What is tgrfef.exe?

tgrfef.exe is part of Betra lOeer and developed by Betra lOe Corporation according to the tgrfef.exe version information.

tgrfef.exe's description is "Betra lOetractor "

tgrfef.exe is usually located in the 'c:\users\%USERNAME%\appdata\local\temp\' folder.

Some of the anti-virus scanners at VirusTotal detected tgrfef.exe.

If you have additional information about the file, please share it with the FreeFixer users by posting a comment at the bottom of this page.

Vendor and version information [?]

The following is the available information on tgrfef.exe:

PropertyValue
Product nameBetra lOeer
Company nameBetra lOe Corporation
File descriptionBetra lOetractor
Internal nameBetra lOe
Original filenameBetra lOe .MUI
Legal copyrightBetra lOe Corporation. All rights reserved.
Product version11.00.9600.16428
File version11.00.9600.16428 (winblue_gdr.131013-1700)

Here's a screenshot of the file properties when displayed by Windows Explorer:

Product nameBetra lOeer
Company nameBetra lOe Corporation
File descriptionBetra lOetractor ..
Internal nameBetra lOe
Original filenameBetra lOe .MUI
Legal copyrightBetra lOe Corporation. All rights re..
Product version11.00.9600.16428
File version11.00.9600.16428 (winblue_gdr.131013..

Digital signatures [?]

tgrfef.exe is not signed.

VirusTotal report

10 of the 72 anti-virus programs at VirusTotal detected the tgrfef.exe file. That's a 14% detection rate.

ScannerDetection Name
AhnLab-V3 Malware/Win32.RL_Generic.R325449
APEX Malicious
eGambit PE.Heur.InvalidSig
Endgame malicious (high confidence)
Kaspersky UDS:DangerousObject.Multi.Generic
Microsoft Trojan:Win32/Wacatac.C!ml
SentinelOne DFI - Malicious PE
Trapmine malicious.high.ml.score
Webroot W32.Malware.Gen
ZoneAlarm UDS:DangerousObject.Multi.Generic
10 of the 72 anti-virus programs detected the tgrfef.exe file.

Sandbox Report

The following information was gathered by executing the file inside Cuckoo Sandbox.

Summary

Successfully executed process in sandbox.

