What is Prog2Ram.exe?

According to its version information, Prog2Ram.exe is part of 7ZSfxNew and was developed by Oleg N. Scherbakov.

Prog2Ram.exe's description is "7z Setup SFX".

Prog2Ram.exe is usually located in the 'L:\2k10\Programs-2k10\' folder.

Some of the anti-virus scanners at VirusTotal detected Prog2Ram.exe.

Vendor and version information

The following is the available information on Prog2Ram.exe:

| Property | Value |
| --- | --- |
| Product name | 7ZSfxNew |
| Company name | Oleg N. Scherbakov |
| File description | 7z Setup SFX |
| Internal name | 7ZSfxNew |
| Original filename | 7ZSfxNew.exe |
| Legal copyright | Copyright © 2005-2009 Oleg N. Scherbakov |
| Private build | September 7, 2009 |
| Product version | 1, 3, 0, 1501 |
| File version | 1, 3, 0, 1501 |

Digital signatures

Prog2Ram.exe is not signed.

VirusTotal report

2 of the 71 anti-virus programs at VirusTotal detected the Prog2Ram.exe file. That's a 3% detection rate.

| Scanner | Detection Name |
| --- | --- |
| Antiy-AVL | Trojan/Win32.Chifrax |
| Jiangmin | TrojanDropper.MSIL.fso |

Sandbox Report

The following information was gathered by executing the file inside Cuckoo Sandbox.

Summary

Successfully executed process in sandbox.

Summary

{
    "file_created": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\skip.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\27.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\8.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\23.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\5.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\abort.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\25.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\6.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\4.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\26.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\14.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\22.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\10.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\19.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\13.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\skin.ini",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy_ia64.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy_amd64.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy.exe",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\12.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\21.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\11.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\English.lng",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\7.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\3.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\18.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\24.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\30.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\29.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\20.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\pause.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\1.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\2.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\31.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\progback.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\28.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\P2RAM.ini",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\resume.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\minimize.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\16.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\15.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\32.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\9.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\progfore.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\17.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\main.bmp"
    ],
    "directory_created": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart"
    ],
    "dll_loaded": [
        "kernel32",
        "kernel32.dll",
        "UxTheme.dll",
        "C:\\Windows\\system32\\ole32.dll",
        "dwmapi.dll",
        "C:\\Windows\\system32\\uxtheme.dll",
        "C:\\Windows\\syswow64\\MSCTF.dll",
        "API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
        "KERNEL32.DLL",
        "OLEAUT32.DLL",
        "ole32.dll",
        "COMCTL32.dll",
        "USER32.dll",
        "IMM32.dll",
        "OLEAUT32.dll",
        "SHELL32.dll",
        "comctl32.dll",
        "GDI32.dll",
        "MSVCRT.dll",
        "ADVAPI32.dll",
        "rpcrt4.dll",
        "SETUPAPI.dll"
    ],
    "file_opened": [
        "C:\\Windows\\System32\\sechost.dll",
        "C:\\",
        "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
        "C:\\Users\\",
        "C:\\Users\\cuck\\",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\",
        "C:\\Users\\cuck\\AppData\\Local\\",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\212d1b390bbb606c50aa304f479cc9476c51e21ebfd2a169bf2c0be95a05eee3.bin",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\",
        "C:\\Users\\cuck\\AppData\\"
    ],
    "command_line": [
        "\"C:\\Windows\\System32\\cmd.exe\" \/c start \/b C:\\Windows\\SysWOW64\\cmd64.exe \/c C:\\Windows\\System32\\pecmd.exe C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\P2RAM.ini",
        "C:\\Windows\\SysWOW64\\cmd64.exe  \/c C:\\Windows\\System32\\pecmd.exe C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\P2RAM.ini",
        "cmd.exe \/c start \/b C:\\Windows\\SysWOW64\\cmd64.exe \/c C:\\Windows\\System32\\pecmd.exe C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\P2RAM.ini"
    ],
    "regkey_opened": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\212d1b390bbb606c50aa304f479cc9476c51e21ebfd2a169bf2c0be95a05eee3.bin",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
        "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}"
    ],
    "file_exists": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\skip.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\27.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\8.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\23.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\5.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\abort.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\25.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\6.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\4.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\26.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\14.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\22.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\10.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\19.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\13.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy_ia64.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy_amd64.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy.exe",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\12.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\21.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\11.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\English.lng",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\7.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\3.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\18.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\24.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\30.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\skin.ini",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\29.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\20.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\pause.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\1.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\2.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\31.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\progback.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\28.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\P2RAM.ini",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\resume.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\minimize.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\16.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\15.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\32.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\9.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\progfore.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\17.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\main.bmp"
    ],
    "file_written": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\skip.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\27.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\8.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\23.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\5.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\abort.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\25.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\6.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\4.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\26.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\14.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\22.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\10.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\19.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\13.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\skin.ini",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy_ia64.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy_amd64.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy.exe",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\12.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\21.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\11.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\English.lng",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\7.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\3.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\18.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\24.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\30.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\29.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\20.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\pause.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\1.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\2.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\31.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\progback.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\28.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\P2RAM.ini",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\resume.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\minimize.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\16.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\15.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\32.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\9.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\progfore.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\17.bmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\main.bmp"
    ],
    "file_read": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\212d1b390bbb606c50aa304f479cc9476c51e21ebfd2a169bf2c0be95a05eee3.bin"
    ],
    "regkey_read": [
        "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\PathCompletionChar",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DisableUNCCheck",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\AutoRun",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
        "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\EnableExtensions",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DelayedExpansion",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DefaultColor",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\CompletionChar",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
        "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun"
    ],
    "directory_enumerated": [
        "C:\\Windows\\SysWOW64\\cmd64.exe.*",
        "C:\\Windows\\SysWOW64\\cmd64.exe"
    ]
}

