Sample File:
MD5 hash: 5584cd3c99cde56e459f30eec3bb470b
SHA1 hash: 6b22373f655d9d25b3fd474597ac5933c2b4248c
SHA256 hash: 4e38fd97f1d64237659653a6f82e1d144636e69671c7e07ca7137bc59823c4d3
SSDEEP hash: 12288:oTc5UVeRDe9L7KNpQZ8QYlSTyAkQ4T3Wy81rh9aI:oQEB7KlQDmAUDJ81j
Filename(s): nrpswgral.exe
Filetype: Windows Exe (x86-32)
Mutex IOCs:
Registry Key IOCs:
Note: this list appears to record every key the sample touched during analysis. The .NETFramework, Windows NT\CurrentVersion and Time Zones keys are routine reads for a .NET program; the keys that hold stored sessions and credentials for FTP, mail, browser and VPN clients are the ones worth alerting on when an unexpected process reads them.
HKEY_CURRENT_USER
HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
HKEY_CURRENT_USER\Software\DownloadManager\Passwords
HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites\Host
HKEY_CURRENT_USER\Software\IncrediMail\Identities
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\HTTP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\IMAP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\POP3 Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\SMTP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\HTTP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\IMAP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\POP3 Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP Password
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\OpenVPN-GUI\configs
HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine
HKEY_CURRENT_USER\Software\RimArts\B2\Settings
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\LegacyWPADSupport
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\HWRPortReuseOnSocketBind
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\RequireCertificateEKUs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchSendAuxRecord
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SchUseStrongCrypto
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.SchSendAuxRecord
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\SystemDefaultTlsVersions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\WMIDisableCOMSecurity
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Display
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Dlt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Std
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\TZI
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Impersonation Level
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Namespace
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType
\HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesName
\HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesPW
\HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesPort
\HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesUser
Domain IOCs:
Note: checkip.amazonaws.com (a public-IP lookup service) and smtp.yandex.ru (a mail provider's SMTP host) are shared, legitimate services, and the IP addresses listed under "IP IOCs" appear to be their resolutions at analysis time. Use them to correlate with the host indicators in this report rather than as standalone block-list entries.
checkip.amazonaws.com
checkip.check-ip.aws.a2z.com
checkip.us-east-1.prod.check-ip.aws.a2z.com
smtp.yandex.ru
IP IOCs:
213.180.204.38
77.88.21.38
93.158.134.38
87.250.250.38
213.180.193.38
52.55.255.113
52.44.169.135
34.196.181.158
3.224.145.145
18.204.189.102
18.205.71.63
URL IOCs:
http://checkip.amazonaws.com/
File IOCs:
Filenames:
C:\%insfolder%\%insname%
C:\FTP Navigator\Ftplist.txt
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\plutil.exe
C:\Program Files (x86)\jDownloader\config\database.script
C:\Storage\
C:\Users\All Users\AppData\Roaming\FlashFXP\3quick.dat
C:\Users\FD1HVy\AppData\Local\360Chrome\Chrome\User Data
C:\Users\FD1HVy\AppData\Local\7Star\7Star\User Data
C:\Users\FD1HVy\AppData\Local\Amigo\User Data
C:\Users\FD1HVy\AppData\Local\BraveSoftware\Brave-Browser\User Data
C:\Users\FD1HVy\AppData\Local\CatalinaGroup\Citrio\User Data
