Sample File: MD5 hash: 5a054e4b94c144afdf259c0ba19d0693 SHA1 hash: 42449f01ac3e9b0676a75d6053ec3a566d6f14a3 SHA256 hash: 1f0a6c92c237cbf344dedc841259f1da6b2d8742fcafb6926f746a48bbe0919f SSDEEP hash: 384:95/Gu5S5C2js70eOeF5eawczDyhoZhKrbr:9BGX42jsNzNXzDyhoZUrb Filename(s): %APPDATA%roamingmicrosoftwindowsstart menuprogramsstartup8gfg.exe Filetype: Windows Exe (x86-32) Mutex IOCs: - None - Registry Key IOCs: HKEY_CURRENT_USER\Software\Microsoft\Command Processor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar Domain IOCs: - None - IP IOCs: - None - URL IOCs: - None - File IOCs: Filenames: C:\Users\5P5NRG~1\AppData\Local\Temp C:\Users\5P5NRG~1\AppData\Local\Temp\1296.tmp C:\Users\5P5NRG~1\AppData\Local\Temp\1296.tmp.bat C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YFeKw5dmGYVjgc.exe C:\Users\5p5NrGJn0jS HALPmcxz\Desktop C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\%APPDATA%roamingmicrosoftwindowsstart menuprogramsstartup8gfg.exe C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\C:\Users\5p5NrGJn0jS HALPmcxz\AppData C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roamingroamingmicrosoftwindowsstart menuprogramsstartup8gfg.exe \\?\C:\BOOTSECT.BAK \\?\C:\Boot\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\. \\?\C:\Boot\.. \\?\C:\Boot\BCD \\?\C:\Boot\BCD.LOG \\?\C:\Boot\BCD.LOG1 \\?\C:\Boot\BCD.LOG1_9c4rmT6TdKfuH9Ft_{alexbanan@tuta.io}.CORP \\?\C:\Boot\BCD.LOG2 \\?\C:\Boot\BCD.LOG2_9c4rmT6TdKfuH9Ft_{alexbanan@tuta.io}.CORP \\?\C:\Boot\BOOTSTAT.DAT \\?\C:\Boot\BOOTSTAT.DAT_9c4rmT6TdKfuH9Ft_{alexbanan@tuta.io}.CORP \\?\C:\Boot\Fonts\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\Fonts\chs_boot.ttf \\?\C:\Boot\Fonts\cht_boot.ttf \\?\C:\Boot\Fonts\jpn_boot.ttf \\?\C:\Boot\Fonts\kor_boot.ttf \\?\C:\Boot\Fonts\wgl4_boot.ttf \\?\C:\Boot\cs-CZ\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\cs-CZ\bootmgr.exe.mui \\?\C:\Boot\da-DK\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\da-DK\bootmgr.exe.mui \\?\C:\Boot\de-DE\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\de-DE\bootmgr.exe.mui \\?\C:\Boot\el-GR\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\el-GR\bootmgr.exe.mui \\?\C:\Boot\en-US\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\en-US\bootmgr.exe.mui \\?\C:\Boot\en-US\memtest.exe.mui \\?\C:\Boot\es-ES\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\es-ES\bootmgr.exe.mui \\?\C:\Boot\fi-FI\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\fi-FI\bootmgr.exe.mui \\?\C:\Boot\fr-FR\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\fr-FR\bootmgr.exe.mui \\?\C:\Boot\hu-HU\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\hu-HU\bootmgr.exe.mui \\?\C:\Boot\it-IT\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\it-IT\bootmgr.exe.mui \\?\C:\Boot\ja-JP\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\ja-JP\bootmgr.exe.mui \\?\C:\Boot\ko-KR\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\ko-KR\bootmgr.exe.mui \\?\C:\Boot\memtest.exe \\?\C:\Boot\nb-NO\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\nb-NO\bootmgr.exe.mui \\?\C:\Boot\nl-NL\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\nl-NL\bootmgr.exe.mui \\?\C:\Boot\pl-PL\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\pl-PL\bootmgr.exe.mui \\?\C:\Boot\pt-BR\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\pt-BR\bootmgr.exe.mui \\?\C:\Boot\pt-PT\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\pt-PT\bootmgr.exe.mui \\?\C:\Boot\ru-RU\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\ru-RU\bootmgr.exe.mui \\?\C:\Boot\sv-SE\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\sv-SE\bootmgr.exe.mui \\?\C:\Boot\tr-TR\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\tr-TR\bootmgr.exe.mui \\?\C:\Boot\zh-CN\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\zh-CN\bootmgr.exe.mui \\?\C:\Boot\zh-HK\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\zh-HK\bootmgr.exe.mui \\?\C:\Boot\zh-TW\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Boot\zh-TW\bootmgr.exe.mui \\?\C:\Config.Msi\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\Config.Msi\. \\?