Sample File: MD5 hash: 034711ded900d781e170c660bec9ab86 SHA1 hash: e21b41459d8ec1d685cbd5bdf8e80b2e0c5fe5f6 SHA256 hash: daeea857831d0d022fbbae530557cb48480ff0370decec3d41d4dbdfc672d3db SSDEEP hash: 1536:BkcgYgbig9EhjWNMSTdwp++ln/EFkQ6Em:Bj8ijWNw++l2kQ6 Filename(s): Fast.exeXX.exe Filetype: Windows Exe (x86-32) Mutex IOCs: Global\<>9C354B4200000001 Global\<>9C354B4200000000 Registry Key IOCs: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Fast.exeXX HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Fast.exeXX HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun HKEY_CURRENT_USER\Software\Microsoft\Command Processor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NetSh Domain IOCs: - None - IP IOCs: - None - URL IOCs: - None - File IOCs: Filenames: \\?\C:\Boot\el-GR\bootmgr.exe.mui.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\BOOTSTAT.DAT.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\Fonts\chs_boot.ttf \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi.id[9C354B42-2795].[werichbin@protonmail.com].revon C:\Users\5p5NrGJn0jS HALPmcxz\Desktop \\?\C:\Boot\el-GR\bootmgr.exe.mui \\?\C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi \\?\C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab \\?\C:\Boot\cs-CZ\bootmgr.exe.mui.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml \\?\C:\BOOTSECT.BAK.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\Fonts\cht_boot.ttf \\?\C:\BOOTSECT.BAK \\?\C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000\desktop.ini.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\it-IT\bootmgr.exe.mui.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\fr-FR\bootmgr.exe.mui.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\nl-NL\bootmgr.exe.mui \\?\C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.msi \\?\C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\memtest.exe \\?\C:\Boot\pt-BR\bootmgr.exe.mui.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\ru-RU\bootmgr.exe.mui \\?\C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\OutlkLR.cab.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\da-DK\bootmgr.exe.mui \\?\C:\Boot\zh-HK\bootmgr.exe.mui.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\nb-NO\bootmgr.exe.mui.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\sv-SE\bootmgr.exe.mui \\?\C:\Boot\en-US\memtest.exe.mui.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\en-US\bootmgr.exe.mui.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\pt-BR\bootmgr.exe.mui \\?\C:\Boot\pt-PT\bootmgr.exe.mui \\?\C:\Boot\Fonts\chs_boot.ttf.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\Fonts\kor_boot.ttf \\?\C:\Boot\fr-FR\bootmgr.exe.mui \\?\C:\Boot\zh-CN\bootmgr.exe.mui \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\da-DK\bootmgr.exe.mui.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\memtest.exe.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.msi.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\Fonts\jpn_boot.ttf \\?\C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\Setup.xml \\?\C:\Boot\BCD.LOG \\?\C:\Boot\en-US\memtest.exe.mui \\?\C:\Boot\fi-FI\bootmgr.exe.mui \\?