What is JRT_8.1.4.exe?

JRT_8.1.4.exe is developed by Malwarebytes according to the JRT_8.1.4.exe version information.

JRT_8.1.4.exe's description is "Junkware Removal Tool"

JRT_8.1.4.exe is digitally signed by Malwarebytes Corporation.

JRT_8.1.4.exe is usually located in the 'C:\Users\Victor Elstad\Desktop\NEW APPS\' folder.

None of the anti-virus scanners at VirusTotal reports anything malicious about JRT_8.1.4.exe.

If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.

Vendor and version information [?]

The following is the available information on JRT_8.1.4.exe:

PropertyValue
Company nameMalwarebytes
File descriptionJunkware Removal Tool
Product version8.1.4
File version8.1.4

Here's a screenshot of the file properties when displayed by Windows Explorer:

Company nameMalwarebytes
File descriptionJunkware Removal Tool
Product version8.1.4
File version8.1.4

Digital signatures [?]

JRT_8.1.4.exe has a valid digital signature.

PropertyValue
Signer nameMalwarebytes Corporation
Certificate issuer nameDigiCert Assured ID Code Signing CA-1
Certificate serial number044e3bf58976880ffd074448a8f7a058

VirusTotal report

None of the 68 anti-virus programs at VirusTotal detected the JRT_8.1.4.exe file.

None of the 68 anti-virus programs detected the JRT_8.1.4.exe file.

Sandbox Report

The following information was gathered by executing the file inside Cuckoo Sandbox.

Summary

Successfully executed process in sandbox.

Summary

{
    "guid": [
        "{ea1afb91-9e28-4b86-90e9-9e9f8a5eefaf}",
        "{56fdf344-fd6d-11d0-958a-006097c9a090}"
    ],
    "file_recreated": [
        "\\??\\NUL"
    ],
    "directory_created": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\temp"
    ],
    "dll_loaded": [
        "NETMSG",
        "SETUPAPI.dll",
        "API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
        "kernel32",
        "C:\\Windows\\syswow64\\MSCTF.dll",
        "IMM32.dll",
        "ADVAPI32.dll",
        "kernel32.dll",
        "UxTheme.dll",
        "OLEAUT32.DLL",
        "C:\\Windows\\system32\\ole32.dll",
        "dwmapi.dll",
        "rpcrt4.dll",
        "comctl32.dll",
        "C:\\Windows\\system32\\uxtheme.dll"
    ],
    "file_opened": [
        "",
        "C:\\",
        "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2000acf98ef0ac1a2d75c91586b5f30a2bc3ece6e92388b324614c93a0645cf5.bin",
        "\\\\?\\PIPE\\srvsvc",
        "\\Device\\NamedPipe\\",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\get.bat",
        "C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui"
    ],
    "regkey_opened": [
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\2000acf98ef0ac1a2d75c91586b5f30a2bc3ece6e92388b324614c93a0645cf5.bin",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters",
        "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}"
    ],
    "resolves_host": [
        "www.google.com"
    ],
    "file_written": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\libiconv2.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\wget.txt",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\CUT.DAT",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_tasks.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_lnkurls.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\SHORTCUT.DAT",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\pcre3.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_appinit.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\grep-2.5.4-GnuWin32.README",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_lnkfiles.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_processes.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_firefox.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_foldersC.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\shortcut.txt",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\wget-1.11.4-1-GnuWin32.README",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffxml.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\sed-4.2.1-GnuWin32.README",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffxpi.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_services.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\GREP.DAT",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_toolbars.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\libintl3.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_foldersM.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\CreateRestorePoint.exe",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\NIRCMD.DAT",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_chrext.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\SED.DAT",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_urls.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffext.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\NirCmd.chm",
        "\\\\?\\PIPE\\srvsvc",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_foldersS.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\GNU utilities for Win32.url",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_services.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_tasks.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\get.bat",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\sed.txt",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\regex2.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_values.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\WGET.DAT",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\clean_shortcut.vbs",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_bhos.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\jrtcurrentmd5",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\nircmdc.exe",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_chrstrg.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffplugin.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\SORT_.DAT"
    ],
    "file_exists": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\libiconv2.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\wget.txt",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\CUT.DAT",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\JRT_NewerVersion",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\\"C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\get.bat\"",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_tasks.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_lnkurls.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\SHORTCUT.DAT",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\pcre3.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_appinit.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\grep-2.5.4-GnuWin32.README",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_lnkfiles.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_processes.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_firefox.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_foldersC.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\shortcut.txt",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\wget-1.11.4-1-GnuWin32.README",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffxml.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\sed-4.2.1-GnuWin32.README",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffxpi.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_services.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\GREP.DAT",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_toolbars.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\libintl3.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\temp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_foldersM.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\JRT.*",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\CreateRestorePoint.exe",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\NIRCMD.DAT",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\JRT_NewerVersion\\*",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_chrext.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\SED.DAT",
        "C:\\Windows\\System32\\cmd.exe",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_urls.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffext.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\NirCmd.chm",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_foldersS.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\GNU utilities for Win32.url",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_services.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\jrtnewmd5",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_tasks.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\get.bat",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\sed.txt",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\regex2.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_values.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\WGET.DAT",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\clean_shortcut.vbs",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_bhos.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\jrtcurrentmd5",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\null",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\nircmdc.exe",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_chrstrg.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffplugin.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\temp\\*",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\SORT_.DAT"
    ],
    "file_created": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\libiconv2.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\wget.txt",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\CUT.DAT",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_tasks.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_lnkurls.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\SHORTCUT.DAT",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\pcre3.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_appinit.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\grep-2.5.4-GnuWin32.README",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_lnkfiles.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_processes.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_firefox.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_foldersC.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\shortcut.txt",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\wget-1.11.4-1-GnuWin32.README",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffxml.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\sed-4.2.1-GnuWin32.README",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffxpi.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_services.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\GREP.DAT",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_toolbars.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\libintl3.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_foldersM.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\CreateRestorePoint.exe",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\NIRCMD.DAT",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_chrext.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\SED.DAT",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_urls.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffext.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\NirCmd.chm",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_foldersS.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\GNU utilities for Win32.url",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_services.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_tasks.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\get.bat",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\sed.txt",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\regex2.dll",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_values.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\WGET.DAT",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\clean_shortcut.vbs",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_bhos.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\jrtcurrentmd5",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\null",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\nircmdc.exe",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_chrstrg.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffplugin.cfg",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\SORT_.DAT"
    ],
    "file_failed": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\NirCmd.chm"
    ],
    "command_line": [
        "net  session ",
        "PING  -n 1 www.google.com ",
        "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\get.bat\" ",
        "REG  QUERY \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName\" \/v ComputerName ",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\get.bat",
        "REG  QUERY \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\" \/v ProductName ",
        "FIND  \"Windows XP\" ",
        "C:\\Windows\\system32\\net1  session ",
        "C:\\Windows\\system32\\cmd.exe \/c REG QUERY \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName\" \/v ComputerName 2>NUL",
        "C:\\Windows\\system32\\cmd.exe \/c REG QUERY \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\" \/v ProductName 2>NUL",
        "C:\\Windows\\system32\\cmd.exe  \/S \/D \/c\" ECHO Windows 7 Professional\""
    ],
    "file_read": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\get.bat",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\2000acf98ef0ac1a2d75c91586b5f30a2bc3ece6e92388b324614c93a0645cf5.bin",
        "\\\\?\\PIPE\\srvsvc"
    ],
    "regkey_read": [
        "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\LogFileName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
        "HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\DefaultLevel",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
        "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DefaultTTL",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\PolicyScope",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
        "HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Srp\\GP\\RuleCount",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\SaferFlags",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\Levels",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
        "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun"
    ],
    "directory_enumerated": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\REG.*",
        "C:\\Windows\\SysWOW64",
        "C:\\Users\\cuck\\AppData",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\JRT.*",
        "C:\\Python27\\REG",
        "C:\\Python27\\Scripts\\PING.*",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\FIND.*",
        "C:\\Python27\\Scripts\\PING",
        "C:\\Windows\\System32\\cmd.exe",
        "C:\\Windows\\System32\\net.*",
        "C:\\Python27\\Scripts\\FIND.*",
        "C:\\Windows\\System32\\FIND.*",
        "C:\\Python27\\PING.*",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\temp\\*",
        "C:\\Windows\\System32\\PING.COM",
        "C:\\Python27\\REG.*",
        "C:\\Windows\\System32\\find.exe",
        "C:\\Python27\\Scripts\\REG.*",
        "C:\\Users",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\PING",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\net",
        "C:\\Python27\\Scripts\\net",
        "C:\\Python27\\Scripts\\net.*",
        "C:\\Windows\\System32\\find.COM",
        "C:\\Python27\\net",
        "C:\\Python27\\FIND.*",
        "C:\\Windows\\System32\\PING.EXE",
        "C:\\Windows\\System32\\REG.*",
        "C:\\Windows\\System32\\reg.COM",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\REG",
        "C:\\Windows\\System32\\net.COM",
        "C:\\Users\\cuck",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\jrtnewmd5",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\get.bat",
        "C:\\Users\\cuck\\AppData\\Local\\Temp",
        "C:\\Users\\cuck\\AppData\\Local",
        "C:\\Windows\\System32\\PING.*",
        "C:\\Python27\\Scripts\\FIND",
        "C:\\Python27\\PING",
        "C:\\Python27\\FIND",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\net.*",
        "C:\\Python27\\net.*",
        "C:\\Python27\\Scripts\\REG",
        "C:\\Windows\\System32\\net.exe",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\FIND",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt",
        "C:\\Windows\\Sysnative\\cmd.exe",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\PING.*",
        "C:\\Windows\\System32\\reg.exe"
    ]
}

