Sample File:

	MD5 hash:
		800bbc469213a096ca2756a8ffd795b2

	SHA1 hash:
		14e05f21dc89b493c287c479422f57fcbd52f756

	SHA256 hash:
		08fc0df9273e8860da43897a2b9ae7a989c47c1a27ef93126e3ffd2615f26ff8

	SSDEEP hash:
		48:w8HzYE/14NASLDiscaYwnhGkJoq1j2s4g9Q892qAcZczwcLEbRFUdHaAGs7GSq:ZzYE/1PULaANb3xZmwcwbRFUdHaY7Jq

	Filename(s):
		gymhei.rtf

	Filetype:
		RTF Document


Mutex IOCs:

		OytkuFnNtwYSuu
		c0a7917d-51d4-4342-b9d4-3e877f7af0ef
		Global\.net clr networking


Registry Key IOCs:

		HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
		HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
		HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger
		HKEY_PERFORMANCE_DATA
		HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe
		HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine
		HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current
		HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird
		HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
		HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes
		HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
		HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
		HKEY_CURRENT_USER\Identities
		HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}
		HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Username
		HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Internet Account Manager\Accounts
		HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
		HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
		HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\189cba75c69c634996739bac92103ebb
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1a8bd43e654f65418fbafadeef063a57
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\1cfb96c6c96b454ebff73da2e9f63f51
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\467888fc50a6c6448d6cc0cf7b5307d6
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\48dea081c9634a43a6861907855add5c
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\55aad8d134512d438564aa678cb92d66
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\71b0295bef58e344911262b243f005ac
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\POP3 User
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\IMAP User
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\HTTP User
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\SMTP User
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 User
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Server
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Display Name
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Server
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Port
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Port
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Use SPA
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Password
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP User
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP User
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP User
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\POP3 User
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\IMAP User
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\HTTP User
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP User
		HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001
		HKEY_CURRENT_USER\Software\IncrediMail\Identities
		HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities
		HKEY_LOCAL_MACHINE\Software\Group Mail
		HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger
		HKEY_CURRENT_USER\Software\Microsoft\MessengerService
		HKEY_CURRENT_USER\Software\Yahoo\Pager
		HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL
		HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
		HKEY_CURRENT_USER\Software\Beyluxe Messenger
		HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
		HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance\Library
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance\IsMultiInstance
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance\First Counter
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance\CategoryOptions
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance\FileMappingSize
		HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance\Counter Names
		HKEY_CURRENT_USER
		HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
		HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
		HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings


Domain IOCs:

		robotrade.com.vn


IP IOCs:

		103.74.123.3


URL IOCs:

		http://robotrade.com.vn/wp-content/images/views/A3nBEySMVDPuHZJ.exe


File IOCs:

	Filenames:
		C:\Users\aETAdzjz\AppData\Roaming\poiuytrewsdfghjk.exe
		C:\Users\aETAdzjz\AppData\Local\Vivaldi\User Data\Default\Login Data
		C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini
		C:\Users\aETAdzjz\AppData\Local\Temp\tmp118.tmp
		C:\Users\aETAdzjz\AppData\Roaming\Opera\Opera\wand.dat
		C:\Users\aETAdzjz\AppData\Local\Temp\tmp139F.tmp
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data
		C:\Users\aETAdzjz\AppData\Roaming\Thunderbird\Profiles
		C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\history.dat
		C:\Users\aETAdzjz\AppData\Local\Temp\32f4c789-19cd-4310-170a-5756ff13bdf0
		C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012020030920200310\index.dat
		C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017071220170713\index.dat
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data
		C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc_lng.ini
		C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data
		C:\Users\aETAdzjz\AppData\Roaming\Opera\Opera7\profile\wand.dat
		C:\Program Files (x86)\Sea Monkey\nss3.dll
		C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key4.db
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data
		C:\Program Files (x86)\Mozilla Thunderbird
		C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount
		C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount
		C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\WebCache\WebCacheV24.dat
		C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\pnacl\Web Data
		C:\Users\aETAdzjz\AppData\Roaming\Opera Software\Opera Stable\Login Data
		C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data
		C:\Users\aETAdzjz\AppData\Roaming\.minecraft\lastlogin
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data
		C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config
		C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\key4.db
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data
		C:\Program Files (x86)\Adobe\Reader 10.0\Reader\reader_sl.exe
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data
		C:\Users\aETAdzjz\AppData\Local\Temp\tmp915.tmp
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data
		C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
		C:\Users\aETAdzjz\AppData\Roaming\urhatNqflNdYH.config
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data
		C:\Users\aETAdzjz\Desktop\gymhei.rtf
		C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012020021720200224\index.dat
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\pnacl\Login Data
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data
		C:\Users\aETAdzjz\AppData\Roaming\urhatNqflNdYH.exe
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data
		C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\places.sqlite
		C:\Users\aETAdzjz\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
		C:\Users\aETAdzjz\AppData\Roaming\CoreFTP\sites.idx
		C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal
		C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
		C:\Users\aETAdzjz\AppData\Roaming\poiuytrewsdfghjk.config
		C:\Users\aETAdzjz\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data
		C:\Users\aETAdzjz\AppData\Roaming\Apple Computer\Preferences\keychain.plist
		C:\Windows\SysWOW64\schtasks.exe
		C:\Users\aETAdzjz\AppData\Local\Temp\d2b24b39-a0dd-85cb-81d9-1a92584567e6
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data
		C:\Users\aETAdzjz\AppData\Local\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db
		C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Profiles
		Equation3_1
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
		C:\Users\aETAdzjz\AppData\Roaming\FileZilla
		C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070320170710\index.dat
		C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg
		C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data

