Sample File: MD5 hash: 5a51e63d898736046b20e5b7bbab88ae SHA1 hash: 6872e4301bba24de600600cbbb2434b244537134 SHA256 hash: 3985bc09caa13dadf70187a20d271303c272a41404beb497ac6116a5722a05d1 Filename(s): 022543.doc Filetype: Word Document Mutex IOCs: Global\.net clr networking Global\I78B0A7D7 Global\M78B0A7D7 Global\Nx357ECDE7 PEMA08 PEMB40 PEMB50 PEMB64 Registry Key IOCs: 8804558B-B773-11d1-BC3E-0000F87552E7 HKEY_CURRENT_USER HKEY_CURRENT_USER\Environment HKEY_CURRENT_USER\Identities HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38} HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Internet Account Manager\Accounts HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts HKEY_CURRENT_USER\Software\IncrediMail\Identities HKEY_CURRENT_USER\Software\Microsoft\Command Processor HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger HKEY_CURRENT_USER\Software\Microsoft\MessengerService HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts HKEY_CURRENT_USER\Software\Microsoft\Visual Basic\6.0 HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging 
Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\29091b5932ee0f48aec4673270b08577 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\349c13b2d278c3458833b7862c0157f4 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\882b4247eb9feb478bcaf90664ec624c HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\dfc6f427732b824da2ca53fc3cafb157 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows 
Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Reminders HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine HKEY_CURRENT_USER\Software\Yahoo\Pager HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ODiag HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ODiag\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OSession HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OSession\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current HKEY_LOCAL_MACHINE\Software\Clients\Mail\Microsoft Outlook HKEY_LOCAL_MACHINE\Software\Group Mail HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment Mozilla Firefox 25.0\bin Mozilla Firefox\bin IP IOCs: 184.168.46.18 190.196.2.210 197.245.46.11 216.46.44.93 94.70.244.227 190.213.248.219 URL IOCs: www.icb.cl/ZxavoDe/ 197.245.46.11 216.46.44.93 http://94.70.244.227:80/whoami.php 94.70.244.227 File IOCs: Filenames: C:\ C:\Program Files (x86)\Mozilla Firefox\mozsqlite3.dll C:\Program Files (x86)\Mozilla Firefox\nss3.dll C:\Program Files (x86)\Mozilla Firefox\sqlite3.dll C:\Program Files (x86)\Mozilla Thunderbird C:\Program Files (x86)\Sea Monkey\nss3.dll C:\ProgramData\FAQ C:\ProgramData\oyvGkGw.exe C:\Users 
C:\Users\kFT6uTQW C:\Users\kFT6uTQW\AppData\ C:\Users\kFT6uTQW\AppData\Local\ C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Login Data C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Web Data C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\pnacl\Login Data C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\pnacl\Web Data C:\Users\kFT6uTQW\AppData\Local\Microsoft\ C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount 
C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\ C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018062620180627\index.dat C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\WebCache\WebCacheV24.dat C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack.exe:Zone.Identifier C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_.exe C:\Users\kFT6uTQW\AppData\Local\Microsoft\Windows\syncpack_lng.ini C:\Users\kFT6uTQW\AppData\Local\Temp\280.exe C:\Users\kFT6uTQW\AppData\Local\Temp\D3A3.tmp C:\Users\kFT6uTQW\AppData\Local\Temp\D3D3.tmp C:\Users\kFT6uTQW\AppData\Local\Temp\D3D4.tmp C:\Users\kFT6uTQW\AppData\Local\Temp\VBE C:\Users\kFT6uTQW\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data C:\Users\kFT6uTQW\AppData\Roaming\Apple Computer\Preferences\keychain.plist C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\history.dat C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\logins.json C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\places.sqlite C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\signons.sqlite C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\profiles.ini C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Profiles C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini 
C:\Users\kFT6uTQW\AppData\Roaming\Opera Software\Opera Stable\Login Data C:\Users\kFT6uTQW\AppData\Roaming\Opera\Opera7\profile\wand.dat C:\Users\kFT6uTQW\AppData\Roaming\Opera\Opera\wand.dat C:\Users\kFT6uTQW\AppData\Roaming\Thunderbird\Profiles C:\Users\kFT6uTQW\AppData\Roaming\tarutils C:\Users\kFT6uTQW\AppData\Roaming\tarutils\oyvHkHw.exe C:\Users\kFT6uTQW\Desktop C:\Users\kFT6uTQW\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 C:\Users\kFT6uTQW\Documents\WindowsPowerShell\profile.ps1 C:\Windows\Help\.HLP C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config C:\Windows\SysWOW64\WindowsPowerShell\v1.0 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowersHell.config C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\profile.ps1 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll C:\Windows\system32 C:\Windows\system32\.HLP C:\Windows\system32\alg.exe MD5 hashes: bc1a4dc38f3236982d47496a1151f33f cbe11e9a9e71737f15e8f1c606ad8d8c d41d8cd98f00b204e9800998ecf8427e SHA1 hashes: 2d4575457d337753a57b7941d13ac9665342641a d112719238664d7996048614d75db8a67fc50fc5 
da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 hashes: 6e143481553f9ae7566d2245450f6fe65734b465df03e43905f0fb19f812b343 85f328a811ca9f10ad82bc3c68d3c348cb069d8378400bf191bb515a6aa63473 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (Note: d41d8cd98f00b204e9800998ecf8427e, da39a3ee5e6b4b0d3255bfef95601890afd80709 and e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 are the MD5, SHA1 and SHA256 digests of a zero-byte file, so they identify an empty artifact rather than malicious content and should not be used as detection indicators.)