Dropped

[
    {
        "yara": [],
        "sha1": "da9dbe099a7534b1b32cf4daa371d571d63e8791",
        "name": "8aacad085c514949_skin.ini",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\skin.ini",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "8aacad085c514949e912ce7b7da87e39eb2e94cb7faa7e9cd5586ba5ab2f0ddd",
        "urls": [],
        "crc32": "19BA7FE9",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/8aacad085c514949_skin.ini",
        "ssdeep": null,
        "size": 1415,
        "sha512": "60192598ab88e7d94dbc181b5678714b80a54d7f0c0a08bb18076d47c760fdaffaab7b11ef400e45e01b421a52d3f0647f13157172dbf2536b5032fcf7415497",
        "pids": [
            2740
        ],
        "md5": "c4627d96206665615441513463c9e767"
    },
    {
        "yara": [],
        "sha1": "5b26782e0358fb5c43674308ead895329884f9d0",
        "name": "68d846b3035b7969_p2ram.ini",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\P2RAM.ini",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "68d846b3035b7969eeb32585e6b17413ba957a5614f0d79ce35d62c8321418a3",
        "urls": [],
        "crc32": "168127A0",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/68d846b3035b7969_p2ram.ini",
        "ssdeep": null,
        "size": 2289,
        "sha512": "b2bfdc1a186686411d2261bf502a42f70630b332b89fc7468548c573fb21fb60c15e710030a8df2604fec74acc7a26e0a04ad11426a7ab9ea88dcf7de128e779",
        "pids": [
            2740
        ],
        "md5": "69e9b8dc3bc71951a57ba855ad332961"
    },
    {
        "yara": [],
        "sha1": "b9f4bd64faef26c9efe3e335683f827fddfa0f06",
        "name": "bee0b292de828bcc_skip.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\skip.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "bee0b292de828bcc66a822536c564a18dccae685bb91d31ca13c3e229b108d5f",
        "urls": [],
        "crc32": "E49F95F6",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/bee0b292de828bcc_skip.bmp",
        "ssdeep": null,
        "size": 246,
        "sha512": "e5956190916bdb98dd229f99750f05a982bf57a4a00e701c8b6427a109dd4232cd0013cce04a79172792bc7d68d08a290c9d0527667689b1d840cd54928ea9e2",
        "pids": [
            2740
        ],
        "md5": "04a020c86eec8867671e41621a88aade"
    },
    {
        "yara": [],
        "sha1": "9cbbc6f472ee7323feecfb59d8084453aab6ed19",
        "name": "bb266c7eaffc8c8a_32.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\32.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "bb266c7eaffc8c8afbeaaec17e7f979deba251c1ef576975eb7895ac27c87a21",
        "urls": [],
        "crc32": "75FB2AD9",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/bb266c7eaffc8c8a_32.bmp",
        "ssdeep": null,
        "size": 190,
        "sha512": "33cfec49907e000c15102424fcdb4f69b92fc63a8a23a687771ae292746305e32ebd539cad0e060904d42ff0b273e7f0fd4f982efa274c36a8a6dbc86af91eb8",
        "pids": [
            2740
        ],
        "md5": "23bf7197d2e621870a6bc503966e7625"
    },
    {
        "yara": [],
        "sha1": "8ad664ebb6f106935b9f183338cad5d7f549e256",
        "name": "24c8318607c692db_minimize.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\minimize.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "24c8318607c692db2a8eedc4cd73ac4e02d3f24ac982a575759cb4b8f9fc13e7",
        "urls": [],
        "crc32": "514E9BA9",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/24c8318607c692db_minimize.bmp",
        "ssdeep": null,
        "size": 206,
        "sha512": "4ad7c3d40cd4bc740cadb29ee897d7de057fda0369d81895bb6b579515660619821d397dad57411b61f04cbe25860ba38ef06b0f2bd0d3bfea10c33e70305261",
        "pids": [
            2740
        ],
        "md5": "4075c84df9949b7508fee0f5deb37d10"
    },
    {
        "yara": [],
        "sha1": "74c194dc4c6cc5a8a790696c35270c724b4ffd80",
        "name": "16f2ba243fc21943_23.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\23.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "16f2ba243fc21943e27db0ec95945a3f1591aa5501374f41e7a09a7144e09e80",
        "urls": [],
        "crc32": "C64E6C34",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/16f2ba243fc21943_23.bmp",
        "ssdeep": null,
        "size": 194,
        "sha512": "9a0e72326c0971a23953479826a068b9be33b5667d0416f33585c4f0795062881434e0b81973a244155d6bbc218fd815818824c17dc055c41d6537a65d63ba70",
        "pids": [
            2740
        ],
        "md5": "86f75114347cd20fe1e21dac5cefec83"
    },
    {
        "yara": [],
        "sha1": "a69d9b3eb96934b5ba850492874d10e35440247b",
        "name": "5f738416b5b950b8_progback.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\progback.bmp",
        "type": "PC bitmap, Windows 3.x format, 285 x 13 x 4",
        "sha256": "5f738416b5b950b82ce2c7fc77be199d3c215414be1d8c437f0686b6396620e8",
        "urls": [],
        "crc32": "D5CEB7C2",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/5f738416b5b950b8_progback.bmp",
        "ssdeep": null,
        "size": 1946,
        "sha512": "4373255ba13e5f0a2b0d03028cb51f0a947ff243db513b0a9c9a932f2ac06476ccb2f8ed5ed7d658458166c046d2d81c4e845134044cc831395c54cc22d740b8",
        "pids": [
            2740
        ],
        "md5": "5986faca3eb1aeaa2e69da3e40478264"
    },
    {
        "yara": [],
        "sha1": "fa826203f1da0a15ecf3420b05fcce987375f2a3",
        "name": "a8aed13bc616f0da_7.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\7.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "a8aed13bc616f0da75d6f42a45a8f7904ee3d3311b95f7f23aca77902230cefc",
        "urls": [],
        "crc32": "AAF4D7F8",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/a8aed13bc616f0da_7.bmp",
        "ssdeep": null,
        "size": 194,
        "sha512": "b988b79bc297f073e4dd8ab8c6adaf742d519219bcb1b736f09d5af3eb4b02baeb6b37eff089fbbc335419d39ca8b45a3055abbb4444b587510457f2539d7492",
        "pids": [
            2740
        ],
        "md5": "badcbab1a9cd68656c105c90a7c6a5f1"
    },
    {
        "yara": [],
        "sha1": "465d8c79f6b72014b2d8ab0fb49aaf16d90dcd77",
        "name": "7776674da72b7a72_27.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\27.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "7776674da72b7a7216474029d48c6e938802c20e714950481b2310c6ed2e2058",
        "urls": [],
        "crc32": "3DD25641",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/7776674da72b7a72_27.bmp",
        "ssdeep": null,
        "size": 198,
        "sha512": "d8cd4c46c5a3aa8003fa3820abbcd68be279178f8a6079abebf119ac6e51bdf8705019877098ac8c4dbf838ec55e33b6977fdd8960ac170c8c38c7168a5712bf",
        "pids": [
            2740
        ],
        "md5": "98385e23a0ea152e00997f968cdc65ce"
    },
    {
        "yara": [],
        "sha1": "ff598c5e028a214c4917f64cee7d1e5128bf462a",
        "name": "0edf6c5032eb135a_12.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\12.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "0edf6c5032eb135add4822238cf5c2ad4bc9aeebb3c9e0bfff9d7f52e312f8d0",
