What is gremro.exe?
gremro.exe is usually located in the 'c:\downloads\' folder.
Some of the anti-virus scanners at VirusTotal detected gremro.exe.
If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.
Digital signatures [?]
gremro.exe is not signed.
VirusTotal report
8 of the 70 anti-virus programs at VirusTotal detected the gremro.exe file. That's a 11% detection rate.
| Scanner | Detection Name |
|---|---|
| AegisLab | Trojan.Win32.Generic.4!c |
| APEX | Malicious |
| AVG | FileRepMetagen [Malware] |
| Cylance | Unsafe |
| F-Secure | Trojan.TR/Crypt.ZPACK.Gen |
| Microsoft | PUA:Win32/Presenoker |
| Qihoo-360 | Win32/Trojan.be3 |
| Trapmine | malicious.high.ml.score |
Sandbox Report
The following information was gathered by executing the file inside Cuckoo Sandbox.
Summary
Successfully executed process in sandbox.
Summary
{
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\krm.dll",
"C:\\krm.dll",
"C:\\ReadMe.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.exe",
"C:\\Setup.ini",
"C:\\GREmailRobot.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailrobot.chm",
"C:\\License.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\BuyNow.url",
"C:\\GREmailRobot.exe",
"C:\\Setup.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\FILE_ID.DIZ",
"C:\\GREmailrobot.chm",
"C:\\BuyNow.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\License.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\ReadMe.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\pack.zip",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\EmailUs.url",
"C:\\EmailUs.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\MiniUnzip.exe"
],
"file_recreated": [
"C:\\GREmailRobot.url"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\GREmailRobot\\UninstallString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\GREmailRobot\\DisplayName"
],
"dll_loaded": [
"OLEAUT32.DLL",
"SETUPAPI.dll",
"SHELL32.dll",
"COMCTL32.DLL",
"C:\\Windows\\syswow64\\MSCTF.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"ADVAPI32.dll",
"kernel32.dll",
"UxTheme.dll",
"OLEAUT32.dll",
"C:\\Windows\\system32\\ole32.dll",
"rpcrt4.dll",
"dwmapi.dll",
"comctl32",
"ole32.dll",
"comctl32.dll",
"IMM32.dll"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\ReadMe.txt",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\pack.zip",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailrobot.chm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\13586a08d1df74f7a2623895bfd9acf0f5a4e02c444f5daf996c8fe45f014c4b.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\EmailUs.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\krm.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\BuyNow.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\License.txt"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.txt\\UserChoice",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.txt\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\notepad.exe",
"HKEY_CLASSES_ROOT\\.txt",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.txt\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.txt\\DocObject",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\GREmailrobot",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\Clsid",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Notepad\\DefaultFonts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_CLASSES_ROOT\\.txt\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\text",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.txt",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.txt\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\notepad.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\ShellEx\\IconHandler",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\setup.exe",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CLASSES_ROOT\\txtfile",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\DocObject",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\.txt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\(Default)",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Lucida Console",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\CurVer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.txt\\Clsid",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.txt\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\ShellEx\\IconHandler",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\GREmailRobot",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\(Default)",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\krm.dll",
"C:\\krm.dll",
"C:\\ReadMe.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.exe",
"C:\\Setup.ini",
"C:\\GREmailRobot.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailrobot.chm",
"C:\\License.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\BuyNow.url",
"C:\\GREmailRobot.exe",
"C:\\Setup.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\FILE_ID.DIZ",
"C:\\GREmailrobot.chm",
"C:\\BuyNow.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\License.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\ReadMe.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\pack.zip",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\EmailUs.url",
"C:\\EmailUs.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\MiniUnzip.exe"
],
"regkey_deleted": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\GREmailrobot"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\MiniUnzip.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\ReadMe.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\pack.zip",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\FILE_ID.DIZ",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailrobot.chm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\EmailUs.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\krm.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\BuyNow.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\License.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.ini"