C:\Users\FD1HVy\AppData\Local\CentBrowser\User Data
C:\Users\FD1HVy\AppData\Local\Chedot\User Data
C:\Users\FD1HVy\AppData\Local\Chromium\User Data
C:\Users\FD1HVy\AppData\Local\CocCoc\Browser\User Data
C:\Users\FD1HVy\AppData\Local\Comodo\Dragon\User Data
C:\Users\FD1HVy\AppData\Local\Coowon\Coowon\User Data
C:\Users\FD1HVy\AppData\Local\Elements Browser\User Data
C:\Users\FD1HVy\AppData\Local\Epic Privacy Browser\User Data
C:\Users\FD1HVy\AppData\Local\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
C:\Users\FD1HVy\AppData\Local\Google\Chrome\User Data\
C:\Users\FD1HVy\AppData\Local\Google\Chrome\User Data\Cookies
C:\Users\FD1HVy\AppData\Local\Google\Chrome\User Data\Default\Cookies
C:\Users\FD1HVy\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\FD1HVy\AppData\Local\Google\Chrome\User Data\Login Data
C:\Users\FD1HVy\AppData\Local\Iridium\User Data
C:\Users\FD1HVy\AppData\Local\Kometa\User Data
C:\Users\FD1HVy\AppData\Local\MapleStudio\ChromePlus\User Data
C:\Users\FD1HVy\AppData\Local\Orbitum\User Data
C:\Users\FD1HVy\AppData\Local\QIP Surf\User Data
C:\Users\FD1HVy\AppData\Local\Sputnik\Sputnik\User Data
C:\Users\FD1HVy\AppData\Local\Temp\\tmpG451.tmp
C:\Users\FD1HVy\AppData\Local\Tencent\QQBrowser\User Data
C:\Users\FD1HVy\AppData\Local\Tencent\QQBrowser\User Data\Default\EncryptedStorage
C:\Users\FD1HVy\AppData\Local\Torch\User Data
C:\Users\FD1HVy\AppData\Local\UCBrowser\
C:\Users\FD1HVy\AppData\Local\VirtualStore\Program Files (x86)\Foxmail\mail\
C:\Users\FD1HVy\AppData\Local\VirtualStore\Program Files\Foxmail\mail\
C:\Users\FD1HVy\AppData\Local\Vivaldi\User Data
C:\Users\FD1HVy\AppData\Local\Yandex\YandexBrowser\User Data
C:\Users\FD1HVy\AppData\Local\falkon\profiles\profiles.ini
C:\Users\FD1HVy\AppData\Local\liebao\User Data
C:\Users\FD1HVy\AppData\Local\uCozMedia\Uran\User Data
C:\Users\FD1HVy\AppData\Roaming
C:\Users\FD1HVy\AppData\Roaming\8pecxstudios\Cyberfox\
C:\Users\FD1HVy\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\FD1HVy\AppData\Roaming\Claws-mail
C:\Users\FD1HVy\AppData\Roaming\Claws-mail\clawsrc
C:\Users\FD1HVy\AppData\Roaming\Comodo\IceDragon\
C:\Users\FD1HVy\AppData\Roaming\Comodo\IceDragon\profiles.ini
C:\Users\FD1HVy\AppData\Roaming\CoreFTP\sites.idx
C:\Users\FD1HVy\AppData\Roaming\FTPGetter\servers.xml
C:\Users\FD1HVy\AppData\Roaming\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
C:\Users\FD1HVy\AppData\Roaming\FileZilla\recentservers.xml
C:\Users\FD1HVy\AppData\Roaming\Flock\Browser\
C:\Users\FD1HVy\AppData\Roaming\Flock\Browser\profiles.ini
C:\Users\FD1HVy\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
C:\Users\FD1HVy\AppData\Roaming\K-Meleon\
C:\Users\FD1HVy\AppData\Roaming\K-Meleon\profiles.ini
C:\Users\FD1HVy\AppData\Roaming\Moonchild Productions\Pale Moon\
C:\Users\FD1HVy\AppData\Roaming\Moonchild Productions\Pale Moon\profiles.ini
C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\
C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\cookies.sqlite
C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\logins.json
C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\Profiles\w7cr0hor.default\signons.sqlite
C:\Users\FD1HVy\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\FD1HVy\AppData\Roaming\Mozilla\SeaMonkey\
C:\Users\FD1HVy\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\FD1HVy\AppData\Roaming\Mozilla\icecat\
C:\Users\FD1HVy\AppData\Roaming\Mozilla\icecat\profiles.ini
C:\Users\FD1HVy\AppData\Roaming\NETGATE Technologies\BlackHawk\
C:\Users\FD1HVy\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
C:\Users\FD1HVy\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\FD1HVy\AppData\Roaming\Opera Software\Opera Stable
C:\Users\FD1HVy\AppData\Roaming\Opera Software\Opera Stable\Login Data
C:\Users\FD1HVy\AppData\Roaming\Pocomail\accounts.ini
C:\Users\FD1HVy\AppData\Roaming\Postbox\
C:\Users\FD1HVy\AppData\Roaming\Postbox\profiles.ini
C:\Users\FD1HVy\AppData\Roaming\Psi+\profiles
C:\Users\FD1HVy\AppData\Roaming\Psi\profiles
C:\Users\FD1HVy\AppData\Roaming\The Bat!