        "urls": [],
        "crc32": "C617148B",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/0edf6c5032eb135a_12.bmp",
        "ssdeep": null,
        "size": 198,
        "sha512": "0bded766e6ca4f39e358ab489604b3880b0365a5e0c65e464b4981346c3caf0e7df8f7d9f1249792f26e563a2db95961a15f6dbee2bb94da7d2be4b265f0a19f",
        "pids": [
            2740
        ],
        "md5": "913083c3d901c378cc2bfc049c14326d"
    },
    {
        "yara": [],
        "sha1": "0ede9b0591359484bf74328a5d2c887f3d88d421",
        "name": "36b277ff026c62bf_14.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\14.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "36b277ff026c62bfc58eeed954b7bd1d9f748fedd7687150b52882c90dd15097",
        "urls": [],
        "crc32": "24C0FE9B",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/36b277ff026c62bf_14.bmp",
        "ssdeep": null,
        "size": 198,
        "sha512": "5915121f0cb1023943c9e550a26dc24bbe1dffa82f05a5d3770dd1b83ad36b47a8584ad50acf61a6a821a64e2f07469610f89bdfaedb0c1027ca11f2a5dd78f9",
        "pids": [
            2740
        ],
        "md5": "ce610f0292310df0a18bd5b7dc4694b2"
    },
    {
        "yara": [],
        "sha1": "7e324d92ca43561735e3367f3c6d811988918c5a",
        "name": "48a26e1f89168b1e_6.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\6.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "48a26e1f89168b1e888728fa9f26ed477a04dd3ec29f69782d55f92ee715b7f3",
        "urls": [],
        "crc32": "8D57D3AB",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/48a26e1f89168b1e_6.bmp",
        "ssdeep": null,
        "size": 198,
        "sha512": "924eb577a46f4056218f451e33c598aa80243a75fd6209cfbbc8febb00214ab509206ab3e51b9da1e0a1283431b49050eadcbf55b1b4f262c5a44ef86e16277d",
        "pids": [
            2740
        ],
        "md5": "b19593044fcfc5ec8136e29eb3c38874"
    },
    {
        "yara": [],
        "sha1": "741411fa8da73ab50b166bd28f1444a3934d4d4d",
        "name": "30b4ae99d0b0dcab_10.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\10.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "30b4ae99d0b0dcabbe532af3b2f9f4579a2e152e4ff3a9267bd714d33f3f9216",
        "urls": [],
        "crc32": "B13BA899",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/30b4ae99d0b0dcab_10.bmp",
        "ssdeep": null,
        "size": 198,
        "sha512": "8286dbc2b81ca6870d4ac306d938e15ebb55851397452dd2c11e3bf4738cc57c2b3714a7c30f3dfef79a5f161ef351d7e0822b277ac5df4e6b9598187478a06c",
        "pids": [
            2740
        ],
        "md5": "2f0c6e28cdb873d567542e421493cb5d"
    },
    {
        "yara": [],
        "sha1": "6dc83521774d07c396cf0b01752108c3df61fd7b",
        "name": "ac458fd8ac61c4cf_21.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\21.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "ac458fd8ac61c4cff46fea8b5580ae4a800d302c8aa6b39bc7c078f64ed184e4",
        "urls": [],
        "crc32": "A01B4DD6",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/ac458fd8ac61c4cf_21.bmp",
        "ssdeep": null,
        "size": 194,
        "sha512": "687d961c1cda88bc76345161cfae6e4642b0a39876774c2b056b0b52b13515eb57f9ce0e927a1187dcc63a21c67cc3f7e9ef9d0eb8fe2ac65abfc5b114fd2195",
        "pids": [
            2740
        ],
        "md5": "6ae3c1b5f667829372a9b792bc9b228a"
    },
    {
        "yara": [],
        "sha1": "0082bf323c946611a3d3aa7d29e87db7e70c774b",
        "name": "678b35c144a05671_killcopy.dll",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy.dll",
        "type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
        "sha256": "678b35c144a0567116f258a1d66b16e619a65a1c89909573cf2239471dce94f1",
        "urls": [],
        "crc32": "C5511E2F",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/678b35c144a05671_killcopy.dll",
        "ssdeep": null,
        "size": 22528,
        "sha512": "e5813a17d8e5aff511a0a4f0dab2cbb78d676f5edb7825c79d9a485ae5177ba6e4773fab7d2d305d9ee3acbb5fdec55a6aa84a1193bff0149213f6bcffed7dd9",
        "pids": [
            2740
        ],
        "md5": "8699cca1c0e2ebbe23f7a513b3928001"
    },
    {
        "yara": [],
        "sha1": "31b9b08a44258f94888c6f4e6f66a14cb95026e9",
        "name": "627de081ac10d36f_16.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\16.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "627de081ac10d36f43d5abb9d14869671ef6e13ffded7a0931863ecd51e93c82",
        "urls": [],
        "crc32": "A2848EC1",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/627de081ac10d36f_16.bmp",
        "ssdeep": null,
        "size": 198,
        "sha512": "91ac5b04364d9cbacde75f2d2c785c4f86e53460cb5eaab6fb18bdb742b8feeb9fea9337ee954807a751b7a9b2849d0e76fe49977929c9f904b15e487fe710a8",
        "pids": [
            2740
        ],
        "md5": "544bb4b6e0cc168251c5071d68a945eb"
    },
    {
        "yara": [],
        "sha1": "f8e262868c7e46ac37d36bf1cd904cb840457787",
        "name": "c9fff7a2045efb06_9.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\9.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "c9fff7a2045efb069729a2a8387b4800acfa329255af9e226098b3325a63e72d",
        "urls": [],
        "crc32": "70EA588D",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/c9fff7a2045efb06_9.bmp",
        "ssdeep": null,
        "size": 194,
        "sha512": "dc9b172e5ee78698aca91e60d084886e2eb1a9b659795119fe2cbc0cd2e39f1e109c686ef55348b9b030a035a2fc09ffd983b8d7c137bf749863a378c521a065",
        "pids": [
            2740
        ],
        "md5": "9cd87831f9c4dff9c3c69acd8cb46048"
    },
    {
        "yara": [],
        "sha1": "982b5b96d0e83b52fe5730ccddf258786ffbd6b4",
        "name": "8e0e71ab2a0db6f6_18.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\18.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "8e0e71ab2a0db6f6cea422234fcc3a71aad94a56499f25d29e8ffb8ad6054185",
        "urls": [],
        "crc32": "2065BCAC",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/8e0e71ab2a0db6f6_18.bmp",
        "ssdeep": null,
        "size": 198,
        "sha512": "26d9a222a36c002c530ae1c6bbd5a9c338245eba2e52523e5f2df50965fcf77a0b6e9e92b4f0e1debef7b6f1e4722cf01f94c22303d06095687b73c7a84877ec",
        "pids": [
            2740
        ],
        "md5": "68174eae7d05e2a252a388893cba23a0"
    },
    {
        "yara": [],
        "sha1": "2ec0a7d76c4e932c0c375083d6fea471aedb3fb8",
        "name": "02e025a381d4b8fd_1.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\1.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "02e025a381d4b8fdbb4265fcd582931ba7ee5f96fed3dc95a4964f79e52ca474",
        "urls": [],
        "crc32": "83316EC7",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/02e025a381d4b8fd_1.bmp",
        "ssdeep": null,
        "size": 190,
        "sha512": "77aa374f013d4c7576efd95b53931adf77881f41efa55490201e28256a0d85489173ee961e2a1747bf291edf85d0c7ff89dc1f4dc481a73184eca8477e2b273f",
        "pids": [
            2740
        ],