],
"directory_removed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.bmp"
],
"command_line": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\MiniUnzip pack.zip",
"\"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\setup.exe\"",
"\"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\setup.exe\" ",
"notepad.exe ReadMe.txt"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\ReadMe.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\pack.zip",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailrobot.chm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\13586a08d1df74f7a2623895bfd9acf0f5a4e02c444f5daf996c8fe45f014c4b.bin",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\EmailUs.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\krm.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\BuyNow.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\License.txt"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\NoNetCrawling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Filter",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.txt\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Notepad\\DefaultFonts\\iPointSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Notepad\\DefaultFonts\\lfFaceName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideIcons",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txt\\PerceivedType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.txt\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\IconsOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\BrowseInPlace",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AutoCheckSelect",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\AlwaysShowExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\SeparateProcess",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\DontPrettyPath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\AllowFileCLSIDJunctions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\WebView",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.txt\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSimpleStartMenu",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\AlwaysShowExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MapNetDrvBtn",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.txt\\DocObject",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowTypeOverlay",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txt\\Content Type",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txt\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.txt\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\DocObject"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\*.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\setup*.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\ReadMe.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\*.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\krm.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\*.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\setup.*"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware"
]
}Dropped
[
{
"yara": [],
"sha1": "7d96ff3de912548e4a5cd090a038908982a27dfe",
"name": "029fc03aee59cc30_Setup.ini",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.ini",
"type": "ASCII text, with CRLF line terminators",
"sha256": "029fc03aee59cc30a8ae4170a245f0b83afb20c6bbc8491579ba0789854faacc",
"urls": [],
"crc32": "E8C35B5A",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/642\/files\/029fc03aee59cc30_Setup.ini",
"ssdeep": null,
"size": 657,
"sha512": "1eabb92534047c4980faed3919f14a2f83e1d47106ddcc226d7978467e41ebab2c05cb58e12a1c7995217b6f69db604454f57f7a547ddeb05d689d7e973fd7b7",
"pids": [
1948,
2456
],
"md5": "18c8a4f820e12827401da5ab893ad098"
},
{
"yara": [],
"sha1": "c0eb3541e32bd46273e2735c6ae0d8947c30d74a",
"name": "6cb8321252da4886_krm.dll",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\krm.dll",
"type": "PE32 executable (DLL) (GUI) Intel 80386, for MS Windows",
"sha256": "6cb8321252da48863293484b91a713c13fd263aaec1551598501045d91a145a8",
"urls": [
"http:\/\/CSC3-2004-crl.verisign.com\/CSC3-2004.crl0D",
"http:\/\/crl.verisign.com\/ThawteTimestampingCA.crl0",
"http:\/\/ocsp.verisign.com0",
"http:\/\/CSC3-2004-aia.verisign.com\/CSC3-2004-aia.cer0",
"https:\/\/www.verisign.com\/rpa",
"https:\/\/www.verisign.com\/rpa01",
"http:\/\/crl.verisign.com\/pca3.crl0",
"https:\/\/www.verisign.com\/rpa0",
"http:\/\/crl.verisign.com\/tss-ca.crl0",
"http:\/\/www.kagi.com\/KRM"
],
"crc32": "7A3D1E5E",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/642\/files\/6cb8321252da4886_krm.dll",
"ssdeep": null,
"size": 247376,
"sha512": "d24eb129f97550f83c0926e18088289fc73e422579b175b9d4833f4be06ce002c530cefd7eeb4dfe81478698e4a0f4f72c1a18127d5b360d388c13b6acdc9db8",
"pids": [
1948,
2456
],
"md5": "8bee72599fd999504d9563dc16dc74df"
},
{
"yara": [],
"sha1": "be07ba4ff13523c1fbcf62fd75d9068a0b2ec370",
"name": "3e3a6183ee5cd3a8_ReadMe.txt",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\ReadMe.txt",
"type": "ASCII text, with very long lines, with CRLF line terminators",
"sha256": "3e3a6183ee5cd3a82ee8294597142e08b2d08061f501875433c3c25841d37311",
"urls": [
"http:\/\/store.kagi.com\/cgi-bin\/store.cgi?storeID=LU_LIVE",
"http:\/\/www.grsoftware.net",
"http:\/\/www.asp-shareware.com\/omb."