\C:\MSOCache\. \\?\C:\MSOCache\All Users\. \\?\C:\MSOCache\All Users\.. \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\$%%! NOTE ABOUT FILES -=!-.html \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\. \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\.. \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab_9c4rmT6TdKfuH9Ft_{alexbanan@tuta.io}.CORP \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi_9c4rmT6TdKfuH9Ft_{alexbanan@tuta.io}.CORP \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml_9c4rmT6TdKfuH9Ft_{alexbanan@tuta.io}.CORP \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml_9c4rmT6TdKfuH9Ft_{alexbanan@tuta.io}.CORP \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\. \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi_9c4rmT6TdKfuH9Ft_{alexbanan@tuta.io}.CORP \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml_9c4rmT6TdKfuH9Ft_{alexbanan@tuta.io}.CORP \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab \\?\C:\bootmgr \\?\C:\hiberfil.sys debug.log MD5 hashes: 03f18ffb87691417b20dd7ed3c8ff321 15a0fef8a1ade304c039f05a7912fe24 221c89a6864b87a80374fa2750031774 2de785d1c95cbccdfa87db48edcb7cae 2e83fd14e6b70b3b3b3a7b1c47b2fc1f 33aba5bec1006aaa6e9aa1bee448c5bd 5a054e4b94c144afdf259c0ba19d0693 86c67c9ce448a0a992cdcd8fd37a227a a67db75a1f2f813da54317a661354887 aa24cf4316545a6d76559617d9de4e81 d41d8cd98f00b204e9800998ecf8427e dfa631eca19d2049def0813c67795367 f80b8d8edf9ab436b266c3d91821c102 f9a8a5aeaa1312e63b4ee59a8d53f748 SHA1 hashes: 2e092399add9b15462b36281860c84f621d9fd16 34da7b9e555263fabdef2e7388855e6a43d4ef04 42449f01ac3e9b0676a75d6053ec3a566d6f14a3 5c75410864654578995e6403198e337ce1eb47fc 70075093913574e5ddcaa5671d3a46e85d90013b 72b977a464cc16fbe2a2be391b276752353cf009 84a8f9ddd37b0b64589418122e3c5af4dc664d33 877e3e73c306afef2bfd8e89ea30ed6de648e710 8bd11313381e0f6d79fe640c4cf80f2b7c6dd48b 8d42b115432d3c9d631cb292651b8b94648a5c7f a60113e1e6be64da73695c5ec56ba9fef1409392 a8aa8df1a51297cdabeefb808b9d40501d7cb7ab b37f2701fc414201a0af34820e6b896c27ef9a75 da39a3ee5e6b4b0d3255bfef95601890afd80709 SHA256 hashes: 0b92f62ee86a7acad8e983dfce98bff8297daec0405efdf1942993fe0df0fbd6 0fd66a6aa358db1fbc1f659e62fc64ea19ca3e3b5b2983b85cf6c208b9f23c45 11e3ae780ea27b71c9c24130bfbf17718f541e02a7e3245bfbfb03143281fac3 1f0a6c92c237cbf344dedc841259f1da6b2d8742fcafb6926f746a48bbe0919f 244fe82fa86db3766b8df452f52ecd1c3daf7db51ff8c12315d5477a35aa1a56 49f0fd5d8691008879a85ca4e86d70fe367ece1ce65140eb4e9e552b6c116fe2 4f3ace85ad315ccae5a828098d493b65e2ab0b0f9c13d0b0746f1056e7358be1 674e94ed7e8e1f6381843dd39157b93eab518615362aaf89668caeabbee69d60 737192827b0ccfcc11cbebe88972f10e3263ef68e360cb7d34ce894634945102 b270b3b867f9fd7ce1dcedd10847f34b06cef027f88790bb56eea61cad0e9db3 cc4a7f6af53cea59dffde21082d2c7cc3f20c29f98228b43f8c9a4aa1e929355 cf531fd661768bb410cc89b2600c42873ee27fcac66c9e29c717eefd69788299 d914b03d007d082875ca7a6c79dace819a099d8785666cb07f122a3a895cf50c e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 SSDEEP hashes: 1536:cUhPOcd7UhPOcd7UhPOcd7UhPOcd7UhPOcd7UhPOcd7UhI:cUhPOcFUhPOcFUhPOcFUhPOcFUhPOcF+ 196608:kkI0ShKgPbqrX+O+TtdjBU8PMIXiIJ5towFXg2j95eCp:knTK4WrtgBUwUq5mwFg2H7 196608:uBT+FUVOwJ4WerdbzDDPMX81eg3hPol9y8mjlnzl7Z7yPpWfQbXa4Fxt5M:V66WuFz/w81nhsFmx5NyxbXDc 24:gXQB0Be6MwjtbToCFMt3/Us0mwnkcPWOes5RcU5LZz9ETnyewUgamQJSx6ixRty/:mM6Rjtb0C21HTwnkWRFlhejy+LU6Es 384:95/Gu5S5C2js70eOeF5eawczDyhoZhKrbr:9BGX42jsNzNXzDyhoZUrb 3:: 48:CF5bDvFKFkDGAyORAeUcnyvUFkUMUW8feeyWe9fZhi3Lhhxmyk4r+yf6HD3MQC:qxDtxyK1Uc/MUW8feiYfZhehG4Jfga 48:lVF2xoYUc/hZA+Dqssv50zDY8VuHm7Eoa:XAqYUi7U5OY8VuHm4x 48:uILJqxjAXXwT/n3+rK5ZB7Xr3lGoNBiliZqzKPCsFtV2tM7m:LLwRrXBN73iliUzKZteM6 49152:LNIDxihRZ2dfi18m90hzj3ixoUKgjs5oz8+YnFqKyxghZf2rXy9SB44qXcmH:2xihRZ2dfJmOhzDixJLjs5oz8PExAf2U 49152:vNIDxihRZ2dfi18m90hzj3ixoUKgjs5oz8+YnFqKyxghZf2rXy9SB44qXc/Ks/gA:KxihRZ2dfJmOhzDixJLjs5oz8PExAf2X 6:hHUTk4FA8y40MhiXoKKWOrIvMD2UUTk4FA8y40MhiXoKKWOrY0/Hm1gfbci23fSD:eT6x40MkXXNOqT6x40MkXXNOM0/Hm+zn 6:xv7ShRLN3HQ7GT6Q+Tfpz+SaXJAMApPCNtFdzGcW+l:xkNAy21LpQ6sN3d6cll 96:bGsQaziuw6fc6dZeDmhZKv/MyJ20XUKCr70zZgp7A21aII:1hzLfBvgf