        "md5": "f81816a2a8d544fd4ba18f78393a1dd3"
    },
    {
        "yara": [],
        "sha1": "fcb56321ed3036e65d207c0c8137bd4e359e4e8c",
        "name": "cd8b53aa69f51644_17.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\17.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "cd8b53aa69f51644d97ff5ab8f10ef2776febeffdebc96f9ecde23ef6c51f4ae",
        "urls": [],
        "crc32": "AA5EE763",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/cd8b53aa69f51644_17.bmp",
        "ssdeep": null,
        "size": 194,
        "sha512": "dc48572ef5d73113c509133b3c86f8eff87681dff2f197725b9abce7696f9e5209fa04b55685043d4b8aa2237cc8ec176f4da7e203ee793bfb24dbb1990ad287",
        "pids": [
            2740
        ],
        "md5": "dae9cf583984eb6a56625ea4c3251ec2"
    },
    {
        "yara": [],
        "sha1": "a0e1b6806422d03b113299be0a9226ab680ff07d",
        "name": "51a4e6868e083a45_31.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\31.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "51a4e6868e083a45090926183ff8674946d32667c662ec4fcf5280da65c334b6",
        "urls": [],
        "crc32": "5DA58863",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/51a4e6868e083a45_31.bmp",
        "ssdeep": null,
        "size": 194,
        "sha512": "ea4b6dd0c242a0765cba925f4652e9a769ed5b0d5ab641b574d0fd21cc943b9ac7bd675f4c98ec9280cf16662e39e48dcb4f3abe765a19a4c881d2c0e6e6527e",
        "pids": [
            2740
        ],
        "md5": "572319185a7a5194b375b512a5a05e51"
    },
    {
        "yara": [],
        "sha1": "2be332abb12b74ba8453ed0cf4aeb71fc210c7a6",
        "name": "cdb41533599486d4_main.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\main.bmp",
        "type": "PC bitmap, Windows 3.x format, 374 x 162 x 4",
        "sha256": "cdb41533599486d4691005e5b5285492b584a92fec839bc1e0d951186571acf7",
        "urls": [],
        "crc32": "8FA4134F",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/cdb41533599486d4_main.bmp",
        "ssdeep": null,
        "size": 30574,
        "sha512": "9d1753d7d34542d9ffff4d5c213867a760e44e4f0638472f8af8d1e0ccd1c41fb4e15e5106a9edd882d3ca70aeed4be5779865ec0b9725f393aed588569d7cd8",
        "pids": [
            2740
        ],
        "md5": "2656d3e21f5ccb0f8e953d08673d5671"
    },
    {
        "yara": [],
        "sha1": "aa12a91a8a147cfea08215121122344f0edbaee2",
        "name": "3c4e897d4be01607_25.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\25.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "3c4e897d4be01607c0b66875e3d7fff220f38e772605865ee5c7c0dc7e1d8c9a",
        "urls": [],
        "crc32": "AAC25C54",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/3c4e897d4be01607_25.bmp",
        "ssdeep": null,
        "size": 198,
        "sha512": "18be869c8374357a3b85bfec138be8e7af79ecfd9c1752ad024106c0d8ed0352228988f19eaa1c3d0725f045bcf6d6a669c58781f948231afd81014cf67c91d2",
        "pids": [
            2740
        ],
        "md5": "ff3b14aa487748ffdf949062dbb0b705"
    },
    {
        "yara": [],
        "sha1": "d4419aaa916f054d9e2b182d7e5893d94564f2b2",
        "name": "d5019c2157a80546_killcopy_ia64.dll",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy_ia64.dll",
        "type": "PE32+ executable (DLL) (GUI) Intel Itanium, for MS Windows",
        "sha256": "d5019c2157a80546c1fbb740bac94167977e9c3b9266c5a6e46cce8258bd39f0",
        "urls": [],
        "crc32": "4A33BA6E",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/d5019c2157a80546_killcopy_ia64.dll",
        "ssdeep": null,
        "size": 45056,
        "sha512": "af2165bdd43dc2fa49277d14fae9cc0f754e7f420f2a0102cca2ac662909b78ea65f8dbf679c2b7f44dd7b3fecaf7528b3e70ced3572e3c43fb7c3b19ab52ff0",
        "pids": [
            2740
        ],
        "md5": "6d485bffd0bf1dceb7849be7c3c22d80"
    },
    {
        "yara": [],
        "sha1": "b25f8db919d6c1faaddc47751425e58f5a8c4e97",
        "name": "35c77e378ea2deb6_killcopy_amd64.dll",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy_amd64.dll",
        "type": "PE32+ executable (DLL) (GUI) x86-64, for MS Windows",
        "sha256": "35c77e378ea2deb676f3ed45bfdf5f5a48f7eb75df500bdc5df50059fdd7bc42",
        "urls": [],
        "crc32": "EC2E8356",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/35c77e378ea2deb6_killcopy_amd64.dll",
        "ssdeep": null,
        "size": 22016,
        "sha512": "8817eb07e4911e27b1874593e8cb2339c64b6b1aafd682be77c2acd932f8e3b491b5280e9c382862d597e50dfacfdb8970007206515e92f91b066910973cdf3e",
        "pids": [
            2740
        ],
        "md5": "6919bd0a5a512559cfa9fb0b7a58e2e9"
    },
    {
        "yara": [],
        "sha1": "2008caf7213ddd402caae11376563cfa2bdce557",
        "name": "f4c8145870bc5691_30.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\30.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "f4c8145870bc5691e1d7a4349036824d19879e8ef62c995471b5ad56ab837068",
        "urls": [],
        "crc32": "92377D20",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/f4c8145870bc5691_30.bmp",
        "ssdeep": null,
        "size": 198,
        "sha512": "262c6e67cfb9462da5dce4c48a433d4a4bb4bbc1630aaec807d072ccb33b0a7c99ae7ee7d8d3bf424425945eb61b6132f5175e714e5a2685f118ff154556ed4e",
        "pids": [
            2740
        ],
        "md5": "eee2059791f172c8998e21f935f89df4"
    },
    {
        "yara": [],
        "sha1": "696d18691e60dcf60f11740f99ca51382b6c5892",
        "name": "59d0d20f0e2f0321_24.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\24.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "59d0d20f0e2f0321c88a2c28f620358043c49df58d5b82cbf2c53abf1866e98a",
        "urls": [],
        "crc32": "2920794F",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/59d0d20f0e2f0321_24.bmp",
        "ssdeep": null,
        "size": 198,
        "sha512": "453c227213c901aa84ade69b430c3e77ed0548dfb8fa7e2f3ee66c9c1e6730ac0ff06a6ca62710377a7471275e9051aea8b5b2b26a7331ddefcdcd84b093296e",
        "pids": [
            2740
        ],
        "md5": "c869332a01c71267b205824cc0b5fc76"
    },
    {
        "yara": [],
        "sha1": "d016a2402f3dc99b519b16423c3741ef8911b1a1",
        "name": "3deaa388c46a3c2d_8.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\8.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "3deaa388c46a3c2d02db05d4047f3168dce29574609f3a4374e1cd545020d377",
        "urls": [],
        "crc32": "F4775EFC",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/3deaa388c46a3c2d_8.bmp",
        "ssdeep": null,
        "size": 198,
        "sha512": "020d1687a62442f2bae02d3331d11ccf21ae84b9ae311fa53e55c8a3254a906c96484e43a312cd8343bffcab039c8a333c600130b944a4a25893c5be73b60a1e",
        "pids": [
            2740
        ],
        "md5": "7e1032326435fd7db5328fb33ab27c26"
    },
    {
        "yara": [],
        "sha1": "60061df21f6a4c6d066603cde7afeb89dcc8f500",