C:\Users\FD1HVy\AppData\Roaming\Thunderbird\
C:\Users\FD1HVy\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\FD1HVy\AppData\Roaming\Trillian\users\global\accounts.dat
C:\Users\FD1HVy\AppData\Roaming\Waterfox\
C:\Users\FD1HVy\AppData\Roaming\Waterfox\profiles.ini
C:\Users\FD1HVy\AppData\Roaming\hdqye3l4.01h
C:\Users\FD1HVy\AppData\Roaming\hdqye3l4.01h.zip
C:\Users\FD1HVy\AppData\Roaming\hdqye3l4.01h\Chrome
C:\Users\FD1HVy\AppData\Roaming\hdqye3l4.01h\Chrome\Default
C:\Users\FD1HVy\AppData\Roaming\hdqye3l4.01h\Chrome\Default\Cookies
C:\Users\FD1HVy\AppData\Roaming\hdqye3l4.01h\Firefox
C:\Users\FD1HVy\AppData\Roaming\hdqye3l4.01h\FirefoxProfiles\w7cr0hor.default\cookies.sqlite
C:\Users\FD1HVy\AppData\Roaming\hdqye3l4.01h\Firefox\Profiles
C:\Users\FD1HVy\AppData\Roaming\hdqye3l4.01h\Firefox\Profiles\w7cr0hor.default
C:\Users\FD1HVy\AppData\Roaming\hdqye3l4.01h\Firefox\Profiles\w7cr0hor.default\cookies.sqlite
C:\Users\FD1HVy\Desktop\Folder.lst
C:\Users\FD1HVy\Desktop\nrpswgral.exe
C:\Users\FD1HVy\Desktop\nrpswgral.exe.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrcompression.dll
C:\cftp\Ftplist.txt
C:\mail\
MD5 hashes:
123bb0d96e2bf3342a462c70cf2695ad
164f4ab18544aae9d15a13d4515bd3dc
5584cd3c99cde56e459f30eec3bb470b
c20e15d79cdbb0f0f9bc21c06670d09b
SHA1 hashes:
6b22373f655d9d25b3fd474597ac5933c2b4248c
78c8d3bdd34ba554fd077b0a126f01c6e877b1ae
9b525c3b7d2a95603a1f251572ff020170471b14
fa8091697602b9f748a1b3ca7b28b2c1be34f1dd
SHA256 hashes:
2434f6f5c2143b8bab6161fc1e5bed97282fdad54d7deb409248029a750de268
3cd70c88732d682b19998725e9d77877582950460f5501ba272127aa9cecd983
4e38fd97f1d64237659653a6f82e1d144636e69671c7e07ca7137bc59823c4d3
fcbf28e532103aee92e2e1d0ca8e96e7c1387fb6654566078362623a0c893129
SSDEEP hashes:
12288:oTc5UVeRDe9L7KNpQZ8QYlSTyAkQ4T3Wy81rh9aI:oQEB7KlQDmAUDJ81j
192:0RfWMCXMa1xBMJEbWiqDMomvsQZeTfnOEcf8:01WMHa3aEbZomv4n
192:VD/ApAhREKxiHpWXC1elNknfedN2F887O988ymwCtQMABwC7p:VDopgREIcrelKfe3WZmsM0p
48:T1L/ecVTgPOpEveoJZFrU1cQBAxPsuNfRlc9:FHSNDJAAvfbc