Dropped

[
    {
        "yara": [],
        "sha1": "f601668d6d32c32c46ca1e8106c4da73ac6979fe",
        "name": "2ed0e36467124ffe_gnu utilities for win32.url",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\GNU utilities for Win32.url",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "2ed0e36467124ffeabd7d18f826c9600871acfa9c1715664876feae9675caf6e",
        "urls": [
            "http:\/\/unxutils.sourceforge.net\/UnxUtils.html"
        ],
        "crc32": "731D0F24",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/2ed0e36467124ffe_gnu utilities for win32.url",
        "ssdeep": null,
        "size": 134,
        "sha512": "26590590fd358f76e84f8308cf0214fd9e13d38464c1b1409d8c624b7d0f9296bb7d81b5ee54c508154a77f14d213b3ba3a1243a0277affc76beaa0e4127032a",
        "pids": [
            2816
        ],
        "md5": "348277d96e58a174fe4df031dfddb469"
    },
    {
        "yara": [],
        "sha1": "d66b4f5a209909f1672957f7f79c09ad78500df3",
        "name": "8a46531e08da9c76_wl_bhos.cfg",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_bhos.cfg",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "8a46531e08da9c769c3faf903f4022ed671e9bb4160b772ad78b0167323cdd02",
        "urls": [],
        "crc32": "62926245",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/8a46531e08da9c76_wl_bhos.cfg",
        "ssdeep": null,
        "size": 91768,
        "sha512": "c16ff0719ac4a5b779432b6583a276d7b611fd51a4a12fec4a2207aa17de96d8968d082868fe4a5575af9436fb622873e288658f8622aece784cb1b5340badcf",
        "pids": [
            2816
        ],
        "md5": "0feea4ef5b7e9307e66a9772cbab15f3"
    },
    {
        "yara": [],
        "sha1": "08b1cf463c5470de5a644e5441a274122789cc53",
        "name": "0db7176d6b10da94_sort_.dat",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\SORT_.DAT",
        "type": "PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows",
        "sha256": "0db7176d6b10da94a7abb592d50b3fd42d853a779f8674885e50b6c63b7b63ca",
        "urls": [],
        "crc32": "9F5FDAED",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/0db7176d6b10da94_sort_.dat",
        "ssdeep": null,
        "size": 96256,
        "sha512": "21dbc59412da4f0c711ebb927e3ab1e7e604eb88e3ceab840adea034b88e99a1d00bd065dc72aa574ae5dc2149542ccd27e22e883329a7e7cec819825103374b",
        "pids": [
            2816
        ],
        "md5": "4de87d064877fa6726654f6812a719b0"
    },
    {
        "yara": [],
        "sha1": "a7e1c4dfc4737da8e889cdc26eb342c2a4ecae89",
        "name": "40f4f6b1dabdf0de_cut.dat",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\CUT.DAT",
        "type": "PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows",
        "sha256": "40f4f6b1dabdf0defce4846138f01271748d2c31a519116580a077a1dbefb820",
        "urls": [],
        "crc32": "12F077A8",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/40f4f6b1dabdf0de_cut.dat",
        "ssdeep": null,
        "size": 17920,
        "sha512": "af50dab75d37864b769d656911d13ea2f869525734c47b1657dcc15abe2da5d1aaa85ac55e6e1bb6e4edc10e92c4ec354e9140045dc5b795f4450b8cc6fb686a",
        "pids": [
            2816
        ],
        "md5": "04e0bbeece6d733860cdd6b4be21ae80"
    },
    {
        "yara": [],
        "sha1": "7dea7e485b5e8692f1b9a3a09fa3175ed93e8cce",
        "name": "f8cabd8b180fbd67_bl_values.cfg",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_values.cfg",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "f8cabd8b180fbd6760550355124823cf1df0229efb2cabd8fa96520edda00048",
        "urls": [],
        "crc32": "D8478C47",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/f8cabd8b180fbd67_bl_values.cfg",
        "ssdeep": null,
        "size": 5463,
        "sha512": "520607f06b899ebe00d22087e95fa64e1d8ee1d208af8711727fb02385c36147e1e752c89afd3b526f34e0eeaa31b66e6d3717c5957aed0991ac67a56d57ff8b",
        "pids": [
            2816
        ],
        "md5": "120c64228012b22c47f93bf6ddc29e76"
    },
    {
        "yara": [],
        "sha1": "24565da5d6247018288e84f5bd923a8f4aa47f45",
        "name": "c8a8a4818146dd89_sed.txt",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\sed.txt",
        "type": "ASCII text, with very long lines, with CRLF line terminators",
        "sha256": "c8a8a4818146dd8960849c2b028e565a94c8d4e036e01e1e28e0fa91d42c7e43",
        "urls": [
            "http:\/\/gnuwin32.sourceforge.net\/packages\/libgw32c.htm.",
            "http:\/\/groups.yahoo.com\/group\/sed-users",
            "http:\/\/sed.sourceforge.net",
            "http:\/\/sedsed.sourceforge.net",
            "http:\/\/www.grymoire.com\/Unix\/Sed.html",
            "http:\/\/sed.sourceforge.net\/sedfaq.html",
            "http:\/\/www.opengroup.org\/onlinepubs\/009695399\/basedefs\/xbd_chap09.html",
            "http:\/\/ftp.gnu.org\/gnu\/sed\/sed-4.2.1.tar.gz",
            "http:\/\/gnuwin32.sourceforge.net\/compile.html",
            "http:\/\/www.gnu.org\/software\/sed\/sed.html",
            "http:\/\/main.rtfiber.com.tw\/",
            "http:\/\/www.panix.com\/",
            "http:\/\/www-106.ibm.com\/developerworks\/linux\/library\/l-sed1.html",
            "http:\/\/www-106.ibm.com\/developerworks\/linux\/library\/l-sed3.html",
            "http:\/\/www-106.ibm.com\/developerworks\/linux\/library\/l-sed2.html",
            "http:\/\/gnuwin32.sourceforge.net",
            "http:\/\/www.opengroup.org\/onlinepubs\/009695399\/utilities\/sed.html"
        ],
        "crc32": "CED684DB",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/c8a8a4818146dd89_sed.txt",
        "ssdeep": null,
        "size": 3271,
        "sha512": "42480aeaf64b24c0e85eea78501e01907c7392576414dddfd09ed3acb878a748b4b57c3345f01ac194439595bdb2ce39278b477416a4fdea22e5bd8781ac6e4a",
        "pids": [
            2816
        ],
        "md5": "13171419a6d180fdd8b52ceae16ddadf"
    },
    {
        "yara": [],
        "sha1": "d47f8b60f35fe3f43928cad66db59785b8b9501d",
        "name": "dbedb3193dda09ac_bl_chrext.cfg",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_chrext.cfg",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "dbedb3193dda09ac6df38a640a08bee54041d020d46223ad7b3f297e4253360f",
        "urls": [],
        "crc32": "9E913AC5",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/dbedb3193dda09ac_bl_chrext.cfg",
        "ssdeep": null,
        "size": 32841,
        "sha512": "758df10bae855a7350c21a73fcc58a6c144509463dd57c1cd670e9d1dace3979370f2f61bae36ac03d10dc6a8f815636331085679840f491a3be0d973aa49ad4",
        "pids": [
            2816
        ],
        "md5": "935ed2949d1eceac23c52564cba49529"
    },
    {
        "yara": [],
        "sha1": "0f73d47122080a0c5c423841b16f4e6c62d79aff",
        "name": "6deedad652bfab7b_libiconv2.dll",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\libiconv2.dll",
        "type": "PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows",
        "sha256": "6deedad652bfab7b09ebd0e06045810390b6ac6cb5aa9ef41c9daa5616181f22",
        "urls": [],
        "crc32": "E8DB6919",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/6deedad652bfab7b_libiconv2.dll",
        "ssdeep": null,
        "size": 1008128,
        "sha512": "afef454b85fb28b41fc4261188fee7a3122e2986b2e1a47e66fce9005cb2ec69c47644115bc52b9719eed15707978262b80e18eedadd0b39ccf5f2b441654a13",
        "pids": [
            2816
        ],
        "md5": "e0dc8c6bbc787b972a9a468648dbfd85"
    },
    {
        "yara": [],
        "sha1": "92ad08dc9fcbe2eb9d6bc13bc5743e0631295d81",
        "name": "2d7e65b84af88a37_bl_lnkurls.cfg",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_lnkurls.cfg",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "2d7e65b84af88a378bf968cc7766e25ca8957847cd265f5e0050fb67b141a968",
        "urls": [],
        "crc32": "83D3011B",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/2d7e65b84af88a37_bl_lnkurls.cfg",
        "ssdeep": null,
        "size": 1204,
        "sha512": "5c591b4e5624d1234357eb752348855fa2bf98b6d1cbc7797a15a1db9508caf8bce81338a82fb0fefb0710091a9e02f2df6307935dfdf70eed3d22a0bf68b5f7",
        "pids": [
            2816
        ],
        "md5": "74a83514df51a7e8ca94a9376a5e2f79"
    },
    {
        "yara": [],
        "sha1": "87c1bb22dd1dde0d5d6ed1883374676b087d5d8c",
        "name": "b12a7a3a5bf8f63e_bl_ffxpi.cfg",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffxpi.cfg",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "b12a7a3a5bf8f63e4016a56931d7ea0f575cee0cc679913bf17bed1c23e91899",
        "urls": [],
        "crc32": "3444D53C",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/b12a7a3a5bf8f63e_bl_ffxpi.cfg",
        "ssdeep": null,
        "size": 7076,
        "sha512": "138ca99982da3a230a8115960b2819fe1d7a45839bdd195f3d020107c8f72cf680785284f5151cd089a5391d0305f17dbb678565f0a428da86bbf9b4bf94fd7a",
        "pids": [
            2816
        ],
        "md5": "385dbfc80e63f0cf3cbfca1247f72f02"
    },
    {
        "yara": [],
        "sha1": "9ea97899c8c7677c633cc24edfa034de6e86350c",
        "name": "094e2fa2c6df5fee_shortcut.txt",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\shortcut.txt",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "094e2fa2c6df5fee039ba345067ba5b2c22e8c54ca4a8d7b35e86a91c1e8e320",
        "urls": [],
        "crc32": "F8DECE41",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/094e2fa2c6df5fee_shortcut.txt",
        "ssdeep": null,
        "size": 2123,
        "sha512": "bfd5d701631ce8d7e992f30e6682479454c3ebab8e35287b3362cb56963b7d736edead9a5ffad4dd23350059b408cdeaa60c032fb34532a938a384c97448e052",
        "pids": [
            2816
        ],
        "md5": "3a26827485c683aacd1e0194f34a0cfa"
    },
    {
        "yara": [],
        "sha1": "ae14f047e1143b1da76d73f0bbc7ab8ba4408327",
        "name": "480d7ad39761e3bb_bl_services.cfg",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_services.cfg",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "480d7ad39761e3bb57c8fe60531d19301d50a36f23e4aca1302b35d53590df73",
        "urls": [],
        "crc32": "DC4EBBB3",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/480d7ad39761e3bb_bl_services.cfg",
        "ssdeep": null,
        "size": 12684,
        "sha512": "1e4b74928542352f6296b3cf50bb7143a35bd608eb9766ef738d3dd6c40c9502d58940812fbe5490e5fba73f86d7b58d014aaee250bffb8ce7faf1f54a13ce0e",
        "pids": [
            2816
        ],
        "md5": "57e41fcc47169a978c4b789420f21267"
    },
    {
        "yara": [],
        "sha1": "8b7781c2cdc6bda4a5878e7fda41db8b5dc7aea1",
        "name": "69eb2c63bab14f7e_bl_foldersc.cfg",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_foldersC.cfg",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "69eb2c63bab14f7e91ca4483e741583d8f6b8994f79c53fdf17ce6af7774738f",
        "urls": [],
        "crc32": "421A3F7F",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/69eb2c63bab14f7e_bl_foldersc.cfg",
        "ssdeep": null,
        "size": 512,
