Sample File: MD5 hash: ef234f23724dc00e693bdb1b1218c1e8 SHA1 hash: 27f0ca2bf23aca5bf4c737480038f23c7eea5b96 SHA256 hash: 5d4e22be32dce5474b61e0df305861f2c07b10ddadbc2dc937481c7d2b736c81 SSDEEP hash: 6144:gzxCyj385/GUCdxzGrGHqveLAS1aP4vAvKhAp081nNVjqKoe:gw8RxSle7AP4oy6nnjqKoe Filename(s): nqmdwcixbxs.exe Filetype: Windows Exe (x86-32) Mutex IOCs: Global\.net clr networking Registry Key IOCs: HKEY_CURRENT_USER HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections HKEY_CURRENT_USER\SOFTWARE\Vitalwerks\DUC HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1 HKEY_CURRENT_USER\Software\DownloadManager\Passwords HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites\Host HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\HTTP Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\IMAP Password HKEY_CURRENT_USER\Software\Microsoft\Windows 
NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\POP3 Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\SMTP Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\HTTP Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\IMAP Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging 
Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\POP3 Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004\HTTP Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004\IMAP Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004\POP3 Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004\SMTP Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load HKEY_CURRENT_USER\Software\Paltalk HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FTP Commander\UninstallString HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DUC HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR 
Networking\Performance\First Counter HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance\IsMultiInstance HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance\Library HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance\CategoryOptions HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance\Counter Names HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance\FileMappingSize HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Impersonation Level HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Namespace HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType \HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesName \HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesPW \HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesPort \HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesUser Domain IOCs: vacanzaimmobiliare.it www.vacanzaimmobiliare.it IP IOCs: 185.81.4.56 URL IOCs: www.vacanzaimmobiliare.it/testla/WebPanel/post.php File IOCs: Filenames: C:\Program Files (x86)\Common Files\Apple\Apple Application Support\plutil.exe C:\Program Files (x86)\Flock\ C:\Program Files (x86)\Mozilla Firefox\ C:\Program Files (x86)\Mozilla Thunderbird\ C:\Program Files (x86)\SeaMonkey\ C:\Program Files (x86)\jDownloader\config\database.script C:\ProgramData\DynDNS\Updater\config.dyndns C:\Users C:\Users\5p5NrGJn0jS HALPmcxz C:\Users\5p5NrGJn0jS HALPmcxz\AppData C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Chromium\User 
Data\Default\Login Data C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Comodo\Dragon\User Data\Default\Login Data C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Login Data C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\\tmpG554.tmp C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\.purple\accounts.xml C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\CoreFTP\sites.idx C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\FileZilla\recentservers.xml C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Flock\Browser\profiles.ini C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Flock\Browser\signons3.txt C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\ C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\JavaUpdtr.exe C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\JavaUpdtr.exe:Zone.Identifier C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox\Profiles\silmbjec.default\logins.json C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox\profiles.ini C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\SeaMonkey\logins.json C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Opera Mail\Opera Mail\wand.dat C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Opera Software\Opera Stable\Login Data C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Pocomail\accounts.ini C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\The Bat! 
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Thunderbird\profiles.ini C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Thunderbird\signons.sqlite C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ftplist.txt C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe.config C:\Users\All Users\AppData\Roaming\FlashFXP\3quick.dat C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config MD5 hashes: ef234f23724dc00e693bdb1b1218c1e8 SHA1 hashes: 27f0ca2bf23aca5bf4c737480038f23c7eea5b96 SHA256 hashes: 5d4e22be32dce5474b61e0df305861f2c07b10ddadbc2dc937481c7d2b736c81 SSDEEP hashes: 6144:gzxCyj385/GUCdxzGrGHqveLAS1aP4vAvKhAp081nNVjqKoe:gw8RxSle7AP4oy6nnjqKoe

Analyst notes on using these indicators: The sample is a 32-bit Windows executable that touches the .NET CLR Networking mutex/performance-counter keys and v2.0.50727\config\machine.config, so it appears to run on the .NET runtime. The file and registry artifacts it accesses are overwhelmingly stored-credential locations — browser "Login Data" databases and logins.json/signons files (Chrome, Chromium, Opera, Yandex, Comodo Dragon, ChromePlus, Firefox, SeaMonkey, Flock), mail-client profiles and password values (Outlook IMAP/POP3/SMTP/HTTP Password, Foxmail, Eudora, The Bat!, Pocomail, Opera Mail wand.dat, Thunderbird), FTP/SFTP clients (FileZilla, WS_FTP, CoreFTP, SmartFTP, FlashFXP, FTP Commander, WinSCP sessions), plus Pidgin accounts.xml, jDownloader, Internet Download Manager passwords, Paltalk and DynDNS/No-IP DUC settings — which is consistent with a credential stealer. Treat those paths and keys as behavioral indicators (a process reading them), not as presence indicators: nearly all of them are legitimate locations on a clean host. The only network artifacts are the domain www.vacanzaimmobiliare.it, IP 185.81.4.56 and the endpoint /testla/WebPanel/post.php, which is the likely exfiltration point and the most useful item to block and hunt on. The dropped AppData\Roaming\Java\JavaUpdtr.exe (written with a Zone.Identifier stream) together with access to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load — a documented autostart value — is a probable persistence mechanism; confirm the value's contents on an infected host before relying on it. Sandbox-specific values (the username 5p5NrGJn0jS HALPmcxz, tmpG554.tmp, the Firefox profile silmbjec.default) are not portable and should be generalized in any detection rule. The four "\HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSites..." entries are recorded without path separators; this looks like a malformed string emitted by the sample rather than a transcription error, so match them verbatim if you use them. Prefer the SHA256 over MD5/SHA1 for file matching.