        "name": "d012a26ec99b5659_15.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\15.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "d012a26ec99b5659e4697b80d09796f1c3422600d5a62e930d214b8ed530f032",
        "urls": [],
        "crc32": "8D288CE2",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/d012a26ec99b5659_15.bmp",
        "ssdeep": null,
        "size": 194,
        "sha512": "5fffed2beccc9ed2eda2cacd0dae4721d1d8f15cfed5cd37d5cc3d33ea041d55296981071f208d57023d3afda3289a5f0f379dfd24d14669e08dcb8fd53fb026",
        "pids": [
            2740
        ],
        "md5": "80cf1c812f28e2dcfe76a6946ec618f8"
    },
    {
        "yara": [],
        "sha1": "54c35baf736e32d1fe1421d3b29ef6e5a89b3c39",
        "name": "5129cf7a06bf2294_5.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\5.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "5129cf7a06bf22945c03f5cd99c0ea0f200bd34a070db04616c76400f0b57ccd",
        "urls": [],
        "crc32": "5855D4CB",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/5129cf7a06bf2294_5.bmp",
        "ssdeep": null,
        "size": 194,
        "sha512": "74da0d1aa62e1895f455e3a93b4a4eea3feff453c0432d90b145bfd54956d5c5133c73b6d7d47fc71f45a4f9fbea715be6f29cf5d8f5f3463d8302621c84c5fe",
        "pids": [
            2740
        ],
        "md5": "ee6dcfe4f529f0115ca6026c8df8a783"
    },
    {
        "yara": [],
        "sha1": "ea9e127f1e360acde3fa3a51f16f5ea042b6742f",
        "name": "caa3c48a5feb9f20_progfore.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\progfore.bmp",
        "type": "PC bitmap, Windows 3.x format, 285 x 13 x 4",
        "sha256": "caa3c48a5feb9f201890605d610052b12e51d05e1c51de80a869277db1ed02c0",
        "urls": [],
        "crc32": "E06FA664",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/caa3c48a5feb9f20_progfore.bmp",
        "ssdeep": null,
        "size": 1946,
        "sha512": "0124b485381639ed37ff0a2a7fb713c5339a2af4b6c2e15d2cd0cac03e1ea074d9e43792c1fdfc48cb96b13a80c5f1893d31154f1ec3d6d7e5400bc1b9b565ec",
        "pids": [
            2740
        ],
        "md5": "4c72bde274d27e883779e993a106d9e6"
    },
    {
        "yara": [],
        "sha1": "0d894591b93df60d51a47b88fa1d2f64d40bf6e6",
        "name": "30cce4614b8bbec6_11.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\11.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "30cce4614b8bbec6b8d97b55d0332dc21e04e20dde8dea7bcf814bea39ec935d",
        "urls": [],
        "crc32": "109D5971",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/30cce4614b8bbec6_11.bmp",
        "ssdeep": null,
        "size": 194,
        "sha512": "e4734f53a373a921f015a4a461d6311cede118fc3794e25d15902f6e44a9fe0983f28503289a61871aa7deb3c53aeef25265822b890e44e76b951bda6f861b1e",
        "pids": [
            2740
        ],
        "md5": "7fd844aad2ff8ccf7877aa083e2761ca"
    },
    {
        "yara": [],
        "sha1": "5693c73f9508bf56254b924da99845a86e012303",
        "name": "92f1b5ca084c7f98_22.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\22.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "92f1b5ca084c7f98cbe4e4f91949e40cd4f5bda285a720cbadd7632da7142d07",
        "urls": [],
        "crc32": "F8B6844E",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/92f1b5ca084c7f98_22.bmp",
        "ssdeep": null,
        "size": 198,
        "sha512": "d6efee76e978ba7548e320f04a1ea2709ab2cbe2a2c1ab72222843c656fc09f17592b84e5f98ee8f748da412ce85e73332717ce4421be13e24ea429c97d46110",
        "pids": [
            2740
        ],
        "md5": "953487304897556211f4e1766a2ff988"
    },
    {
        "yara": [],
        "sha1": "2fc0dd2e205be0f355ad71d4ea818a23d0d87b74",
        "name": "d2cbef9d4b97a4a9_28.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\28.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "d2cbef9d4b97a4a9209dfc27c27d25f6a45fc17a70df86b585c2f5b5758a8b96",
        "urls": [],
        "crc32": "7CA9E72B",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/d2cbef9d4b97a4a9_28.bmp",
        "ssdeep": null,
        "size": 198,
        "sha512": "0b4463019dc73084cb635b98ca78eb8f463393ea4825cae2a253da7db4b5fe986cd3054f134331f281baa354e65a4aa4681f612dd935145ba95cf5992a6488e2",
        "pids": [
            2740
        ],
        "md5": "63ef4703faf8e446b67d469b336b9740"
    },
    {
        "yara": [],
        "sha1": "70964d10a7934275e3aa2d3f335c3483604e0b11",
        "name": "eabd130a24592049_resume.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\resume.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "eabd130a245920495226687d57d19cbab0ec5f8fc917244639b261d2fcb07fbb",
        "urls": [],
        "crc32": "29562348",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/eabd130a24592049_resume.bmp",
        "ssdeep": null,
        "size": 246,
        "sha512": "a44c263ff0bb3d913d096064c236485f4995bc1268cd3119cf6b27908c13cb7903c28a2a5b17bbbabe1ebeb9d4040fed29433b83a3f2032b0f12586c58039c59",
        "pids": [
            2740
        ],
        "md5": "0930913a07833606d92267c67a436e2b"
    },
    {
        "yara": [],
        "sha1": "95543190ed0bc05f7cd8cca38f56795991182ee9",
        "name": "950566f836d2024c_abort.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\abort.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "950566f836d2024c1adca0c2c296f2a657a8425d5bd99a5b39c08df9528bff58",
        "urls": [],
        "crc32": "C6AC60E5",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/950566f836d2024c_abort.bmp",
        "ssdeep": null,
        "size": 206,
        "sha512": "06e89a367e1102e17b060249a910cd919857594a3e50ddb49f85980b80e2aea1ed20bf9030a04afe65e10bb2ad8037e73066ced42da55a0c63f5f7290278e7a1",
        "pids": [
            2740
        ],
        "md5": "51be024d1233d50bf11394d7c18540d8"
    },
    {
        "yara": [],
        "sha1": "840a92f8b4f90714bc04447d27bc06c7dcf2c8b0",
        "name": "efa4295b54f3c87e_3.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\3.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "efa4295b54f3c87ee5edd197a944c9892d47c8031724e1b1d91b5fbc6a55fcca",
        "urls": [],
        "crc32": "8151B1DE",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/efa4295b54f3c87e_3.bmp",
        "ssdeep": null,
        "size": 194,
        "sha512": "1a93fa570cabcc788e6ce611c75173732afeaac45b3012a8a470525f075d260140a8c58b85655c56ab69ca1307d1760c3ec1a4f89b29f4a9b879c5fa255035a4",
        "pids": [
            2740
        ],
        "md5": "0fd2ba393d8c4c6c05eb3df28e562b0a"
    },
    {
        "yara": [],
        "sha1": "64b25290e8ec261f50cdc682acd39e2ecb116792",
        "name": "1048866b6e6709ab_29.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\29.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "1048866b6e6709ab1f5ed9563abb26b8f509a5d0c89539023a0e3a0270e3bee2",
        "urls": [],
        "crc32": "C975D832",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/1048866b6e6709ab_29.bmp",
        "ssdeep": null,
        "size": 198,
