Sample File: CMG 4 263 PAYMENT ADVICE.xlsx (Filetype: Excel Document)
MD5 hash: ff014dad028864b1571707f83bf65a46
SHA1 hash: 93a1c9b846e5aeed825a8d62c38e3a9e0958519c
SHA256 hash: 6ce1abc4a205179447e264a05e9f3a04e2fd4009b7a59bc7054fd78c6f15914f
SSDEEP hash: 12288:nP6jkBPIkcIan7FKIPef7a8oFu+PUyxdtGmjsHkDnN74q6n1cgPJWaLETi:nP6xF/nZeTfxnOKknV/6nugJYTi
Filename(s): CMG 4 263 PAYMENT ADVICE.xlsx
Note on handling: all indicator values on this page are reproduced exactly as observed and are not defanged; do not browse to the domain/URL below, and match the file hashes rather than the lure filename, which is trivially changed between campaigns.

Mutex IOCs (named mutexes created at runtime; suitable for host-based detection and for pivoting to other samples that create the same names):
Startup_shellcode_006
frenchy_shellcode_006

Registry Key IOCs (the bulk of these are mail-client profile and stored-credential locations — Foxmail, IncrediMail and Outlook 15.0/16.0 profile values including the per-account "HTTP Password" / "IMAP Password" / "POP3 Password" / "SMTP Password" entries — consistent with credential harvesting. The subkey 9375CFF0413111d3B88A00104B2A6676 is Outlook's standard profile container, not something specific to this sample. Legitimate mail clients read these keys too, so treat access to them by a process that is not the owning mail client as the detection signal, not the keys themselves):
HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
HKEY_CURRENT_USER\Software\IncrediMail\Identities
HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\HTTP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\IMAP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\POP3 Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\SMTP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\HTTP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\IMAP Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\POP3 Password
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP Password
HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine
HKEY_CURRENT_USER\Software\RimArts\B2\Settings
(The following HKLM keys are low-fidelity on their own: the Windows NT\CurrentVersion / ProductId values are commonly read for host fingerprinting, the .NETFramework debugger settings are queried by ordinary .NET process start-up, and the Wbem\Scripting values are touched by any WMI scripting use. Use them for corroboration, not as stand-alone detections.)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting
HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Impersonation Level
HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting\Default Namespace

Network IOCs (the URL serves a file named win32.exe, which suggests the Excel document fetches a second-stage executable rather than carrying the payload itself; this is inferred from the filename only, since the fetched content is not shown here. Block the domain and URL; the IP may be shared hosting, so confirm before blocking it outright):
Domain IOCs: workbigfinetonychuckgoodallarefinezynovaexploitgood.warzonedns.com
IP IOCs: 23.249.165.218
URL IOCs: http://workbigfinetonychuckgoodallarefinezynovaexploitgood.warzonedns.com/bigb/win32.exe