        "sha512": "0038c3d0841ade299d00135e82f55e31be0ebd82e8c1440cf5e8de02a656e7d635f026840e1b2a6a0332e3a8b8b78407916bd6a43328334919346540f36282be",
        "pids": [
            2816
        ],
        "md5": "ae4c96d8f463036c8efea6a0565c2f50"
    },
    {
        "yara": [
            {
                "meta": {
                    "description": "Possibly employs anti-virtualization techniques",
                    "author": "nex"
                },
                "name": "vmdetect",
                "offsets": {
                    "virtualbox3": [
                        [
                            1718,
                            2
                        ]
                    ],
                    "virtualbox2": [
                        [
                            1696,
                            1
                        ]
                    ],
                    "vmware21": [
                        [
                            1755,
                            0
                        ]
                    ]
                },
                "strings": [
                    "dm10b29scw==",
                    "dmJveHNlcnZpY2U=",
                    "dmJveHRyYXk="
                ]
            }
        ],
        "sha1": "644fa1acd9b3b1a899d010893855013f1595f0fc",
        "name": "f53c195fe5b3fb1c_wl_processes.cfg",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_processes.cfg",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "f53c195fe5b3fb1caf439289ca3da36906ad2371547ce3895d887389a9cc1b28",
        "urls": [],
        "crc32": "1778FFB1",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/f53c195fe5b3fb1c_wl_processes.cfg",
        "ssdeep": null,
        "size": 1862,
        "sha512": "3d7f47170be2c6522966077e34635ea4c3677d36e2ef36c13baa561f96d73d56dd15919f7859eb71f781cd9dc3ffd3c132aadf99141e2140c439098eebc5e666",
        "pids": [
            2816
        ],
        "md5": "8e839e89498629722f6a17937c241f23"
    },
    {
        "yara": [],
        "sha1": "d2eb14fd8bdac6f03b1457b3673f15c8cef83376",
        "name": "45e61b86ac70cf14_wl_tasks.cfg",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_tasks.cfg",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "45e61b86ac70cf14a1b51e41423a7a75d9bac327f783457a4d6f5296bea83203",
        "urls": [],
        "crc32": "61DBAC09",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/45e61b86ac70cf14_wl_tasks.cfg",
        "ssdeep": null,
        "size": 131,
        "sha512": "95720b4b473ecf3b581665f58d423ee582776baf495cde2f870465d5fda04b8640ff28929574ee581fdda7e069b874a5bc6eccc62a0f72cc51ed4ee187bf0642",
        "pids": [
            2816
        ],
        "md5": "e128b804560c927f907c2dcce259713e"
    },
    {
        "yara": [],
        "sha1": "73e0f6856629ae7a1384fc426fa1a37f341c284e",
        "name": "449b9f2dc6b67a6e_clean_shortcut.vbs",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\clean_shortcut.vbs",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "449b9f2dc6b67a6eccf0fbe16ff91af50efb57e0978393a2c3f1b3fafd1189d9",
        "urls": [],
        "crc32": "959176D7",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/449b9f2dc6b67a6e_clean_shortcut.vbs",
        "ssdeep": null,
        "size": 428,
        "sha512": "de1ed7bc00c76e9fc7867593a994c7afcfebfcdaaf64568a38a45da22b1c5c80e8e98aa83b85c8fc4ddefe44119d5f9d19e9ab6dc160b6759e94bf61b3d4d719",
        "pids": [
            2816
        ],
        "md5": "fa73fe2c0d3c62e8732a71282e2e491c"
    },
    {
        "yara": [],
        "sha1": "852b4a2892baa1ec2b92e814ea20bf3dcdd3fcbd",
        "name": "47f82f1d3dbfc6c0_bl_urls.cfg",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_urls.cfg",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "47f82f1d3dbfc6c02b5fb3da6691cccffbec675c57a194cdf9e6ff439c5b8e77",
        "urls": [],
        "crc32": "7AC59EF8",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/47f82f1d3dbfc6c0_bl_urls.cfg",
        "ssdeep": null,
        "size": 11511,
        "sha512": "37b6290972451078b4d67120ca8a6d424ccba265bb8d0f89351b1ad72cb9f5110dfffaf9ab84c6a375c5c8589bbeacd5ebc3aee88177db103ebc8fe5250dff23",
        "pids": [
            2816
        ],
        "md5": "6126a6b5ea1244a195baddb40c5df003"
    },
    {
        "yara": [],
        "sha1": "e532e5a3e74926f6a750b3a80d3ea232dd251e4a",
        "name": "3a71bf90e8bddfb8_regex2.dll",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\regex2.dll",
        "type": "PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows",
        "sha256": "3a71bf90e8bddfb813b44f9cbcecf431311a7979c1debc976767b3e5e59031af",
        "urls": [],
        "crc32": "80AD4456",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/3a71bf90e8bddfb8_regex2.dll",
        "ssdeep": null,
        "size": 79360,
        "sha512": "bff4b9a92ab9954da46b0730c42da52342a2c4d0db0d052031299cac0cbe5001cffb976b84a44d06b2105de0957c3fdc2408fd640eac8230dd3341be286639db",
        "pids": [
            2816
        ],
        "md5": "547c43567ab8c08eb30f6c6bacb479a3"
    },
    {
        "yara": [],
        "sha1": "18d24061e69de4af120bc83544045f95a5cf4b52",
        "name": "1acbf2a4a53db859_wget-1.11.4-1-gnuwin32.readme",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\wget-1.11.4-1-GnuWin32.README",
        "type": "ASCII text, with very long lines, with CRLF line terminators",
        "sha256": "1acbf2a4a53db8597cc3774b6d312f207ac2011fd4ceeeca9523452d016a9315",
        "urls": [
            "http:\/\/gnuwin32.sourceforge.net\/packages\/openssl.htm",
            "http:\/\/gnuwin32.sourceforge.net\/packages\/libiconv.htm",
            "http:\/\/gnuwin32.sourceforge.net\/packages\/libintl.htm",
            "http:\/\/ftp.gnu.org\/gnu\/wget\/wget-1.11.4.tar.gz",
            "http:\/\/www.gnu.org\/software\/wget",
            "http:\/\/www.microsoft.com\/windows\/ie",
            "http:\/\/support.microsoft.com\/kb\/259403",
            "http:\/\/gnuwin32.sourceforge.net",
            "http:\/\/gnuwin32.sourceforge.net\/compile.html",
            "http:\/\/gnuwin32.sourceforge.net\/packages\/libgw32c.htm."
        ],
        "crc32": "6E252E08",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/1acbf2a4a53db859_wget-1.11.4-1-gnuwin32.readme",
        "ssdeep": null,
        "size": 3146,
        "sha512": "13ad4403fbc72b0af06419f1bd29f51f16068b2a47bd818527b1812ba819cdd125fbf7dea52708a69f2e427fb21e4b81b96efec834b0078a94156db445d65dac",
        "pids": [
            2816
        ],
        "md5": "a541c96318f0fe10d90415e7b6a57080"
    },
    {
        "yara": [],
        "sha1": "7d723cf82658da76bda85ae00bf20cb01b43edc8",
        "name": "95a2e2cacfb63d09_sed.dat",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\SED.DAT",
        "type": "PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows",
        "sha256": "95a2e2cacfb63d095de385a98f1d5d4a21f0e7e8de485cbaf5b872434d43fb73",
        "urls": [],
        "crc32": "38F1CDD9",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/95a2e2cacfb63d09_sed.dat",
        "ssdeep": null,
        "size": 98816,
        "sha512": "16a68add6c2f6011c3c69dd3a3bf9496730c712e631c4992c19a83747020e8b560e3b93b08e95c536f245508a9c923f18488b2aef300acbe2ecedbe4ff3e5ca2",
        "pids": [
            2816
        ],
        "md5": "2b657a67aebb84aea5632c53e61e23bf"
    },
    {
        "yara": [],
        "sha1": "20fd14fc58b1363f170a918bd9f648b1290dbbb3",
        "name": "f88515a3a4ab36c4_bl_lnkfiles.cfg",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_lnkfiles.cfg",
        "type": "ISO-8859 text, with CRLF line terminators",
        "sha256": "f88515a3a4ab36c42a681ad0ba14e8f5b8ef8278399fc173ac240720799443ba",
        "urls": [],
        "crc32": "162187D7",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/f88515a3a4ab36c4_bl_lnkfiles.cfg",
        "ssdeep": null,
        "size": 8964,
        "sha512": "aeafcac5a2bb24f0112d44cf3840a81bf4dac28092c917ef44b517dacc9a93febf9525c3a6895d0c77a41bd926688bcacd4af3c9c9752b0aaf4f8ea53d230dea",
        "pids": [
            2816
        ],
        "md5": "f28ff60edec9da7f2691ae8f012961c6"
    },
    {
        "yara": [],
        "sha1": "0485637b24393a5d298d173d4fa9a1a84bf0cc72",
        "name": "fb5a9a5c71a54d05_jrtcurrentmd5",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\jrtcurrentmd5",
        "type": "ASCII text, with no line terminators",
        "sha256": "fb5a9a5c71a54d055c3a66fd0d1b404a04a6c5ad5e36ca571c7ec88c16701057",
        "urls": [],
        "crc32": "56528E8D",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/fb5a9a5c71a54d05_jrtcurrentmd5",
        "ssdeep": null,
        "size": 13,
        "sha512": "7542ea895a678dc4b63d71799f03d29fcc59ee6020644091fc42495503ae47a5cee4b4559c8845eba1537d5e277d8e3aaad299977e4a94d9de3f5ca323326848",
        "pids": [
            2816
        ],
        "md5": "36d3663c87c5b5e7a1093afd56824a43"
    },
    {
        "yara": [],
        "sha1": "0f238e3a747d348599b9c83870a9af4a71c07b01",
        "name": "e8030db6e3438355_grep.dat",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\GREP.DAT",
        "type": "PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows",
        "sha256": "e8030db6e3438355d098533b3ccdcbde1801ab67fa8917506fe50489c11a5751",
        "urls": [
            "http:\/\/gnu.org\/licenses\/gpl.html",
            "http:\/\/www.gnu.org\/software\/grep\/",
            "http:\/\/www.gnu.org\/gethelp\/"
        ],
        "crc32": "1966DADB",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/e8030db6e3438355_grep.dat",
        "ssdeep": null,
        "size": 96256,
        "sha512": "069410a12d5afaaed4ac744298cd6e0ef69b6c6640d365fa2ee4668f1ff5341055ebf9a8b3197414081641c0ea1f7d5d5080e2f5f2bca42bac1f602471fb662e",
        "pids": [
            2816
        ],
        "md5": "83a3d89f40a05038760110b1e6e54762"
    },
    {
        "yara": [],
        "sha1": "d70fa160c2db2ea4df8423a02c0003fedc590b38",
        "name": "12448235e23697e8_bl_tasks.cfg",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_tasks.cfg",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "12448235e23697e8644d732bd0aa6fef2994361f3b855298db8740d869cc1473",
        "urls": [],
        "crc32": "6C95402B",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/12448235e23697e8_bl_tasks.cfg",
        "ssdeep": null,
        "size": 5544,
        "sha512": "f2adf345b48a1dddfb2b28ccf7f4d466e33cfb05ca5579f373ca8b4ae10c143e824f7cad98bb1e1cc552f46fb10685eb15a371c11587873e58217d3cdfbce6cb",
        "pids": [
            2816
        ],
        "md5": "e1c51517350010a4fc12d62ec38e41c4"
    },
    {
        "yara": [],
        "sha1": "cd4fbc43677f5e355d2a865a21c764dff4cfc45b",
        "name": "e3a4472edbe6f6cf_grep-2.5.4-gnuwin32.readme",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\grep-2.5.4-GnuWin32.README",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "e3a4472edbe6f6cf0aac5254e4e0ef9053d11f9b4b2cac725186f042b754be7e",
        "urls": [
            "http:\/\/gnuwin32.sourceforge.net\/packages\/libiconv.htm",
