bombux.exe is usually located in the 'c:\downloads\' folder.
Some of the anti-virus scanners at VirusTotal detected bombux.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
bombux.exe is not signed.
42 of the 65 anti-virus programs at VirusTotal detected the bombux.exe file. That's a 65% detection rate.
| Scanner | Detection Name |
|---|---|
| Ad-Aware | Trojan.GenericKD.41077000 |
| AhnLab-V3 | Trojan/Win32.AutoIT.R258033 |
| ALYac | Trojan.GenericKD.41077000 |
| Arcabit | Trojan.Generic.D272C908 |
| Avast | Win32:Trojan-gen |
| AVG | Win32:Trojan-gen |
| Avira | DR/AutoIt.Gen |
| BitDefender | Trojan.GenericKD.41077000 |
| CAT-QuickHeal | Trojan.Autoit |
| CrowdStrike | win/malicious_confidence_60% (W) |
| Cybereason | malicious.667696 |
| Cyren | VBS/Agent.RS |
| Emsisoft | Trojan.GenericKD.41077000 (B) |
| Endgame | malicious (high confidence) |
| ESET-NOD32 | Win32/Injector.Autoit.DTG |
| F-Secure | Dropper.DR/AutoIt.Gen |
| Fortinet | AutoIt/Injector.DSA!tr |
| GData | Script.Trojan.Agent.IEP8DP |
| Ikarus | Trojan.Win32.Injector |
| Invincea | heuristic |
| Jiangmin | Trojan.Miner.ffr |
| K7AntiVirus | Trojan ( 005489701 ) |
| K7GW | Trojan ( 005489701 ) |
| Kaspersky | Trojan-Spy.Win32.Noon.abdt |
| Malwarebytes | Spyware.LokiBot |
| MAX | malware (ai score=99) |
| McAfee | Trojan-FQSO!1BFFE9687E01 |
| McAfee-GW-Edition | BehavesLike.Win32.Backdoor.cc |
| Microsoft | Trojan:Win32/Occamy.C |
| MicroWorld-eScan | Trojan.GenericKD.41077000 |
| NANO-Antivirus | Trojan.Win32.Noon.fnvkzk |
| Paloalto | generic.ml |
| Panda | Trj/CI.A |
| Qihoo-360 | HEUR/QVM06.2.A8B5.Malware.Gen |
| Rising | Trojan.Injector!8.C4 (TOPIS:E0:3cVgpLKVusQ) |
| Sophos | Mal/Generic-S |
| Tencent | Win32.Trojan.Autoit.Auto |
| Trapmine | malicious.high.ml.score |
| TrendMicro-HouseCall | TROJ_GEN.R049C0OC819 |
| VIPRE | Trojan.Win32.Generic!BT |
| ZoneAlarm | Trojan-Spy.Win32.Noon.abdt |
| Zoner | Probably RARAutorun |
The following information was gathered by executing the file inside Cuckoo Sandbox.
Successfully executed process in sandbox.
{
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kvd.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\__tmp_rar_sfx_access_check_16896953",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pjj.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\obq.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\DTLMC",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dnb.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\xvf.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rnu.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\jga.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\lus.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hfc.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\bck.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kbr.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\naf.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\bqw.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hlh.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hqn.mp4",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rjp.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\puk.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rjh.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rrc.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pmt.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vil.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\qxu.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\ivi.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wbi.mp4",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\cft.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vtn.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pwt.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dra.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wok.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\tgm.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wnm.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\oox.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\adq.pdf",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wcj.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\mnr.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\xnp.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\flf.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\umq.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uxa.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\tnw.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\oqc.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\msc.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\ufc.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uhr=mex",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\inw.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vgd.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kas.mp4",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\nqk.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\cjf.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\reg.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pkn.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\nch.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\jqo.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dna.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\irl.icm"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate"
],
"dll_loaded": [
"SETUPAPI.dll",
"C:\\Windows\\system32\\shell32.dll",
"riched20.dll",
"kernel32",
"C:\\Windows\\syswow64\\MSCTF.dll",
"ntdll",
"riched32.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"Advapi32.dll",
"kernel32.dll",
"UxTheme.dll",
"OLEAUT32.DLL",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"comctl32",
"ole32.dll",
"comctl32.dll",
"CRYPTSP.dll",
"user32.dll",
"IMM32.dll"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uhr=mex",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\bqw.txt",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\tgm.jpg",
"C:\\Windows\\win.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\DTLMC",
"C:\\Windows\\SysWOW64\\ntdll.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RegSvcs.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\e89d5d56ae0b6acdabf4b7f294b53eb68fb1be281c40b75f53c42bd847cba318.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kbr.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042"
],
"file_copied": [
[
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RegSvcs.exe"
]
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\e89d5d56ae0b6acdabf4b7f294b53eb68fb1be281c40b75f53c42bd847cba318.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Policies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Control Panel\\Desktop",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\naf.exe",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\Software",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_CLASSES_ROOT\\CLSID\\{00BB2763-6A77-11D0-A535-00C04FD7D062}\\InProcServer32",
"HKEY_CURRENT_USER\\Software\\AutoIt v3\\AutoIt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Policies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CLASSES_ROOT\\CLSID\\{03C036F1-A186-11D0-824A-00AA005B4383}\\InProcServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete\\Client\\",
"HKEY_CURRENT_USER\\Control Panel\\Mouse",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kvd.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wbi.mp4",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pjj.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\obq.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\DTLMC",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dnb.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\xvf.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rnu.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\jga.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\lus.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hfc.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\bck.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kbr.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\naf.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\bqw.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hlh.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hqn.mp4",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rjp.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\puk.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rjh.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rrc.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pmt.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vil.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\qxu.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\ivi.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\cft.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vtn.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pwt.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dra.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wok.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\tgm.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wnm.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\oox.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\adq.pdf",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wcj.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\mnr.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\xnp.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\flf.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RegSvcs.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\umq.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uxa.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\tnw.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\oqc.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\msc.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\ufc.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uhr=mex",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\inw.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vgd.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kas.mp4",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\nqk.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\cjf.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\reg.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pkn.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\nch.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\jqo.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dna.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\irl.icm"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\__tmp_rar_sfx_access_check_16896953",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\DTLMC"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kvd.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wbi.mp4",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pjj.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\obq.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\DTLMC",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dnb.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\xvf.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rnu.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\jga.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\lus.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hfc.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\bck.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kbr.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\naf.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\bqw.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hlh.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hqn.mp4",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kas.mp4",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rjp.bmp",
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\puk.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rjh.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rrc.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pmt.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vil.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\qxu.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\ivi.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\tgm.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\cft.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vtn.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pwt.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dra.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wok.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\Include\\tgm.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wnm.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\oox.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\adq.pdf",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wcj.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\mnr.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\xnp.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\flf.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RegSvcs.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\umq.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uxa.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\tnw.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\oqc.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\msc.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\ufc.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uhr=mex",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\inw.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vgd.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\Include\\bqw.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\spd",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\nqk.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\cjf.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\reg.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pkn.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\nch.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\jqo.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dna.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\irl.icm"
],
"file_failed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\cxi"
],
"guid": [
"{eac04bc0-3791-11d2-bb95-0060977b464c}",
"{5e078e03-8265-4bbe-9487-d242edbef910}",
"{00bb2763-6a77-11d0-a535-00c04fd7d062}",
"{00000000-0000-0000-c000-000000000046}",
"{807c1e6c-1d00-453f-b920-b61bb7cdd997}",
"{03c036f1-a186-11d0-824a-00aa005b4383}",
"{00bb2765-6a77-11d0-a535-00c04fd7d062}"
],
"command_line": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\naf.exe C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\DTLMC",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RegSvcs.exe",
"\"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\naf.exe\" uhr=mex ",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\naf.exe uhr=mex "
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uhr=mex",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\tgm.jpg",
"C:\\Windows\\win.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\DTLMC",
"C:\\Windows\\SysWOW64\\ntdll.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RegSvcs.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\e89d5d56ae0b6acdabf4b7f294b53eb68fb1be281c40b75f53c42bd847cba318.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kbr.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\bqw.txt"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\Always Use Tab",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewAlphaSelect",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00BB2763-6A77-11D0-A535-00C04FD7D062}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInset",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInterval",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollDelay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{03C036F1-A186-11D0-824A-00AA005B4383}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragMinDist",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\AutoSuggest",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\SmoothScroll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewShadow",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AccListViewV6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\Client\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\UseDoubleClickTimer",
"HKEY_CURRENT_USER\\Control Panel\\Mouse\\SwapMouseButtons",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\EnableBalloonTips",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragDelay",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wbi.mp4",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pjj.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\obq.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\DTLMC",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\xvf.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rnu.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\jga.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\lus.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\e89d5d56ae0b6acdabf4b7f294b53eb68fb1be281c40b75f53c42bd847cba318.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hfc.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\bck.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kbr.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\naf.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\bqw.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hlh.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hqn.mp4",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kas.mp4",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dnb.mp3",
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\puk.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rjh.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rrc.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pmt.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\tnw.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kvd.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\qxu.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\ivi.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vil.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\tgm.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\cft.jpg",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vtn.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pwt.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dra.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rjp.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wok.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\Include\\tgm.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wnm.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\oox.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\adq.pdf",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wcj.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\mnr.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\xnp.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\flf.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RegSvcs.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\umq.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uxa.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042",
"C:\\Users\\cuck\\AppData\\Local",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\oqc.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\msc.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\ufc.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uhr=mex",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\inw.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vgd.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\Include\\bqw.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\spd",
"C:\\Users\\cuck",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\nqk.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\cjf.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\reg.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pkn.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\nch.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\jqo.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dna.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\irl.icm"
],
"directory_created": [
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042",
"C:\\Users\\cuck\\AppData\\Local"
]
}

[
{
"yara": [],
"sha1": "3c54a34691c573babf3d987e85b4e2678706ce3d",
"name": "c81fba7fcbf52382_xvf.bmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\xvf.bmp",
"type": "ASCII text, with CRLF line terminators",
"sha256": "c81fba7fcbf52382410678de650c2a4aaab76b3172ee893a7d7670c440d92c49",
"urls": [],
"crc32": "B77C8634",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/c81fba7fcbf52382_xvf.bmp",
"ssdeep": null,
"size": 510,
"sha512": "6bc2d6b556273b5e31ee6de6fa5e4c3e54e23d730d6d66df304a3c553cdf68612b8b64eb9fc6ee00b61851c65a4c218d7cd2c9f67bdeb2a312b15d3d525698b9",
"pids": [
2816
],
"md5": "e4e89b16b9b47679145254d84d0454d2"
},
{
"yara": [],
"sha1": "ecf9f6c971104417f2e6887ea7f27eef719885ff",
"name": "20693d82142ce1db_qxu.jpg",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\qxu.jpg",
"type": "ASCII text, with CRLF line terminators",
"sha256": "20693d82142ce1db50a7c6adac94db5e2ff06e89a243982f1e547caaf9dae493",
"urls": [],
"crc32": "CD077E47",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/20693d82142ce1db_qxu.jpg",
"ssdeep": null,
"size": 531,
"sha512": "2aeff75ccdcbcd90788b0b2f6478ae7bd4df05edc04334da411a828dda0fa6ce1195c0b514e8ce80c574563dc26b8febb5e6101a12be18aeb6cc71ecbaeecf49",
"pids": [
2816
],
"md5": "ea9ebc5129e1748f0b4238be103c9634"
},
{
"yara": [],
"sha1": "55eb611fa7471f1035d88e6b5090c135e7f180df",
"name": "c6eadd9c6aecbe5e_tgm.jpg",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\tgm.jpg",
"type": "ASCII text, with CRLF line terminators",
"sha256": "c6eadd9c6aecbe5e16f2c2c572423558a187c465491b7c57f3fb217c7b53ceec",
"urls": [],
"crc32": "6C216427",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/c6eadd9c6aecbe5e_tgm.jpg",
"ssdeep": null,
"size": 243,
"sha512": "c128511a63984f1ad85b5b4ddd663b890cbbbb042a9db9c8ace476e21b49e29da0deff5f030622dab88455d354d1fc8bc9edca1e9b34eba0c5c3c673dc9fe267",
"pids": [
2816
],
"md5": "28e09f91d2d52f8e1df84c0092ca0cc1"
},
{
"yara": [],
"sha1": "1f2f8f8a736d0a59aca4c6706126d75a0015a789",
"name": "3d53588ee5c45052_lus.xl",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\lus.xl",
"type": "ASCII text, with CRLF line terminators",
"sha256": "3d53588ee5c450525cebca70ae5675c6ef0dfa20af94a1c02e1230bc1684c950",
"urls": [],
"crc32": "D031A179",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/3d53588ee5c45052_lus.xl",
"ssdeep": null,
"size": 515,
"sha512": "15ca40dca822046ccf8d136f6959fd4a54762fd6a6944589a716e0526ca76bb4954f75134430630fffe22b12aac3222fafa2d95c084b2a7736548fc534c265de",
"pids": [
2816
],
"md5": "b60c56bf53db1a7be701f4ff8267ba37"
},
{
"yara": [],
"sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
"name": "e3b0c44298fc1c14___tmp_rar_sfx_access_check_16896953",
"type": "empty",
"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"urls": [],
"crc32": "00000000",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/e3b0c44298fc1c14___tmp_rar_sfx_access_check_16896953",
"ssdeep": null,
"size": 0,
"sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
"md5": "d41d8cd98f00b204e9800998ecf8427e"
},
{
"yara": [],
"sha1": "e9b5f9192faab6c0dfe8639bb316fa87de835f0c",
"name": "0bd605fa4dde1bca_hfc.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hfc.dat",
"type": "ASCII text, with CRLF line terminators",
"sha256": "0bd605fa4dde1bca83fe66d78ba1204249398202c9cab69ff7302e035cd017e8",
"urls": [],
"crc32": "60BF779D",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/0bd605fa4dde1bca_hfc.dat",
"ssdeep": null,
"size": 535,
"sha512": "6636b38e1c4978544218a5c537f55f3fad801b713e58f241afc464a05d6951fe4c718000cb18106d804fe9fb344e1a94f2fa078a82c715588721b87d151fc524",
"pids": [
2816
],
"md5": "29aeac27f3c1e1b244ad50a39c72134c"
},
{
"yara": [],
"sha1": "062c966f4b474559887dc4484af5993b271740ef",
"name": "5eb7d5d216f438a6_inw.mp3",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\inw.mp3",
"type": "ASCII text, with CRLF line terminators",
"sha256": "5eb7d5d216f438a69dc7a1610a3323ff48d50f8c03b9d30fecfb15ebfcb42d07",
"urls": [],
"crc32": "AE0BFFE9",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/5eb7d5d216f438a6_inw.mp3",
"ssdeep": null,
"size": 541,
"sha512": "f4e4035c6d7a3579fcd09d5ef30c7526c98ff1eeb05bfdddb28ac63b7751668c46816140e93d872e07b016d28d8cad1a882efd43adb0c075e7236d14f2766f0e",
"pids": [
2816
],
"md5": "40c9efdabd1d3b77b9a5fca5f02e7b53"
},
{
"yara": [],
"sha1": "5877ae35c75b5ed093add348268b335e9a11a686",
"name": "50a70c9b89019737_obq.icm",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\obq.icm",
"type": "ASCII text, with CRLF line terminators",
"sha256": "50a70c9b890197371f76bbce21a36bc02ef4449b5813f9e75707b6383da92af5",
"urls": [],
"crc32": "5A6B111D",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/50a70c9b89019737_obq.icm",
"ssdeep": null,
"size": 561,
"sha512": "0616ab93b768146068be069103eebd3914e7ab2f760e1d39bb68dad4941fc3e72b72c588d6a8e08f075bfa72172778bebc46b2598359b620ae3de3f004854aa8",
"pids": [
2816
],
"md5": "1f5cccd12b9131f047d7ecae3d13b46d"
},
{
"yara": [],
"sha1": "78a1e013a3806db91c1c124ad6950146cffe87aa",
"name": "7495346994480acf_bck.icm",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\bck.icm",
"type": "ASCII text, with CRLF line terminators",
"sha256": "7495346994480acfe867e180d436a2177c98f8c81f34a5c656bffa98791b190e",
"urls": [],
"crc32": "4F03F751",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/7495346994480acf_bck.icm",
"ssdeep": null,
"size": 665,
"sha512": "a45ec9dc977c3961d4f1ca6e11c366ffbe0e460c72f38ec1f51e75220aae6c5616e5f7fc71eaf09ddb1b55179489a4b9c4a70b7a1108c0dcd36083b1f32cb0b1",
"pids": [
2816
],
"md5": "ae0a1f8f7ac96692d15dafaa54a563f1"
},
{
"yara": [],
"sha1": "5b5767ca31db459f3ba1feef4b7166d91aec094c",
"name": "03cdbf0e09f9f46b_rrc.icm",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rrc.icm",
"type": "ASCII text, with CRLF line terminators",
"sha256": "03cdbf0e09f9f46b3d4d3d7cd963039416f9df46075737432b1329f4b9ccb942",
"urls": [],
"crc32": "C9FEAA0B",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/03cdbf0e09f9f46b_rrc.icm",
"ssdeep": null,
"size": 509,
"sha512": "137022a8a18bb8c6b1b2ca8c025b9a64ff4fd10fc1f3830e17dedd5bd3caf8dc8a2927adfe247995e75396d80fa8b9db1fe2f62614df55facf73e7cac82f453d",
"pids": [
2816
],
"md5": "14f8054d17ed3a0667e144b10bb35ac0"
},
{
"yara": [],
"sha1": "15c61e9a055d2b6495753b6e5984144109f8eded",
"name": "3b873ef6bf2b1dd3_vtn.txt",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vtn.txt",
"type": "ASCII text, with CRLF line terminators",
"sha256": "3b873ef6bf2b1dd3ebeeb3a2b6dc9e24acfe8c3a7f2be5c7701be18b6bbd01a0",
"urls": [],
"crc32": "7A1F6618",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/3b873ef6bf2b1dd3_vtn.txt",
"ssdeep": null,
"size": 529,
"sha512": "62e43f387e94a25e45ab484e753603445637b22cd282e3067489b0f1ca218566223d771c314d739f5c5f78ec2be3ec5ea57ed70565f5717efed0fec70fe480f7",
"pids": [
2816
],
"md5": "cb987417ad7285eda5e459ae0a860f9c"
},
{
"yara": [],
"sha1": "2a4062e10a5de813f5688221dbeb3f3ff33eb417",
"name": "237d1bca6e056df5_naf.exe",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\naf.exe",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d",
"urls": [
"http:\/\/crl.globalsign.com\/gscodesignsha2g3.crl0",
"http:\/\/crl.globalsign.com\/root-r3.crl0c",
"http:\/\/secure.globalsign.com\/cacert\/gscodesignsha2g3ocsp.crt08",
"http:\/\/ocsp2.globalsign.com\/rootr306",
"https:\/\/www.globalsign.com\/repository\/0",
"http:\/\/secure.globalsign.com\/cacert\/gstimestampingsha2g2.crt0",
"http:\/\/crl.globalsign.com\/gs\/gstimestampingsha2g2.crl0",
"http:\/\/ocsp2.globalsign.com\/gscodesignsha2g30V",
"https:\/\/www.globalsign.com\/repository\/06",
"http:\/\/ocsp2.globalsign.com\/gstimestampingsha2g20",
"http:\/\/crl.globalsign.net\/root-r3.crl0",
"https:\/\/www.autoitscript.com\/autoit3\/"
],
"crc32": "76090EE7",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/237d1bca6e056df5_naf.exe",
"ssdeep": null,
"size": 893608,
"sha512": "195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c",
"pids": [
2816
],
"md5": "c56b5f0201a3b3de53e561fe76912bfd"
},
{
"yara": [],
"sha1": "cd483767924d53d382b9f3ed7cf0633f80b51baf",
"name": "51eee2e4cd54fcbb_jqo.ico",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\jqo.ico",
"type": "ASCII text, with CRLF line terminators",
"sha256": "51eee2e4cd54fcbbd09a0427615c5457916523f919c38738f551ed18e4816d86",
"urls": [],
"crc32": "341B24C6",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/51eee2e4cd54fcbb_jqo.ico",
"ssdeep": null,
"size": 533,
"sha512": "1504810d0ddb5399f2d2e1a9f4fa24fdc5ddc9ac2aab528880acf641b4cfa74f635347398205be622e0f3e00167a630f4ff32a41132fb2e928452b7c3e83f523",
"pids": [
2816
],
"md5": "baed23cda4421d094c283d4d53133efd"
},
{
"yara": [],
"sha1": "2f4f1b7c0da3b73762bef80e7d488ad4b5dbab4b",
"name": "7cabde7a40b32170_umq.ico",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\umq.ico",
"type": "ASCII text, with CRLF line terminators",
"sha256": "7cabde7a40b321706345c01dc9cc64a93776a8a96317dfe94700a5b2a2cb41c7",
"urls": [],
"crc32": "915F715E",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/7cabde7a40b32170_umq.ico",
"ssdeep": null,
"size": 595,
"sha512": "929f1eb2fd29da9a201eb945b6ab4d33d9dcc2d617345486967f5eb5a0f8eb4d8484bcfb1634d7147b056cfd597d4aa810842daf371c72fc55c143aeaf37d405",
"pids": [
2816
],
"md5": "28bf865c915c1855384ce720dd789163"
},
{
"yara": [],
"sha1": "c2eea3fc871f3ebf0a666b3e5815b77b32d06e89",
"name": "2db52217521043b7_oox.bmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\oox.bmp",
"type": "ASCII text, with CRLF line terminators",
"sha256": "2db52217521043b7f75ccab04d16ed2f64655b3b78b3fcf0ee2b6fc0e93f5a49",
"urls": [],
"crc32": "1E1B7A99",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/2db52217521043b7_oox.bmp",
"ssdeep": null,
"size": 557,
"sha512": "d7cca6eaa6e14ca44e7d2a08491de0a224bd10a9a054011f5ed5f9aaee2bc054918cfc417bd6b35cd57c03841b3403a5f1553c15293b21ff9c37c96c16a00b07",
"pids": [
2816
],
"md5": "643d82e82b68d4a209656062ee6ce06e"
},
{
"yara": [],
"sha1": "a4c1376e116abdc4875197035becb1ce0f832138",
"name": "c5272fae1c300729_uhr=mex",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uhr=mex",
"type": "C source, ASCII text, with CRLF line terminators",
"sha256": "c5272fae1c300729c24142440fa962b6cc75de3acd138476b7274d0d31971c8e",
"urls": [],
"crc32": "091EFD31",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/c5272fae1c300729_uhr=mex",
"ssdeep": null,
"size": 187358,
"sha512": "b3641e5cdf2ea2957644f762e5e64cc85a9b9d05f71a59bc0bc31da0ab1ac5682a9fa2464d9f5f961481ccb7ff050c7bc2dfb0407f0db5ab91cee80e961c3020",
"pids": [
2816
],
"md5": "6e829854285c797b1f7733f36881d037"
},
{
"yara": [],
"sha1": "2af3c251fca8221d54752460cd3ace04315b1b59",
"name": "b08731538acfd0f6_wbi.mp4",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wbi.mp4",
"type": "ASCII text, with CRLF line terminators",
"sha256": "b08731538acfd0f63d3cea3583e1572d27972a854f3e006b49cdd28c3c8cadf8",
"urls": [],
"crc32": "685B4FD9",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/b08731538acfd0f6_wbi.mp4",
"ssdeep": null,
"size": 524,
"sha512": "15f68ff7f362164defa2ee1012593e59b85483bf4ee5fcb8facfcae5154e044b547e73f2f311452985e48e14e21933fa7089748c23b3244459287dd2fc07fbe9",
"pids": [
2816
],
"md5": "5ec64842ef103ff9a549c4dfe64d5733"
},
{
"yara": [],
"sha1": "1a8cbc2f232235071ff54b43c2e7dd1f225a3d9b",
"name": "23c4db879dc97714_vgd.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vgd.dat",
"type": "ASCII text, with CRLF line terminators",
"sha256": "23c4db879dc97714546dfa20ea749599be93b17d5d120d1b960de7338f11aec2",
"urls": [],
"crc32": "912D9F3A",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/23c4db879dc97714_vgd.dat",
"ssdeep": null,
"size": 539,
"sha512": "35ef377e951f18dffc0c90a7b414fdc383d14b6de7f3b9e7a4f9d0128125d76a8171a8af9ebaa3f4d3a055ed015a4882baf7d7fe3b4fa79a1c74e75b0a104322",
"pids": [
2816
],
"md5": "e0e547fcc619bc8b4f8d9a31aa33ec4d"
},
{
"yara": [],
"sha1": "d57c28293bafc61970221e2acea290500e033cd7",
"name": "b1208aab186cc7f9_tnw.ppt",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\tnw.ppt",
"type": "ASCII text, with CRLF line terminators",
"sha256": "b1208aab186cc7f9dc46c518f45a1ba1b47e66dcce6cb88d05829cbcae2d0464",
"urls": [],
"crc32": "2CD4A7A9",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/b1208aab186cc7f9_tnw.ppt",
"ssdeep": null,
"size": 568,
"sha512": "6ae833d982db4341a26fd739619bd8f8e9962d7a877aabcbc93e1c4e02f21bb09ab423addba0bc06158a8fd80e918f1013e6d2a913cc619b9dcae11368002bdb",
"pids": [
2816
],
"md5": "1319d2eb99cc8006bd8ba62dd53511c6"
},
{
"yara": [],
"sha1": "8e5756b47ae7e1982f3f089a32ddc61c05b37304",
"name": "4e474172623aab14_dnb.mp3",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dnb.mp3",
"type": "ASCII text, with CRLF line terminators",
"sha256": "4e474172623aab14df3f50d21b1d7781d2adca495dbea38372d0fb0e3d358ee9",
"urls": [],
"crc32": "5A9DE37C",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/4e474172623aab14_dnb.mp3",
"ssdeep": null,
"size": 535,
"sha512": "9abdd55ac0bd9f25c8ed6bc587412cd30189c71af3ed1a0723899b157ad552de808e4895677cd525d242bf94a6827e83f9db534e56e49df2de457b21b2d8984c",
"pids": [
2816
],
"md5": "220d3517a46399acfd2d684a576c8828"
},
{
"yara": [],
"sha1": "03c95b316f39d59bc03c0fb115f34f553eb7ab21",
"name": "c6000fef4e2a5ddf_msc.docx",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\msc.docx",
"type": "ASCII text, with CRLF line terminators",
"sha256": "c6000fef4e2a5ddf38b75cd1f790f7af94cd23e50ebcbede12e7adfe98f14c2b",
"urls": [],
"crc32": "6CAE4420",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/c6000fef4e2a5ddf_msc.docx",
"ssdeep": null,
"size": 586,
"sha512": "74f4e0f31cfae0484dd66036970efe560fdd64cd56849e022f3448233c1799f6de5efc607257fe04628de75f07c225e7d2aa29f93734acbf4383dca72c6bc556",
"pids": [
2816
],
"md5": "f3f1f02e96a795087c9a371823a2f284"
},
{
"yara": [],
"sha1": "5320fb1f2baf8467f2990ce7fd670c7d42c40a01",
"name": "a8fb5085173d0b32_mnr.bmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\mnr.bmp",
"type": "ASCII text, with CRLF line terminators",
"sha256": "a8fb5085173d0b327f1f2565c0207b7fb592a1f94f3a0cafc87b3b1ba528ec3e",
"urls": [],
"crc32": "367DE679",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/a8fb5085173d0b32_mnr.bmp",
"ssdeep": null,
"size": 604,
"sha512": "f023001454f1c279fdc480c1d33d1ee5e821b38978b139a30d2e48c9fdc3e5230b267ba860543c749e8e9eed3e0ca6f3ddbc9a42439b90c6844ef36675c5222b",
"pids": [
2816
],
"md5": "a2d50ad010ab9bb6933de6fd0c9bab16"
},
{
"yara": [],
"sha1": "90941b1061b355f587c61ca9426b9094fbcec0ba",
"name": "8af9f536cf6786e5_ivi.ppt",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\ivi.ppt",
"type": "ASCII text, with CRLF line terminators",
"sha256": "8af9f536cf6786e508096d198d624b412c66ee6529ce6609628798466f725047",
"urls": [],
"crc32": "FF62A58D",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/8af9f536cf6786e5_ivi.ppt",
"ssdeep": null,
"size": 534,
"sha512": "16a8bbde65db424304c9b7106bac2c2b27a59d4e5a444897e55020eff0daeacf7caff8e5477a5f69feba7708f337494138cea2cb0af9e1731bb7f0904baf1779",
"pids": [
2816
],
"md5": "93ac3231914988e16aa4941cbce6f086"
},
{
"yara": [],
"sha1": "527282887d407ab946d4b6965ae19a3d21d0840e",
"name": "9411f34666dbf850_cjf.xl",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\cjf.xl",
"type": "ASCII text, with CRLF line terminators",
"sha256": "9411f34666dbf8506b8856af94b187c25eaecb498df7c23571d17621fa20a700",
"urls": [],
"crc32": "172369EC",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/9411f34666dbf850_cjf.xl",
"ssdeep": null,
"size": 511,
"sha512": "d39848fd92ac5237596ad8c4e6a557b9df29abad1eae80d0f766cf054b328626566f0b60dcb8aa340f3b68b2e740cf7a603996777f4c2ffc115059b706058824",
"pids": [
2816
],
"md5": "9f0d04d9e8afbcd819a9d4ce0fd03889"
},
{
"yara": [],
"sha1": "ed3c17be78f5acbab60b8f474d479e9e3e2a5b58",
"name": "bbff3c1c5380998d_pwt.ico",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pwt.ico",
"type": "ASCII text, with CRLF line terminators",
"sha256": "bbff3c1c5380998deaf0ebe75dbd08db3b4ff1625f25294ff290e6e855de4d7c",
"urls": [],
"crc32": "19256389",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/bbff3c1c5380998d_pwt.ico",
"ssdeep": null,
"size": 529,
"sha512": "86b9d572b1724150ad345b4bd694811b6804e56033019c72886830f7e5cfb0f2c4070175a88f1e765e76d3571bb095122f616c255551c6342e10dbc4ce17e68a",
"pids": [
2816
],
"md5": "1afdf6b3957ba8f8b086fe89f58452ce"
},
{
"yara": [],
"sha1": "d1df8e49ea429e7cf2245f37aa23e71430793580",
"name": "4506a2ead56833bd_wcj.icm",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wcj.icm",
"type": "ASCII text, with CRLF line terminators",
"sha256": "4506a2ead56833bd64bf014690e0c2ad2fdf50e0e572b0235f81cae663583746",
"urls": [],
"crc32": "3ECE19EF",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/4506a2ead56833bd_wcj.icm",
"ssdeep": null,
"size": 545,
"sha512": "bd3e44a1d5041332c764c50b21968548f60fce7b999177296edf86902ae92f973bbf69c727fd2b156c6f583052cd80bba0633463e451c6dcac30f856a729c349",
"pids": [
2816
],
"md5": "90b1fe278a11a103f5c32b1290943e70"
},
{
"yara": [],
"sha1": "7a0abc76110aa0c2e9e3539261becd0740d0bcd4",
"name": "881337aed8a4ad4b_oqc.ppt",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\oqc.ppt",
"type": "ASCII text, with CRLF line terminators",
"sha256": "881337aed8a4ad4b8fbe09b3d97ff84bee8a6e46faf8d5863ba2ed5b4f294e79",
"urls": [],
"crc32": "D8A7B5DC",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/881337aed8a4ad4b_oqc.ppt",
"ssdeep": null,
"size": 526,
"sha512": "ac13367b2bbfb1d6d1b5d61c58f0dc23eba59e02d83f94fd20f2f79e16875bf2ac229e335c14df4d23195fcecd7f1a0edcfb4651f8775f371898804f1151af72",
"pids": [
2816
],
"md5": "687fcd35d0dd7f5689511a706d38a677"
},
{
"yara": [],
"sha1": "4617abe32b60b63668216f03d188e41ad3eb8f40",
"name": "71bc95d6cb85c27a_nch.icm",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\nch.icm",
"type": "ASCII text, with CRLF line terminators",
"sha256": "71bc95d6cb85c27a650e0f36f483ce35d7a76df2215d742bd4fe357717a67e33",
"urls": [],
"crc32": "388CB4C9",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/71bc95d6cb85c27a_nch.icm",
"ssdeep": null,
"size": 593,
"sha512": "28980e4555aec417a08d04551dc07495bc2ce2ccf4c5b50f3a03be05684666ef1c7d40c4b6160ea2f390fb227675bd5118acf429b98a88ee899feccb7ed6adcb",
"pids": [
2816
],
"md5": "671bf7816dc857f5f66d764969593284"
},
{
"yara": [],
"sha1": "e543a3f03f237999cb47288b8119d3b4006f91e8",
"name": "067351d635c61fc1_reg.ppt",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\reg.ppt",
"type": "ASCII text, with CRLF line terminators",
"sha256": "067351d635c61fc1dcefba94c1c70bbf5eb134d8629b70bfaed623843b5181f3",
"urls": [],
"crc32": "67FA6242",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/067351d635c61fc1_reg.ppt",
"ssdeep": null,
"size": 513,
"sha512": "18d4d8904f48b157d858d516925c7b5572430dfeede2944a0956366ba694bb6fc201e2082dbf8c06f8136b3144445ff05f433e86d36e9068ccdeaa68aafeabeb",
"pids": [
2816
],
"md5": "e96d2f82d839d72da920716286f7ebaa"
},
{
"yara": [],
"sha1": "a2df78354ae7538c44702b9aa24709881033905e",
"name": "f3c5ce25076544a2_vil.ico",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vil.ico",
"type": "ASCII text, with CRLF line terminators",
"sha256": "f3c5ce25076544a212f6760f53326e692b7f6bd3dec49eb99ff46e1fae573588",
"urls": [],
"crc32": "10E2A116",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/f3c5ce25076544a2_vil.ico",
"ssdeep": null,
"size": 533,
"sha512": "86b416888dbae2a1d4988542a319f11275e0756a95c6751c2da841eb3c59d8ff2e7204af996c0cb2c744fc8c07692052bf8ccedcca00a9713f66d14362be5f13",
"pids": [
2816
],
"md5": "881e6c406f3b8a95994bb0efcfa7c859"
},
{
"yara": [
{
"meta": {
"description": "Possibly employs anti-virtualization techniques",
"author": "nex"
},
"name": "vmdetect",
"offsets": {
"vmware24": [
[
17207,
0
],
[
17367,
0
],
[
17455,
0
]
],
"virtualbox3": [
[
17516,
1
]
]
},
"strings": [
"Vk13YXJl",
"VkJveFRyYXk="
]
}
],
"sha1": "ae92534d320527c5b9835c4f83203bc4f8ac32b8",
"name": "3d10daf7ab8be37c_DTLMC",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\DTLMC",
"type": "ASCII text, with very long lines, with CRLF line terminators",
"sha256": "3d10daf7ab8be37cff62cb4775c7e08078189a65bd9ad6e4d9d2c9c73feaeb55",
"urls": [],
"crc32": "2ADC0412",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/3d10daf7ab8be37c_DTLMC",
"ssdeep": null,
"size": 89112,
"sha512": "aceaf78c694af0113e669afccb1d5e52e940e5ba35ac9a789ded70ab19ed9989e50f01d7182060e0215edc4f0def15c970ccc94b582fb21895bcb71d499ea9be",
"pids": [
3016,
2256
],
"md5": "a82c4cb3b18197b135dc5a89ae8e7342"
},
{
"yara": [],
"sha1": "2d7c91b40e99c10c3c38a1f99ef5d1fea73a13da",
"name": "466d45829e02acbd_cft.jpg",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\cft.jpg",
"type": "ASCII text, with CRLF line terminators",
"sha256": "466d45829e02acbd663ef27633f36c1d5148518eb8d80b3191d8e6a89c1baa8b",
"urls": [],
"crc32": "4E03E45F",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/466d45829e02acbd_cft.jpg",
"ssdeep": null,
"size": 516,
"sha512": "3179b1c0616a4a9b62dcc0465bd4362cf7d1ac2fe45183504a4f049b1ec0032e9dd99e16edc135d90b3bf059f4dcfd8fa1e28811ced5b728ca07b22eaf4e1d9b",
"pids": [
2816
],
"md5": "398450f1935d2ec015183204a6290b36"
},
{
"yara": [],
"sha1": "5823f23cbadb9cfbb06c1ecbb5968586604f8098",
"name": "0e04a40e1ebe4edf_pmt.mp3",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pmt.mp3",
"type": "ASCII text, with CRLF line terminators",
"sha256": "0e04a40e1ebe4edfd7aa7cbeadf9c4125c1772283aa73898162a55896fc25b4a",
"urls": [],
"crc32": "42CAEAC4",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/0e04a40e1ebe4edf_pmt.mp3",
"ssdeep": null,
"size": 556,
"sha512": "bff850bebffe28d4ac0bc6f09ee79ed53d4849e246bf33f7b9ddf0ecacbbd253a1ed6148e612a952916b55ae195621bd7bcf958cae3e20fd2014d25ca7304dc6",
"pids": [
2816
],
"md5": "b32452dc1d54123f58d7665455a88e90"
},
{
"yara": [],
"sha1": "141deef5186f41393321935fed0fd173b20abd46",
"name": "c9c04f9437682c69_xnp.txt",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\xnp.txt",
"type": ", greymap, ASCII text, with CRLF line terminators",
"sha256": "c9c04f9437682c69203aab2d55b9893e1f90a0da241e4be2ac272b2cb61cbae3",
"urls": [],
"crc32": "DE94515E",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/c9c04f9437682c69_xnp.txt",
"ssdeep": null,
"size": 533,
"sha512": "02bd9c0b5dabc1c816abaa71037d8db08a046c01827fc6b9903236b2f9a6a825b49a39d57134945edd45a1802951ffd9ef600c889277708b53285283944a5ce3",
"pids": [
2816
],
"md5": "8d58c7238cd3737078087df46dc338f3"
},
{
"yara": [],
"sha1": "e340ccf06563226b84f9f48f79ecf1d2d2a1f17a",
"name": "9a369b5605982cf2_pkn.docx",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pkn.docx",
"type": "ASCII text, with CRLF line terminators",
"sha256": "9a369b5605982cf2df99f0d8354ac197c4df7b9c627c379db67e0d7f76bd736e",
"urls": [],
"crc32": "D12DD066",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/9a369b5605982cf2_pkn.docx",
"ssdeep": null,
"size": 605,
"sha512": "f3dfa41e0461e642077943f9f5ecae688706435037761ac315cf2fe2f08e4b11934134f23f1244053935161fbfc4f90c7cea1ee1c1af47ff60d73b1babca3b1d",
"pids": [
2816
],
"md5": "139b6a240fd626c037a3c1060840fe1e"
},
{
"yara": [],
"sha1": "266811d3cefb5aa7daf261bbfd1f2ff23d935270",
"name": "01b519e6c6c1eb9e_bqw.txt",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\bqw.txt",
"type": "ASCII text, with CRLF line terminators",
"sha256": "01b519e6c6c1eb9e2d1f9c423a62c9c3e5e2edceaf4072221b6f7839f6f2b03b",
"urls": [],
"crc32": "1FC690D3",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/01b519e6c6c1eb9e_bqw.txt",
"ssdeep": null,
"size": 82,
"sha512": "ac9a73ac24a6514076647bf58f1b739dcb494857a2519d279334c31b4f0d381bafefb061004ab5bcf61995eaab61271fb853fce27d1e65b228667e68848035b1",
"pids": [
2816
],
"md5": "f31946c4fd318daf5c0e8fe0c485fe89"
},
{
"yara": [],
"sha1": "28acc085e6c4a2bd89230a0c8d711e1e5c33cf64",
"name": "947cf91387503833_dna.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dna.dat",
"type": "ASCII text, with CRLF line terminators",
"sha256": "947cf9138750383359f17bb112b1ff580823c90f2fa32d33b6f00aaf94d3b51f",
"urls": [],
"crc32": "433574BE",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/947cf91387503833_dna.dat",
"ssdeep": null,
"size": 577,
"sha512": "34473c9c11c8064773c4bb935bb1790064a470fd968ec16908ec3ab05ad7b36683ba14ebd94d97f8bd761f43258d54b70e0aaaf49d500ce4125dba59ae60dc5f",
"pids": [
2816
],
"md5": "1b43d7bf9eef407f4994a81911997626"
},
{
"yara": [],
"sha1": "a4ce77429d9c489ba31a7d60f14791d8a293c1e5",
"name": "016f7b61a7668ed8_kbr.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kbr.dat",
"type": "ASCII text, with very long lines, with CRLF line terminators",
"sha256": "016f7b61a7668ed8dc942d951f6b73d8b568ee893c556e67757a0b4bc6110764",
"urls": [],
"crc32": "08670739",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/016f7b61a7668ed8_kbr.dat",
"ssdeep": null,
"size": 578049,
"sha512": "02703cbc454f47dbbd3ca403831d42d91f0e16a2657f9cdf58545c7dee1181f34513fc9a91a0d3c91c00b4243c534ce7b7296711bf658810711656e312cdf8d3",
"pids": [
2816
],
"md5": "efe04fed43ef0cf1bfb98d146a3a579a"
},
{
"yara": [],
"sha1": "209db3e24f45251ce6e0941f0e41cab022bd2229",
"name": "ba547044be89c2e1_rjp.bmp",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rjp.bmp",
"type": "ASCII text, with CRLF line terminators",
"sha256": "ba547044be89c2e1c94f34a54da74e06509a6d4bb902884c8ff1e51fb309c4b9",
"urls": [],
"crc32": "2CBCD2C3",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/ba547044be89c2e1_rjp.bmp",
"ssdeep": null,
"size": 504,
"sha512": "9893807d1a69ce4b82089c578486c4739ab97ef9bcc0f543b888cfd4661fd37b18934b3d2dfd14688d7c1b86055d12da655606ed23d1421c945a19a81061f76a",
"pids": [
2816
],
"md5": "07be87744dc780faa4abc0a35b9f2544"
},
{
"yara": [],
"sha1": "5df1d334c12cb6accfd40d0c43f84395785e95eb",
"name": "bc1cb08ff2106a50_kas.mp4",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kas.mp4",
"type": "ASCII text, with CRLF line terminators",
"sha256": "bc1cb08ff2106a50fe1b749934704dcba038df41befe077dd6513349cfc974bf",
"urls": [],
"crc32": "04796CBB",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/bc1cb08ff2106a50_kas.mp4",
"ssdeep": null,
"size": 538,
"sha512": "dbc736e640543f1c2f86c17e4e326d4a01d8263b6687be53e72bf7d4c6fefdfaa8baa513ec1df08cb301893fdd6cad8ad52863a96edd2178f09adf13114ff53a",
"pids": [
2816
],
"md5": "3a1631239624d09f6fe3c431f62bcf7d"
},
{
"yara": [],
"sha1": "4c055dc0c49bdc6284db01c4e0291fe4418dfc49",
"name": "a4f29845878c2abe_nqk.jpg",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\nqk.jpg",
"type": "ASCII text, with CRLF line terminators",
"sha256": "a4f29845878c2abe5dded14fcc9eaab5d7eb26ba123b14ead9bfe45b93231b44",
"urls": [],
"crc32": "EFEACD0A",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/a4f29845878c2abe_nqk.jpg",
"ssdeep": null,
"size": 625,
"sha512": "0a8f82979a618531d84bd7f3a56c2fc1b06ec32bdc0cb7bea94956535b12145bb169de803b71f7e7a71ce8146cd5d5fc4067eb468c4f1413568887910a543767",
"pids": [
2816
],
"md5": "ce0b868d4b7866bc1eedf1acad70457e"
},
{
"yara": [],
"sha1": "c6109bc325dc3e68e3602583eb85e25e88996041",
"name": "31266ec9468e863c_wok.jpg",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wok.jpg",
"type": "ASCII text, with CRLF line terminators",
"sha256": "31266ec9468e863c8dbf0599d730c7d3c16b25910819abe560b19ad0ccf2dc77",
"urls": [],
"crc32": "40B8BCBD",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/31266ec9468e863c_wok.jpg",
"ssdeep": null,
"size": 516,
"sha512": "a50288b37a529ba69a19deca043f3df4272fd59cae1ee081b18d5aaab423865994871b3aecc653d6272ba7b254c456fcae515aa5c75814ff876852d50cd5b6c6",
"pids": [
2816
],
"md5": "1ca7daa16b788675d53cb262ce31b200"
},
{
"yara": [],
"sha1": "a2f83c4f4e187a49bc5051a4c265c250d96857f2",
"name": "f82d50f72bf58194_ufc.docx",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\ufc.docx",
"type": "ASCII text, with CRLF line terminators",
"sha256": "f82d50f72bf581947ac8b634a67c9cd03eecf39dc328d2e566e2688c1d460ebe",
"urls": [],
"crc32": "961D7721",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/f82d50f72bf58194_ufc.docx",
"ssdeep": null,
"size": 519,
"sha512": "b8eeab4cb95bd88ba58cdaf9abda34a2beedde47b40fd3f7738a400c3bfa0101999ff28da19b1850dcb110d4e908b774eaaac64b51c71f29c101a15c67351de5",
"pids": [
2816
],
"md5": "6adbc654d98400974fc12517f0ac6f8f"
},
{
"yara": [],
"sha1": "ffa42336a316e79f60aa79e137dc6b806e99625b",
"name": "d60999888839c998_rjh.jpg",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rjh.jpg",
"type": "ASCII text, with CRLF line terminators",
"sha256": "d60999888839c9981fbe8fb63bae7f3bfd80630a490ff8df119cc40dcfb62114",
"urls": [],
"crc32": "2DC7121D",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/d60999888839c998_rjh.jpg",
"ssdeep": null,
"size": 537,
"sha512": "fca88be1ff1c701180892f9ab69da1646e864ea6f50ff06fe8e21ea22c6b9001498f8264b12bc6556950f1fbcc34b66591b491ee982ca8de550152427cf7485c",
"pids": [
2816
],
"md5": "e5e13785ced212e8512d9597fc8ea060"
},
{
"yara": [],
"sha1": "147a8656345e1214bd3c5bc737aa051c85b04cb5",
"name": "c4610b9b28f4a6d8_dra.docx",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dra.docx",
"type": "ASCII text, with CRLF line terminators",
"sha256": "c4610b9b28f4a6d82bee8fdc010164ac99125856a2879ecc07c51a419da8af24",
"urls": [],
"crc32": "EAE8AA3E",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/c4610b9b28f4a6d8_dra.docx",
"ssdeep": null,
"size": 651,
"sha512": "38bbe5e02ea737c8b7adfafb52b177a3609e54500aa8c3f9fe761bb897db21909b48f7a3b84a230fe507e8ea113e59652ff1b17a80d2c8a8907151992c7d6f90",
"pids": [
2816
],
"md5": "d0a07c0ef9d4490bc24b7ff6efbf10bc"
},
{
"yara": [],
"sha1": "45f8bfead9f334e91649b77727dc126af7de6873",
"name": "82982e666df7f823_hqn.mp4",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hqn.mp4",
"type": "ASCII text, with CRLF line terminators",
"sha256": "82982e666df7f823a8e86418069590e8a4f69f36b2f1a31b8a7a1f6f97b6a895",
"urls": [],
"crc32": "EF71645E",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/82982e666df7f823_hqn.mp4",
"ssdeep": null,
"size": 512,
"sha512": "5669bafe6ac64401f90fd404b9ef709cc49c2ca5469a7faeb95c89eccc2ed92c4634e31080af128e73049648c0ce55e427485b4b57f3b13ee1ff0f270801d0ba",
"pids": [
2816
],
"md5": "58bdbac0fad218bf28a68b0b6b082431"
},
{
"yara": [],
"sha1": "983f7abf3764835b073f36ccd083d1db3c24f06b",
"name": "7a9b5f33490e4224_hlh.xl",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hlh.xl",
"type": "ASCII text, with CRLF line terminators",
"sha256": "7a9b5f33490e4224d12533a9ef9970bde57459f4a9f4b3f6de94d0fd0582b13e",
"urls": [],
"crc32": "8BEB64A1",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/7a9b5f33490e4224_hlh.xl",
"ssdeep": null,
"size": 529,
"sha512": "7a944116f3c2171c4f75d84487904d756aeebbd7ab13780609d4d518a95be4e3106458a2dd487d2a04a9d3b1bfa2477eaa4724ff7e0d2e0c43c35f62609beb50",
"pids": [
2816
],
"md5": "0c5f49577b5d1b74b7affdb7705de635"
},
{
"yara": [],
"sha1": "179a6a7ea4c14885fc080a597cd1e2649e3604d2",
"name": "3e7729ea4d49fa4d_jga.txt",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\jga.txt",
"type": "ASCII text, with CRLF line terminators",
"sha256": "3e7729ea4d49fa4dcc54c324d48bbf743db2de2416842ba21ae7cf7b2fd7288c",
"urls": [],
"crc32": "EE40412B",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/3e7729ea4d49fa4d_jga.txt",
"ssdeep": null,
"size": 555,
"sha512": "3d28665f19b4abcd61f8986c4ea37999528c0ad75d75291ed32b71a980bb62cad4977ef8043a7a5590b7b3a7c94846f41c7aa05652fdbcfbd141031131037041",
"pids": [
2816
],
"md5": "a09521acb2e2d36a4ec5c12e0d9e9ae5"
},
{
"yara": [],
"sha1": "008d56569f25b7e86c98aa0956064727e5feeb3c",
"name": "3f8315e40c7005a0_irl.icm",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\irl.icm",
"type": "ASCII text, with CRLF line terminators",
"sha256": "3f8315e40c7005a03b3078a30f19fa798854e2c1df0bdd40de494f52c750e679",
"urls": [],
"crc32": "CE49C1E1",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/3f8315e40c7005a0_irl.icm",
"ssdeep": null,
"size": 585,
"sha512": "9bdfd2be334d9cbb875b94b0a449fd32773658bd74feefcf4c8dd8f49f0c533bce23345ed0ada44be599d94427afe131fb2a939b878df3368370d7e4ab424da0",
"pids": [
2816
],
"md5": "2b5cca41d747fe2d3b398d93f4959ed9"
},
{
"yara": [],
"sha1": "cfeafa59293b7c1f5f9e2a7898599780c94c47d3",
"name": "bdfc3dbb1d7412e9_puk.mp3",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\puk.mp3",
"type": "ASCII text, with CRLF line terminators",
"sha256": "bdfc3dbb1d7412e9c1e357e5a8a52f05a747013323ca8ef39b5f6f7b7268c45b",
"urls": [],
"crc32": "F7F84F98",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/bdfc3dbb1d7412e9_puk.mp3",
"ssdeep": null,
"size": 624,
"sha512": "274165c51e9552beb036696540f1f41661b8f63b285c2ef57f54cfa3bd217c8cedd551d75a0cf84a444b8207d607f597369c9922cbf346dded0200e707bc643f",
"pids": [
2816
],
"md5": "d38c4443fba49377ab0b2aab23fcf15d"
},
{
"yara": [],
"sha1": "cc10dc3bd387068c78ea19591092956793d5ba93",
"name": "2c6178f3d1f5fcb4_rnu.icm",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rnu.icm",
"type": "ASCII text, with CRLF line terminators",
"sha256": "2c6178f3d1f5fcb4335f40af9c9b34df0c9d95898beb461716c3296ad7d0e877",
"urls": [],
"crc32": "FD2BA865",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/2c6178f3d1f5fcb4_rnu.icm",
"ssdeep": null,
"size": 557,
"sha512": "546e6eb0ddabec9543cf277e02bee6c70388370d84869deb3050b029900d8ee26010b9ed326a6a3e50456de16e641d9ebfe65cf7d43237dd96e2874bd2486fcd",
"pids": [
2816
],
"md5": "ff2d15737fb48ce112c7d22644589379"
},
{
"yara": [],
"sha1": "0b56fac9649ce40e84f0d96e63181067dd629dc4",
"name": "505d29ee6f785505_adq.pdf",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\adq.pdf",
"type": "ASCII text, with CRLF line terminators",
"sha256": "505d29ee6f7855053a64ba11d0849de6574b7eb19fdd0ad0cff7807c4a03919f",
"urls": [],
"crc32": "5B15DFAF",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/505d29ee6f785505_adq.pdf",
"ssdeep": null,
"size": 622,
"sha512": "8f75600e19dbcbf2ca4c236c5b7ce52c305c3681f7cd8dbd369434242ffd2a86acebea7bdbb212db61cbff290fdd49c8494a247f490b09ea0d009b9e6e954474",
"pids": [
2816
],
"md5": "3e7cba1f558e07444a8844746d066fb5"
},
{
"yara": [],
"sha1": "24ffb286ec873946b39b117e2555fb4898bfacf6",
"name": "949584b91abb2471_kvd.dat",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kvd.dat",
"type": "ASCII text, with CRLF line terminators",
"sha256": "949584b91abb2471165af5603def1a202b88bbfffdb0f81b7c9331e54826e47b",
"urls": [],
"crc32": "147BB4E6",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/949584b91abb2471_kvd.dat",
"ssdeep": null,
"size": 515,
"sha512": "fd566cf5a7f5201374f6a262c9c33b254305bd6522463148ad2ed26da138fffe40ce7621db7b37769771509935d7bc7917b837cfe687c35ed055de9ca8bc889c",
"pids": [
2816
],
"md5": "ad99d417944853dcac86e83456fed1ae"
},
{
"yara": [],
"sha1": "8fad1a7a9353a8bf5d48569db677a8366daddf46",
"name": "1764f723de368ec6_flf.icm",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\flf.icm",
"type": "ASCII text, with CRLF line terminators",
"sha256": "1764f723de368ec6c4f736975723ff8aca6c6335333893064924413c06cd91bc",
"urls": [],
"crc32": "5626DFE5",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/1764f723de368ec6_flf.icm",
"ssdeep": null,
"size": 502,
"sha512": "cb069acbe2b156d5d7e512163d29982ecc6faa9c9b562ad982cf261813d109bae44a412e2bcc0972f36e08cd8f9e5de85e0c64db10039e44a3d85635246a597e",
"pids": [
2816
],
"md5": "08c80bab7f8f17e9bf27c05bbf47bee8"
},
{
"yara": [],
"sha1": "d61a80868633bc6925b76f0972194d7a5bfb9f77",
"name": "f5ff495a7c93b69e_pjj.mp3",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pjj.mp3",
"type": "ASCII text, with CRLF line terminators",
"sha256": "f5ff495a7c93b69ecdd5dbf04c4dc15c590bc0a1e970743083e30b5cc1751f15",
"urls": [],
"crc32": "6CB5402D",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/f5ff495a7c93b69e_pjj.mp3",
"ssdeep": null,
"size": 557,
"sha512": "d9d6b1f3549c9b650b76694aa174be2851ff0e5c33736fdbc419b85c727b7dd57ee0060d8b383f53f7213bf2260147c10bed20f6ddae8c7aaf66bb9026fa99bd",
"pids": [
2816
],
"md5": "a5807b3c61e632ce0b1eeaff0da6b539"
},
{
"yara": [],
"sha1": "4d800fcbcc36104400e8f397e30c94741cad9d4c",
"name": "64fdca5b1288d87a_wnm.xl",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wnm.xl",
"type": "ASCII text, with CRLF line terminators",
"sha256": "64fdca5b1288d87a6545f76e909b6829f05072e37b9d19df8d70366e546afdfc",
"urls": [],
"crc32": "05F4D8FF",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/64fdca5b1288d87a_wnm.xl",
"ssdeep": null,
"size": 568,
"sha512": "6da84c117fe4de62af1a744c58a6329ac6a59068427a51189facd6c10759c4acb880b20231ec31d72ff0067c6dfda1b43cf42cd467d21b1ece8080afac1d7447",
"pids": [
2816
],
"md5": "ecbe68ce795567bcdfdefa26232d5cb6"
},
{
"yara": [],
"sha1": "2f8ed26eb714b4efbe5d7a3167e33ade82c51fd8",
"name": "97bd627ebfc4d40b_regsvcs.exe",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\RegSvcs.exe",
"type": "PE32 executable (console) Intel 80386 Mono\/.Net assembly, for MS Windows",
"sha256": "97bd627ebfc4d40b21ebaaed916a1ba53859520edc99537b37d042a0d5425a5a",
"urls": [],
"crc32": "C92CDC1B",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/97bd627ebfc4d40b_regsvcs.exe",
"ssdeep": null,
"size": 32768,
"sha512": "47bdc8cce5cd308053d9429a512924448e65023d154b798668d1ee8f628c1b548651e968e7c03db4a6770705f382b9e96db246c39f838000924985b53ccaa3db",
"pids": [
2256
],
"md5": "d79f070423fdd3f01ce8c2ba3fbbc8ed"
},
{
"yara": [],
"sha1": "7d1bd9fa59cb8a2139f4cd62b8f07223bc0c69d1",
"name": "c55c80e5950699d3_uxa.docx",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uxa.docx",
"type": "ASCII text, with CRLF line terminators",
"sha256": "c55c80e5950699d3938ce5845ebcbef78e96703ac585f2762383ca746fb0c01d",
"urls": [],
"crc32": "B0384270",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/9429\/files\/c55c80e5950699d3_uxa.docx",
"ssdeep": null,
"size": 523,
"sha512": "c8e1a94de5a2f14ff1440e15a1e23a07886200fe4ea834c62015cf88424a45d20a197fae887066a883e9fe0914fd2536a9d21584cdf2c70e9c1f55369b754bbe",
"pids": [
2816
],
"md5": "792151701c21c63a7718cf317434b57c"
}
][
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\naf.exe",
"process_name": "naf.exe",
"pid": 2256,
"summary": {
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate"
],
"dll_loaded": [
"kernel32",
"ntdll",
"Advapi32.dll",
"kernel32.dll",
"UxTheme.dll",
"dwmapi.dll",
"comctl32",
"comctl32.dll",
"CRYPTSP.dll",
"user32.dll",
"IMM32.dll"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\DTLMC",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RegSvcs.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kbr.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042"
],
"file_copied": [
[
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RegSvcs.exe"
]
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Control Panel\\Mouse",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\naf.exe",
"HKEY_CURRENT_USER\\Software\\AutoIt v3\\AutoIt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RegSvcs.exe"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\DTLMC"
],
"file_exists": [
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\spd",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\DTLMC",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RegSvcs.exe",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042"
],
"file_failed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\cxi"
],
"command_line": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RegSvcs.exe"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kbr.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RegSvcs.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\DTLMC"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_CURRENT_USER\\Control Panel\\Mouse\\SwapMouseButtons",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"directory_enumerated": [
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\spd",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\DTLMC",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\RegSvcs.exe",
"C:\\Users\\cuck",
"C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\RegSvcs.exe",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042",
"C:\\Users\\cuck\\AppData\\Local"
]
},
"first_seen": 1599652408.202751,
"ppid": 3016
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\naf.exe",
"process_name": "naf.exe",
"pid": 3016,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\DTLMC"
],
"dll_loaded": [
"kernel32.dll",
"UxTheme.dll",
"dwmapi.dll",
"comctl32",
"comctl32.dll",
"user32.dll",
"IMM32.dll"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uhr=mex",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\tgm.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kbr.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\bqw.txt"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Control Panel\\Mouse",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\naf.exe",
"HKEY_CURRENT_USER\\Software\\AutoIt v3\\AutoIt"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\DTLMC"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\Include\\tgm.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uhr=mex",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\Include\\bqw.txt"
],
"command_line": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\naf.exe C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\DTLMC"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\tgm.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uhr=mex",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\bqw.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kbr.dat"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_CURRENT_USER\\Control Panel\\Mouse\\SwapMouseButtons",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uhr=mex",
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\Include\\tgm.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\Include\\bqw.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042",
"C:\\Users\\cuck\\AppData\\Local"
]
},
"first_seen": 1599652392.421875,
"ppid": 2816
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1599652391.328125,
"ppid": 376
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\RegSvcs.exe",
"process_name": "RegSvcs.exe",
"pid": 2792,
"summary": {
"file_opened": [
"C:\\Windows\\SysWOW64\\ntdll.dll"
],
"file_read": [
"C:\\Windows\\SysWOW64\\ntdll.dll"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
]
},
"first_seen": 1599652410.796499,
"ppid": 2256
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\e89d5d56ae0b6acdabf4b7f294b53eb68fb1be281c40b75f53c42bd847cba318.bin",
"process_name": "e89d5d56ae0b6acdabf4b7f294b53eb68fb1be281c40b75f53c42bd847cba318.bin",
"pid": 2816,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kvd.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\__tmp_rar_sfx_access_check_16896953",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pjj.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\obq.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dnb.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\xvf.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rnu.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\jga.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\lus.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hfc.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\bck.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kbr.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\naf.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\bqw.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hlh.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hqn.mp4",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rjp.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\puk.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rjh.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rrc.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pmt.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vil.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\qxu.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\ivi.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wbi.mp4",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\cft.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vtn.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pwt.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dra.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wok.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\tgm.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wcj.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\oox.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\adq.pdf",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wnm.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\mnr.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\xnp.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\flf.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\umq.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uxa.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\tnw.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\oqc.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\msc.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\ufc.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uhr=mex",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\inw.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vgd.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kas.mp4",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\nqk.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\cjf.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\reg.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pkn.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\nch.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\jqo.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dna.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\irl.icm"
],
"directory_created": [
"C:\\Users\\cuck\\AppData",
"C:\\Users\\cuck\\AppData\\Local\\Temp",
"C:\\Users\\cuck",
"C:\\Users",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042",
"C:\\Users\\cuck\\AppData\\Local"
],
"dll_loaded": [
"SETUPAPI.dll",
"C:\\Windows\\system32\\shell32.dll",
"C:\\Windows\\syswow64\\MSCTF.dll",
"riched32.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"riched20.dll",
"kernel32.dll",
"UxTheme.dll",
"OLEAUT32.DLL",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"comctl32",
"ole32.dll",
"IMM32.dll",
"comctl32.dll"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042",
"C:\\Windows\\win.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\e89d5d56ae0b6acdabf4b7f294b53eb68fb1be281c40b75f53c42bd847cba318.bin",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\e89d5d56ae0b6acdabf4b7f294b53eb68fb1be281c40b75f53c42bd847cba318.bin",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Policies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Control Panel\\Desktop",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\Software",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_CLASSES_ROOT\\CLSID\\{00BB2763-6A77-11D0-A535-00C04FD7D062}\\InProcServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Policies",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CLASSES_ROOT\\CLSID\\{03C036F1-A186-11D0-824A-00AA005B4383}\\InProcServer32",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete\\Client\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete"
],
"command_line": [
"\"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\naf.exe\" uhr=mex ",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\naf.exe uhr=mex "
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kvd.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wbi.mp4",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pjj.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\obq.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dnb.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\xvf.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rnu.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\jga.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\lus.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hfc.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\bck.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kbr.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\naf.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\bqw.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hlh.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hqn.mp4",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rjp.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\puk.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rjh.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rrc.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pmt.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vil.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\qxu.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\ivi.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\cft.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vtn.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pwt.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dra.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wok.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\tgm.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wcj.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\oox.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\adq.pdf",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wnm.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\mnr.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\xnp.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\flf.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\umq.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uxa.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\tnw.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\oqc.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\msc.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\ufc.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uhr=mex",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\inw.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vgd.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kas.mp4",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\nqk.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\cjf.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\reg.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pkn.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\nch.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\jqo.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dna.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\irl.icm"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\__tmp_rar_sfx_access_check_16896953"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kvd.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wbi.mp4",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pjj.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\obq.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dnb.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\xvf.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rnu.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\jga.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\lus.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hfc.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\bck.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kbr.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\naf.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\bqw.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hlh.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hqn.mp4",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rjp.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\puk.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rjh.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rrc.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pmt.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vil.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\qxu.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\ivi.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\cft.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vtn.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pwt.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dra.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wok.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\tgm.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wcj.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\oox.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\adq.pdf",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wnm.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\mnr.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\xnp.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\flf.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\umq.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uxa.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\tnw.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\oqc.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\msc.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\ufc.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uhr=mex",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\inw.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vgd.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kas.mp4",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\nqk.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\cjf.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\reg.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pkn.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\nch.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\jqo.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dna.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\irl.icm"
],
"guid": [
"{eac04bc0-3791-11d2-bb95-0060977b464c}",
"{5e078e03-8265-4bbe-9487-d242edbef910}",
"{00bb2763-6a77-11d0-a535-00c04fd7d062}",
"{00000000-0000-0000-c000-000000000046}",
"{807c1e6c-1d00-453f-b920-b61bb7cdd997}",
"{03c036f1-a186-11d0-824a-00aa005b4383}",
"{00bb2765-6a77-11d0-a535-00c04fd7d062}"
],
"file_read": [
"C:\\Windows\\win.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\e89d5d56ae0b6acdabf4b7f294b53eb68fb1be281c40b75f53c42bd847cba318.bin"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\Always Use Tab",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewAlphaSelect",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{00BB2763-6A77-11D0-A535-00C04FD7D062}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\Segoe UI",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInset",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollInterval",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\ScrollDelay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{03C036F1-A186-11D0-824A-00AA005B4383}\\InProcServer32\\(Default)",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragMinDist",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\AutoSuggest",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_CURRENT_USER\\Control Panel\\Desktop\\SmoothScroll",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ListviewShadow",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AccListViewV6",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\AutoComplete\\Client\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\UseDoubleClickTimer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\EnableBalloonTips",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\DragDelay",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kvd.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wbi.mp4",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pjj.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\obq.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dnb.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\xvf.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rnu.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\jga.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\lus.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\e89d5d56ae0b6acdabf4b7f294b53eb68fb1be281c40b75f53c42bd847cba318.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hfc.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\bck.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kbr.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\naf.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\bqw.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hlh.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\hqn.mp4",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rjp.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\puk.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rjh.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\rrc.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pmt.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vil.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\qxu.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\ivi.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\cft.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vtn.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pwt.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dra.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wok.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\tgm.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wcj.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\oox.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\adq.pdf",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\wnm.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\mnr.bmp",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\xnp.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\flf.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\umq.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uxa.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\tnw.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\oqc.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\msc.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\ufc.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uhr=mex",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\inw.mp3",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\vgd.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\kas.mp4",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\nqk.jpg",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\cjf.xl",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\reg.ppt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pkn.docx",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\nch.icm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\jqo.ico",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dna.dat",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\irl.icm"
]
},
"first_seen": 1599652391.75,
"ppid": 2016
}
]
[
{
"markcount": 2,
"families": [],
"description": "Checks if process is being debugged by a debugger",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 5,
"nt_status": -1073741772,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1599652392.499875,
"tid": 964,
"flags": {}
},
"pid": 3016,
"type": "call",
"cid": 45
},
{
"call": {
"category": "system",
"status": 0,
"stacktrace": [],
"last_error": 5,
"nt_status": -1073741772,
"api": "IsDebuggerPresent",
"return_value": 0,
"arguments": {},
"time": 1599652408.265751,
"tid": 2056,
"flags": {}
},
"pid": 2256,
"type": "call",
"cid": 45
}
],
"references": [],
"name": "checks_debugger"
},
{
"markcount": 1,
"families": [],
"description": "This executable has a PDB path",
"severity": 1,
"marks": [
{
"category": "pdb_path",
"ioc": "d:\\Projects\\WinRAR\\SFX\\build\\sfxrar32\\Release\\sfxrar.pdb",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "has_pdb"
},
{
"markcount": 0,
"families": [],
"description": "One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.",
"severity": 2,
"marks": [],
"references": [],
"name": "dumped_buffer"
},
{
"markcount": 15,
"families": [],
"description": "Allocates read-write-execute memory (usually to unpack itself)",
"severity": 2,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x74d41000"
},
"time": 1599652391.844,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2816,
"type": "call",
"cid": 9
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x74d21000"
},
"time": 1599652391.86,
"tid": 2420,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2816,
"type": "call",
"cid": 104
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x773d1000"
},
"time": 1599652392.297,
"tid": 1676,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2816,
"type": "call",
"cid": 3523
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x759c1000"
},
"time": 1599652392.297,
"tid": 1676,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2816,
"type": "call",
"cid": 3525
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2816,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x765e1000"
},
"time": 1599652392.297,
"tid": 1676,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2816,
"type": "call",
"cid": 3527
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 3016,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x750a1000"
},
"time": 1599652408.062875,
"tid": 964,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 3016,
"type": "call",
"cid": 127792
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2256,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x74cb1000"
},
"time": 1599652408.296751,
"tid": 2056,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2256,
"type": "call",
"cid": 286
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtProtectVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2256,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"length": 4096,
"protection": 64,
"process_handle": "0xffffffff",
"base_address": "0x750a1000"
},
"time": 1599652410.609751,
"tid": 2056,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE"
}
},
"pid": 2256,
"type": "call",
"cid": 835
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2256,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00320000"
},
"time": 1599652410.655751,
"tid": 2056,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2256,
"type": "call",
"cid": 916
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2256,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00350000"
},
"time": 1599652410.655751,
"tid": 2056,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2256,
"type": "call",
"cid": 918
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2256,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00360000"
},
"time": 1599652410.655751,
"tid": 2056,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2256,
"type": "call",
"cid": 920
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2256,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00550000"
},
"time": 1599652410.655751,
"tid": 2056,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2256,
"type": "call",
"cid": 922
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2256,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x00560000"
},
"time": 1599652410.655751,
"tid": 2056,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2256,
"type": "call",
"cid": 924
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2256,
"region_size": 4096,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 4096,
"base_address": "0x009f0000"
},
"time": 1599652410.655751,
"tid": 2056,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT"
}
},
"pid": 2256,
"type": "call",
"cid": 926
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2792,
"region_size": 3158016,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0xffffffff",
"allocation_type": 12288,
"base_address": "0x021f0000"
},
"time": 1599652410.921499,
"tid": 1496,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2792,
"type": "call",
"cid": 7
}
],
"references": [],
"name": "allocates_rwx"
},
{
"markcount": 10,
"families": [],
"description": "Creates (office) documents on the filesystem",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\ufc.docx",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\uxa.docx",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\msc.docx",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\adq.pdf",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\ivi.ppt",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\reg.ppt",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\pkn.docx",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\tnw.ppt",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\dra.docx",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\oqc.ppt",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "creates_doc"
},
{
"markcount": 2,
"families": [],
"description": "Drops a binary and executes it",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\naf.exe",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\RegSvcs.exe",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "dropper"
},
{
"markcount": 2,
"families": [],
"description": "Drops an executable to the user AppData folder",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\naf.exe",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\RegSvcs.exe",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "exe_appdata"
},
{
"markcount": 1,
"families": [],
"description": "One or more of the buffers contains an embedded PE file",
"severity": 3,
"marks": [
{
"category": "buffer",
"ioc": "Buffer with sha1: 12f8d907f0e0454cf1269cf183c9dd764dd48e79",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "dumped_buffer2"
},
{
"markcount": 1,
"families": [],
"description": "Allocates execute permission to another process indicative of possible code injection",
"severity": 3,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2792,
"region_size": 172032,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000124",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1599652410.671751,
"tid": 2056,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2256,
"type": "call",
"cid": 934
}
],
"references": [],
"name": "allocates_execute_remote_process"
},
{
"markcount": 1,
"families": [],
"description": "Installs itself for autorun at Windows startup",
"severity": 3,
"marks": [
{
"type": "generic",
"reg_key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\WindowsUpdate",
"reg_value": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\naf.exe C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\UHR_ME~1"
}
],
"references": [],
"name": "persistence_autorun"
},
{
"markcount": 2,
"families": [],
"description": "Potential code injection by writing to the memory of another process",
"severity": 3,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2792,
"buffer": "MZER\u00e8\u0000\u0000\u0000\u0000X\u0083\u00e8\t\u008b\u00c8\u0083\u00c0<\u008b\u0000\u0003\u00c1\u0083\u00c0(\u0003\b\u00ff\u00e1\u0090\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c0\u0000\u0000\u0000\u000e\u001f\u00ba\u000e\u0000\u00b4\t\u00cd!\u00b8\u0001L\u00cd!This program cannot be run in DOS mode.\r\r\n$\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00df\u00aaC\u00c2\u009b\u00cb-\u0091\u009b\u00cb-\u0091\u009b\u00cb-\u0091\u0080V\u0086\u0091\u00d9\u00cb-\u0091\u0080V\u00b3\u0091\u0098\u00cb-\u0091\u0080V\u00b0\u0091\u009a\u00cb-\u0091Rich\u009b\u00cb-\u0091\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000PE\u0000\u0000L\u0001\u0001\u0000\u00f6R\u0093P\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e0\u0000\u0002\u0001\u000b\u0001\n\u0000\u0000\u008c\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c0\u00b5\u0001\u0000\u0000\u0010\u0000\u0000\u0000\u00a0\u0002\u0000\u0000\u0000@\u0000\u0000\u0010\u0000\u0000\u0000\u0002\u0000\u0000\u0005\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0005\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00a0\u0002\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000@\u0081\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\
u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000.text\u0000\u0000\u0000\u00ec\u008a\u0002\u0000\u0000\u0010\u0000\u0000\u0000\u008c\u0002\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000`\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x00000124",
"base_address": "0x00400000"
},
"time": 1599652410.671751,
"tid": 2056,
"flags": {}
},
"pid": 2256,
"type": "call",
"cid": 936
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2792,
"buffer": "\u0000\u0000@\u0000",
"process_handle": "0x00000124",
"base_address": "0x7efde008"
},
"time": 1599652410.687751,
"tid": 2056,
"flags": {}
},
"pid": 2256,
"type": "call",
"cid": 944
}
],
"references": [],
"name": "injection_write_memory"
},
{
"markcount": 1,
"families": [],
"description": "Code injection by writing an executable or DLL to the memory of another process",
"severity": 3,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2792,
"buffer": "MZER\u00e8\u0000\u0000\u0000\u0000X\u0083\u00e8\t\u008b\u00c8\u0083\u00c0<\u008b\u0000\u0003\u00c1\u0083\u00c0(\u0003\b\u00ff\u00e1\u0090\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c0\u0000\u0000\u0000\u000e\u001f\u00ba\u000e\u0000\u00b4\t\u00cd!\u00b8\u0001L\u00cd!This program cannot be run in DOS mode.\r\r\n$\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00df\u00aaC\u00c2\u009b\u00cb-\u0091\u009b\u00cb-\u0091\u009b\u00cb-\u0091\u0080V\u0086\u0091\u00d9\u00cb-\u0091\u0080V\u00b3\u0091\u0098\u00cb-\u0091\u0080V\u00b0\u0091\u009a\u00cb-\u0091Rich\u009b\u00cb-\u0091\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000PE\u0000\u0000L\u0001\u0001\u0000\u00f6R\u0093P\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e0\u0000\u0002\u0001\u000b\u0001\n\u0000\u0000\u008c\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c0\u00b5\u0001\u0000\u0000\u0010\u0000\u0000\u0000\u00a0\u0002\u0000\u0000\u0000@\u0000\u0000\u0010\u0000\u0000\u0000\u0002\u0000\u0000\u0005\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0005\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00a0\u0002\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000@\u0081\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\
u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000.text\u0000\u0000\u0000\u00ec\u008a\u0002\u0000\u0000\u0010\u0000\u0000\u0000\u008c\u0002\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000`\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x00000124",
"base_address": "0x00400000"
},
"time": 1599652410.671751,
"tid": 2056,
"flags": {}
},
"pid": 2256,
"type": "call",
"cid": 936
}
],
"references": [],
"name": "injection_write_memory_exe"
},
{
"markcount": 2,
"families": [],
"description": "Used NtSetContextThread to modify a thread in a remote process indicative of process injection",
"severity": 3,
"marks": [
{
"category": "Process injection",
"ioc": "Process 2256 called NtSetContextThread to modify thread in remote process 2792",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000128",
"registers": {
"eip": 2008678852,
"esp": 4192256,
"edi": 0,
"eax": 4306368,
"ebp": 0,
"edx": 0,
"ebx": 2130567168,
"esi": 0,
"ecx": 0
},
"process_identifier": 2792
},
"time": 1599652410.687751,
"tid": 2056,
"flags": {}
},
"pid": 2256,
"type": "call",
"cid": 946
}
],
"references": [
"www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"name": "injection_ntsetcontextthread"
},
{
"markcount": 2,
"families": [],
"description": "Resumed a suspended thread in a remote process potentially indicative of process injection",
"severity": 3,
"marks": [
{
"category": "Process injection",
"ioc": "Process 2256 resumed a thread in remote process 2792",
"type": "ioc",
"description": null
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000128",
"suspend_count": 1,
"process_identifier": 2792
},
"time": 1599652410.718751,
"tid": 2056,
"flags": {}
},
"pid": 2256,
"type": "call",
"cid": 948
}
],
"references": [
"www.endgame.com\/blog\/technical-blog\/ten-process-injection-techniques-technical-survey-common-and-trending-process"
],
"name": "injection_resumethread"
},
{
"markcount": 11,
"families": [],
"description": "Executed a process and injected code into it, probably while unpacking",
"severity": 5,
"marks": [
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 964,
"thread_handle": "0x00000268",
"process_identifier": 3016,
"current_directory": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\naf.exe",
"track": 1,
"command_line": "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\naf.exe\" uhr=mex ",
"filepath_r": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\naf.exe",
"stack_pivoted": 0,
"creation_flags": 67634196,
"process_handle": "0x000002c0",
"inherit_handles": 0
},
"time": 1599652392.328,
"tid": 2420,
"flags": {
"creation_flags": "CREATE_DEFAULT_ERROR_MODE|CREATE_NEW_CONSOLE|CREATE_SUSPENDED|CREATE_UNICODE_ENVIRONMENT|EXTENDED_STARTUPINFO_PRESENT"
}
},
"pid": 2816,
"type": "call",
"cid": 3604
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 2056,
"thread_handle": "0x00000124",
"process_identifier": 2256,
"current_directory": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042",
"filepath": "",
"track": 1,
"command_line": "C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\naf.exe C:\\Users\\cuck\\AppData\\Local\\Temp\\61899042\\DTLMC",
"filepath_r": "",
"stack_pivoted": 0,
"creation_flags": 524288,
"process_handle": "0x00000128",
"inherit_handles": 0
},
"time": 1599652408.124875,
"tid": 964,
"flags": {
"creation_flags": "EXTENDED_STARTUPINFO_PRESENT"
}
},
"pid": 3016,
"type": "call",
"cid": 127988
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "CreateProcessInternalW",
"return_value": 1,
"arguments": {
"thread_identifier": 1496,
"thread_handle": "0x00000128",
"process_identifier": 2792,
"current_directory": "",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\RegSvcs.exe",
"track": 1,
"command_line": "",
"filepath_r": "C:\\Users\\cuck\\AppData\\Local\\Temp\\RegSvcs.exe",
"stack_pivoted": 0,
"creation_flags": 4,
"process_handle": "0x00000124",
"inherit_handles": 0
},
"time": 1599652410.671751,
"tid": 2056,
"flags": {
"creation_flags": "CREATE_SUSPENDED"
}
},
"pid": 2256,
"type": "call",
"cid": 930
},
{
"call": {
"category": "process",
"status": 0,
"stacktrace": [],
"last_error": 18,
"nt_status": -2147483642,
"api": "NtUnmapViewOfSection",
"return_value": 3221225497,
"arguments": {
"process_identifier": 2792,
"region_size": 4521984,
"process_handle": "0x00000124",
"base_address": "0x00400000"
},
"time": 1599652410.671751,
"tid": 2056,
"flags": {}
},
"pid": 2256,
"type": "call",
"cid": 932
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtAllocateVirtualMemory",
"return_value": 0,
"arguments": {
"process_identifier": 2792,
"region_size": 172032,
"stack_dep_bypass": 0,
"stack_pivoted": 0,
"heap_dep_bypass": 0,
"protection": 64,
"process_handle": "0x00000124",
"allocation_type": 12288,
"base_address": "0x00400000"
},
"time": 1599652410.671751,
"tid": 2056,
"flags": {
"protection": "PAGE_EXECUTE_READWRITE",
"allocation_type": "MEM_COMMIT|MEM_RESERVE"
}
},
"pid": 2256,
"type": "call",
"cid": 934
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2792,
"buffer": "MZER\u00e8\u0000\u0000\u0000\u0000X\u0083\u00e8\t\u008b\u00c8\u0083\u00c0<\u008b\u0000\u0003\u00c1\u0083\u00c0(\u0003\b\u00ff\u00e1\u0090\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c0\u0000\u0000\u0000\u000e\u001f\u00ba\u000e\u0000\u00b4\t\u00cd!\u00b8\u0001L\u00cd!This program cannot be run in DOS mode.\r\r\n$\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00df\u00aaC\u00c2\u009b\u00cb-\u0091\u009b\u00cb-\u0091\u009b\u00cb-\u0091\u0080V\u0086\u0091\u00d9\u00cb-\u0091\u0080V\u00b3\u0091\u0098\u00cb-\u0091\u0080V\u00b0\u0091\u009a\u00cb-\u0091Rich\u009b\u00cb-\u0091\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000PE\u0000\u0000L\u0001\u0001\u0000\u00f6R\u0093P\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00e0\u0000\u0002\u0001\u000b\u0001\n\u0000\u0000\u008c\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u00c0\u00b5\u0001\u0000\u0000\u0010\u0000\u0000\u0000\u00a0\u0002\u0000\u0000\u0000@\u0000\u0000\u0010\u0000\u0000\u0000\u0002\u0000\u0000\u0005\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0005\u0000\u0001\u0000\u0000\u0000\u0000\u0000\u0000\u00a0\u0002\u0000\u0000\u0002\u0000\u0000\u0000\u0000\u0000\u0000\u0002\u0000@\u0081\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\
u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000.text\u0000\u0000\u0000\u00ec\u008a\u0002\u0000\u0000\u0010\u0000\u0000\u0000\u008c\u0002\u0000\u0000\u0010\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000 \u0000\u0000`\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000",
"process_handle": "0x00000124",
"base_address": "0x00400000"
},
"time": 1599652410.671751,
"tid": 2056,
"flags": {}
},
"pid": 2256,
"type": "call",
"cid": 936
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"buffer": "d1e5fd4b3d15a9a26a7b6d8313b71a72be234a32",
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2792,
"buffer": "",
"process_handle": "0x00000124",
"base_address": "0x00401000"
},
"time": 1599652410.671751,
"tid": 2056,
"flags": {}
},
"pid": 2256,
"type": "call",
"cid": 940
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtGetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000128"
},
"time": 1599652410.687751,
"tid": 2056,
"flags": {}
},
"pid": 2256,
"type": "call",
"cid": 942
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "WriteProcessMemory",
"return_value": 1,
"arguments": {
"process_identifier": 2792,
"buffer": "\u0000\u0000@\u0000",
"process_handle": "0x00000124",
"base_address": "0x7efde008"
},
"time": 1599652410.687751,
"tid": 2056,
"flags": {}
},
"pid": 2256,
"type": "call",
"cid": 944
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtSetContextThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000128",
"registers": {
"eip": 2008678852,
"esp": 4192256,
"edi": 0,
"eax": 4306368,
"ebp": 0,
"edx": 0,
"ebx": 2130567168,
"esi": 0,
"ecx": 0
},
"process_identifier": 2792
},
"time": 1599652410.687751,
"tid": 2056,
"flags": {}
},
"pid": 2256,
"type": "call",
"cid": 946
},
{
"call": {
"category": "process",
"status": 1,
"stacktrace": [],
"api": "NtResumeThread",
"return_value": 0,
"arguments": {
"thread_handle": "0x00000128",
"suspend_count": 1,
"process_identifier": 2792
},
"time": 1599652410.718751,
"tid": 2056,
"flags": {}
},
"pid": 2256,
"type": "call",
"cid": 948
}
],
"references": [],
"name": "injection_runpe"
}
]
The Yara rules did not detect anything in the file.
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 546,
"time": 3.1760988235473633,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 5226,
"time": 9.171701908111572,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7070,
"time": 3.044064998626709,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7398,
"time": 1.0247859954833984,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7726,
"time": 3.112398862838745,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8054,
"time": 1.5331218242645264,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8382,
"time": -0.10098099708557129,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 8710,
"time": 1.5469248294830322,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 28120,
"time": 1.0468318462371826,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 36504,
"time": 3.1246399879455566,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "0ceff0852e05ed5b630240a085e16c31c784f9eedaf77d2de00cdbe063681cc3",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "6fc209790c977c1da62fbaeae33b137096c766e35647da50bef0e1846d7341b1",
"irc": [],
"https_ex": []
}
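Every UDP flow in the network section above goes from the sandbox guest (192.168.56.101) to its subnet broadcast address or to a multicast group, on the NetBIOS (137/138), LLMNR (5355), SSDP (1900) and WS-Discovery (3702) ports, and the `tcp`, `dns` and `http` arrays are empty. That is ordinary Windows LAN discovery noise, not command-and-control traffic. The script below is an added example, not FreeFixer's or Cuckoo's own code; it separates that noise from flows that would merit follow-up. Its input is constructed: a subset of the report's flows plus one made-up external flow to 203.0.113.7 (documentation address space) so the contrast is visible.

```python
"""Triage the "udp" flows of a Cuckoo-style network section: separate LAN
discovery noise (NetBIOS, LLMNR, SSDP, WS-Discovery) from flows that could be
outbound C2. Added example, not FreeFixer's or Cuckoo's own code.
"""
import ipaddress

# Discovery ports seen in the report; the names are labels only.
DISCOVERY_PORTS = {137: "NetBIOS-NS", 138: "NetBIOS-DGM", 5355: "LLMNR",
                   1900: "SSDP", 3702: "WS-Discovery"}

# Constructed sample: four flows copied from the report plus one made-up
# external flow (203.0.113.7 is TEST-NET-3 documentation space).
SAMPLE_NETWORK = {
    "udp": [
        {"src": "192.168.56.101", "dst": "192.168.56.255", "dport": 137, "sport": 137},
        {"src": "192.168.56.101", "dst": "224.0.0.252", "dport": 5355, "sport": 51001},
        {"src": "192.168.56.101", "dst": "239.255.255.250", "dport": 1900, "sport": 1900},
        {"src": "192.168.56.101", "dst": "239.255.255.250", "dport": 3702, "sport": 49152},
        {"src": "192.168.56.101", "dst": "203.0.113.7", "dport": 8080, "sport": 50222},
    ],
    "tcp": [], "dns": [], "http": [],
}


def classify_flow(flow, lan="192.168.56.0/24"):
    """Return (kind, protocol_label) for one UDP flow record.

    The sandbox subnet is passed explicitly rather than inferred from
    ipaddress.is_private, which also treats documentation ranges as private.
    """
    dst = ipaddress.ip_address(flow["dst"])
    net = ipaddress.ip_network(lan)
    if dst.is_multicast or dst == net.broadcast_address:
        if flow["dport"] in DISCOVERY_PORTS:
            return "lan-discovery", DISCOVERY_PORTS[flow["dport"]]
        return "lan-broadcast", "unknown"
    if dst in net:
        return "lan-unicast", "unknown"
    return "external", "unknown"


def summarize(network, lan="192.168.56.0/24"):
    """Bucket the UDP flows and say whether anything in the section needs a
    closer look (external UDP, or any TCP/DNS/HTTP activity at all)."""
    summary = {"lan-discovery": [], "lan-broadcast": [],
               "lan-unicast": [], "external": []}
    for flow in network.get("udp", []):
        kind, proto = classify_flow(flow, lan)
        summary[kind].append((flow["dst"], flow["dport"], proto))
    summary["has_c2_candidate"] = bool(
        summary["external"] or network.get("tcp")
        or network.get("dns") or network.get("http"))
    return summary


if __name__ == "__main__":
    for kind, flows in summarize(SAMPLE_NETWORK).items():
        print(kind, flows)
```

Applied to the report's own flows the `external` bucket is empty and `has_c2_candidate` is false; only the constructed 203.0.113.7 flow trips it. The caveat a reviewer should keep in mind is that a quiet network section from a short sandbox run is not evidence of benign behaviour: several of the vendors above label the file as a stealer or injector, and a payload that never reached its beaconing stage inside the VM leaves exactly this kind of pcap.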
The instructions below show how to remove bombux.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the bombux.exe file for removal, restart your computer and scan it again to verify that bombux.exe has been successfully removed. Here are the removal instructions in more detail:
| Property | Value |
|---|---|
| MD5 | 1bffe9687e01df8c022e3a941b61eb45 |
| SHA256 | e89d5d56ae0b6acdabf4b7f294b53eb68fb1be281c40b75f53c42bd847cba318 |
These are some of the error messages that can appear related to bombux.exe:
bombux.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
bombux.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
bombux.exe has stopped working.
End Program - bombux.exe. This program is not responding.
bombux.exe is not a valid Win32 application.
bombux.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
To help other users, please let us know what you will do with bombux.exe:
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.