],
"crc32": "75DC285D",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/642\/files\/3e3a6183ee5cd3a8_ReadMe.txt",
"ssdeep": null,
"size": 8064,
"sha512": "fb0450f2055de89f3049feea19f493c99d34108695ec6d2183376347a737ee8abff6bc7aee1304894dcee68eed2cd5cd243c38234d1d15840cfef90c3c91d548",
"pids": [
1948,
2456
],
"md5": "952683719c9d645afd3ae84f3b8a9ebf"
},
{
"yara": [
{
"meta": {
"description": "Contains an embedded PE32 file",
"author": "nex"
},
"name": "embedded_pe",
"offsets": {
"b": [
[
1242,
0
]
]
},
"strings": [
"VGhpcyBwcm9ncmFt"
]
}
],
"sha1": "466bbc3edc18feacbe7109a278caff9ffa6d2c54",
"name": "26e0e52a1ce8d007_License.txt",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\License.txt",
"type": "ASCII text, with very long lines, with CRLF line terminators",
"sha256": "26e0e52a1ce8d00741b6bde56b3a4bd18ca9440c0c13f978f5a8f27a4ff21016",
"urls": [],
"crc32": "ED21145D",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/642\/files\/26e0e52a1ce8d007_License.txt",
"ssdeep": null,
"size": 3317,
"sha512": "b7d42d2ae07113279b79f732a39d9d4a23c59576743edeacfa5c2f8c8017e10c55aea9d5d380f7e11e9c758ecf15a35d9faff0d0b67ef793991f310a9b1828a5",
"pids": [
1948,
2456
],
"md5": "23eb4da6d93341b2ab617be9b9f2115b"
},
{
"yara": [],
"sha1": "128f8b0b44aa2b9bd2eee11d95f93656b5f2e7f8",
"name": "f65178f9d36e5c0e_GREmailRobot.exe",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.exe",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "f65178f9d36e5c0e9cde84b26e499a61a80b397e761e88eabdbb5a39ac2809a8",
"urls": [
"http:\/\/store.kagi.com\/cgi-bin\/store.cgi?storeID=LU_LIVE",
"http:\/\/www.grsoftware.net\/transactionFailure.htm",
"http:\/\/www.grsoftware.net\/connectionFailure.htm",
"http:\/\/www.grsoftware.net"
],
"crc32": "572C703C",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/642\/files\/f65178f9d36e5c0e_GREmailRobot.exe",
"ssdeep": null,
"size": 634880,
"sha512": "722a4f3302135568348a28bf372860481075d4058ac3798f01b10dcb3eeece565b5c26e513023203f920bf35487a999fe7ffe129d70d62e0d277aa9722cac38a",
"pids": [
1948,
2456
],
"md5": "d24be2791b65c26975f96a20dcf506bd"
},
{
"yara": [],
"sha1": "4cdf744b740dcc6bdeb6fed07d864ecdf3132512",
"name": "12be5f73734d997f_FILE_ID.DIZ",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\FILE_ID.DIZ",
"type": "ASCII text, with CRLF line terminators",
"sha256": "12be5f73734d997f02fca01b0fb5e3d3eff650ad606060e32f786962ade98f19",
"urls": [],
"crc32": "8C996456",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/642\/files\/12be5f73734d997f_FILE_ID.DIZ",
"ssdeep": null,
"size": 471,
"sha512": "b1f992bae7429209a8a7f5dff9b4ba81af08f8d3f394aeea13ba522ab2816e72685221635ff03c7a43167335c0e32a6873ae3ac190ff025161b87e4521222c1c",
"pids": [
1948,
2456
],
"md5": "6f64b597786b8a13c393289c0af88b07"
},
{
"yara": [],
"sha1": "4ed5072266cdc84a205e43f60424087e74d97936",
"name": "c869ae7c378c4b3e_GREmailrobot.chm",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailrobot.chm",
"type": "MS Windows HtmlHelp Data",
"sha256": "c869ae7c378c4b3e428d092694c6f1a94fdcd50b87ac3325fea4819b9c2f8fdd",
"urls": [],
"crc32": "9B25B0DF",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/642\/files\/c869ae7c378c4b3e_GREmailrobot.chm",
"ssdeep": null,
"size": 253325,
"sha512": "249d04bd4726e282a51913e526f78151776d022b83f88c1c93508d547c39dc9af45468e1bcca0799e5c95b6eb40847fc356f7c6658005c1984c7e5f6d53f635c",
"pids": [
1948,
2456
],
"md5": "2d864043bf566d307d947b71b1e1d5d8"
},
{
"yara": [],
"sha1": "80d406565ca61a86f5056f1553b3d3fe509a1413",
"name": "03e1259f271b902e_GREmailRobot.url",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.url",
"type": "MS Windows 95 Internet shortcut text (URL=), ASCII text, with CRLF line terminators",
"sha256": "03e1259f271b902eaf20d288aa49335e6968bc6c44e24f0afa00ab16776ee9c3",
"urls": [
"http:\/\/www.grsoftware.net\/email\/software\/GREmailRobot.html"
],
"crc32": "211AA717",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/642\/files\/03e1259f271b902e_GREmailRobot.url",
"ssdeep": null,
"size": 84,
"sha512": "3a60eeec5fb507b3035f7f201201d33cfbf9c109c50050a6c08e42b3703a96e94eff7cdc5a0538354fec2a261e229286a19df7bb9a1b5ba9cc225797542c297a",
"pids": [
1948,
2456
],
"md5": "d05b93df3bddb047b3387783a5b5d8a9"
},
{
"yara": [],
"sha1": "f5336e8c1ae4020c54825c214d9060a322f7845f",
"name": "efd893c11eadd22d_MiniUnzip.exe",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\MiniUnzip.exe",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "efd893c11eadd22dd4866d70d73f8cede364f4ba04f96246bbfe25e888b36243",
"urls": [],
"crc32": "7DC26B4E",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/642\/files\/efd893c11eadd22d_MiniUnzip.exe",
"ssdeep": null,
"size": 7685,
"sha512": "5b75bc543f3ed36ab494b579529820cfd8ec7e2e2e13c7d9d42e6a0c8d974cc08b2af6ef4a5204ee1164e95910cb41c9141f32dba243a58a48f6fdc44a75f6d2",
"pids": [
2456
],
"md5": "0267b63314baa3f0c1bdafd970e87475"
