Sample File: MD5 hash: 16f7c7eef220983f255a9d4fce3d55bc SHA1 hash: 6004af991389c178f8c33f30fabd5d48bc2ce4c1 SHA256 hash: 49d9e68dbb6a4bfc5122545b2150adfc3b0ac99f717a1676a5de1e6865c8143b Filename(s): share.cgissid07Ua3Tpfid07Ua3TpfilenameRFQ0332.xlsopenfolderforcedownloadep.xls Filetype: Excel Document Mutex IOCs: Global\.net clr networking Registry Key IOCs: 8804558B-B773-11d1-BC3E-0000F87552E7 HKEY_CURRENT_USER HKEY_CURRENT_USER\Environment HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections HKEY_CURRENT_USER\SOFTWARE\Vitalwerks\DUC HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1 HKEY_CURRENT_USER\Software\DownloadManager\Passwords HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Paltalk 
HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DUC HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ODiag HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\ODiag\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OSession HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OSession\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1 HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\1\PowerShellEngine HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment IP IOCs: 164.160.128.121 216.146.43.70 91.198.22.70 216.146.43.71 216.146.38.70 URL IOCs: 3lionsfactory.ga/out/linit.exe checkip.dyndns.org/ File IOCs: Filenames: C:\ C:\Program Files (x86)\Common Files\Apple\Apple Application Support\plutil.exe C:\Program Files (x86)\Flock\nss3.dll C:\Program Files (x86)\Mozilla Firefox\ C:\Program Files (x86)\Mozilla Firefox\\ C:\Program Files (x86)\Mozilla Firefox\nss3.dll C:\Program Files (x86)\Mozilla Thunderbird\nss3.dll C:\Program Files (x86)\Postbox\nss3.dll C:\Program Files (x86)\SeaMonkey\nss3.dll C:\Program Files (x86)\jDownloader\config\database.script C:\ProgramData\DynDNS\Updater\config.dyndns C:\Users C:\Users\All Users\AppData\Roaming\FlashFXP\3quick.dat C:\Users\kFT6uTQW C:\Users\kFT6uTQW\AppData C:\Users\kFT6uTQW\AppData\Local\Chromium\User Data\Default\Login Data C:\Users\kFT6uTQW\AppData\Local\Comodo\Dragon\User Data\Default\Login Data C:\Users\kFT6uTQW\AppData\Local\Google\Chrome\User Data\Default\Login Data C:\Users\kFT6uTQW\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data C:\Users\kFT6uTQW\AppData\Local\Torch\User Data\Default\Login Data C:\Users\kFT6uTQW\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data C:\Users\kFT6uTQW\AppData\Roaming 
C:\Users\kFT6uTQW\AppData\Roaming\.purple\accounts.xml C:\Users\kFT6uTQW\AppData\Roaming\CoreFTP\sites.idx C:\Users\kFT6uTQW\AppData\Roaming\DURA Automotive Systems Inc\ C:\Users\kFT6uTQW\AppData\Roaming\DURA Automotive Systems Inc\DURA Automotive Systems Inc.exe C:\Users\kFT6uTQW\AppData\Roaming\DURA Automotive Systems Inc\DURA Automotive Systems Inc.exe.config C:\Users\kFT6uTQW\AppData\Roaming\DURA Automotive Systems Inc\DURA Automotive Systems Inc.exe:Zone.Identifier C:\Users\kFT6uTQW\AppData\Roaming\FileZilla\recentservers.xml C:\Users\kFT6uTQW\AppData\Roaming\Flock\Browser\profiles.ini C:\Users\kFT6uTQW\AppData\Roaming\Flock\Browser\signons3.txt C:\Users\kFT6uTQW\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\Profiles\p7ap74gw.default\logins.json C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\Firefox\profiles.ini C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\SeaMonkey\logins.json C:\Users\kFT6uTQW\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini C:\Users\kFT6uTQW\AppData\Roaming\Opera Mail\Opera Mail\wand.dat C:\Users\kFT6uTQW\AppData\Roaming\Opera Software\Opera Stable\Login Data C:\Users\kFT6uTQW\AppData\Roaming\Pocomail\accounts.ini C:\Users\kFT6uTQW\AppData\Roaming\Postbox\profiles.ini C:\Users\kFT6uTQW\AppData\Roaming\Postbox\signons.sqlite C:\Users\kFT6uTQW\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ C:\Users\kFT6uTQW\AppData\Roaming\The Bat! 
C:\Users\kFT6uTQW\AppData\Roaming\Thunderbird\logins.json C:\Users\kFT6uTQW\AppData\Roaming\Thunderbird\profiles.ini C:\Users\kFT6uTQW\AppData\Roaming\Thunderbird\signons.sqlite C:\Users\kFT6uTQW\AppData\Roaming\aap6.exe C:\Users\kFT6uTQW\AppData\Roaming\aap6.exe.config C:\Users\kFT6uTQW\Desktop C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config C:\Windows\SysWOW64\WindowsPowerShell\v1.0 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Certificate.format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Diagnostics.Format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\FileSystem.format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\GetEvent.types.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Help.format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Registry.format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\WSMan.format.ps1xml C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.config C:\Windows\SysWOW64\WindowsPowerShell\v1.0\types.ps1xml C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll C:\Windows\system32\Ftplist.txt MD5 hashes: d41d8cd98f00b204e9800998ecf8427e SHA1 hashes: da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 hashes: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (note: these three values are the MD5, SHA1 and SHA256 digests of zero-byte input, i.e. the file was empty or unreadable at the time it was hashed; they match every empty file and are not usable as detection or blocking indicators — use the sample hashes at the top of the report, the dropped-file paths and the network IOCs instead)