Zone.Identifier C:\Users\aETAdzjz\AppData\Local\structsstructs\structsstructs_lng.ini C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Profiles C:\Users\aETAdzjz\AppData\Roaming\Thunderbird\Profiles C:\Users\aETAdzjz\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 C:\Users\aETAdzjz\Documents\WindowsPowerShell\profile.ps1 C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\machine.config C:\Windows\SysWOW64\ntdll.dll C:\Windows\System32\WindowsPowerShell\v1.0 C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\GetEvent.types.ps1xml C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.config C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll MD5 hashes: 0b5111a9cc6baab51851f1702403b937 27941d5b5934712bc254135f489eecc2 SHA1 hashes: 72f7b0be037608e0e5d865be60e319c6758616c7 e95885d85bd47cc19e1181b046995ccd975fd59d SHA256 hashes: 
62a0536a5b9d1e3cb2af52a5630c330cd30da7398bcddf4a17af0913fc502819 7080e1b236a19ed46ea28754916c43a7e8b68727c33cbf81b96077374f4dc205 SSDEEP hashes: 12288:fr1hcmamspvnwD2WGYkg+N1Az7pjG+jx0:/DdyvnweAz7Tm 3:iJhoFcYBqv1JeOrGq1+N1JRKVJfXmvn:IhobYeOrX+xRoxWvn