},
{
"yara": [],
"sha1": "98d64f96f092e3e5487ae786354d6bca53688123",
"name": "e3c3d39a86879446_BuyNow.url",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\BuyNow.url",
"type": "MS Windows 95 Internet shortcut text (URL=), ASCII text, with CRLF line terminators",
"sha256": "e3c3d39a868794462e2eda5d8bc5130e59a87afdcdc7d1e6c202ca94cf6bbcc0",
"urls": [
"https:\/\/order.kagi.com\/?LU"
],
"crc32": "3ACA5ACC",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/642\/files\/e3c3d39a86879446_BuyNow.url",
"ssdeep": null,
"size": 60,
"sha512": "7bd68df096fba7c8a6236910e68bc241559e8684189147251b3e2034e20e868844063f861073a01c6ec678733550a74ab4b227b23ac5bddfe2b9722883d9d575",
"pids": [
1948,
2456
],
"md5": "9977a69e094cf581711515402b16217c"
},
{
"yara": [],
"sha1": "c95456d98b108e3c6de475e493f9b42f5ae9f239",
"name": "1c4b690abac47aed_Setup.exe",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.exe",
"type": "PE32 executable (GUI) Intel 80386, for MS Windows",
"sha256": "1c4b690abac47aed4c60db703f05076c4055f99e81160617ac85ce21267cd8d4",
"urls": [],
"crc32": "DB89FA7F",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/642\/files\/1c4b690abac47aed_Setup.exe",
"ssdeep": null,
"size": 389120,
"sha512": "59d04c75d6a5a55b3ecc8d16222cda7a110aff7e4cbdee2f595934029b5ff423525bba7faf97c4718c1edb50991bfcf75f3db88c73fce44f976036c67b464ff0",
"pids": [
1948,
2456
],
"md5": "3ad67d6a8f1d59b1e700684f4bb948b9"
},
{
"yara": [],
"sha1": "11398caf46706bac76c40c0654c2509a708cb99f",
"name": "1a969e3bcc275820_pack.zip",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\pack.zip",
"type": "Zip archive data, at least v1.0 to extract",
"sha256": "1a969e3bcc2758203b7cee2ee67689c5319850c288fce54a65f24a743855f7cb",
"urls": [
"https:\/\/order.kagi.com\/?LU"
],
"crc32": "7625A849",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/642\/files\/1a969e3bcc275820_pack.zip",
"ssdeep": null,
"size": 905080,
"sha512": "e0cf3dfdf338cea5fe32b0a586da5997b3a4c5f8e77b06f63a46d500a168ce8ddf14a91b285c9eaa84d46226d1acec7600f5fac065ab431e09ce280fd05cb918",
"pids": [
2456
],
"md5": "ad44c1da2b791332462fc56ac857b658"
},
{
"yara": [],
"sha1": "6af15dbda19bbdc51f05cda789901f5ceeb7b77b",
"name": "dbc972a2f231abfd_EmailUs.url",
"filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\EmailUs.url",
"type": "MS Windows 95 Internet shortcut text (URL=), ASCII text, with CRLF line terminators",
"sha256": "dbc972a2f231abfd32508caeeb30d306d7ee621e76567bc4ec5c1055b4d6e60a",
"urls": [],
"crc32": "9D8BF14B",
"path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/642\/files\/dbc972a2f231abfd_EmailUs.url",
"ssdeep": null,
"size": 53,
"sha512": "f282f329f35018a07b435ee398fa30d76c2005dcfe446784c7b3bf26b0b3e79e95e43d7b1a80130bf72eeb7d57beed3068b9042827a7e9ba26c2030bfc12ea4a",
"pids": [
1948,
2456
],
"md5": "9897b788c2c7058f3123e22743c840b7"
}
] Generic
[
{
"process_path": "C:\\Windows\\SysWOW64\\notepad.exe",
"process_name": "notepad.exe",
"pid": 2792,
"summary": {
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\ReadMe.txt",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\ReadMe.txt"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.txt\\UserChoice",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.txt\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\notepad.exe",
"HKEY_CLASSES_ROOT\\.txt",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.txt\\ShellEx\\IconHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.txt\\DocObject",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_CLASSES_ROOT\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\Clsid",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Notepad\\DefaultFonts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_CLASSES_ROOT\\.txt\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\text",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.txt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.txt\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\notepad.exe",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\ShellEx\\IconHandler",
"HKEY_CLASSES_ROOT\\Drive\\shellex\\FolderExtensions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\Clsid",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CLASSES_ROOT\\txtfile",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum",