            "http:\/\/gnuwin32.sourceforge.net\/packages\/libintl.htm",
            "http:\/\/gnuwin32.sourceforge.net\/packages\/libgw32c.htm.",
            "http:\/\/ftp.gnu.org\/gnu\/grep\/grep-2.5.4.tar.gz",
            "http:\/\/www.microsoft.com\/windows\/ie",
            "http:\/\/support.microsoft.com\/kb\/259403",
            "http:\/\/www.gnu.org\/software\/grep\/grep.html",
            "http:\/\/gnuwin32.sourceforge.net",
            "http:\/\/gnuwin32.sourceforge.net\/compile.html",
            "http:\/\/gnuwin32.sourceforge.net\/packages\/regex.htm",
            "http:\/\/gnuwin32.sourceforge.net\/packages\/pcre.htm"
        ],
        "crc32": "7945C10F",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/e3a4472edbe6f6cf_grep-2.5.4-gnuwin32.readme",
        "ssdeep": null,
        "size": 1940,
        "sha512": "0b7fa744a5435ca32d2184f993332257488110c242fc732a5f571f3fe29fdb3e408b00326842d3722120272d823ffe5bcaab8b94e512a73cf270656790669371",
        "pids": [
            2816
        ],
        "md5": "d8f87c00f2e66d08c26c840916b7ea8a"
    },
    {
        "yara": [],
        "sha1": "b7aef73fd5c9610860e2f3f6a3b8a21cb6873261",
        "name": "74cd07ef186d995a_shortcut.dat",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\SHORTCUT.DAT",
        "type": "PE32 executable (console) Intel 80386, for MS Windows",
        "sha256": "74cd07ef186d995ad75a0c2a153d1dd6f7b563987f5aa0fefef0a095708c02dd",
        "urls": [],
        "crc32": "BBCB3ED9",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/74cd07ef186d995a_shortcut.dat",
        "ssdeep": null,
        "size": 57344,
        "sha512": "eaa013b4885a4f05e998366317fe5bc46b7057c1f29653004787b0a6c40b445728a8ec63d0fa577e56293c34a27b508b7cc17a7a6ac95de3c42541a51ecd12cc",
        "pids": [
            2816
        ],
        "md5": "59375510bde2ff0dba7a8197ad9f12bb"
    },
    {
        "yara": [],
        "sha1": "c0be1545703ff0469c83688b677e7666a782160c",
        "name": "e050308c4a297f63_nircmd.chm",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\NirCmd.chm",
        "type": "MS Windows HtmlHelp Data",
        "sha256": "e050308c4a297f637a848109d719c65a62f6ab6ed0d854d026cc2df257515d32",
        "urls": [],
        "crc32": "AC3B8210",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/e050308c4a297f63_nircmd.chm",
        "ssdeep": null,
        "size": 45977,
        "sha512": "7b9b3497061e830ea8abd2b585afcb787fa41bd0028fd94673612ca8757c91c2069e3b7e2423ba66924deaef255f8bcd9ccc47c9fe7346974e38c4ecc8232047",
        "pids": [
            2816
        ],
        "md5": "66729efe2819e71c060af7fd49732c28"
    },
    {
        "yara": [],
        "sha1": "457e209ab441abb501dc3bf20557b748719b8bb1",
        "name": "8861aaaf4c65eb97_pcre3.dll",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\pcre3.dll",
        "type": "PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows",
        "sha256": "8861aaaf4c65eb975b927292f7283bf1aeacdae8428700e81ddfd0fa2c379d62",
        "urls": [],
        "crc32": "60852C8F",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/8861aaaf4c65eb97_pcre3.dll",
        "ssdeep": null,
        "size": 140288,
        "sha512": "546531682ba91ba36909395c5e070e6d14512817030e7cbb76d36ae861e1bd24329482a6c8692596ec8c03a220d4dbbc59f770fbc2cd855cd7831be5a5a9ca3c",
        "pids": [
            2816
        ],
        "md5": "57cac848fa14ae38f14f9441f8933282"
    },
    {
        "yara": [
            {
                "meta": {
                    "description": "Possibly employs anti-virtualization techniques",
                    "author": "nex"
                },
                "name": "vmdetect",
                "offsets": {
                    "virtualbox6": [
                        [
                            9707,
                            8
                        ]
                    ],
                    "virtualbox5": [
                        [
                            9648,
                            6
                        ]
                    ],
                    "virtualbox4": [
                        [
                            9659,
                            5
                        ]
                    ],
                    "virtualbox2": [
                        [
                            9694,
                            7
                        ]
                    ],
                    "vmware22": [
                        [
                            9950,
                            4
                        ]
                    ],
                    "vmware16": [
                        [
                            9941,
                            3
                        ]
                    ],
                    "vmware15": [
                        [
                            9857,
                            1
                        ]
                    ],
                    "vmware21": [
                        [
                            9970,
                            0
                        ]
                    ],
                    "vmware17": [
                        [
                            9898,
                            2
                        ]
                    ]
                },
                "strings": [
                    "dm10b29scw==",
                    "dm1pY2hlYXJ0YmVhdA==",
                    "dm1pY3NodXRkb3du",
                    "dm1pY3Zzcw==",
                    "dm1tZW1jdGw=",
                    "dmJveG1vdXNl",
                    "dmJveGd1ZXN0",
                    "dmJveHNlcnZpY2U=",
                    "dmJveHNm"
                ]
            }
        ],
        "sha1": "6296b206366f970c0bd4b629f0e8ab0bdcf4570d",
        "name": "7e6ddf7437e6af57_wl_services.cfg",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_services.cfg",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "7e6ddf7437e6af57724f6f99477208cf9b0bf9f4faca160b5ad00c9458ce2c1f",
        "urls": [],
        "crc32": "14E35C96",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/7e6ddf7437e6af57_wl_services.cfg",
        "ssdeep": null,
        "size": 10993,
        "sha512": "16a4a99746e3a15d0e1a3ba91a68b97a4376783d2489ccdc5b0b7334f68b60b6dfbbc58b2c8395c685990f5999f511640995cb59a863323dae7e0111d1e22dc7",
        "pids": [
            2816
        ],
        "md5": "e4693721b5f2ae2a885c9199b5505bf7"
    },
    {
        "yara": [
            {
                "meta": {
                    "description": "Possibly employs anti-virtualization techniques",
                    "author": "nex"
                },
                "name": "vmdetect",
                "offsets": {
                    "vmware_mac_2c": [
                        [
                            56985,
                            0
                        ],
                        [
                            68043,
                            0
                        ]
                    ],
                    "vmware_mac_3c": [
                        [
                            36503,
                            1
                        ]
                    ]
                },
                "strings": [
                    "MDA1MDU2",
                    "MDAwYzI5"
                ]
            }
        ],
        "sha1": "c1450dc00f3ca7570364dcd3230d0a35371125d6",
        "name": "d975125ee9f20700_wl_toolbars.cfg",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_toolbars.cfg",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "d975125ee9f20700eb19dc10b5d7665914cf3f23654199ad784407095775eccd",
        "urls": [],
        "crc32": "F35CD9E2",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/d975125ee9f20700_wl_toolbars.cfg",
        "ssdeep": null,
        "size": 72577,
        "sha512": "b40474a5bdefcfabf3e9e503e9cf0f838310f200a43ae98894a7b704167738f9dfc62a3ed20c8243c88728788425c935d4a012865151256a377ca998cb771880",
        "pids": [
            2816
        ],
        "md5": "5dec78c19b873478a4c87324544890a2"
    },
    {
        "yara": [],
        "sha1": "374632ff14e6b626f5a35884f21a8cd55f8a9ac2",
        "name": "73b6e8a72aaa99f4_createrestorepoint.exe",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\CreateRestorePoint.exe",
        "type": "PE32 executable (console) Intel 80386, for MS Windows",
        "sha256": "73b6e8a72aaa99f49b9f86f1dd6fec879a9536977681338a9601b8ba983d1d19",
        "urls": [
            "http:\/\/crl3.digicert.com\/DigiCertHighAssuranceEVRootCA.crl0",
            "http:\/\/crl4.digicert.com\/EVCodeSigningSHA2-g1.crl0K",
            "http:\/\/crl4.digicert.com\/DigiCertAssuredIDCA-1.crl0w",
            "http:\/\/cacerts.digicert.com\/DigiCertAssuredIDRootCA.crt0",
            "http:\/\/cacerts.digicert.com\/DigiCertHighAssuranceEVRootCA.crt0",
            "http:\/\/crl3.digicert.com\/EVCodeSigningSHA2-g1.crl07",
            "http:\/\/crl3.digicert.com\/DigiCertAssuredIDRootCA.crl0:",
            "http:\/\/crl4.digicert.com\/DigiCertHighAssuranceEVRootCA.crl0",
            "http:\/\/cacerts.digicert.com\/DigiCertAssuredIDCodeSigningCA-1.crt0",
            "http:\/\/ocsp.digicert.com0C",
            "http:\/\/crl.thawte.com\/ThawteTimestampingCA.crl0",
            "http:\/\/ocsp.digicert.com0A",
            "http:\/\/ts-crl.ws.symantec.com\/tss-ca-g2.crl0",
            "http:\/\/ocsp.digicert.com0L",
            "http:\/\/ocsp.digicert.com0I",
            "http:\/\/ocsp.digicert.com0H",
            "http:\/\/ocsp.thawte.com0",
            "http:\/\/crl3.digicert.com\/assured-cs-g1.crl00",
            "http:\/\/ts-aia.ws.symantec.com\/tss-ca-g2.cer0",
            "http:\/\/crl4.digicert.com\/DigiCertAssuredIDRootCA.crl0",
            "http:\/\/cacerts.digicert.com\/DigiCertAssuredIDCA-1.crt0",
            "http:\/\/cacerts.digicert.com\/DigiCertEVCodeSigningCA-SHA2.crt0",
            "http:\/\/crl4.digicert.com\/assured-cs-g1.crl0L",
            "http:\/\/ts-ocsp.ws.symantec.com07",
            "https:\/\/www.digicert.com\/CPS0",
            "http:\/\/www.digicert.com\/ssl-cps-repository.htm0",
            "http:\/\/crl3.digicert.com\/DigiCertAssuredIDCA-1.crl08"
        ],
        "crc32": "08680A05",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/73b6e8a72aaa99f4_createrestorepoint.exe",
        "ssdeep": null,
        "size": 106448,
        "sha512": "1edb4acae18c1ff91c903b3aabe9a1aebbfb8d78cdf0cfb17d96db98cc9a931793e96158eaa88ac7ebfcb9c32f5e14ed5333c76ac8cba73d864fa83a1a513682",
        "pids": [
            2816
        ],
        "md5": "2251ceb04adffb068f80a6c98f5b7abb"
    },
    {
        "yara": [],
        "sha1": "bebfb31f3c0b31c41d3e6e35f0bab1f07d19096a",
        "name": "de626b2e02db7539_bl_ffxml.cfg",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffxml.cfg",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "de626b2e02db7539121a83ba38f760a875f124d9c3dd05ccc7bbc589f298b00a",
        "urls": [],