Summary

{
    "file_deleted": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\smss.com",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bolo.com",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\lsm.com",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\treaz",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\dpdvs.com",
        "C:\\Windows\\cer62B5.tmp"
    ],
    "guid": [
        "{a47979d2-c419-11d9-a5b4-001185ad2b89}",
        "{dcb00c01-570f-4a9b-8d69-199fdba5723b}",
        "{dcb00000-570f-4a9b-8d69-199fdba5723b}",
        "{d0074ffd-570f-4a9b-8d69-199fdba5723b}"
    ],
    "file_recreated": [
        "\\??\\nul"
    ],
    "regkey_written": [
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASMANCS\\FileTracingMask",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASMANCS\\EnableFileTracing",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASMANCS\\FileDirectory",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadNetworkName",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASMANCS\\MaxFileSize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASMANCS\\EnableConsoleTracing",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASMANCS\\ConsoleTracingMask"
    ],
    "dll_loaded": [
        "C:\\Windows\\System32\\mswsock.dll",
        "API-MS-Win-Security-LSALookup-L1-1-0.dll",
        "DNSAPI.dll",
        "DHCPCSVC.DLL",
        "kernel32.dll",
        "UxTheme.dll",
        "dwmapi.dll",
        "ntdll.dll",
        "C:\\Windows\\system32\\napinsp.dll",
        "C:\\Windows\\system32\\advpack.dll",
        "C:\\Windows\\system32\\uxtheme.dll",
        "API-MS-WIN-Service-Management-L1-1-0.dll",
        "crypt32.dll",
        "API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
        "API-MS-WIN-Service-winsvc-L1-1-0.dll",
        "advapi32.dll",
        "comctl32",
        "ole32.dll",
        "IMM32.dll",
        "crtdll.dll",
        "RASMAN.DLL",
        "rtutils.dll",
        "IPHLPAPI.DLL",
        "wininet.dll",
        "C:\\Windows\\system32\\crtdll.dll",
        "ADVAPI32.dll",
        "OLEAUT32.dll",
        "C:\\Windows\\system32\\pnrpnsp.dll",
        "SHELL32.dll",
        "C:\\Windows\\System32\\winrnr.dll",
        "API-MS-Win-Security-SDDL-L1-1-0.dll",
        "comctl32.dll",
        "feclient.dll",
        "Gdiplus.dll",
        "C:\\Windows\\system32\\advapi32.dll",
        "C:\\Windows\\SysWOW64\\oleaut32.dll",
        "shell32.dll",
        "rpcrt4.dll",
        "WS2_32.dll",
        "user32.dll",
        "wsock32.dll"
    ],
    "file_opened": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\smss.com",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\",
        "C:\\",
        "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bolo.com",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\lsm.com",
        "C:\\Users\\cuck\\AppData\\Local\\Temp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\treaz",
        "C:\\Windows"
    ],
    "connects_host": [
        "195.206.106.163"
    ],
    "regkey_opened": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\TreatAs",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PropertyBag",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\smss_RASMANCS",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PropertyBag",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PropertyBag",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid",
        "HKEY_CURRENT_USER\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\AutoEnrollment",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\smss.com",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler32",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration",
        "HKEY_CURRENT_USER\\Software\\AutoIt v3\\AutoIt",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OleAut",
        "HKEY_CURRENT_USER\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler",
        "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
        "HKEY_CURRENT_USER\\Control Panel\\Mouse",
        "HKEY_CURRENT_USER\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Advanced INF Setup",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
        "HKEY_CURRENT_USER\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32",
        "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing",
        "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor",
        "HKEY_CURRENT_USER\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}",
        "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
        "HKEY_CURRENT_USER\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}"
    ],
    "resolves_host": [
        "195.206.106.163",
        "wpad",
        "cuckpc"
    ],
    "file_written": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\treaz",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\smss.com",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bolo.com",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\dpdvs.com",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\lsm.com"
    ],
    "regkey_deleted": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0"
    ],
    "connects_ip": [
        "195.206.106.163"
    ],
    "directory_removed": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\"
    ],
    "file_exists": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\smss.com",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\cmd",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bolo.com",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\lsm.com",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\treaz",
        "C:\\Windows",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\dpdvs.com"
    ],
    "file_created": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\smss.com",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bolo.com",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\lsm.com",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\treaz",
        "C:\\Windows\\cer62B5.tmp",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\TMP4351$.TMP",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\dpdvs.com"
    ],
    "mutex": [
        "IESQMMUTEX_0_208",
        "A9292B7B6-343A2EC6-084EABD0-2165C0E8-BF056ACB"
    ],
    "command_line": [
        "timeout  3",
        "certutil  -decode bolo.com treaz ",
        "cmd \/c  smss.com & type lsm.com >> smss.com & del lsm.com & certutil -decode bolo.com treaz & smss.com treaz & timeout 3",
        "smss.com  treaz ",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\smss.com treaz "
    ],
    "file_read": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\treaz",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\smss.com",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bolo.com",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\lsm.com"
    ],
    "regkey_read": [
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASAPI32\\FileDirectory",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParentFolder",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASAPI32\\EnableFileTracing",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\AutoEnrollment\\Debug",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASMANCS\\ConsoleTracingMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoProxyDetectType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParentFolder",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32\\(Default)",
        "HKEY_CURRENT_USER\\Control Panel\\Mouse\\SwapMouseButtons",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Attributes",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASMANCS\\MaxFileSize",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PublishExpandedPath",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Stream",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASAPI32\\ConsoleTracingMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SESSION MANAGER\\PendingFileRenameOperations",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\RelativePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Roamable",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASAPI32\\FileTracingMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InitFolderHandler",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Icon",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InitFolderHandler",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASMANCS\\FileTracingMask",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalRedirectOnly",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResourceType",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParsingName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Stream",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InfoTip",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASMANCS\\FileDirectory",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Description",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\ThreadingModel",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParsingName",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Name",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Icon",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PublishExpandedPath",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResource",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\FolderTypeID",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASAPI32\\MaxFileSize",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASMANCS\\EnableFileTracing",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PreCreate",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Advanced INF Setup\\AdvpackLogFile",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASAPI32\\EnableConsoleTracing",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalizedName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32\\(Default)",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProgramData",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\InprocServer32",
        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Roamable",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Category",
        "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Security",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASMANCS\\EnableConsoleTracing",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Category",
        "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParentFolder"
    ],
    "directory_enumerated": [
        "C:\\Users\\cuck\\AppData",
        "C:\\Python27\\Scripts\\certutil.*",
        "C:\\Users\\cuck\\AppData\\Local\\Temp",
        "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk",
        "C:\\Windows\\System32\\certutil.*",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\timeout.*",
        "C:\\Windows\\System32\\ras\\*.pbk",
        "C:\\Windows\\System32\\certutil.COM",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\treaz",
        "C:\\Python27\\Scripts\\timeout.*",
        "C:\\Python27\\timeout.*",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\*",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP",
        "C:\\Users",
        "C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\smss.com",
        "C:\\Windows\\System32\\timeout.COM",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\certutil",
        "C:\\Python27\\timeout",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\lsm.com",
        "C:\\Windows\\System32\\timeout.exe",
        "C:\\Users\\cuck",
        "C:\\Users\\cuck\\AppData\\Local",
        "C:\\Windows\\System32\\certutil.exe",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\timeout",
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\certutil.*",
        "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*.pbk",
        "C:\\Windows\\System32\\timeout.*",
        "C:\\Python27\\certutil",
        "C:\\Python27\\certutil.*",
        "C:\\Python27\\Scripts\\certutil",
        "C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\*.pbk",
        "C:\\Python27\\Scripts\\timeout"
    ],
    "directory_created": [
        "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP"
    ]
}