"HKEY_CLASSES_ROOT\\SystemFileAssociations\\.txt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\(Default)",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\LanguagePack\\SurrogateFallback\\Lucida Console",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\CurVer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.txt\\Clsid",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Notepad",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts\\.txt\\OpenWithProgids",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\ShellEx\\IconHandler",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\(Default)",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\Attributes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txt\\(Default)",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\MapNetDriveVerbs",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowTypeOverlay",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\AllowFileCLSIDJunctions",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\QueryForInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideFolderVerbs",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\NonEnum\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\NoNetCrawling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoNetCrawling",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.txt\\AlwaysShowExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\WebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txt\\Content Type",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.txt\\BrowseInPlace",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsParseDisplayName",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSetFolders",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.txt\\DocObject",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\IsShortcut",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.txt\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoSimpleStartMenu",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\AlwaysShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\NeverShowExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowCompColor",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsAliasedNotifications",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Notepad\\DefaultFonts\\lfFaceName",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\NoFileFolderJunction",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Notepad\\DefaultFonts\\iPointSize",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\DontShowSuperHidden",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HasNavigationEnum",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORDISPLAY",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\UseDropHandler",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoCommonGroups",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideInWebView",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\IconsOnly",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\SeparateProcess",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\RestrictedAttributes",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\MapNetDrvBtn",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\PinToNameSpaceTree",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Filter",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\HideOnDesktopPerUser",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\BrowseInPlace",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\DontPrettyPath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowInfoTip",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesRecycleBin",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\CallForAttributes",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.txt\\PerceivedType",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoPropertiesMyComputer",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\ShowSuperHidden",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoControlPanel",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Drive\\shellex\\FolderExtensions\\{fbeb8a05-beee-4442-804e-409d6c4515e9}\\DriveMask",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoInternetIcon",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsUniversalDelegate",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\ClassicShell",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoWebView",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\BrowseInPlace",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideFileExt",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\HideIcons",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\ShellFolder\\WantsFORPARSING",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\text\\DocObject",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\SeparateProcess",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\NeverShowExt",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\SystemFileAssociations\\.txt\\IsShortcut",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\txtfile\\IsShortcut",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\AutoCheckSelect",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellState"
],
"dll_loaded": [
"SHELL32.dll",
"ADVAPI32.dll",
"kernel32.dll",
"UxTheme.dll",
"OLEAUT32.dll",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"comctl32",
"ole32.dll",
"comctl32.dll",
"IMM32.dll"
]