        "sha512": "0af98de74acf0bea41a03f3b30edb3f5393ea3913f27d5adbe7fdf8fdad2b4dd9246e186f767ec8187f22880ed852663760e37146d9427a7cacab1168e7aa468",
        "pids": [
            2740
        ],
        "md5": "232e89fbda5563c3e19a88f239727f56"
    },
    {
        "yara": [],
        "sha1": "8ee7f3cc2685014de7a03faf384b21e0f3aa443d",
        "name": "b50189752a313e6b_2.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\2.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "b50189752a313e6ba914f4c9e1559f1854b9bae76fccd1f74faadda7dc52ac33",
        "urls": [],
        "crc32": "AD6BDBD9",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/b50189752a313e6b_2.bmp",
        "ssdeep": null,
        "size": 194,
        "sha512": "aaf603bd2794970ee2b187ef945685c745a0a670a44c19682990f3d5d56faab3a8fd4b43780e88145a7b39922c6ef40c3a683e428ac4ccd956ad0786ab99aa51",
        "pids": [
            2740
        ],
        "md5": "6a4671ca3bee3121bca635ae043550f9"
    },
    {
        "yara": [],
        "sha1": "e5203b868ad02743683ea76544be6c549df474a4",
        "name": "f84a6e9bacec1332_killcopy.exe",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy.exe",
        "type": "PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows",
        "sha256": "f84a6e9bacec1332a4e6fc2e3b0e5eafe4d1b2d28fc255f7d6ef66b17797ddc5",
        "urls": [
            "http:\/\/www.killprog.com"
        ],
        "crc32": "BE10E254",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/f84a6e9bacec1332_killcopy.exe",
        "ssdeep": null,
        "size": 1185792,
        "sha512": "b51f1d2e37429ab37b61608ace82cfb53bc90a3f182acb14afe6df45a5409b26510ab1dcb9f2462dfe1ba80993b1525bf16f0c3aaa94a5abaefc2cd2ff7fb07a",
        "pids": [
            2740
        ],
        "md5": "8181d9282a5f3c1d3df8995f376a2bc0"
    },
    {
        "yara": [],
        "sha1": "85de8b77a72d015ddef801f2db17f80e4f70cb95",
        "name": "036a983635bb7daf_pause.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\pause.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "036a983635bb7daf7b05d7f8d9093c44839e200441728de9c4caa854e6972535",
        "urls": [],
        "crc32": "883A84E4",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/036a983635bb7daf_pause.bmp",
        "ssdeep": null,
        "size": 242,
        "sha512": "5749ebdf3c1bacb1810cb5a433e2c9fc9898b3f7b1e860c4eda9f15af623a3a1fa8337e240544c69e6554514b4ad176264c340fdf4e3f408ce62ffac21901d87",
        "pids": [
            2740
        ],
        "md5": "2374160f55d7b8de7194ab1b15dd510b"
    },
    {
        "yara": [],
        "sha1": "8fc9bb9f17f9d253e9e379bb0569bed30ed2cf04",
        "name": "c74b89da16b3dd5c_4.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\4.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "c74b89da16b3dd5c411749501057b292f6b8257be815c5e3bb8ddd26d729ac33",
        "urls": [],
        "crc32": "58DE6B41",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/c74b89da16b3dd5c_4.bmp",
        "ssdeep": null,
        "size": 198,
        "sha512": "8756dec15993df8d2721e6e109e4f9fb617601f2efc58835bdde9a7e4bcb9d63af458c267a69033f6fcaa9150817abab28dbebe4c0e46176d0db5f0bb76dbfe1",
        "pids": [
            2740
        ],
        "md5": "4e6c3594d61184fddd19698b112f5b5f"
    },
    {
        "yara": [],
        "sha1": "0707073023c1f72c9523339bf0ca28c9be85e478",
        "name": "4c6f3a00e79c57e0_english.lng",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\English.lng",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "4c6f3a00e79c57e08e6a03e1736c557785d2a820a1e5b389892fab875f0ee4a6",
        "urls": [],
        "crc32": "40A754C5",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/4c6f3a00e79c57e0_english.lng",
        "ssdeep": null,
        "size": 6358,
        "sha512": "639118b7beeec5c9b2724369a954ab622f64ed795ae45f9bde94129b60b45cfb75bd274380a2fe942a291754e56a33cf444264b567f2cd6c8526e8a8c7ea3446",
        "pids": [
            2740
        ],
        "md5": "1f8fea4546508fa89f380f1ed7e166a6"
    },
    {
        "yara": [],
        "sha1": "3641e683f28e5f83e2ab1c85667ae60269729529",
        "name": "024f3d3f326fbcdc_26.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\26.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "024f3d3f326fbcdcef16626c11f2dad281aaa802d9979a816ff50f2ed5bca881",
        "urls": [],
        "crc32": "7C04A2AF",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/024f3d3f326fbcdc_26.bmp",
        "ssdeep": null,
        "size": 198,
        "sha512": "71df64032c6d3ca171f5e9993e5a91bbcb2af901b8edb8b2914818af2156655b4174997e641883cf884fe8a719209bb1e94e76678bd7eadfcfcaec5446d04c4b",
        "pids": [
            2740
        ],
        "md5": "6f2310876b54b3de09e8be2debb5b6bd"
    },
    {
        "yara": [],
        "sha1": "5b01bafd1d7bf516d01f8214febae68ae7be0004",
        "name": "48d0fb002c16ab51_19.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\19.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "48d0fb002c16ab51433b0324442862133fe4bc6e3f39a4f9ab12d7f0fc8574e8",
        "urls": [],
        "crc32": "12E467F0",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/48d0fb002c16ab51_19.bmp",
        "ssdeep": null,
        "size": 194,
        "sha512": "32108cb828c9857d6620285d00ee9ff6a18253792dcbb6d30840c97f653990b6698a248ace61a4f2a456cb48bb278a3e755bdc7bf0211d0d845ba38dbe276952",
        "pids": [
            2740
        ],
        "md5": "b135d84c1225cd7d1f9269bed9702790"
    },
    {
        "yara": [],
        "sha1": "084775455eab3b667c945b8692b664aeb903366e",
        "name": "b5c6c5a4483c39ff_13.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\13.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "b5c6c5a4483c39ffdab4a011c61722d912d4616f8584fba6adcb64850aa6b94e",
        "urls": [],
        "crc32": "913B19F4",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/b5c6c5a4483c39ff_13.bmp",
        "ssdeep": null,
        "size": 194,
        "sha512": "6f9f29ee45f0140f33374668d109d829e76cb582ff77e7c0c098218780ecb6515586d58d64d65d943124377fcc258257459820beac07eb1624d75775455ddfff",
        "pids": [
            2740
        ],
        "md5": "77f41dc203b76748ace85afdf0e53cab"
    },
    {
        "yara": [],
        "sha1": "2d05f1143fb66d309219f8060a4a38289862c8ab",
        "name": "6e0f6febcdc00a0b_20.bmp",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\20.bmp",
        "type": "PC bitmap, Windows 3.x format, 16 x 16 x 4",
        "sha256": "6e0f6febcdc00a0bb25e5c5f8050373c4defa04e4343fa5d3b1573356dc0910f",
        "urls": [],
        "crc32": "42499668",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/4133\/files\/6e0f6febcdc00a0b_20.bmp",
        "ssdeep": null,
        "size": 198,
        "sha512": "f635320c2d5541c3a120d15064fa8713c3ca5563f033021178e5d759d58191df5ea94c063a1971d16de8415445c0cba3528c0c4fce00d28be50a78f50c9326a6",
        "pids": [
            2740
        ],
        "md5": "b73a6611d9e538f43395ebb7cd9a9eb5"
    }
]