        "crc32": "5669E905",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/de626b2e02db7539_bl_ffxml.cfg",
        "ssdeep": null,
        "size": 4200,
        "sha512": "5cde40ffbc62e046bc6dc6f06b3011deeeec43c3d3b524778456faf06c9b2b5bf01afeb2616ea55b1821e2c0efff58639d8749ddb9ce939f778f455dbd7482df",
        "pids": [
            2816
        ],
        "md5": "cdef3abcae8ad1b6b6caafc7ba8c5d73"
    },
    {
        "yara": [],
        "sha1": "1fa9c33e354a0f550ddd5b6d1a17129a0fdd2931",
        "name": "691e2f088e116ff7_bl_ffplugin.cfg",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffplugin.cfg",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "691e2f088e116ff729cf64535c2fe4389d0000a7da8d4fbf1da4c7cbd6d451f8",
        "urls": [],
        "crc32": "A10B1A20",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/691e2f088e116ff7_bl_ffplugin.cfg",
        "ssdeep": null,
        "size": 3898,
        "sha512": "f1a66f03eab211ff728820b860be4d8e1a1a863a575f4c509ea87d25259448013cf5e693d7d4bea941b5d1346610535030ffdc5aa910b0d912e331eb828ea694",
        "pids": [
            2816
        ],
        "md5": "6c0a5b19478b5cc273e9de5c2aa0e165"
    },
    {
        "yara": [
            {
                "meta": {
                    "description": "Possibly employs anti-virtualization techniques",
                    "author": "nex"
                },
                "name": "vmdetect",
                "offsets": {
                    "vmware6": [
                        [
                            22877,
                            2
                        ]
                    ],
                    "vmware4": [
                        [
                            22377,
                            1
                        ]
                    ],
                    "vmware_mac_2c": [
                        [
                            22013,
                            0
                        ]
                    ]
                },
                "strings": [
                    "MDA1MDU2",
                    "aGdmcy5zeXM=",
                    "cHJsZXRoLnN5cw=="
                ]
            }
        ],
        "sha1": "fd246695d89a6a69722f69ebe6c8c8a1b745a912",
        "name": "f793fa295e159855_get.bat",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\get.bat",
        "type": "ASCII text, with very long lines, with CRLF line terminators",
        "sha256": "f793fa295e1598556a6b91eb73b68d825d5edbcb0a764d9d58a570a6a4b5bf0f",
        "urls": [
            "http:\/\/imgur.com\/b71EmoM",
            "http:\/\/imgur.com\/tnT8DZu",
            "http:\/\/data-cdn.mbamupdates.com\/v1\/tools\/jrt\/jrtnewmd5",
            "http:\/\/downloads.malwarebytes.org\/file\/jrt_update",
            "http:\/\/stackoverflow.com\/questions\/16414410\/delete-empty-lines-using-sed"
        ],
        "crc32": "80B61EE4",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/f793fa295e159855_get.bat",
        "ssdeep": null,
        "size": 129459,
        "sha512": "b5cba83881421b9cdcb3bf074f01cf6f3ae7998ddfb85ce60338989575e352ba270399776ced58084213dfb3b677a8bb3671a42db9aee0b091c4cd0de31510bc",
        "pids": [
            2816
        ],
        "md5": "6142e0a5c78fa8b63993357af48d7ab9"
    },
    {
        "yara": [],
        "sha1": "192e597d8ff0192f6c4e4643361f84277ed51121",
        "name": "f48ce1866602b114_libintl3.dll",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\libintl3.dll",
        "type": "PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows",
        "sha256": "f48ce1866602b114e653c876334b771107559acf1c685373d2305034613958f0",
        "urls": [],
        "crc32": "849CB78C",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/f48ce1866602b114_libintl3.dll",
        "ssdeep": null,
        "size": 103424,
        "sha512": "706d74c56ce8d08539c729bdb6c8d57c9a4b0a1c795b8574a1bb2c452358e1bfd5d4fca5a00ab7568dea4ae02c553ce6ab199b3c6418a44cb8915f7e26bd2988",
        "pids": [
            2816
        ],
        "md5": "d202baa425176287017ffe1fb5d1b77c"
    },
    {
        "yara": [],
        "sha1": "457b1cd985ed07baffd8c66ff40e9c1b6da93753",
        "name": "a48ad33695a44de8_wget.dat",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\WGET.DAT",
        "type": "PE32 executable (console) Intel 80386, for MS Windows, UPX compressed",
        "sha256": "a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599",
        "urls": [
            "http:\/\/upx.tsx.org"
        ],
        "crc32": "43F4C4C7",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/a48ad33695a44de8_wget.dat",
        "ssdeep": null,
        "size": 401408,
        "sha512": "3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a",
        "pids": [
            2816
        ],
        "md5": "bd126a7b59d5d1f97ba89a3e71425731"
    },
    {
        "yara": [],
        "sha1": "98c9390b549af946a5d25f65c9a62c33d751a92c",
        "name": "6767c800257e09ac_bl_folderss.cfg",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_foldersS.cfg",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "6767c800257e09ac3cc886f1e5cad05ab9e6144cb08b28b385ae07eb62ae1a1c",
        "urls": [],
        "crc32": "90E42A28",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/6767c800257e09ac_bl_folderss.cfg",
        "ssdeep": null,
        "size": 4308,
        "sha512": "40babdd33606871e9f9d55d0b0df9cdd8f95dd4524572827ac67de5725b83a85fc70cfee6e140bc6940c7cf36d3efa2a800d54793d65001408d445fea8f8ab52",
        "pids": [
            2816
        ],
        "md5": "97b7fd68b9e6cc1194a000ff783eaaf7"
    },
    {
        "yara": [],
        "sha1": "56c9a43a4ab6d54ad221bc216800545d5e384899",
        "name": "47241bf693575552_bl_ffext.cfg",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffext.cfg",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "47241bf6935755524e8fc3c781718630278c2ad1f1ba81790a35b5d4cbea8dab",
        "urls": [],
        "crc32": "6F49E012",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/47241bf693575552_bl_ffext.cfg",
        "ssdeep": null,
        "size": 12711,
        "sha512": "afc97a0466bfcfe281a21f44a8eb27989fe1ffc362e79182f7a1d5136ac714133e982abc040cc18195e537db1e9ad97128841852b90b0d1d115db053316ddb35",
        "pids": [
            2816
        ],
        "md5": "3e03ed48daa500ac767092b38b8a5e28"
    },
    {
        "yara": [],
        "sha1": "a3bbbba563eac751692ba814ada18c3f1c33dd9b",
        "name": "f2bd35063b92a8f7_nircmdc.exe",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\nircmdc.exe",
        "type": "PE32 executable (console) Intel 80386, for MS Windows, UPX compressed",
        "sha256": "f2bd35063b92a8f7d0f8d1a5448ff6836d22972fe3fe4a55fcaecafb7d4044cb",
        "urls": [],
        "crc32": "5773C9D2",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/f2bd35063b92a8f7_nircmdc.exe",
        "ssdeep": null,
        "size": 43520,
        "sha512": "90414a718453ddb1065f912c344f3774b1d1d5759aa5d86e6b31faee2ba92d26b2164212196b97611fccb52f50866540d0b7c1f2c4940cb494ff3fcbad090aad",
        "pids": [
            2816
        ],
        "md5": "2f9c7fda92c346cb5aa32091536ae0cb"
    },
    {
        "yara": [],
        "sha1": "65635472d84f8320c2fc1c2237e09bf9a02b0b95",
        "name": "8713ddf34ac396a0_bl_foldersm.cfg",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_foldersM.cfg",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "8713ddf34ac396a003c6af549979d5133956f4a296e8389bdac205b49b2841f4",
        "urls": [],
        "crc32": "4A22657E",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/8713ddf34ac396a0_bl_foldersm.cfg",
        "ssdeep": null,
        "size": 46325,
        "sha512": "f48269d0ef3379783f8c4501c33467731d391b86acaac6715d7a94e7a0df69c91acaa9bfe40eada07f72f086d283ed61a01ca1fa21d68b1be930d5f086a99c00",
        "pids": [
            2816
        ],
        "md5": "05e5adb8b23a6e536df993c489a50e4e"
    },
    {
        "yara": [],
        "sha1": "776cf06e45a70d69e86e6fa1c620ff86817b4526",
        "name": "613dec5ae47c9fcc_bl_chrstrg.cfg",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_chrstrg.cfg",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "613dec5ae47c9fcc4eff4e50fe811fd41a9442796a57dbb0e63fbe36178c0663",
        "urls": [],
        "crc32": "9CEF881A",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/613dec5ae47c9fcc_bl_chrstrg.cfg",
        "ssdeep": null,
        "size": 63094,
        "sha512": "30e92c37ec45b1e022a4e01af36d95a4106c5d8e7c69cae0a4a09710714a32efd4c30991ce52a77d3c9fe1e90dc0474ddc3f65c3a908c27b2211f5ab6b097b37",
        "pids": [
            2816
        ],
        "md5": "ebdfde9f11720dfc627933f37e8ae319"
    },
    {
        "yara": [],
        "sha1": "7e7998642babcb567ff7845cfaf4f3636ce209f7",
        "name": "582051a1951ae73e_nircmd.dat",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\NIRCMD.DAT",
        "type": "PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed",
        "sha256": "582051a1951ae73e26ca5e7d6bd8a5e4120ada369d2e3a85a2aac191c3f7ac10",
        "urls": [],
        "crc32": "86E4E133",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/582051a1951ae73e_nircmd.dat",
        "ssdeep": null,
        "size": 43520,
        "sha512": "99f2d69023210ce67f05a87b19d8b9a09945e46cee57c32bdde399434877cfc388aff7dc6085cdbf4069d4b05f8914b26106d55563ab120ef76b6157592336e6",
        "pids": [
            2816
        ],
        "md5": "466a42aea0abdf4c6b610f0f5e61cfa2"
    },
    {
        "yara": [],
        "sha1": "64cda0b66aab554d4d1c8b133084aa30d990f01d",
        "name": "95691814d1051081_bl_appinit.cfg",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_appinit.cfg",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "95691814d105108152b96e41d0f0ff30462d0a060af32431089c312604c235b6",
        "urls": [],
        "crc32": "321A7EA5",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/95691814d1051081_bl_appinit.cfg",
        "ssdeep": null,
        "size": 429,
        "sha512": "f0a7d8680d7742906b3aa65df99d4fc735d990b7058b2e63d3745a79f4acf07f002d1bc8155ae035764439cb9410bbf3225b59dd51984efc73c848ed198f86a1",
        "pids": [
            2816
        ],
        "md5": "cc6a968ccda289be7b69e039646d0bc9"
    },
    {
        "yara": [],
        "sha1": "fcb1f3baebe82e1e203492a2077e675a7532d9d1",
        "name": "e5798badbea66234_wl_firefox.cfg",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_firefox.cfg",
        "type": "ASCII text, with CRLF line terminators",
        "sha256": "e5798badbea66234454b9a363db3a7e9d44b586d2b9909937c03482f75ffbd9a",
        "urls": [],
        "crc32": "C7DDB011",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/2446\/files\/e5798badbea66234_wl_firefox.cfg",
        "ssdeep": null,
        "size": 245,
        "sha512": "3a80fde28f570d2103e2ad444f254927f64514f78c3b2463b80b78ab4559aae31b8f3c00658922313217d7120c456555c5fc71c1a32f9114d5658b899e3a9559",
        "pids": [
            2816
        ],
        "md5": "90407f86a44493c61f8c394503d5fe0e"
    }
]