},
"first_seen": 1561711997.2023,
"ppid": 1616
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.exe",
"process_name": "Setup.exe",
"pid": 1616,
"summary": {
"file_created": [
"C:\\Setup.ini",
"C:\\GREmailRobot.exe",
"C:\\Setup.exe",
"C:\\GREmailRobot.url",
"C:\\GREmailrobot.chm",
"C:\\License.txt",
"C:\\krm.dll",
"C:\\BuyNow.url",
"C:\\ReadMe.txt",
"C:\\EmailUs.url"
],
"file_recreated": [
"C:\\GREmailRobot.url"
],
"regkey_written": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\GREmailRobot\\UninstallString",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\GREmailRobot\\DisplayName"
],
"dll_loaded": [
"COMCTL32.DLL",
"C:\\Windows\\syswow64\\MSCTF.dll",
"kernel32.dll",
"UxTheme.dll",
"OLEAUT32.DLL",
"C:\\Windows\\system32\\ole32.dll",
"dwmapi.dll",
"comctl32",
"comctl32.dll",
"IMM32.dll"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\ReadMe.txt",
"C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailrobot.chm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\EmailUs.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\krm.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\BuyNow.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\License.txt"
],
"regkey_opened": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\GREmailrobot",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\KnownClasses",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\setup.exe",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\GREmailRobot",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}"
],
"file_written": [
"C:\\Setup.ini",
"C:\\GREmailRobot.exe",
"C:\\Setup.exe",
"C:\\GREmailRobot.url",
"C:\\GREmailrobot.chm",
"C:\\License.txt",
"C:\\krm.dll",
"C:\\BuyNow.url",
"C:\\ReadMe.txt",
"C:\\EmailUs.url"
],
"regkey_deleted": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\GREmailrobot"
],
"file_exists": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.bmp"
],
"command_line": [
"notepad.exe ReadMe.txt"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\ReadMe.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailrobot.chm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\EmailUs.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\krm.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\BuyNow.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\License.txt"
],
"regkey_read": [
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
"HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\FontSubstitutes\\MS Shell Dlg",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\*.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\setup*.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\ReadMe.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\*.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\krm.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.*",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\setup.*"
]
},
"first_seen": 1561711991.9523,
"ppid": 2456
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\13586a08d1df74f7a2623895bfd9acf0f5a4e02c444f5daf996c8fe45f014c4b.bin",
"process_name": "13586a08d1df74f7a2623895bfd9acf0f5a4e02c444f5daf996c8fe45f014c4b.bin",
"pid": 2456,
"summary": {
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\MiniUnzip.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\pack.zip"
],
"directory_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware"
],
"dll_loaded": [
"rpcrt4.dll",
"API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
"SETUPAPI.dll"
],
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\13586a08d1df74f7a2623895bfd9acf0f5a4e02c444f5daf996c8fe45f014c4b.bin"
],
"regkey_opened": [
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
"HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
"HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\"
],
"command_line": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\MiniUnzip pack.zip",
"\"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\setup.exe\"",
"\"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\setup.exe\" "
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\MiniUnzip.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\pack.zip"
],
"file_deleted": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\MiniUnzip.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\ReadMe.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\pack.zip",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\FILE_ID.DIZ",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailrobot.chm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\EmailUs.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\krm.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\BuyNow.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\License.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.ini"
],