\C:\Boot\zh-TW\bootmgr.exe.mui.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\ko-KR\bootmgr.exe.mui \\?\C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PubLR.cab.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\BCD \\?\C:\Boot\en-US\bootmgr.exe.mui \\?\C:\Boot\Fonts\cht_boot.ttf.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\tr-TR\bootmgr.exe.mui \\?\C:\Boot\ko-KR\bootmgr.exe.mui.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PptLR.cab.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\pt-PT\bootmgr.exe.mui.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\ja-JP\bootmgr.exe.mui.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\BCD.LOG2 \\?\C:\Boot\es-ES\bootmgr.exe.mui.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\hu-HU\bootmgr.exe.mui.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\Fonts\jpn_boot.ttf.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.xml \\?\C:\Boot\zh-TW\bootmgr.exe.mui \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelLR.cab \\?\C:\MSOCache\All Users\{90140000-0019-0409-1000-0000000FF1CE}-C\PublisherMUI.msi.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\BCD.LOG1 \\?\C:\Boot\fi-FI\bootmgr.exe.mui.id[9C354B42-2795].[werichbin@protonmail.com].revon C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Fast.exeXX.exe C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lksf.txt \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\Setup.xml \\?\C:\Boot\sv-SE\bootmgr.exe.mui.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\hiberfil.sys \\?\C:\Boot\tr-TR\bootmgr.exe.mui.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\bootmgr.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\nb-NO\bootmgr.exe.mui \\?\C:\Boot\pl-PL\bootmgr.exe.mui \\?\C:\Boot\ru-RU\bootmgr.exe.mui.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\zh-HK\bootmgr.exe.mui \\?\C:\Boot\cs-CZ\bootmgr.exe.mui \\?\C:\Boot\Fonts\wgl4_boot.ttf.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\zh-CN\bootmgr.exe.mui.id[9C354B42-2795].[werichbin@protonmail.com].revon C:\Windows\system32\cmd.exe \\?\C:\Boot\it-IT\bootmgr.exe.mui \\?\C:\Boot\de-DE\bootmgr.exe.mui.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\bootmgr \\?\C:\Boot\de-DE\bootmgr.exe.mui \\?\C:\Boot\BOOTSTAT.DAT \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\PowerPointMUI.xml.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\$Recycle.Bin\S-1-5-21-3388679973-3930757225-3770151564-1000\desktop.ini \\?\C:\Boot\es-ES\bootmgr.exe.mui \\?\C:\Boot\Fonts\wgl4_boot.ttf \\?\C:\Boot\Fonts\kor_boot.ttf.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\hu-HU\bootmgr.exe.mui \\?\C:\MSOCache\All Users\{90140000-0016-0409-1000-0000000FF1CE}-C\ExcelMUI.xml \\?\C:\MSOCache\All Users\{90140000-0018-0409-1000-0000000FF1CE}-C\Setup.xml.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\pl-PL\bootmgr.exe.mui.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\nl-NL\bootmgr.exe.mui.id[9C354B42-2795].[werichbin@protonmail.com].revon \\?