Sample File: MD5 hash: 8bd1629331740f9a2bb0c2a5934844ff SHA1 hash: 413a9890eb88ef44c4d420933a104e54c335d3fa SHA256 hash: b3fcafa6d8b16ff280ad480b4f8da6775de02d34846e708c073abce41b793505 SSDEEP hash: 12288:7MOLngfkP85sYwNuri5T61wVRvyj3v0Iq3pTGn9aITG64F0icn:BL0kP8SY0T61wfaQlGbRecn Filename(s): v5vYBIG3hWD7d5JW.exe Filetype: Windows Exe (x86-32) Mutex IOCs: Global\.net data provider for sqlserver wFeODqeBxkJvqrVbN Registry Key IOCs: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET Data Provider for SqlServer\Performance HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET Data Provider for SqlServer\Performance\Library HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET Data Provider for SqlServer\Performance\IsMultiInstance HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET Data Provider for SqlServer\Performance\First Counter HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net data provider for sqlserver\Performance HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net data provider for sqlserver\Performance\CategoryOptions HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net data provider for sqlserver\Performance\FileMappingSize HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net data provider for sqlserver\Performance\Counter Names HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\TZI HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST\FirstEntry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST\LastEntry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST\2007 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\Dynamic DST\2008 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\MUI_Display HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\MUI_Std HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\AUS Eastern Standard Time\MUI_Dlt HKEY_LOCAL_MACHINE\Software\Microsoft\MSSQLServer\Client\SuperSocketNetLib HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgJITDebugLaunchSetting HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\DbgManagedDebugger HKEY_PERFORMANCE_DATA HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ZO6KLPO6XJ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ZO6KLPO6XJ\inst HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\Images HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Images HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun HKEY_CURRENT_USER\Software\Microsoft\Command Processor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid HKEY_CURRENT_USER\Software\Microsoft\Office\15.0Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Account Name HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\POP3 Server HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\POP3 User HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\SMTP Server HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\POP3 Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\SMTP Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\HTTP Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001\IMAP Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Account Name HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Server HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 User HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Server HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\POP3 Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\SMTP Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\HTTP Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002\IMAP Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Account Name HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\POP3 Server HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\POP3 User HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP Server HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\POP3 Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\SMTP Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\HTTP Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003\IMAP Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004\Account Name HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004\Email HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004\POP3 Server HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004\POP3 User HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004\SMTP Server HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004\POP3 Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004\SMTP Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004\HTTP Password HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004\IMAP Password HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\thunderbird.exe HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe\Path HKEY_CURRENT_USER\software\Aerofox\FoxmailPreview Domain IOCs: work2020.ddns.net IP IOCs: 79.134.225.78 URL IOCs: - None - File IOCs: Filenames: C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Ut族的z行RX的h氏i\images.exe_Url_v52zdyq4zjgafwcwfazlwkurkeqjdgxc\0.0.0.0\user.config C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\images.exe:Zone.Identifier C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox\Profiles/silmbjec.default\logins.json C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Ut族的z行RX的h氏i\ChFIQxtpqP.exe_Url_pgtlqwziabthte2s3uiljvbc1p4ofxwr\0.0.0.0\user.config C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\aIBiywy.tmp-journal C:\ProgramData\images.exe:Zone.Identifier C:\ProgramData C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\v5vYBIG3hWD7d5JW.exe.config C:\Windows\system32 C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\aIBiywy.tmp C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\eIdnomH.tmp C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft Vision\ C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\images.exe.config c:\windows\system32\user32.dll C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Ut族的z行RX的h氏i\v5vYBIG3hWD7d5JW.exe_Url_rlbjgubybihqikq2fk4uc4pdtvf3y0re\0.0.0.0\user.config C:\Program Files\Microsoft DN1 C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Ut族的z行RX的h氏i\ChFIQxtpqP.exe_Url_pgtlqwziabthte2s3uiljvbc1p4ofxwr\0.0.0.0\user.config C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\asoAt.H.tmp C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Ut族的z行RX的h氏i\v5vYBIG3hWD7d5JW.exe_Url_rlbjgubybihqikq2fk4uc4pdtvf3y0re\0.0.0.0\user.config C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\v5vYBIG3hWD7d5JW.exe C:\Windows\SysWOW64\schtasks.exe System Paging File C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Ut族的z行RX的h氏i\images.exe_Url_eqbepp4itfjuxmwxkohtvw1odsza5bdo\0.0.0.0\user.config C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft Vision\12-10-2020_23.25.22 C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\tmpF0A4.tmp C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Ut族的z行RX的h氏i\images.exe_Url_v52zdyq4zjgafwcwfazlwkurkeqjdgxc\0.0.0.0\user.config C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming C:\ProgramData\images.exe.config C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\aIBiywy.tmp-wal C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox\profiles.ini C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Ut族的z行RX的h氏i\images.exe_Url_eqbepp4itfjuxmwxkohtvw1odsza5bdo\0.0.0.0\user.config C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\ChFIQxtpqP.exe.config MD5 hashes: d41d8cd98f00b204e9800998ecf8427e 29844404ae855e9df054833f71888eb1 8bd1629331740f9a2bb0c2a5934844ff 000b8c25038229e5a6fd5e1c931f4503 edea92a7dd66d2e13b1b46414df046ec SHA1 hashes: 413a9890eb88ef44c4d420933a104e54c335d3fa 3e86f08def08fc14ddec0227d0643319562666db 9364a59bc37c85fac4f621b4b76b4266a8fd0359 a7068ec5a41ff158c4ff74381bb5f3ac4774e75b da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 hashes: b3fcafa6d8b16ff280ad480b4f8da6775de02d34846e708c073abce41b793505 c381401ea96dfe9b926126dcbbc0dd6ab541dbf549732cc6c66f20096b1f663e e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 3d3ea3644f09a0835c4c5b9b5fccf2778806b598b48769882b72af8578ca4fbc cab40edc26b345bfe6e81b80e50a651419d29cd0e3c93eab9561cc86e6d5a1a6 SSDEEP hashes: 48:cbhkN76glNQiw/rydbz9I3YODOLNdq3Mm:yhkNe9iw/rydbz9ddq3Mm 3:: 12288:7MOLngfkP85sYwNuri5T61wVRvyj3v0Iq3pTGn9aITG64F0icn:BL0kP8SY0T61wfaQlGbRecn 1536:jx2yuMjgKRTDow4tRovIkCngQvq783ksXyHrPKu:tWw4tRaCngEu83JCuu 24:LLijhJ0KL7G0TMJHUyyJtmCm0u6lOKQAE9V8FsffDVOzeCmly6UwcTa/HMQW:wz+JH3yJUhJCVE9V8FsXhFlNU1Ts3W