File IOCs — Filenames (caveat: the user name aETAdzjz, the Firefox profile name 3y2joh8o.default and the numeric prefixes on the Temp\*.db files are artefacts of the analysis host, not properties of the sample; in detection content replace them with wildcards, e.g. %LOCALAPPDATA%\Temp\*.db. Most of the AppData\Local\...\User Data paths are Chromium-based browser profile directories, and the "Login Data" files are the browsers' saved-credential stores, so reads of these by a process other than the browser are the useful signal):
C:\%insfolder%\%insname%
C:\Program Files (x86)\Common Files\Apple\Apple Application Support\plutil.exe
C:\Storage\
C:\Users\Public\vbc.exe
C:\Users\Public\vbc.exe.config
C:\Users\aETAdzjz\AppData\Local\360Chrome\Chrome\User Data
C:\Users\aETAdzjz\AppData\Local\7Star\7Star\User Data
C:\Users\aETAdzjz\AppData\Local\Amigo\User Data
C:\Users\aETAdzjz\AppData\Local\BraveSoftware\Brave-Browser\User Data
C:\Users\aETAdzjz\AppData\Local\CatalinaGroup\Citrio\User Data
C:\Users\aETAdzjz\AppData\Local\CentBrowser\User Data
C:\Users\aETAdzjz\AppData\Local\Chedot\User Data
C:\Users\aETAdzjz\AppData\Local\Chromium\User Data
C:\Users\aETAdzjz\AppData\Local\CocCoc\Browser\User Data
C:\Users\aETAdzjz\AppData\Local\Comodo\Dragon\User Data
C:\Users\aETAdzjz\AppData\Local\Coowon\Coowon\User Data
C:\Users\aETAdzjz\AppData\Local\Elements Browser\User Data
C:\Users\aETAdzjz\AppData\Local\Epic Privacy Browser\User Data
C:\Users\aETAdzjz\AppData\Local\Fenrir Inc\Sleipnir5\setting\modules\ChromiumViewer
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Default\Login Data
C:\Users\aETAdzjz\AppData\Local\Google\Chrome\User Data\Login Data
C:\Users\aETAdzjz\AppData\Local\Iridium\User Data
C:\Users\aETAdzjz\AppData\Local\Kometa\User Data
C:\Users\aETAdzjz\AppData\Local\MapleStudio\ChromePlus\User Data
C:\Users\aETAdzjz\AppData\Local\Orbitum\User Data
C:\Users\aETAdzjz\AppData\Local\QIP Surf\User Data
C:\Users\aETAdzjz\AppData\Local\Sputnik\Sputnik\User Data
C:\Users\aETAdzjz\AppData\Local\Temp\637041562706118000_5a486d91-5e81-407c-a6d9-16017ea3a659.db
C:\Users\aETAdzjz\AppData\Local\Temp\637041563908370000_d3625fbb-19c3-4284-a122-f008796776d0.db
C:\Users\aETAdzjz\AppData\Local\Tencent\QQBrowser\User Data
C:\Users\aETAdzjz\AppData\Local\Tencent\QQBrowser\User Data\Default\EncryptedStorage
C:\Users\aETAdzjz\AppData\Local\Torch\User Data
C:\Users\aETAdzjz\AppData\Local\VirtualStore\Program Files (x86)\Foxmail\mail\
C:\Users\aETAdzjz\AppData\Local\VirtualStore\Program Files\Foxmail\mail\
C:\Users\aETAdzjz\AppData\Local\Vivaldi\User Data
C:\Users\aETAdzjz\AppData\Local\Yandex\YandexBrowser\User Data
C:\Users\aETAdzjz\AppData\Local\falkon\profiles\profiles.ini
C:\Users\aETAdzjz\AppData\Local\liebao\User Data
C:\Users\aETAdzjz\AppData\Local\uCozMedia\Uran\User Data
C:\Users\aETAdzjz\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
C:\Users\aETAdzjz\AppData\Roaming\Claws-mail
C:\Users\aETAdzjz\AppData\Roaming\Claws-mail\clawsrc
C:\Users\aETAdzjz\AppData\Roaming\Comodo\IceDragon\profiles.ini
C:\Users\aETAdzjz\AppData\Roaming\Flock\Browser\profiles.ini
C:\Users\aETAdzjz\AppData\Roaming\K-Meleon\profiles.ini
(Persistence indicator: a .config file, and further down an .exe of the same name, are written to the per-user Start Menu Startup folder, so the payload runs at every logon. The name HJdyTuap looks randomly generated and may differ per infection; detect on writes of any executable to the Startup folder rather than on this exact name.)
C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe.config
C:\Users\aETAdzjz\AppData\Roaming\Moonchild Productions\Pale Moon\profiles.ini
(The Firefox key3.db / key4.db / logins.json / signons.sqlite files are the saved-password and key stores of a Mozilla profile; reading all four from one non-browser process is a strong credential-theft signal.)
C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key3.db
C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\key4.db
C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\logins.json
C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\Profiles\3y2joh8o.default\signons.sqlite
C:\Users\aETAdzjz\AppData\Roaming\Mozilla\Firefox\profiles.ini
C:\Users\aETAdzjz\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini
C:\Users\aETAdzjz\AppData\Roaming\Mozilla\icecat\profiles.ini
C:\Users\aETAdzjz\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
C:\Users\aETAdzjz\AppData\Roaming\Opera Mail\Opera Mail\wand.dat
C:\Users\aETAdzjz\AppData\Roaming\Opera Software\Opera Stable\Login 
Data
C:\Users\aETAdzjz\AppData\Roaming\Pocomail\accounts.ini
C:\Users\aETAdzjz\AppData\Roaming\Postbox\profiles.ini
C:\Users\aETAdzjz\AppData\Roaming\The Bat!
C:\Users\aETAdzjz\AppData\Roaming\Thunderbird\profiles.ini
C:\Users\aETAdzjz\AppData\Roaming\Trillian\users\global\accounts.dat
C:\Users\aETAdzjz\AppData\Roaming\Waterfox\profiles.ini
(s.exe is dropped directly under the user profile, and its Zone.Identifier alternate data stream is also listed — i.e. the file was tagged with a Mark-of-the-Web, which is what a download or an attachment-extracted file would carry; the presence of the ADS entry means the sample read or wrote that stream, which is worth checking if you are looking for MotW removal.)
C:\Users\aETAdzjz\s.exe
C:\Users\aETAdzjz\s.exe:Zone.Identifier
(RegAsm.exe under Framework\v2.0.50727 is a legitimate, Microsoft-signed .NET utility; it appears here together with its .Config and machine.config, which is consistent with a signed .NET binary being started to host the payload, though the page does not show the injection itself. Do not block RegAsm.exe globally — alert on it spawning from an Office process or making network connections.)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe.Config
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\system32\Folder.lst
C:\mail\
\??\C:\Users\Public\vbc.exe
\??\C:\Users\aETAdzjz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
(The \??\ prefix is the NT object-manager form of the same path; the two entries above therefore refer to the files already listed, seen through a different API. vbc.exe in C:\Users\Public shares its name with the Visual Basic compiler that ships with the .NET Framework, but that directory is not where the real tool lives, so a vbc.exe at this path should be treated as the dropped payload.)

