Sample File: MD5 hash: 0775ab1d8ea570f56344263c51490c30 SHA1 hash: 97a0258bf8243cd12f2051d54ca36db8cf85842e SHA256 hash: ef1613f88744acec36908126b21bcba9ba775f8af25a1e86988e36985dd6f6fb SSDEEP hash: 12288:NvJizcvoTukIxDxM35re7ObN8F6qlfNUqIFzGRIF6nj1K20XdDixi8B7xDFCiZbz:K0o6kIxDi5B2 Filename(s): order ref ftp.exe Filetype: Windows Exe (x86-32) Mutex IOCs: 35649757-3aea-40a9-acdb-9f15f973090c Global\.net clr networking Registry Key IOCs: HKEY_CURRENT_USER HKEY_CURRENT_USER\Identities HKEY_CURRENT_USER\Identities\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8} HKEY_CURRENT_USER\Identities\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\Software\Microsoft\Internet Account Manager\Accounts HKEY_CURRENT_USER\Identities\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts HKEY_CURRENT_USER\Identities\{CA8CA1BB-F2A6-4E9C-B7CC-FB56671763E8}\Username HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections HKEY_CURRENT_USER\Software\Beyluxe Messenger HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts HKEY_CURRENT_USER\Software\IncrediMail\Identities HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger HKEY_CURRENT_USER\Software\Microsoft\MessengerService HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\03fea8ae12202041b643a9691e5b323c HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\09917dd29831004f89474b112e58e0ab HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\5b59a51e8457564ab95b73c6194dc831 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\626dbd3f36ef4b4b9263a867695919ec HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\8503020000000000c000000000000046 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\HTTP User HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\IMAP User HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\POP3 User HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\SMTP User HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Display Name HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP User HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP User HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Password HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Port HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Server HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Use SPA HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 User HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Port HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Server HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP User HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\HTTP User HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\IMAP User HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\POP3 User HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP User HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9907df9e4a472f499f281fc91ee2bca1 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\b4c13fbaf5f22f44b93e8bdd93521484 HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\dc184acfc7e1614eb31843d1abdfd43e HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine HKEY_CURRENT_USER\Software\Yahoo\Pager HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\LegacyWPADSupport HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 53.0.3\bin HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 53.0.3\bin\PathToExe HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance\First Counter HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance\IsMultiInstance HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance\Library HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance\CategoryOptions HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance\Counter Names HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance\FileMappingSize HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current HKEY_LOCAL_MACHINE\Software\Group Mail HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\InstallationType HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird Domain IOCs: afdo-tas-offload.trafficmanager.net client-office365-tas.msedge.net config.edge.skype.com ftp.r2v2.co.uk s-0001.s-msedge.net vip5.afdorigin-prod-am02.afdogw.com IP IOCs: 216.37.42.30 13.107.3.128 52.232.69.150 157.56.120.207 157.56.120.208 URL IOCs: - None - File IOCs: Filenames: C:\Program Files (x86)\Mozilla Firefox\nss3.dll C:\Program Files (x86)\Mozilla Thunderbird C:\Program Files (x86)\Sea Monkey\nss3.dll C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Subresource Filter\Login Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\Subresource Filter\Web Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\pnacl\Login Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Google\Chrome\User Data\pnacl\Web Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\877de498-eb87-4352-dee0-40eac252a007 C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp3B59.tmp C:\Users\CIiHmnxMn6Ps\AppData\Local\Temp\tmp53A0.tmp C:\Users\CIiHmnxMn6Ps\AppData\Local\Vivaldi\User Data\Default\Login Data C:\Users\CIiHmnxMn6Ps\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data C:\Users\CIiHmnxMn6Ps\AppData\Roaming\.minecraft\lastlogin C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Apple Computer\Preferences\keychain.plist C:\Users\CIiHmnxMn6Ps\AppData\Roaming\CoreFTP\sites.idx C:\Users\CIiHmnxMn6Ps\AppData\Roaming\FileZilla C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\history.dat C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\logins.json C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\places.sqlite C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\signons.sqlite C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\signons.txt C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\signons2.txt C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\Profiles\8i341t8m.default\signons3.txt C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Firefox\profiles.ini C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\Profiles C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Opera Software\Opera Stable\Login Data C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Opera\Opera7\profile\wand.dat C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Opera\Opera\wand.dat C:\Users\CIiHmnxMn6Ps\AppData\Roaming\Thunderbird\Profiles C:\Users\CIiHmnxMn6Ps\Desktop\order ref ftp.config C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc_lng.ini MD5 hashes: 93c8c3c8da84285107aa86444a095500 f06baf5a7b83c0b0e0d432f74350f836 f3b25701fe362ec84616a93a45ce9998 SHA1 hashes: 7a3d1679d6f83ff26b858213c85e80ece939b5a4 d62636d8caec13f04e28442a0a6fa1afeb024bbb f01b6bdefe99aa2fdbfb1e185982ad75af771892 SHA256 hashes: 3a3befb2cb000dea163bda67223b26b2ff0c232e2cdc0e42be3f7bdd8b110fb5 5ace779e0b61dfefc47ee45d84ff79fc3fa77c0e3d853e75126fc38f6f3b50b8 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 SSDEEP hashes: 3:Lg67SJRhfdF/QC4Vom:j74xdSC4Vom 3:Qn:Qn 6:QAX61qU8ezSOGbXYRADAwzRIj2SOG2AmYezRSJcnDWUiBnDWAwb:QrD8hOGTYRADzRI5OG2Ge9SJgyPlyAwb