"directory_removed": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\13586a08d1df74f7a2623895bfd9acf0f5a4e02c444f5daf996c8fe45f014c4b.bin"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
"HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName"
],
"directory_enumerated": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\*.*"
]
},
"first_seen": 1561711989.6719,
"ppid": 2780
},
{
"process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\MiniUnzip.exe",
"process_name": "MiniUnzip.exe",
"pid": 1948,
"summary": {
"file_opened": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\pack.zip"
],
"file_created": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\ReadMe.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\FILE_ID.DIZ",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailrobot.chm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\EmailUs.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\krm.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\BuyNow.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\License.txt"
],
"file_read": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\pack.zip"
],
"regkey_read": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
],
"file_written": [
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.ini",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\ReadMe.txt",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\FILE_ID.DIZ",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailrobot.chm",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\EmailUs.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.exe",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\krm.dll",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\BuyNow.url",
"C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\License.txt"
]
},
"first_seen": 1561711991.6085,
"ppid": 2456
},
{
"process_path": "C:\\Windows\\System32\\lsass.exe",
"process_name": "lsass.exe",
"pid": 476,
"summary": {},
"first_seen": 1561711989.3281,
"ppid": 376
}
]Signatures
[
{
"markcount": 1,
"families": [],
"description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
"severity": 1,
"marks": [
{
"call": {
"category": "system",
"status": 1,
"stacktrace": [],
"api": "GlobalMemoryStatusEx",
"return_value": 1,
"arguments": {},
"time": 1561711991.7499,
"tid": 2860,
"flags": {}
},
"pid": 2456,
"type": "call",
"cid": 63
}
],
"references": [],
"name": "antivm_memory_available"
},
{
"markcount": 1,
"families": [],
"description": "Drops a binary and executes it",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.exe",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "dropper"
},
{
"markcount": 4,
"families": [],
"description": "Drops an executable to the user AppData folder",
"severity": 2,
"marks": [
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\krm.dll",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\GREmailRobot.exe",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\MiniUnzip.exe",
"type": "ioc",
"description": null
},
{
"category": "file",
"ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\GRSoftware\\Setup.exe",
"type": "ioc",
"description": null
}
],
"references": [],
"name": "exe_appdata"
},
{
"markcount": 3,
"families": [],
"description": "Queries for potentially installed applications",
"severity": 2,
"marks": [
{
"call": {
"category": "registry",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "RegOpenKeyExA",
"return_value": 2,
"arguments": {
"access": "0x02000000",
"base_handle": "0x80000002",
"key_handle": "0x00000000",
"regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\GREmailrobot",
"regkey_r": "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\GREmailrobot",
"options": 0
},
"time": 1561711997.0773,
"tid": 2284,
"flags": {}
},
"pid": 1616,
"type": "call",
"cid": 1249
},
{
"call": {
"category": "registry",
"status": 0,
"stacktrace": [],
"last_error": 0,
"nt_status": -1073741772,
"api": "RegOpenKeyExA",
"return_value": 2,
"arguments": {
"access": "0x02000000",
"base_handle": "0x80000002",
"key_handle": "0x00000000",
"regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\GREmailRobot",
"regkey_r": "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\GREmailRobot",
"options": 0
},
"time": 1561711997.0773,
"tid": 2284,
"flags": {}
},
"pid": 1616,
"type": "call",
"cid": 1250
},
{
"call": {
"category": "registry",
"status": 1,
"stacktrace": [],
"api": "RegOpenKeyExA",
"return_value": 0,
"arguments": {
"access": "0x02000000",
"base_handle": "0x80000002",
"key_handle": "0x000001a8",
"regkey": "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\GREmailRobot",
"regkey_r": "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\GREmailRobot",
"options": 0
},
"time": 1561711997.0773,
"tid": 2284,
"flags": {}
},
"pid": 1616,
"type": "call",
"cid": 1254
}
],
"references": [],
"name": "queries_programs"
}
]Yara
The Yara rules did not detect anything in the file.