Generic

[
    {
        "process_path": "C:\\Windows\\SysWOW64\\reg.exe",
        "process_name": "reg.exe",
        "pid": 2784,
        "summary": {
            "file_opened": [
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
            ],
            "regkey_opened": [
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
            ],
            "dll_loaded": [
                "kernel32.dll"
            ]
        },
        "first_seen": 1568213587.9991,
        "ppid": 2844
    },
    {
        "process_path": "C:\\Windows\\SysWOW64\\net.exe",
        "process_name": "net.exe",
        "pid": 1232,
        "summary": {
            "command_line": [
                "C:\\Windows\\system32\\net1  session "
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
                "HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
                "HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
            ]
        },
        "first_seen": 1568213588.3898,
        "ppid": 2384
    },
    {
        "process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
        "process_name": "cmd.exe",
        "pid": 2912,
        "summary": {
            "file_exists": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt"
            ],
            "regkey_opened": [
                "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar"
            ],
            "directory_enumerated": [
                "C:\\Users\\cuck\\AppData",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\Users\\cuck",
                "C:\\Users",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt",
                "C:\\Users\\cuck\\AppData\\Local"
            ]
        },
        "first_seen": 1568213588.2023,
        "ppid": 2384
    },
    {
        "process_path": "C:\\Windows\\System32\\lsass.exe",
        "process_name": "lsass.exe",
        "pid": 476,
        "summary": {},
        "first_seen": 1568213585.4844,
        "ppid": 376
    },
    {
        "process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
        "process_name": "cmd.exe",
        "pid": 2572,
        "summary": {
            "file_recreated": [
                "\\??\\NUL"
            ],
            "dll_loaded": [
                "kernel32.dll"
            ],
            "file_opened": [
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
            ],
            "regkey_opened": [
                "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
            ],
            "file_exists": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt"
            ],
            "command_line": [
                "REG  QUERY \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName\" \/v ComputerName "
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar"
            ],
            "directory_enumerated": [
                "C:\\Python27\\REG",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\REG.*",
                "C:\\Users\\cuck\\AppData",
                "C:\\Windows\\System32\\reg.COM",
                "C:\\Windows\\System32\\REG.*",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\REG",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\Python27\\REG.*",
                "C:\\Users\\cuck",
                "C:\\Python27\\Scripts\\REG",
                "C:\\Python27\\Scripts\\REG.*",
                "C:\\Users",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt",
                "C:\\Users\\cuck\\AppData\\Local",
                "C:\\Windows\\System32\\reg.exe"
            ]
        },
        "first_seen": 1568213587.4366,
        "ppid": 2384
    },
    {
        "process_path": "C:\\Windows\\SysWOW64\\net1.exe",
        "process_name": "net1.exe",
        "pid": 2736,
        "summary": {
            "dll_loaded": [
                "rpcrt4.dll",
                "NETMSG"
            ],
            "file_opened": [
                "\\\\?\\PIPE\\srvsvc"
            ],
            "regkey_opened": [
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
                "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc"
            ],
            "file_written": [
                "\\\\?\\PIPE\\srvsvc"
            ],
            "file_read": [
                "\\\\?\\PIPE\\srvsvc"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language\\InstallLanguageFallback",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
                "HKEY_CURRENT_USER\\Control Panel\\Desktop\\PreferredUILanguages",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\Type",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\MUI\\UILanguages\\en-US\\AlternateCodePage",
                "HKEY_CURRENT_USER\\Control Panel\\Desktop\\MuiCached\\MachinePreferredUILanguages",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\EMPTY",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
            ]
        },
        "first_seen": 1568213588.5929,
        "ppid": 1232
    },
    {
        "process_path": "C:\\Windows\\SysWOW64\\reg.exe",
        "process_name": "reg.exe",
        "pid": 2648,
        "summary": {
            "file_opened": [
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
            ],
            "regkey_opened": [
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
            ],
            "dll_loaded": [
                "kernel32.dll"
            ]
        },
        "first_seen": 1568213587.6398,
        "ppid": 2572
    },
    {
        "process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
        "process_name": "cmd.exe",
        "pid": 2384,
        "summary": {
            "file_recreated": [
                "\\??\\NUL"
            ],
            "dll_loaded": [
                "ADVAPI32.dll",
                "kernel32.dll"
            ],
            "file_opened": [
                "",
                "C:\\",
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
                "\\Device\\NamedPipe\\",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\get.bat",
                "C:\\Windows\\SysWOW64\\en-US\\KERNELBASE.dll.mui"
            ],
            "regkey_opened": [
                "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
            ],
            "file_exists": [
                "C:\\Windows\\System32\\cmd.exe",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\JRT_NewerVersion\\*",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\\"C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\get.bat\"",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\JRT.*",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\temp\\*",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\jrtnewmd5",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\JRT_NewerVersion",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\get.bat",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\temp"
            ],
            "command_line": [
                "net  session ",
                "PING  -n 1 www.google.com ",
                "FIND  \"Windows XP\" ",
                "C:\\Windows\\system32\\cmd.exe \/c REG QUERY \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName\" \/v ComputerName 2>NUL",
                "C:\\Windows\\system32\\cmd.exe \/c REG QUERY \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\" \/v ProductName 2>NUL",
                "C:\\Windows\\system32\\cmd.exe  \/S \/D \/c\" ECHO Windows 7 Professional\""
            ],
            "file_read": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\get.bat"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\LogFileName",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\DefaultLevel",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\SaferFlags",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\PolicyScope",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Srp\\GP\\RuleCount",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\safer\\codeidentifiers\\Levels",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun"
            ],
            "directory_enumerated": [
                "C:\\Python27\\Scripts\\PING",
                "C:\\Windows\\SysWOW64",
                "C:\\Users\\cuck\\AppData",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\JRT.*",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\Python27\\Scripts\\PING.*",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\FIND.*",
                "C:\\Windows\\System32\\cmd.exe",
                "C:\\Windows\\System32\\net.*",
                "C:\\Python27\\Scripts\\FIND.*",
                "C:\\Windows\\System32\\FIND.*",
                "C:\\Python27\\PING.*",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\temp\\*",
                "C:\\Windows\\System32\\PING.COM",
                "C:\\Windows\\System32\\find.COM",
                "C:\\Windows\\System32\\find.exe",
                "C:\\Users",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\PING",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\net",
                "C:\\Python27\\Scripts\\net",
                "C:\\Python27\\Scripts\\net.*",
                "C:\\Python27\\net",
                "C:\\Python27\\FIND.*",
                "C:\\Windows\\System32\\PING.EXE",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\net.*",
                "C:\\Users\\cuck",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\jrtnewmd5",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\get.bat",
                "C:\\Windows\\System32\\net.COM",
                "C:\\Users\\cuck\\AppData\\Local",
                "C:\\Windows\\System32\\PING.*",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt",
                "C:\\Python27\\PING",
                "C:\\Python27\\FIND",
                "C:\\Python27\\net.*",
                "C:\\Windows\\System32\\net.exe",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\FIND",
                "C:\\Python27\\Scripts\\FIND",
                "C:\\Windows\\Sysnative\\cmd.exe",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\PING.*"
            ]
        },
        "first_seen": 1568213587.2335,
        "ppid": 2816
    },
    {
        "process_path": "C:\\Windows\\SysWOW64\\PING.EXE",
        "process_name": "PING.EXE",
        "pid": 2292,
        "summary": {
            "regkey_opened": [
                "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\DefaultTTL"
            ],
            "resolves_host": [
                "www.google.com"
            ]
        },
        "first_seen": 1568213588.7804,
        "ppid": 2384
    },
    {
        "process_path": "C:\\Windows\\SysWOW64\\find.exe",
        "process_name": "find.exe",
        "pid": 3000,
        "summary": {
            "file_opened": [
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles"
            ],
            "dll_loaded": [
                "kernel32.dll"
            ]
        },
        "first_seen": 1568213588.2179,
        "ppid": 2384
    },
    {
        "process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
        "process_name": "cmd.exe",
        "pid": 2844,
        "summary": {
            "file_recreated": [
                "\\??\\NUL"
            ],
            "dll_loaded": [
                "kernel32.dll"
            ],
            "file_opened": [
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
            ],
            "regkey_opened": [
                "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
            ],
            "file_exists": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt"
            ],
            "command_line": [
                "REG  QUERY \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\" \/v ProductName "
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar"
            ],
            "directory_enumerated": [
                "C:\\Python27\\REG",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\REG.*",
                "C:\\Users\\cuck\\AppData",
                "C:\\Windows\\System32\\reg.COM",
                "C:\\Windows\\System32\\REG.*",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\REG",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\Python27\\REG.*",
                "C:\\Users\\cuck",
                "C:\\Python27\\Scripts\\REG",
                "C:\\Python27\\Scripts\\REG.*",
                "C:\\Users",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt",
                "C:\\Users\\cuck\\AppData\\Local",
                "C:\\Windows\\System32\\reg.exe"
            ]
        },
        "first_seen": 1568213587.8273,
        "ppid": 2384
    },
    {
        "process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\2000acf98ef0ac1a2d75c91586b5f30a2bc3ece6e92388b324614c93a0645cf5.bin",
        "process_name": "2000acf98ef0ac1a2d75c91586b5f30a2bc3ece6e92388b324614c93a0645cf5.bin",
        "pid": 2816,
        "summary": {