Dropped

[
    {
        "yara": [
            {
                "meta": {
                    "description": "Contains an embedded PE32 file",
                    "author": "nex"
                },
                "name": "embedded_pe",
                "offsets": {
                    "b": [
                        [
                            77,
                            0
                        ]
                    ]
                },
                "strings": [
                    "VGhpcyBwcm9ncmFt"
                ]
            },
            {
                "meta": {
                    "description": "A non-Windows executable contains win32 API functions names",
                    "author": "nex"
                },
                "name": "embedded_win_api",
                "offsets": {
                    "api6": [
                        [
                            773651,
                            6
                        ]
                    ],
                    "api7": [
                        [
                            779287,
                            5
                        ],
                        [
                            779539,
                            5
                        ]
                    ],
                    "api2": [
                        [
                            773389,
                            0
                        ]
                    ],
                    "api3": [
                        [
                            773373,
                            3
                        ]
                    ],
                    "api8": [
                        [
                            775117,
                            1
                        ]
                    ],
                    "api14": [
                        [
                            775117,
                            1
                        ]
                    ],
                    "api12": [
                        [
                            773603,
                            4
                        ]
                    ],
                    "api13": [
                        [
                            774151,
                            2
                        ]
                    ]
                },
                "strings": [
                    "R2V0UHJvY0FkZHJlc3M=",
                    "R2V0V2luZG93c0RpcmVjdG9yeQ==",
                    "R2V0VGVtcFBhdGg=",
                    "TG9hZExpYnJhcnlB",
                    "U2V0RmlsZVBvaW50ZXI=",
                    "U2hlbGxFeGVjdXRl",
                    "V3JpdGVGaWxl"
                ]
            },
            {
                "meta": {
                    "description": "Matched shellcode byte patterns",
                    "author": "nex"
                },
                "name": "shellcode",
                "offsets": {
                    "shell5": [
                        [
                            194335,
                            1
                        ],
                        [
                            194358,
                            1
                        ],
                        [
                            201884,
                            1
                        ]
                    ],
                    "shell6": [
                        [
                            16694,
                            2
                        ],
                        [
                            28478,
                            2
                        ],
                        [
                            29263,
                            2
                        ],
                        [
                            31455,
                            2
                        ],
                        [
                            36991,
                            2
                        ],
                        [
                            47983,
                            2
                        ],
                        [
                            60063,
                            2
                        ],
                        [
                            62239,
                            2
                        ],
                        [
                            65503,
                            2
                        ],
                        [
                            85698,
                            2
                        ],
                        [
                            85800,
                            2
                        ],
                        [
                            86290,
                            2
                        ],
                        [
                            115467,
                            2
                        ],
                        [
                            119079,
                            2
                        ],
                        [
                            164488,
                            2
                        ],
                        [
                            166047,
                            2
                        ],
                        [
                            169975,
                            2
                        ],
                        [
                            173468,
                            2
                        ],
                        [
                            177109,
                            2
                        ],
                        [
                            186377,
                            2
                        ],
                        [
                            216869,
                            2
                        ],
                        [
                            228798,
                            2
                        ],
                        [
                            233700,
                            2
                        ],
                        [
                            352631,
                            2
                        ],
                        [
                            358393,
                            2
                        ],
                        [
                            364826,
                            2
                        ],
                        [
                            365020,
                            2
                        ],
                        [
                            365494,
                            2
                        ],
                        [
                            365662,
                            2
                        ],
                        [
                            365964,
                            2
                        ],
                        [
                            366508,
                            2
                        ],
                        [
                            367159,
                            2
                        ],
                        [
                            367882,
                            2
                        ],
                        [
                            368644,
                            2
                        ],
                        [
                            368886,
                            2
                        ],
                        [
                            371609,
                            2
                        ],
                        [
                            377211,
                            2
                        ],
                        [
                            391431,
                            2
                        ],
                        [
                            394964,
                            2
                        ],
                        [
                            395279,
                            2
                        ],
                        [
                            395620,
                            2
                        ],
                        [
                            396107,
                            2
                        ],
                        [
                            405729,
                            2
                        ],
                        [
                            407396,
                            2
                        ],
                        [
                            407904,
                            2
                        ],
                        [
                            408551,
                            2
                        ],
                        [
                            409611,
                            2
                        ],
                        [
                            409879,
                            2
                        ],
                        [
                            411874,
                            2
                        ],
                        [
                            412801,
                            2
                        ],
                        [
                            423636,
                            2
                        ],
                        [
                            428739,
                            2
                        ],
                        [
                            429845,
                            2
                        ],
                        [
                            430320,
                            2
                        ],
                        [
                            430751,