\C:\Boot\ja-JP\bootmgr.exe.mui MD5 hashes: 1065a4e24b2da0ee907152f2f18721ee 79f40b62b392e68adeb9397f81b92765 f9eb510fa0937acf828b4b69799ec275 918f80490e907b1cffb2578533065d79 be1484ed1e4462475db5aa4baac04a35 8e546c1a38737c6c6c0cecb32334836b 70129afd0358a4d3fa29ea32fcde789e a31f47fca9ee0d402583aa83e12f6044 9395e8a748c52e9c2c00627bcb4291c0 6b078cbccbab0d5edeaa1d85f11ba58a 2fb10a322517f7cbfb3a6cfe3f7ec571 0287d6e41cfedf55f21c84e60cc354b0 8a6a845d810361b2753de97f61f30263 201efb7c24d19b3f5ecbd938a35b1148 034711ded900d781e170c660bec9ab86 SHA1 hashes: 52c0263b401249ca72f78ccb10e9503dedb0d435 66820f091ea72f244d2d2019748cbda0b7b9702d 141b92a47cd03724a115801de3daeeb314a88e5c 2f580f182b5f3c54fdab638efb33e0019d6c645a d2b2eeaff1f790366160b3202cf332a035e6a0b2 f50dbea0bf05e4a4f73abb265fef52fa43db4e07 4786a700d03102785663b379207b5dd523639250 48ea116fc2ffc90e9a64342db3e3893466e47103 67e5519da060278ef2094aedc762d1d2b0a90539 c11e0542d0b7e63727a73fde4d80d2a99dc1331f b05173ba1e4d24ecb9d7bb917f545f8d686a2137 bc55ce9049bbd30259133e7f5516f6c4be84735f c1d97d27575e70631657d3ee9bcd011a1a2ecd28 e21b41459d8ec1d685cbd5bdf8e80b2e0c5fe5f6 b15db6499a364482471f9f4ef48b3fd89981adab SHA256 hashes: d75ee8b4689e88bd35b28215e59297b800a83058d08e5bb69b25a0db63de6fcf 43b8345254e1bb6c722b699bb29e8fbad1a8a12d9f6d799683917a946c9fdad9 5ef870f132dab830dd5380a5f66f2db9ead790ee6610fc191c638c2aecd616a4 2348c9603039631e438fada5eeae617e3219ba1572b0ac678ddc006ca2212178 4c13c8dcb2cf8b512db1bb2453d9ac0ff877c25d5eab2994ce489d82f43d118c e65e4e6b9d4d1ddc8bfbcaf5daa50c27da8b4eefd7c13f97d878ce416bc38857 7597007b7fd82fa6fc079ad255cc80561c20be4bc515df7968b4b0e377292774 0a345b0fcf4fd34f9944c69b6646f490d49fd66a86e4f4ed27f4eac1e0006599 1779eb06a6bfb6c4333a375e9eeb62cbfecbd57269235fc9387ee232e3e2bd53 34c651e967c74c07d5cc9fe84708bfbb78f50ccf9a4dd240f0c7cd77a764d200 d2e60095553289830d804a5ca340e05c9fac479fed0763577a3ab71fbac002b6 7e37e4953fba32e500462e45b073062f6eaa017bb9d62fae4120c431a716ada8 bcf410b95c08ba48fe371fd093aecbb41b2e946d70afcf2e98e797e488c78071 bf8f198dbffd5530288e1eb4a1d42675ca8c44f6ffb1dcb62e5fca9ea4f6679a daeea857831d0d022fbbae530557cb48480ff0370decec3d41d4dbdfc672d3db SSDEEP hashes: 196608:H4KKCX5FvaeoDcBdxmOJR7nxOKOmE7dzaNQwr:H4KKCX5FvaVczxmUJnYSE7dzAT 48:9XUkQthedqmfwJAT79N1KxbyRwSI/MHvxa1wo:9EkQHePfGA/9N1KxORdvxeH 48:d0r5dfzYyTdV7Yv/exu6iWXLoKA5YUdVJipq3UUKgcmD0vSqqjcm:arfYvEusMr/cpqdcQsqjcm 24:hUUk4VK+7Zqu8Dj999NF7t/GCSCQjnn/HUCH+Q8Sbbjlhm9/jIyyAViiZeUwo:0+EBFft/pSCQbn/0ox8SbbRS/PuLUwo 48:hOrO0zsJX11f+8fhqcUc+KZelFPWet83qefmO1pXv+vSm:6AF1qctelFA3qefVpISm 1536:xGd8org069fMR+qdAgsuES/HbcggbX0Rb6DCK1bUhYAAj6orb4Txm:xt0gH9fM0q3suEpA0CK1Fd0o 196608:6a8A7fKP0ReD0wXKLUEfRrDXP2ifogB2jHcSBLWiyvyWJRMLhdPWfi:6aRDKP0q0wM9JrL2ifJcjhW/6vL3Ai 48:DoK4Vjh9uJyZxeBUx0h7QGSqpSBaccrJhMm:qjh9ucXeBUx0h79SqgS2m 49152:zDxL8QBo6Tex4S120ytJy0TfkPnYe/dLv2L0G5o16W:zR89j1/PXdLv2L0Z11 1536:BkcgYgbig9EhjWNMSTdwp++ln/EFkQ6Em:Bj8ijWNw++l2kQ6 48:VsAblq7WAr2iZ/Luy5siKZzK6Zaw3kjnr/UaBm:VFBqaKJZ/S3ZzTaNjnDFm 6:MyBcij1LfWcJWPAd3dzYeeFx2zFfTxGWQb6bX9zwee43Sm0sw3SNjlgTso:MScAwYNdzYeeFxsnW6ah+0R+RMb 192:25nSbgQhEKTeMnDWbd40ddxGZMcmoLzRplgunhgVGdi5K8m:uSbgQ7Tod4ER5AdounPd2K8m 49152:zDxL8QBo0Tex4S120ytJyghRTPJ52/zwD+z:zR89t1oPD+/zwk 49152:zDxL8QBonTex4S120ytJyJs9hbjPwIEivwxqCV:zR89K1RChbEnxv