            "file_created": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\libiconv2.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\wget.txt",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\CUT.DAT",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_tasks.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_lnkurls.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\SHORTCUT.DAT",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\pcre3.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_appinit.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\grep-2.5.4-GnuWin32.README",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_lnkfiles.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_processes.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_firefox.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_foldersC.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\shortcut.txt",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\wget-1.11.4-1-GnuWin32.README",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffxml.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\sed-4.2.1-GnuWin32.README",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffxpi.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_services.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\GREP.DAT",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_toolbars.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\libintl3.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_foldersM.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\CreateRestorePoint.exe",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\NIRCMD.DAT",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_chrext.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\SED.DAT",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_urls.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffext.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\NirCmd.chm",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_foldersS.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\GNU utilities for Win32.url",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_services.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_tasks.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\get.bat",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\sed.txt",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\regex2.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_values.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\WGET.DAT",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\clean_shortcut.vbs",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_bhos.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\jrtcurrentmd5",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\null",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\nircmdc.exe",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_chrstrg.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffplugin.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\SORT_.DAT"
            ],
            "directory_created": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\temp"
            ],
            "dll_loaded": [
                "SETUPAPI.dll",
                "API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
                "kernel32",
                "C:\\Windows\\syswow64\\MSCTF.dll",
                "IMM32.dll",
                "kernel32.dll",
                "UxTheme.dll",
                "OLEAUT32.DLL",
                "C:\\Windows\\system32\\ole32.dll",
                "dwmapi.dll",
                "comctl32.dll",
                "C:\\Windows\\system32\\uxtheme.dll"
            ],
            "file_opened": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2000acf98ef0ac1a2d75c91586b5f30a2bc3ece6e92388b324614c93a0645cf5.bin",
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
            ],
            "regkey_opened": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{8613E14C-D0C0-4161-AC0F-1DD2563286BC}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{C1EE01F2-B3B6-4A6A-9DDD-E988C088EC82}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F25E9F57-2FC8-4EB3-A41A-CCE5F08541E6}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{07EB03D6-B001-41DF-9192-BF9B841EE71F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{AE6BE008-07FB-400D-8BEB-337A64F7051F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{E429B25A-E5D3-4D1F-9BE3-0C608477E3A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\LayoutIcon\\0409\\0000041d",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{F89E9E58-BD2F-4008-9AC2-0F816C09F4EE}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\2000acf98ef0ac1a2d75c91586b5f30a2bc3ece6e92388b324614c93a0645cf5.bin",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{DCBD6FA8-032F-11D3-B5B1-00C04FC324A1}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{3697C5FA-60DD-4B56-92D4-74A569205C16}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{531FDEBF-9B4C-4A43-A2AA-960E8FCDC732}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{A028AE76-01B1-46C2-99C4-ACD9858AE02F}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\CTF\\DirectSwitchHotkeys",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{81D4E9C9-1D3B-41BC-9E6C-4B40BF79E35E}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{03B5835F-F03C-411B-9CE2-AA23E1171E36}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
                "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{78CB5B0E-26ED-4FCC-854C-77E8F3D1AA80}\\Category\\Category\\{534C48C1-0607-4098-A521-4FC899C73E90}"
            ],
            "command_line": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\get.bat",
                "\"C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\get.bat\" "
            ],
            "file_written": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\libiconv2.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\wget.txt",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\CUT.DAT",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_tasks.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_lnkurls.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\SHORTCUT.DAT",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\pcre3.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_appinit.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\grep-2.5.4-GnuWin32.README",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_lnkfiles.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_processes.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_firefox.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_foldersC.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\shortcut.txt",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\wget-1.11.4-1-GnuWin32.README",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffxml.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\sed-4.2.1-GnuWin32.README",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffxpi.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_services.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\GREP.DAT",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_toolbars.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\libintl3.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_foldersM.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\CreateRestorePoint.exe",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\NIRCMD.DAT",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_chrext.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\SED.DAT",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_urls.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffext.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\NirCmd.chm",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_foldersS.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\GNU utilities for Win32.url",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_services.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_tasks.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\get.bat",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\sed.txt",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\regex2.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_values.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\WGET.DAT",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\clean_shortcut.vbs",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_bhos.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\jrtcurrentmd5",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\nircmdc.exe",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_chrstrg.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffplugin.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\SORT_.DAT"
            ],
            "file_exists": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\libiconv2.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\wget.txt",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\CUT.DAT",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_tasks.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_lnkurls.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\SHORTCUT.DAT",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\pcre3.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_appinit.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\grep-2.5.4-GnuWin32.README",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_lnkfiles.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_processes.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_firefox.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_foldersC.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\shortcut.txt",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\wget-1.11.4-1-GnuWin32.README",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffxml.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\sed-4.2.1-GnuWin32.README",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffxpi.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_services.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\GREP.DAT",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_toolbars.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\libintl3.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\temp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_foldersM.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\CreateRestorePoint.exe",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\NIRCMD.DAT",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_chrext.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\SED.DAT",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_urls.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffext.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\NirCmd.chm",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_foldersS.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\GNU utilities for Win32.url",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_services.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_tasks.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\get.bat",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\sed.txt",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\regex2.dll",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_values.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\WGET.DAT",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\clean_shortcut.vbs",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\wl_bhos.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\jrtcurrentmd5",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\null",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\nircmdc.exe",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_chrstrg.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\bl_ffplugin.cfg",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\SORT_.DAT"
            ],
            "file_failed": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\NirCmd.chm"
            ],
            "guid": [
                "{ea1afb91-9e28-4b86-90e9-9e9f8a5eefaf}",
                "{56fdf344-fd6d-11d0-958a-006097c9a090}"
            ],
            "file_read": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\2000acf98ef0ac1a2d75c91586b5f30a2bc3ece6e92388b324614c93a0645cf5.bin"
            ],
            "regkey_read": [
                "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Language Hotkey",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\CTF\\EnableAnchorContext",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Generation",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Generation",
                "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Hotkey",
                "HKEY_CURRENT_USER\\Keyboard Layout\\Toggle\\Layout Hotkey",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\TIP\\{0000897b-83df-4b96-be07-0fb58b01c4a4}\\LanguageProfile\\0x00000000\\{0001bea3-ed56-483d-a2e2-aeae25577436}\\Enable",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b5-70f9-11e8-b07b-806e6f6e6963}\\Data",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\TurnOffSPIAnimations",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\CPC\\Volume\\{3f5cc1b6-70f9-11e8-b07b-806e6f6e6963}\\Data"
            ]
        },
        "first_seen": 1568213585.7969,
        "ppid": 2308
    }
]