                            2
                        ],
                        [
                            430941,
                            2
                        ],
                        [
                            436718,
                            2
                        ],
                        [
                            437343,
                            2
                        ],
                        [
                            443669,
                            2
                        ],
                        [
                            446163,
                            2
                        ],
                        [
                            446415,
                            2
                        ],
                        [
                            453079,
                            2
                        ],
                        [
                            453428,
                            2
                        ],
                        [
                            454197,
                            2
                        ],
                        [
                            466382,
                            2
                        ],
                        [
                            472244,
                            2
                        ],
                        [
                            483076,
                            2
                        ],
                        [
                            487316,
                            2
                        ],
                        [
                            488175,
                            2
                        ],
                        [
                            493359,
                            2
                        ],
                        [
                            494588,
                            2
                        ],
                        [
                            496198,
                            2
                        ],
                        [
                            497164,
                            2
                        ],
                        [
                            499407,
                            2
                        ],
                        [
                            502155,
                            2
                        ],
                        [
                            506639,
                            2
                        ],
                        [
                            510663,
                            2
                        ],
                        [
                            526849,
                            2
                        ],
                        [
                            555007,
                            2
                        ],
                        [
                            559717,
                            2
                        ],
                        [
                            579021,
                            2
                        ]
                    ],
                    "shell7": [
                        [
                            141028,
                            0
                        ],
                        [
                            152566,
                            0
                        ],
                        [
                            179252,
                            0
                        ],
                        [
                            476204,
                            0
                        ]
                    ]
                },
                "strings": [
                    "VYvs6A==",
                    "VYvsg8Q=",
                    "VYvsgew="
                ]
            }
        ],
        "sha1": "0828db56b556f3f0486a9de9d2c728216035e8e6",
        "name": "8861365fb619dbb9_lsm.com",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\lsm.com",
        "type": "COM executable for DOS",
        "sha256": "8861365fb619dbb90da0027db93d041681c30deb93071ec588121a8f8ba08436",
        "urls": [
            "http:\/\/crl.globalsign.com\/gscodesignsha2g3.crl0",
            "http:\/\/crl.globalsign.com\/root-r3.crl0c",
            "http:\/\/secure.globalsign.com\/cacert\/gscodesignsha2g3ocsp.crt08",
            "http:\/\/ocsp2.globalsign.com\/rootr306",
            "https:\/\/www.globalsign.com\/repository\/0",
            "http:\/\/secure.globalsign.com\/cacert\/gstimestampingsha2g2.crt0",
            "http:\/\/crl.globalsign.com\/gs\/gstimestampingsha2g2.crl0",
            "http:\/\/ocsp2.globalsign.com\/gscodesignsha2g30V",
            "https:\/\/www.globalsign.com\/repository\/06",
            "http:\/\/ocsp2.globalsign.com\/gstimestampingsha2g20",
            "http:\/\/crl.globalsign.net\/root-r3.crl0",
            "https:\/\/www.autoitscript.com\/autoit3\/"
        ],
        "crc32": "D60E830B",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5253\/files\/8861365fb619dbb9_lsm.com",
        "ssdeep": null,
        "size": 893607,
        "sha512": "8c0154d80fb47ea5225816e95db0126d02950f0ec7909a68205ee67a0d1c4dbff971933ee5ba0307c24658ce52400e144cde720e514acf3024fbdb2505345cfe",
        "pids": [
            2816,
            2588
        ],
        "md5": "d86ab2aeeac2553c7857ece4492eda5d"
    },
    {
        "yara": [],
        "sha1": "ecd79a1d7ac84566abc02d7f29b33f5ead20fe48",
        "name": "6a1155df0a924758_bolo.com",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bolo.com",
        "type": "PEM certificate",
        "sha256": "6a1155df0a92475884e2fb99cfa43b4561b7b09a05c8bc694eb3f61586f7c3c9",
        "urls": [],
        "crc32": "A59283CB",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5253\/files\/6a1155df0a924758_bolo.com",
        "ssdeep": null,
        "size": 553586,
        "sha512": "f499f165afd2cb0e7b06987d06649aa1d324aadc069dd859eb550fcafdcf32cfdf493dcfbc6d54cc58f18636a1b3e868fa8aed42a16e1e1fb869f5e90f862fde",
        "pids": [
            2816
        ],
        "md5": "73c503454ad8d458867385f99562c245"
    },
    {
        "yara": [],
        "sha1": "ea4f4eec06233e0a8e6534e7937350b8ccff76ea",
        "name": "ba32a2c7f03fde4a_treaz",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\treaz",
        "type": "ASCII text, with very long lines, with CRLF, CR, LF line terminators",
        "sha256": "ba32a2c7f03fde4a551d26af9558213d475e44593c3e8a3d34310216e738c24d",
        "urls": [],
        "crc32": "2A02F752",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5253\/files\/ba32a2c7f03fde4a_treaz",
        "ssdeep": null,
        "size": 402566,
        "sha512": "bdc443b6337fae13e18346172ad6f0239e1ada009bc3db33067219e647760c4e6d15700373d1ebea598a1b7a982d2c9b83f801ba1537d7f240524aea5e490d96",
        "pids": [
            1616,
            2816
        ],
        "md5": "4caae4c1aae3a7d9d154eaf5d286c001"
    },
    {
        "yara": [],
        "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
        "name": "e3b0c44298fc1c14_cer62B5.tmp",
        "type": "empty",
        "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "urls": [],
        "crc32": "00000000",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5253\/files\/e3b0c44298fc1c14_cer62B5.tmp",
        "ssdeep": null,
        "size": 0,
        "sha512": "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e",
        "md5": "d41d8cd98f00b204e9800998ecf8427e"
    },
    {
        "yara": [],
        "sha1": "2a4062e10a5de813f5688221dbeb3f3ff33eb417",
        "name": "237d1bca6e056df5_smss.com",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\smss.com",
        "type": "PE32 executable (GUI) Intel 80386, for MS Windows",
        "sha256": "237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d",
        "urls": [
            "http:\/\/crl.globalsign.com\/gscodesignsha2g3.crl0",
            "http:\/\/crl.globalsign.com\/root-r3.crl0c",
            "http:\/\/secure.globalsign.com\/cacert\/gscodesignsha2g3ocsp.crt08",
            "http:\/\/ocsp2.globalsign.com\/rootr306",
            "https:\/\/www.globalsign.com\/repository\/0",
            "http:\/\/secure.globalsign.com\/cacert\/gstimestampingsha2g2.crt0",
            "http:\/\/crl.globalsign.com\/gs\/gstimestampingsha2g2.crl0",
            "http:\/\/ocsp2.globalsign.com\/gscodesignsha2g30V",
            "https:\/\/www.globalsign.com\/repository\/06",
            "http:\/\/ocsp2.globalsign.com\/gstimestampingsha2g20",
            "http:\/\/crl.globalsign.net\/root-r3.crl0",
            "https:\/\/www.autoitscript.com\/autoit3\/"
        ],
        "crc32": "76090EE7",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5253\/files\/237d1bca6e056df5_smss.com",
        "ssdeep": null,
        "size": 893608,
        "sha512": "195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c",
        "pids": [],
        "md5": "c56b5f0201a3b3de53e561fe76912bfd"
    },
    {
        "yara": [],
        "sha1": "7dadae8edb11b03106b426d427cb714c582fef4a",
        "name": "a53e5a11ea191867_dpdvs.com",
        "filepath": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\dpdvs.com",
        "type": "data",
        "sha256": "a53e5a11ea191867fc4fb88df983d73a39d79736456c204b17b3e28ba9da321a",
        "urls": [],
        "crc32": "0BB4B37D",
        "path": "\/home\/hpuser\/.cuckoo\/storage\/analyses\/5253\/files\/a53e5a11ea191867_dpdvs.com",
        "ssdeep": null,
        "size": 114688,
        "sha512": "5cafd540bd1c71626314a8038317f231b9017020efb45248c74b24ff605c33041eb881308ca540fe74a9deab215e2ab7eabd193743cf23ba9d6f69a980f15692",
        "pids": [
            2816
        ],
        "md5": "5f8b0914cd1a21947f3b5c55c2eb59df"
    }
]