Network
{
"tls": [],
"udp": [
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 546,
"time": 3.0789051055908,
"dport": 137,
"sport": 137
},
{
"src": "192.168.56.101",
"dst": "192.168.56.255",
"offset": 5226,
"time": 9.0788760185242,
"dport": 138,
"sport": 138
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7070,
"time": 3.0149519443512,
"dport": 5355,
"sport": 51001
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7398,
"time": 1.0306971073151,
"dport": 5355,
"sport": 53595
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 7726,
"time": 3.0241250991821,
"dport": 5355,
"sport": 53848
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8054,
"time": 1.5346300601959,
"dport": 5355,
"sport": 54255
},
{
"src": "192.168.56.101",
"dst": "224.0.0.252",
"offset": 8382,
"time": -0.10247302055359,
"dport": 5355,
"sport": 55314
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 8710,
"time": 1.1010370254517,
"dport": 1900,
"sport": 1900
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 28120,
"time": 1.0616409778595,
"dport": 3702,
"sport": 49152
},
{
"src": "192.168.56.101",
"dst": "239.255.255.250",
"offset": 36504,
"time": 3.1810231208801,
"dport": 1900,
"sport": 53598
}
],
"dns_servers": [],
"http": [],
"icmp": [],
"smtp": [],
"tcp": [],
"smtp_ex": [],
"mitm": [],
"hosts": [],
"pcap_sha256": "e43894afbdf253811b15db9ee3403bd59a19a5efcf2cb689bbb69b5156b16572",
"dns": [],
"http_ex": [],
"domains": [],
"dead_hosts": [],
"sorted_pcap_sha256": "e13d20ebda19a9df2e905a71aa40a0b249e072160b25fc17de67f7594835ac77",
"irc": [],
"https_ex": []
}Screenshots
gremro.exe removal instructions
The instructions below shows how to remove gremro.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the gremro.exe file for removal, restart your computer and scan it again to verify that gremro.exe has been successfully removed. Here are the removal instructions in more detail:
- Download and install FreeFixer: http://www.freefixer.com/download.html
- Start FreeFixer and press the Start Scan button. The scan will finish in approximately five minutes.
- When the scan is finished, locate gremro.exe in the scan result and tick the checkbox next to the gremro.exe file. Do not check any other file for removal unless you are 100% sure you want to delete it. Tip: Press CTRL-F to open up FreeFixer's search dialog to quickly locate gremro.exe in the scan result.
c:\downloads\gremro.exe 
- Scroll down to the bottom of the scan result and press the Fix button. FreeFixer will now delete the gremro.exe file.
- Restart your computer.
- Start FreeFixer and scan your computer again. If gremro.exe still remains in the scan result, proceed with the next step. If gremro.exe is gone from the scan result you're done.
- If gremro.exe still remains in the scan result, check its checkbox again in the scan result and click Fix.
- Restart your computer.
- Start FreeFixer and scan your computer again. Verify that gremro.exe no longer appear in the scan result.
Hashes [?]
| Property | Value |
|---|---|
| MD5 | dc2d44b7b7f4a7e5f58b0497cf1c9fc4 |
| SHA256 | 13586a08d1df74f7a2623895bfd9acf0f5a4e02c444f5daf996c8fe45f014c4b |
Error Messages
These are some of the error messages that can appear related to gremro.exe:
gremro.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
gremro.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.
gremro.exe has stopped working.
End Program - gremro.exe. This program is not responding.
gremro.exe is not a valid Win32 application.
gremro.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.
What will you do with gremro.exe?
To help other users, please let us know what you will do with gremro.exe:
Comments
Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.
I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.
No comments posted yet.