Signatures

[
    {
        "markcount": 1,
        "families": [],
        "description": "Checks if process is being debugged by a debugger",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741515,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1568213585.8759,
                    "tid": 2420,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 23
            }
        ],
        "references": [],
        "name": "checks_debugger"
    },
    {
        "markcount": 16,
        "families": [],
        "description": "Command line console output was observed",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleW",
                    "return_value": 1,
                    "arguments": {
                        "buffer": "Checking for update\r\n",
                        "console_handle": "0x0000000f"
                    },
                    "time": 1568213588.6865,
                    "tid": 2584,
                    "flags": {}
                },
                "pid": 2384,
                "type": "call",
                "cid": 1475
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleW",
                    "return_value": 1,
                    "arguments": {
                        "buffer": "Unable to ping, skipping update check\r\n",
                        "console_handle": "0x00000007"
                    },
                    "time": 1568213591.1395,
                    "tid": 2584,
                    "flags": {}
                },
                "pid": 2384,
                "type": "call",
                "cid": 1567
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleW",
                    "return_value": 1,
                    "arguments": {
                        "buffer": " [         Junkware Removal Tool (JRT) by Malwarebytes          ]\r\n",
                        "console_handle": "0x00000007"
                    },
                    "time": 1568213591.1395,
                    "tid": 2584,
                    "flags": {}
                },
                "pid": 2384,
                "type": "call",
                "cid": 1674
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleW",
                    "return_value": 1,
                    "arguments": {
                        "buffer": " [                  Version 8.1.4 (07.09.2017)                  ]\r\n",
                        "console_handle": "0x00000007"
                    },
                    "time": 1568213591.1395,
                    "tid": 2584,
                    "flags": {}
                },
                "pid": 2384,
                "type": "call",
                "cid": 1686
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleW",
                    "return_value": 1,
                    "arguments": {
                        "buffer": " [         Information about this tool can be found at          ]\r\n",
                        "console_handle": "0x00000007"
                    },
                    "time": 1568213591.1395,
                    "tid": 2584,
                    "flags": {}
                },
                "pid": 2384,
                "type": "call",
                "cid": 1698
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleW",
                    "return_value": 1,
                    "arguments": {
                        "buffer": " [                     www.malwarebytes.com                     ]\r\n",
                        "console_handle": "0x00000007"
                    },
                    "time": 1568213591.1395,
                    "tid": 2584,
                    "flags": {}
                },
                "pid": 2384,
                "type": "call",
                "cid": 1710
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleW",
                    "return_value": 1,
                    "arguments": {
                        "buffer": " [           This software is free to download and use          ]\r\n",
                        "console_handle": "0x00000007"
                    },
                    "time": 1568213591.1395,
                    "tid": 2584,
                    "flags": {}
                },
                "pid": 2384,
                "type": "call",
                "cid": 1734
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleW",
                    "return_value": 1,
                    "arguments": {
                        "buffer": " [      Please save any unsaved work before proceeding as       ]\r\n",
                        "console_handle": "0x00000007"
                    },
                    "time": 1568213591.1395,
                    "tid": 2584,
                    "flags": {}
                },
                "pid": 2384,
                "type": "call",
                "cid": 1758
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleW",
                    "return_value": 1,
                    "arguments": {
                        "buffer": " [  the program will terminate most applications during cleanup ]\r\n",
                        "console_handle": "0x00000007"
                    },
                    "time": 1568213591.1395,
                    "tid": 2584,
                    "flags": {}
                },
                "pid": 2384,
                "type": "call",
                "cid": 1770
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleW",
                    "return_value": 1,
                    "arguments": {
                        "buffer": " [                       ** DISCLAIMER **                       ]\r\n",
                        "console_handle": "0x00000007"
                    },
                    "time": 1568213591.1555,
                    "tid": 2584,
                    "flags": {}
                },
                "pid": 2384,
                "type": "call",
                "cid": 1806
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleW",
                    "return_value": 1,
                    "arguments": {
                        "buffer": " [           This software is provided \"as is\" without          ]\r\n",
                        "console_handle": "0x00000007"
                    },
                    "time": 1568213591.1555,
                    "tid": 2584,
                    "flags": {}
                },
                "pid": 2384,
                "type": "call",
                "cid": 1830
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleW",
                    "return_value": 1,
                    "arguments": {
                        "buffer": " [        warranty of any kind. You may use this software       ]\r\n",
                        "console_handle": "0x00000007"
                    },
                    "time": 1568213591.1555,
                    "tid": 2584,
                    "flags": {}
                },
                "pid": 2384,
                "type": "call",
                "cid": 1842
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleW",
                    "return_value": 1,
                    "arguments": {
                        "buffer": " [                       at your own risk.                      ]\r\n",
                        "console_handle": "0x00000007"
                    },
                    "time": 1568213591.1555,
                    "tid": 2584,
                    "flags": {}
                },
                "pid": 2384,
                "type": "call",
                "cid": 1854
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleW",
                    "return_value": 1,
                    "arguments": {
                        "buffer": " [     Click the [X] in the top-right corner of this window     ]\r\n",
                        "console_handle": "0x00000007"
                    },
                    "time": 1568213591.1555,
                    "tid": 2584,
                    "flags": {}
                },
                "pid": 2384,
                "type": "call",
                "cid": 1878
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleW",
                    "return_value": 1,
                    "arguments": {
                        "buffer": " [                if you wish to exit. Otherwise,               ]\r\n",
                        "console_handle": "0x00000007"
                    },
                    "time": 1568213591.1555,
                    "tid": 2584,
                    "flags": {}
                },
                "pid": 2384,
                "type": "call",
                "cid": 1890
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleW",
                    "return_value": 1,
                    "arguments": {
                        "buffer": "Press any key to continue . . . ",
                        "console_handle": "0x00000007"
                    },
                    "time": 1568213591.1555,
                    "tid": 2584,
                    "flags": {}
                },
                "pid": 2384,
                "type": "call",
                "cid": 1926
            }
        ],
        "references": [],
        "name": "console_output"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "system",
                    "status": 1,
                    "stacktrace": [],
                    "api": "GlobalMemoryStatusEx",
                    "return_value": 1,
                    "arguments": {},
                    "time": 1568213586.5789,
                    "tid": 2420,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 462
            }
        ],
        "references": [],
        "name": "antivm_memory_available"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "The executable uses a known packer",
        "severity": 1,
        "marks": [
            {
                "category": "packer",
                "ioc": "Armadillo v1.71",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "peid_packer"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation",
        "severity": 2,
        "marks": [
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "GetDiskFreeSpaceExW",
                    "return_value": 1,
                    "arguments": {
                        "root_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt",
                        "free_bytes_available": 23512756224,
                        "total_number_of_free_bytes": 0,
                        "total_number_of_bytes": 0
                    },
                    "time": 1568213586.6099,
                    "tid": 1516,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 632
            }
        ],
        "references": [],
        "name": "antivm_disk_size"
    },
    {
        "markcount": 3,
        "families": [],
        "description": "Creates a suspicious process",
        "severity": 2,
        "marks": [
            {
                "category": "cmdline",
                "ioc": "C:\\Windows\\system32\\cmd.exe \/c REG QUERY \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName\" \/v ComputerName 2>NUL",
                "type": "ioc",
                "description": null
            },
            {
                "category": "cmdline",
                "ioc": "C:\\Windows\\system32\\cmd.exe \/c REG QUERY \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\" \/v ProductName 2>NUL",
                "type": "ioc",
                "description": null
            },
            {
                "category": "cmdline",
                "ioc": "C:\\Windows\\system32\\cmd.exe  \/S \/D \/c\" ECHO Windows 7 Professional\"",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "suspicious_process"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Drops a binary and executes it",
        "severity": 2,
        "marks": [
            {
                "category": "file",
                "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\get.bat",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "dropper"
    },
    {
        "markcount": 13,
        "families": [],
        "description": "Drops an executable to the user AppData folder",
        "severity": 2,
        "marks": [
            {
                "category": "file",
                "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\SORT_.DAT",
                "type": "ioc",
                "description": null
            },
            {
                "category": "file",
                "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\CUT.DAT",
                "type": "ioc",
                "description": null
            },
            {
                "category": "file",
                "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\libiconv2.dll",
                "type": "ioc",
                "description": null
            },
            {
                "category": "file",
                "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\regex2.dll",
                "type": "ioc",
                "description": null
            },
            {
                "category": "file",
                "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\SED.DAT",
                "type": "ioc",
                "description": null
            },
            {
                "category": "file",
                "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\GREP.DAT",
                "type": "ioc",
                "description": null
            },
            {
                "category": "file",
                "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\SHORTCUT.DAT",
                "type": "ioc",
                "description": null
            },
            {
                "category": "file",
                "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\pcre3.dll",
                "type": "ioc",
                "description": null
            },
            {
                "category": "file",
                "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\CreateRestorePoint.exe",
                "type": "ioc",
                "description": null
            },
            {
                "category": "file",
                "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\libintl3.dll",
                "type": "ioc",
                "description": null
            },
            {
                "category": "file",
                "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\WGET.DAT",
                "type": "ioc",
                "description": null
            },
            {
                "category": "file",
                "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\nfo\\nircmdc.exe",
                "type": "ioc",
                "description": null
            },
            {
                "category": "file",
                "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\jrt\\NIRCMD.DAT",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "exe_appdata"
    },
    {
        "markcount": 6,
        "families": [],
        "description": "Uses Windows utilities for basic Windows functionality",
        "severity": 2,
        "marks": [
            {
                "category": "cmdline",
                "ioc": "net  session ",
                "type": "ioc",
                "description": null
            },
            {
                "category": "cmdline",
                "ioc": "PING  -n 1 www.google.com ",
                "type": "ioc",
                "description": null
            },
            {
                "category": "cmdline",
                "ioc": "REG  QUERY \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName\" \/v ComputerName ",
                "type": "ioc",
                "description": null
            },
            {
                "category": "cmdline",
                "ioc": "REG  QUERY \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\" \/v ProductName ",
                "type": "ioc",
                "description": null
            },
            {
                "category": "cmdline",
                "ioc": "C:\\Windows\\system32\\cmd.exe \/c REG QUERY \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ActiveComputerName\" \/v ComputerName 2>NUL",
                "type": "ioc",
                "description": null
            },
            {
                "category": "cmdline",
                "ioc": "C:\\Windows\\system32\\cmd.exe \/c REG QUERY \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\" \/v ProductName 2>NUL",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [
            "http:\/\/blog.jpcert.or.jp\/2016\/01\/windows-commands-abused-by-attackers.html"
        ],
        "name": "uses_windows_utilities"
    }
]

Yara

The Yara rules did not detect anything in the file.

Network

{
    "tls": [],
    "udp": [
        {
            "src": "192.168.56.101",
            "dst": "192.168.56.255",
            "offset": 546,
            "time": 3.1399009227753,
            "dport": 137,
            "sport": 137
        },
        {
            "src": "192.168.56.101",
            "dst": "192.168.56.255",
            "offset": 5874,
            "time": 9.2193388938904,
            "dport": 138,
            "sport": 138
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 7718,
            "time": 3.222806930542,
            "dport": 5355,
            "sport": 51001
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 8046,
            "time": 1.0154709815979,
            "dport": 5355,
            "sport": 53595
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 8374,
            "time": 3.3297328948975,
            "dport": 5355,
            "sport": 53848
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 8702,
            "time": 1.5943448543549,
            "dport": 5355,
            "sport": 54255
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 9030,
            "time": -0.097868204116821,
            "dport": 5355,
            "sport": 55314
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 9358,
            "time": 1.5472378730774,
            "dport": 1900,
            "sport": 1900
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 28768,
            "time": 1.0365560054779,
            "dport": 3702,
            "sport": 49152
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 37152,
            "time": 3.2275488376617,
            "dport": 1900,
            "sport": 53598
        }
    ],
    "dns_servers": [],
    "http": [],
    "icmp": [],
    "smtp": [],
    "tcp": [],
    "smtp_ex": [],
    "mitm": [],
    "hosts": [],
    "pcap_sha256": "bba46ac0ad57be99278321f709ce95c318b5838c23f63ad58d4dc25778724032",
    "dns": [],
    "http_ex": [],
    "domains": [],
    "dead_hosts": [],
    "sorted_pcap_sha256": "d16b57e4833174530c7f0fce0234469084116e4957728680e0a1f9af34169f73",
    "irc": [],
    "https_ex": []
}

Screenshots

Screenshot from the sandboxScreenshot from the sandboxScreenshot from the sandbox

Hashes [?]

PropertyValue
MD5e40542c4cc75e658a4615bfefb308570
SHA2562000acf98ef0ac1a2d75c91586b5f30a2bc3ece6e92388b324614c93a0645cf5

Error Messages

These are some of the error messages that can appear related to jrt_8.1.4.exe:

jrt_8.1.4.exe has encountered a problem and needs to close. We are sorry for the inconvenience.

jrt_8.1.4.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.

Junkware Removal Tool has stopped working.

End Program - jrt_8.1.4.exe. This program is not responding.

jrt_8.1.4.exe is not a valid Win32 application.

jrt_8.1.4.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.

What will you do with JRT_8.1.4.exe?

To help other users, please let us know what you will do with JRT_8.1.4.exe:



What did other users do?

The poll result listed below shows what users chose to do with JRT_8.1.4.exe. 100% have voted for removal. Based on votes from 1 user.

Votes
Keep0 %
0
Remove100 %
1

NOTE: Please do not use this poll as the only source of input to determine what you will do with JRT_8.1.4.exe. Only 1 user has voted so far so it does not offer a high degree of confidence.

Malware or legitimate?

If you feel that you need more information to determine if your should keep this file or remove it, please read this guide.

Please select the option that best describe your thoughts on the information provided on this web page


Free online surveys

And now some shameless self promotion ;)

A screenshot of FreeFixer's scan result.Hi, my name is Roger Karlsson. I've been running this website since 2006. I want to let you know about the FreeFixer program. FreeFixer is a freeware tool that analyzes your system and let you manually identify unwanted programs. Once you've identified some malware files, FreeFixer is pretty good at removing them. You can download FreeFixer here. It runs on Windows 2000/XP/2003/2008/2016/2019/Vista/7/8/8.1/10. Supports both 32- and 64-bit Windows.

If you have questions, feedback on FreeFixer or the freefixer.com website, need help analyzing FreeFixer's scan result or just want to say hello, please contact me. You can find my email address at the contact page.

Comments

Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.

I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.

No comments posted yet.

Leave a reply