Generic

[
    {
        "process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\83f47e23b9393700f10b7daa7bf5e7da31df3082b938d37868876f7f14492410.bin",
        "process_name": "83f47e23b9393700f10b7daa7bf5e7da31df3082b938d37868876f7f14492410.bin",
        "pid": 2816,
        "summary": {
            "file_created": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\dpdvs.com",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bolo.com",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\lsm.com",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\TMP4351$.TMP"
            ],
            "directory_created": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP"
            ],
            "dll_loaded": [
                "feclient.dll",
                "kernel32.dll",
                "C:\\Windows\\system32\\advapi32.dll",
                "API-MS-Win-Core-LocalRegistry-L1-1-0.dll",
                "C:\\Windows\\system32\\advpack.dll"
            ],
            "file_opened": [
                "C:\\Windows",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\",
                "C:\\",
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
            ],
            "regkey_opened": [
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLEAUT",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OLE\\Tracing",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Setup",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Advanced INF Setup"
            ],
            "file_written": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bolo.com",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\lsm.com",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\dpdvs.com"
            ],
            "regkey_deleted": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0"
            ],
            "file_deleted": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\treaz",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bolo.com",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\smss.com",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\lsm.com",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\dpdvs.com"
            ],
            "directory_removed": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\"
            ],
            "file_exists": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\cmd",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bolo.com",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\lsm.com",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\dpdvs.com"
            ],
            "command_line": [
                "cmd \/c  smss.com & type lsm.com >> smss.com & del lsm.com & certutil -decode bolo.com treaz & smss.com treaz & timeout 3"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Setup\\SourcePath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\DevicePath",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorUseSystemHeap",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\SESSION MANAGER\\PendingFileRenameOperations",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\OLE\\PageAllocatorSystemHeapIsPrivate",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Advanced INF Setup\\AdvpackLogFile"
            ],
            "directory_enumerated": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\*"
            ],
            "regkey_written": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0"
            ]
        },
        "first_seen": 1581198785.75,
        "ppid": 2016
    },
    {
        "process_path": "C:\\Windows\\SysWOW64\\certutil.exe",
        "process_name": "certutil.exe",
        "pid": 1616,
        "summary": {
            "file_created": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\treaz",
                "C:\\Windows\\cer62B5.tmp"
            ],
            "dll_loaded": [
                "dwmapi.dll",
                "C:\\Windows\\system32\\uxtheme.dll"
            ],
            "file_opened": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bolo.com"
            ],
            "regkey_opened": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\AutoEnrollment",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration"
            ],
            "file_written": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\treaz"
            ],
            "file_deleted": [
                "C:\\Windows\\cer62B5.tmp"
            ],
            "file_exists": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\treaz",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bolo.com",
                "C:\\Windows"
            ],
            "file_read": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\bolo.com"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Cryptography\\AutoEnrollment\\Debug",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname"
            ]
        },
        "first_seen": 1581198788.68725,
        "ppid": 2588
    },
    {
        "process_path": "C:\\Windows\\System32\\lsass.exe",
        "process_name": "lsass.exe",
        "pid": 476,
        "summary": {},
        "first_seen": 1581198785.34375,
        "ppid": 376
    },
    {
        "process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\smss.com",
        "process_name": "smss.com",
        "pid": 368,
        "summary": {
            "dll_loaded": [
                "SHELL32.dll",
                "kernel32.dll",
                "UxTheme.dll",
                "dwmapi.dll",
                "comctl32",
                "ole32.dll",
                "comctl32.dll",
                "IMM32.dll"
            ],
            "file_opened": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\treaz",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\",
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
            ],
            "regkey_opened": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PropertyBag",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PropertyBag",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FolderDescriptions",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PropertyBag",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CTF\\Compatibility\\smss.com",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}",
                "HKEY_CURRENT_USER\\Control Panel\\Mouse",
                "HKEY_CURRENT_USER\\Software\\AutoIt v3\\AutoIt"
            ],
            "file_exists": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\treaz",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\smss.com"
            ],
            "command_line": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\smss.com treaz "
            ],
            "file_read": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\treaz"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalizedName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Category",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Name",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalRedirectOnly",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\FolderTypeID",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResource",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\LocalRedirectOnly",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Description",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResourceType",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PreCreate",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\StreamResource",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Stream",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParentFolder",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\FolderTypeID",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PreCreate",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Roamable",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\StreamResourceType",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResourceType",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\PublishExpandedPath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\LocalizedName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