Dropped-file hashes (three files are hashed below; the page does not say which hash belongs to which of the dropped executables — vbc.exe, s.exe and HJdyTuap.exe are the obvious candidates — so match on the hashes directly rather than on the mapping. The SSDEEP entry with block size 3 describes a very small file and probably corresponds to a .config file rather than an executable; treat that pairing as unconfirmed.)
MD5 hashes:
478eeafbb12c55cbec0cbeafb984fed6
83153cdead58be81d90ffb518a1c87fe
f32e6ea47c60aec3a322cd5aa60a3c8d
SHA1 hashes:
147bfddeb74a93227e90f058b5d075b4343a37c8
519dcf5eb793527b93b1af82548ed9aa8fbeb5b6
af89c8ae9e9299eed5b57e0267b579b63d251614
SHA256 hashes:
270e56e60bab1c286c06f71fcf3b9b5a1b6b17d3acfb1f939d6b988400ddea7a
9239ca0e958d9d9d846202cf7636291130782a02dcbb77eb80a71eeb5574ab82
bc446ae5c3e86e73e8c008f9e61a8d749f94b74914d7740b9b129d01012e30ea
SSDEEP hashes:
12288:IS49pgN6PiNfCZL3Bv1X1/SI1wJyJYfVYMLvMXZG+k:LiihCV9NtALLEJz
192:nMHTDKtQQXKahc9mLqhf/Tgk6aS3FLQMYl:nG8iahAHTI/LQMq
3:Lt/hV/plfltt/lE9lllnldlHGltdl/l8/V0V6CVgnG5YRgRzW3Wq3VhjluPjqwod:5X9cvVmXy/VcRK3Xhj03tDiSgJH0cLD