	MD5 hashes:
		7fae1c43adaa0a17dc380f77a12b9f9d
		7309330e2e9f3800b1b198992a42e7a5
		b391a4276a7d3334241ca08aaab6da7c
		d41d8cd98f00b204e9800998ecf8427e
		9947dc3e3a67dab6084121064fb9b1aa
		800bbc469213a096ca2756a8ffd795b2
		ed0cd55fefc80ba825fdd94096cfe6aa
		f3b25701fe362ec84616a93a45ce9998
		c6795ee2cc5cc8629cd344567b97de12

	SHA1 hashes:
		96722dcd09001cfa1d2e9bd9e9b03a2fda6e8e27
		d35a5ffa0e94adc8a7434f16cccdb6413c69d877
		d62636d8caec13f04e28442a0a6fa1afeb024bbb
		a3ef1a0f4001dc5c031c2725a13ff4849bc1f776
		33c97692a8c630b85c5fa8cdbfbc8abde8b3f8e4
		897a666aa994781d5f64ea746d19ec1876aea5ad
		083322c6b4e404d7ba22ec2e9d8b5bd65a355bb7
		da39a3ee5e6b4b0d3255bfef95601890afd80709
		14e05f21dc89b493c287c479422f57fcbd52f756

	SHA256 hashes:
		6d4aed382eb9502afe06035735ea7f8cfc71b73320627c76d461c3babf88231f
		1a99743dfb94e5e6373af54817d5cf6844cd646e901127087b81908bfecafe08
		daac75df0b8e08e4007f3424e99dbbfedaa87ed8981c9ca04c77baf217a66e53
		bd59c6f189c3eaa095055c67110df28fa18d36bb69659c62bb5c3c0fb55f6824
		b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
		d8f83b29f6cc094a4a96ea6c28763ae1412128394d7a2c0cbb1afb68b33d55b8
		7b4f483fec4fa044ae212932fc903e2c0a47a1b7bd4167fddef463fd4308df8e
		08fc0df9273e8860da43897a2b9ae7a989c47c1a27ef93126e3ffd2615f26ff8
		e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

	SSDEEP hashes:
		3::
		24:UKhp7Puwewm5mGUlN/IYqXZMDEMc1TPr+umWOfEK5JO+Nm:vr7uwewm5P2N/7Kz+EK5JO+Nm
		6:QAXyNqU8eTpvPADAwzRIj0FSAbkdBGezRSPMMPpnDWm2cnDWAwb:Qjb8CvPADzRIn1BGe9SxPtyeyAwb
		3:4aRrWhd6xYwpYFm3wiXk/CX:prUaYwpFh9X
		3:Qn:Qn
		24576:EGfkkY5HlsfC03+a8RT9HNmuTeOQBduDOi3yU:kdH+fCYTONmketSDZ
		48:w8HzYE/14NASLDiscaYwnhGkJoq1j2s4g9Q892qAcZczwcLEbRFUdHaAGs7GSq:ZzYE/1PULaANb3xZmwcwbRFUdHaY7Jq
		24:2dH4+SEqCH7wlNMFo/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBJBtn:cbhH7wlNQo/rydbz9I3YODOLNdq3vT
		3:4aRrWhd6xYzuwsjJ1RWc1W0P:prUaYi71T1T