Security",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\PublishExpandedPath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Icon",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\ParsingName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalRedirectOnly",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\RelativePath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Description",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Stream",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InitFolderHandler",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParentFolder",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PreCreate",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParsingName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InfoTip",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\LocalizedName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Security",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\RelativePath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Attributes",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\InfoTip",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Security",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Attributes",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\StreamResource",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Icon",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Roamable",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Category",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\ParsingName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Description",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\ParentFolder",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\RelativePath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\FolderTypeID",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InfoTip",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Icon",
                "HKEY_CURRENT_USER\\Control Panel\\Mouse\\SwapMouseButtons",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Attributes",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\PublishExpandedPath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\InitFolderHandler",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Category",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}\\Roamable",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{F38BF404-1D43-42F2-9305-67DE0B28FC23}\\Stream",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\explorer\\FolderDescriptions\\{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\InitFolderHandler"
            ],
            "directory_enumerated": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\smss.com",
                "C:\\Users\\cuck\\AppData",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\treaz",
                "C:\\Users\\cuck",
                "C:\\Users",
                "C:\\Users\\cuck\\AppData\\Local"
            ]
        },
        "first_seen": 1581198788.906,
        "ppid": 2588
    },
    {
        "process_path": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\smss.com",
        "process_name": "smss.com",
        "pid": 2868,
        "summary": {
            "regkey_written": [
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASMANCS\\FileTracingMask",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASMANCS\\EnableFileTracing",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASMANCS\\FileDirectory",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadNetworkName",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASMANCS\\MaxFileSize",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASMANCS\\EnableConsoleTracing",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASMANCS\\ConsoleTracingMask"
            ],
            "dll_loaded": [
                "C:\\Windows\\System32\\mswsock.dll",
                "API-MS-Win-Security-LSALookup-L1-1-0.dll",
                "DNSAPI.dll",
                "kernel32.dll",
                "crtdll.dll",
                "ntdll.dll",
                "C:\\Windows\\system32\\napinsp.dll",
                "API-MS-WIN-Service-Management-L1-1-0.dll",
                "crypt32.dll",
                "API-MS-WIN-Service-winsvc-L1-1-0.dll",
                "advapi32.dll",
                "ole32.dll",
                "API-MS-Win-Security-SDDL-L1-1-0.dll",
                "RASMAN.DLL",
                "rtutils.dll",
                "IPHLPAPI.DLL",
                "wininet.dll",
                "C:\\Windows\\system32\\crtdll.dll",
                "ADVAPI32.dll",
                "OLEAUT32.dll",
                "C:\\Windows\\system32\\pnrpnsp.dll",
                "DHCPCSVC.DLL",
                "C:\\Windows\\System32\\winrnr.dll",
                "Gdiplus.dll",
                "C:\\Windows\\SysWOW64\\oleaut32.dll",
                "shell32.dll",
                "rpcrt4.dll",
                "WS2_32.dll",
                "user32.dll",
                "wsock32.dll"
            ],
            "connects_host": [
                "195.206.106.163"
            ],
            "regkey_opened": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\TreatAs",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\DnsCache\\Parameters",
                "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\DnsClient",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32",
                "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\Rpc",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList",
                "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Connections",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Tracing\\smss_RASMANCS",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\crypt32",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid",
                "HKEY_CURRENT_USER\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\OleAut",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler32",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Rpc",
                "HKEY_CURRENT_USER\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\Progid",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocHandler",
                "HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\windows\\CurrentVersion\\Internet Settings\\Wpad",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",
                "HKEY_CURRENT_USER\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}",
                "HKEY_CURRENT_USER\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography",
                "HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\System\\DNSClient",
                "HKEY_CURRENT_USER\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}",
                "HKEY_CURRENT_USER\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}"
            ],
            "resolves_host": [
                "195.206.106.163",
                "wpad",
                "cuckpc"
            ],
            "connects_ip": [
                "195.206.106.163"
            ],
            "mutex": [
                "IESQMMUTEX_0_208",
                "A9292B7B6-343A2EC6-084EABD0-2165C0E8-BF056ACB"
            ],
            "guid": [
                "{a47979d2-c419-11d9-a5b4-001185ad2b89}",
                "{dcb00c01-570f-4a9b-8d69-199fdba5723b}",
                "{dcb00000-570f-4a9b-8d69-199fdba5723b}",