Generic

[
    {
        "process_path": "C:\\Windows\\System32\\lsass.exe",
        "process_name": "lsass.exe",
        "pid": 476,
        "summary": {},
        "first_seen": 1575845584.34375,
        "ppid": 376
    },
    {
        "process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\212d1b390bbb606c50aa304f479cc9476c51e21ebfd2a169bf2c0be95a05eee3.bin",
        "process_name": "212d1b390bbb606c50aa304f479cc9476c51e21ebfd2a169bf2c0be95a05eee3.bin",
        "pid": 2740,
        "summary": {
            "file_created": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\skip.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\27.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\8.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\23.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\5.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\abort.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\25.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\6.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\4.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\26.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\14.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\22.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\10.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\19.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\13.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\skin.ini",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy_ia64.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy_amd64.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy.exe",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\12.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\21.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\11.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\English.lng",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\7.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\3.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\18.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\24.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\30.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\29.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\20.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\pause.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\1.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\2.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\31.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\progback.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\28.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\P2RAM.ini",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\resume.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\minimize.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\16.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\15.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\32.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\9.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\progfore.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\17.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\main.bmp"
            ],
            "directory_created": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart"
            ],
            "dll_loaded": [
                "UxTheme.dll",
                "kernel32",
                "SETUPAPI.dll",
                "IMM32.dll",
                "dwmapi.dll",
                "API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
                "C:\\Windows\\system32\\uxtheme.dll",
                "C:\\Windows\\syswow64\\MSCTF.dll",
                "kernel32.dll",
                "GDI32.dll",
                "SHELL32.dll",
                "KERNEL32.DLL",
                "MSVCRT.dll",
                "OLEAUT32.dll",
                "C:\\Windows\\system32\\ole32.dll",
                "ADVAPI32.dll",
                "OLEAUT32.DLL",
                "ole32.dll",
                "comctl32.dll",
                "USER32.dll",
                "COMCTL32.dll"
            ],
            "file_opened": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\212d1b390bbb606c50aa304f479cc9476c51e21ebfd2a169bf2c0be95a05eee3.bin",
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
            ],
            "regkey_opened": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\212d1b390bbb606c50aa304f479cc9476c51e21ebfd2a169bf2c0be95a05eee3.bin",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
                "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}"
            ],
            "file_written": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\skip.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\27.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\8.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\23.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\5.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\abort.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\25.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\6.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\4.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\26.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\14.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\22.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\10.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\19.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\13.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\skin.ini",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy_ia64.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy_amd64.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy.exe",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\12.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\21.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\11.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\English.lng",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\7.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\3.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\18.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\24.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\30.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\29.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\20.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\pause.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\1.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\2.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\31.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\progback.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\28.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\P2RAM.ini",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\resume.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\minimize.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\16.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\15.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\32.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\9.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\progfore.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\17.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\main.bmp"
            ],
            "file_exists": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\skip.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\27.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\8.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\23.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\5.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\abort.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\25.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\6.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\4.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\26.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\14.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\22.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\10.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\19.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\13.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy_ia64.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy_amd64.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy.exe",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\12.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\21.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\11.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\English.lng",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\7.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\3.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\18.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\24.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\30.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\skin.ini",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\29.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\20.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\pause.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\1.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\2.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\31.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\progback.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\28.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\P2RAM.ini",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\resume.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\minimize.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\16.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\15.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\32.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\9.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\progfore.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\17.bmp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\Skins\\Standart\\main.bmp"
            ],
            "command_line": [
                "\"C:\\Windows\\System32\\cmd.exe\" \/c start \/b C:\\Windows\\SysWOW64\\cmd64.exe \/c C:\\Windows\\System32\\pecmd.exe C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\P2RAM.ini",
                "cmd.exe \/c start \/b C:\\Windows\\SysWOW64\\cmd64.exe \/c C:\\Windows\\System32\\pecmd.exe C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\P2RAM.ini"
            ],
            "file_read": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\212d1b390bbb606c50aa304f479cc9476c51e21ebfd2a169bf2c0be95a05eee3.bin"
            ],
            "regkey_read": [
                "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
                "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
                "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data"
            ]
        },
        "first_seen": 1575845584.625,
        "ppid": 1664
    },
    {
        "process_path": "C:\\Windows\\System32\\cmd.exe",
        "process_name": "cmd.exe",
        "pid": 2820,
        "summary": {
            "dll_loaded": [
                "SHELL32.dll",
                "rpcrt4.dll",
                "API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
                "SETUPAPI.dll"
            ],
            "file_opened": [
                "C:\\Windows\\System32\\sechost.dll",
                "C:\\",
                "C:\\Users\\",
                "C:\\Users\\cuck\\",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\",
                "C:\\Users\\cuck\\AppData\\Local\\",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\",
                "C:\\Users\\cuck\\AppData\\"
            ],
            "command_line": [
                "C:\\Windows\\SysWOW64\\cmd64.exe  \/c C:\\Windows\\System32\\pecmd.exe C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\P2RAM.ini"
            ],
            "file_exists": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\PathCompletionChar",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DisableUNCCheck",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\AutoRun",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\EnableExtensions",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DelayedExpansion",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\DefaultColor",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Command Processor\\CompletionChar",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun"
            ],
            "directory_enumerated": [
                "C:\\Windows\\SysWOW64\\cmd64.exe.*",
                "C:\\Windows\\SysWOW64\\cmd64.exe"
            ]
        },
        "first_seen": 1575845587.858751,
        "ppid": 2740
    }
]