                "{d0074ffd-570f-4a9b-8d69-199fdba5723b}"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASAPI32\\EnableFileTracing",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASMANCS\\FileTracingMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Rpc\\MaxRpcSize",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASAPI32\\FileDirectory",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{26656EAA-54EB-4E6F-8F85-4F0EF901A406}\\ProxyStubClsid32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASAPI32\\ConsoleTracingMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASMANCS\\FileDirectory",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\ThreadingModel",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\S-1-5-21-699399860-4089948139-3198924279-1001\\ProfileImagePath",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASAPI32\\MaxFileSize",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\crypt32\\DebugHeapFlags",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\SystemSetupInProgress",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASMANCS\\EnableFileTracing",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\\ProgramData",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Hostname",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{BCD1DE7E-2DB1-418B-B047-4A74E101F8C1}\\ProxyStubClsid32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\Setup\\OOBEInProgress",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASMANCS\\ConsoleTracingMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\ProductName",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASAPI32\\EnableConsoleTracing",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoProxyDetectType",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{2A1C9EB2-DF62-4154-B800-63278FCB8037}\\ProxyStubClsid32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{8A40A45D-055C-4B62-ABD7-6D613E2CEAEC}\\ProxyStubClsid32\\(Default)",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\services\\Tcpip\\Parameters\\Domain",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASAPI32\\FileTracingMask",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\DisableImprovedZoneCheck",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\SQMClient\\Windows\\CEIPEnable",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\InprocServer32\\InprocServer32",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders\\AppData",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\ComputerName\\ActiveComputerName\\ComputerName",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections\\DefaultConnectionSettings",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\Interface\\{55272A00-42CB-11CE-8135-00AA004BB851}\\ProxyStubClsid32\\(Default)",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASMANCS\\MaxFileSize",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Security_HKLM_only",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Tracing\\smss_RASMANCS\\EnableConsoleTracing",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\Wow6432Node\\CLSID\\{B196B286-BAB4-101A-B69C-00AA00341D07}\\(Default)"
            ],
            "directory_enumerated": [
                "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk",
                "C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\rasphone.pbk",
                "C:\\Windows\\System32\\ras\\*.pbk",
                "C:\\ProgramData\\Microsoft\\Network\\Connections\\Pbk\\*.pbk",
                "C:\\Users\\cuck\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*.pbk"
            ]
        },
        "first_seen": 1581198848.18725,
        "ppid": 1576
    },
    {
        "process_path": "C:\\Windows\\SysWOW64\\timeout.exe",
        "process_name": "timeout.exe",
        "pid": 852,
        "summary": {
            "file_opened": [
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US"
            ],
            "dll_loaded": [
                "kernel32.dll"
            ]
        },
        "first_seen": 1581198789.5935,
        "ppid": 2588
    },
    {
        "process_path": "C:\\Windows\\SysWOW64\\cmd.exe",
        "process_name": "cmd.exe",
        "pid": 2588,
        "summary": {
            "file_created": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\smss.com"
            ],
            "file_recreated": [
                "\\??\\nul"
            ],
            "dll_loaded": [
                "kernel32.dll"
            ],
            "file_opened": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\smss.com",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\lsm.com",
                "C:\\",
                "C:\\Windows\\Globalization\\Sorting\\sortdefault.nls"
            ],
            "regkey_opened": [
                "HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\System",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor",
                "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Command Processor"
            ],
            "file_written": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\smss.com"
            ],
            "file_deleted": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\lsm.com"
            ],
            "file_exists": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\smss.com",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\lsm.com"
            ],
            "command_line": [
                "timeout  3",
                "certutil  -decode bolo.com treaz ",
                "smss.com  treaz "
            ],
            "file_read": [
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\smss.com",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\lsm.com"
            ],
            "regkey_read": [
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DefaultColor",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\AutoRun",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DelayedExpansion",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DisableUNCCheck",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\EnableExtensions",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\CompletionChar",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\EnableExtensions",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\CustomLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\PathCompletionChar",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Locale\\00000409",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\Language Groups\\1",
                "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Nls\\ExtendedLocale\\en-US",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize\\DisableMetaFiles",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\PathCompletionChar",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\DisableUNCCheck",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\Windows Error Reporting\\WMR\\Disable",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DelayedExpansion",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\AutoRun",
                "HKEY_CURRENT_USER\\Software\\Microsoft\\Command Processor\\DefaultColor",
                "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Command Processor\\CompletionChar"
            ],
            "directory_enumerated": [
                "C:\\Users\\cuck\\AppData",
                "C:\\Python27\\Scripts\\certutil.*",
                "C:\\Users\\cuck\\AppData\\Local\\Temp",
                "C:\\Windows\\System32\\certutil.*",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\timeout.*",
                "C:\\Windows\\System32\\certutil.COM",
                "C:\\Python27\\Scripts\\timeout.*",
                "C:\\Python27\\timeout.*",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP",
                "C:\\Users",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\smss.com",
                "C:\\Windows\\System32\\timeout.COM",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\certutil",
                "C:\\Python27\\timeout",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\lsm.com",
                "C:\\Windows\\System32\\timeout.exe",
                "C:\\Users\\cuck",
                "C:\\Users\\cuck\\AppData\\Local",
                "C:\\Windows\\System32\\certutil.exe",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\timeout",
                "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\certutil.*",
                "C:\\Windows\\System32\\timeout.*",
                "C:\\Python27\\certutil",
                "C:\\Python27\\certutil.*",
                "C:\\Python27\\Scripts\\certutil",
                "C:\\Python27\\Scripts\\timeout"
            ]
        },
        "first_seen": 1581198785.984375,
        "ppid": 2816
    }
]