Signatures

[
    {
        "markcount": 1,
        "families": [],
        "description": "Checks if process is being debugged by a debugger",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741515,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1575845584.812,
                    "tid": 2436,
                    "flags": {}
                },
                "pid": 2740,
                "type": "call",
                "cid": 233
            }
        ],
        "references": [],
        "name": "checks_debugger"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Command line console output was observed",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleW",
                    "return_value": 1,
                    "arguments": {
                        "buffer": "The system cannot find the file C:\\Windows\\SysWOW64\\cmd64.exe.\r\n",
                        "console_handle": "0x000000000000000b"
                    },
                    "time": 1575845161.39402,
                    "tid": 2952,
                    "flags": {}
                },
                "pid": 2820,
                "type": "call",
                "cid": 224
            }
        ],
        "references": [],
        "name": "console_output"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "system",
                    "status": 1,
                    "stacktrace": [],
                    "api": "GlobalMemoryStatusEx",
                    "return_value": 1,
                    "arguments": {},
                    "time": 1575845587.609,
                    "tid": 2436,
                    "flags": {}
                },
                "pid": 2740,
                "type": "call",
                "cid": 877
            }
        ],
        "references": [],
        "name": "antivm_memory_available"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation",
        "severity": 2,
        "marks": [
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "GetDiskFreeSpaceExW",
                    "return_value": 1,
                    "arguments": {
                        "root_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change",
                        "free_bytes_available": 23514615808,
                        "total_number_of_free_bytes": 0,
                        "total_number_of_bytes": 0
                    },
                    "time": 1575845587.609,
                    "tid": 3016,
                    "flags": {}
                },
                "pid": 2740,
                "type": "call",
                "cid": 892
            }
        ],
        "references": [],
        "name": "antivm_disk_size"
    },
    {
        "markcount": 3,
        "families": [],
        "description": "Creates a suspicious process",
        "severity": 2,
        "marks": [
            {
                "category": "cmdline",
                "ioc": "\"C:\\Windows\\System32\\cmd.exe\" \/c start \/b C:\\Windows\\SysWOW64\\cmd64.exe \/c C:\\Windows\\System32\\pecmd.exe C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\P2RAM.ini",
                "type": "ioc",
                "description": null
            },
            {
                "category": "cmdline",
                "ioc": "C:\\Windows\\SysWOW64\\cmd64.exe  \/c C:\\Windows\\System32\\pecmd.exe C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\P2RAM.ini",
                "type": "ioc",
                "description": null
            },
            {
                "category": "cmdline",
                "ioc": "cmd.exe \/c start \/b C:\\Windows\\SysWOW64\\cmd64.exe \/c C:\\Windows\\System32\\pecmd.exe C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\P2RAM.ini",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "suspicious_process"
    },
    {
        "markcount": 2,
        "families": [],
        "description": "Drops an executable to the user AppData folder",
        "severity": 2,
        "marks": [
            {
                "category": "file",
                "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy.dll",
                "type": "ioc",
                "description": null
            },
            {
                "category": "file",
                "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\killcopy.exe",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "exe_appdata"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "A process created a hidden window",
        "severity": 2,
        "marks": [
            {
                "call": {
                    "category": "process",
                    "status": 1,
                    "stacktrace": [],
                    "api": "ShellExecuteExW",
                    "return_value": 1,
                    "arguments": {
                        "parameters": "\/c start \/b C:\\Windows\\SysWOW64\\cmd64.exe \/c C:\\Windows\\System32\\pecmd.exe C:\\Users\\cuck\\AppData\\Local\\Temp\\2k10\\Change\\P2RAM.ini",
                        "filepath": "cmd.exe",
                        "filepath_r": "cmd.exe",
                        "show_type": 0
                    },
                    "time": 1575845587.797,
                    "tid": 2436,
                    "flags": {}
                },
                "pid": 2740,
                "type": "call",
                "cid": 1357
            }
        ],
        "references": [],
        "name": "stealth_window"
    },
    {
        "markcount": 2,
        "families": [],
        "description": "The binary likely contains encrypted or compressed data indicative of a packer",
        "severity": 2,
        "marks": [
            {
                "entropy": 7.910391757442451,
                "section": {
                    "size_of_data": "0x0000ba00",
                    "virtual_address": "0x00013000",
                    "entropy": 7.910391757442451,
                    "name": "UPX1",
                    "virtual_size": "0x0000c000"
                },
                "type": "generic",
                "description": "A section with a high entropy has been found"
            },
            {
                "entropy": 0.8532110091743119,
                "type": "generic",
                "description": "Overall entropy of this PE file is high"
            }
        ],
        "references": [
            "http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html",
            "http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
        ],
        "name": "packer_entropy"
    },
    {
        "markcount": 2,
        "families": [],
        "description": "The executable is compressed using UPX",
        "severity": 2,
        "marks": [
            {
                "section": "UPX0",
                "type": "generic",
                "description": "Section name indicates UPX"
            },
            {
                "section": "UPX1",
                "type": "generic",
                "description": "Section name indicates UPX"
            }
        ],
        "references": [],
        "name": "packer_upx"
    }
]

Yara

The Yara rules did not detect anything in the file.

Network

{
    "tls": [],
    "udp": [
        {
            "src": "192.168.56.101",
            "dst": "192.168.56.255",
            "offset": 662,
            "time": 6.201472997665405,
            "dport": 137,
            "sport": 137
        },
        {
            "src": "192.168.56.101",
            "dst": "192.168.56.255",
            "offset": 5342,
            "time": 12.200999975204468,
            "dport": 138,
            "sport": 138
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 7186,
            "time": 6.16173791885376,
            "dport": 5355,
            "sport": 51001
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 7514,
            "time": 4.146929025650024,
            "dport": 5355,
            "sport": 53595
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 7842,
            "time": 6.1744208335876465,
            "dport": 5355,
            "sport": 53848
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 8170,
            "time": 4.657837867736816,
            "dport": 5355,
            "sport": 54255
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 8498,
            "time": 3.0242459774017334,
            "dport": 5355,
            "sport": 55314
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 8826,
            "time": 4.654227018356323,
            "dport": 1900,
            "sport": 1900
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 28236,
            "time": 4.16933798789978,
            "dport": 3702,
            "sport": 49152
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 36620,
            "time": 6.23248291015625,
            "dport": 1900,
            "sport": 53598
        }
    ],
    "dns_servers": [],
    "http": [],
    "icmp": [],
    "smtp": [],
    "tcp": [],
    "smtp_ex": [],
    "mitm": [],
    "hosts": [],
    "pcap_sha256": "4377d2a2a19855493c8db38af30d7b0681bd568ce0924ad54d3cbbab8194e6d6",
    "dns": [],
    "http_ex": [],
    "domains": [],
    "dead_hosts": [],
    "sorted_pcap_sha256": "bb929bc43a50d4ba3d077d86893e20ef2a4a0fdf318ac7bdf05b0f2daa5430bb",
    "irc": [],
    "https_ex": []
}


Prog2Ram.exe removal instructions

The instructions below show how to remove Prog2Ram.exe with the FreeFixer removal tool. In short, you install FreeFixer, scan your computer, check the Prog2Ram.exe file for removal, restart your computer and scan it again to verify that Prog2Ram.exe has been successfully removed. Here are the removal instructions in more detail:

  1. Download and install FreeFixer: http://www.freefixer.com/download.html
  2. Start FreeFixer and press the Start Scan button. The scan will finish in approximately five minutes.
  3. When the scan is finished, locate Prog2Ram.exe in the scan result and tick the checkbox next to the Prog2Ram.exe file. Do not check any other file for removal unless you are 100% sure you want to delete it. Tip: Press CTRL-F to open up FreeFixer's search dialog to quickly locate Prog2Ram.exe in the scan result.
    L:\2k10\Programs-2k10\Prog2Ram.exe
  4. Scroll down to the bottom of the scan result and press the Fix button. FreeFixer will now delete the Prog2Ram.exe file.
  5. Restart your computer.
  6. Start FreeFixer and scan your computer again. If Prog2Ram.exe still remains in the scan result, proceed with the next step. If Prog2Ram.exe is gone from the scan result you're done.
  7. If Prog2Ram.exe still remains in the scan result, check its checkbox again in the scan result and click Fix.
  8. Restart your computer.
  9. Start FreeFixer and scan your computer again. Verify that Prog2Ram.exe no longer appears in the scan result.

Hashes

MD5: 35b1b024437b22e9a706a0b47f5b11ed
SHA256: 212d1b390bbb606c50aa304f479cc9476c51e21ebfd2a169bf2c0be95a05eee3

Error Messages

These are some of the error messages that can appear related to prog2ram.exe:

prog2ram.exe has encountered a problem and needs to close. We are sorry for the inconvenience.

prog2ram.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.

7z Setup SFX has stopped working.

End Program - prog2ram.exe. This program is not responding.

prog2ram.exe is not a valid Win32 application.

prog2ram.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