Signatures

[
    {
        "markcount": 3,
        "families": [],
        "description": "Queries for the computername",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "GetComputerNameW",
                    "return_value": 1,
                    "arguments": {
                        "computer_name": "CUCKPC"
                    },
                    "time": 1581198788.79625,
                    "tid": 816,
                    "flags": {}
                },
                "pid": 1616,
                "type": "call",
                "cid": 63
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "GetComputerNameW",
                    "return_value": 1,
                    "arguments": {
                        "computer_name": "CUCKPC"
                    },
                    "time": 1581198848.28025,
                    "tid": 2164,
                    "flags": {}
                },
                "pid": 2868,
                "type": "call",
                "cid": 142
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "GetComputerNameW",
                    "return_value": 1,
                    "arguments": {
                        "computer_name": "CUCKPC"
                    },
                    "time": 1581198848.28025,
                    "tid": 2164,
                    "flags": {}
                },
                "pid": 2868,
                "type": "call",
                "cid": 150
            }
        ],
        "references": [],
        "name": "antivm_queries_computername"
    },
    {
        "markcount": 2,
        "families": [],
        "description": "Checks if process is being debugged by a debugger",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741686,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1581198788.78025,
                    "tid": 816,
                    "flags": {}
                },
                "pid": 1616,
                "type": "call",
                "cid": 44
            },
            {
                "call": {
                    "category": "system",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 5,
                    "nt_status": -1073741772,
                    "api": "IsDebuggerPresent",
                    "return_value": 0,
                    "arguments": {},
                    "time": 1581198788.985,
                    "tid": 2824,
                    "flags": {}
                },
                "pid": 368,
                "type": "call",
                "cid": 52
            }
        ],
        "references": [],
        "name": "checks_debugger"
    },
    {
        "markcount": 5,
        "families": [],
        "description": "Command line console output was observed",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleW",
                    "return_value": 1,
                    "arguments": {
                        "buffer": "Input Length = 553586",
                        "console_handle": "0x0000000f"
                    },
                    "time": 1581198788.79625,
                    "tid": 816,
                    "flags": {}
                },
                "pid": 1616,
                "type": "call",
                "cid": 91
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleW",
                    "return_value": 1,
                    "arguments": {
                        "buffer": "Output Length = 402566",
                        "console_handle": "0x0000000f"
                    },
                    "time": 1581198788.79625,
                    "tid": 816,
                    "flags": {}
                },
                "pid": 1616,
                "type": "call",
                "cid": 101
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleW",
                    "return_value": 1,
                    "arguments": {
                        "buffer": "CertUtil: -decode command completed successfully.",
                        "console_handle": "0x0000000f"
                    },
                    "time": 1581198788.79625,
                    "tid": 816,
                    "flags": {}
                },
                "pid": 1616,
                "type": "call",
                "cid": 107
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleW",
                    "return_value": 1,
                    "arguments": {
                        "buffer": "\nWaiting for 3",
                        "console_handle": "0x0000000f"
                    },
                    "time": 1581198789.6715,
                    "tid": 2700,
                    "flags": {}
                },
                "pid": 852,
                "type": "call",
                "cid": 25
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "WriteConsoleW",
                    "return_value": 1,
                    "arguments": {
                        "buffer": " seconds, press a key to continue ...",
                        "console_handle": "0x0000000f"
                    },
                    "time": 1581198789.6715,
                    "tid": 2700,
                    "flags": {}
                },
                "pid": 852,
                "type": "call",
                "cid": 28
            }
        ],
        "references": [],
        "name": "console_output"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate)",
        "severity": 1,
        "marks": [
            {
                "category": "registry",
                "ioc": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "recon_fingerprint"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "This executable has a PDB path",
        "severity": 1,
        "marks": [
            {
                "category": "pdb_path",
                "ioc": "Z           ",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "has_pdb"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available",
        "severity": 1,
        "marks": [
            {
                "call": {
                    "category": "system",
                    "status": 1,
                    "stacktrace": [],
                    "api": "GlobalMemoryStatusEx",
                    "return_value": 1,
                    "arguments": {},
                    "time": 1581198848.28025,
                    "tid": 2164,
                    "flags": {}
                },
                "pid": 2868,
                "type": "call",
                "cid": 119
            }
        ],
        "references": [],
        "name": "antivm_memory_available"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "The file contains an unknown PE resource name possibly indicative of a packer",
        "severity": 1,
        "marks": [
            {
                "category": "resource name",
                "ioc": "AVI",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "pe_unknown_resource_name"
    },
    {
        "markcount": 0,
        "families": [],
        "description": "One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.",
        "severity": 2,
        "marks": [],
        "references": [],
        "name": "dumped_buffer"
    },
    {
        "markcount": 2,
        "families": [],
        "description": "Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation",
        "severity": 2,
        "marks": [
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "GetDiskFreeSpaceW",
                    "return_value": 1,
                    "arguments": {
                        "root_path": "\\",
                        "sectors_per_cluster": 8,
                        "number_of_free_clusters": 5740850,
                        "total_number_of_clusters": 8362495,
                        "bytes_per_sector": 512
                    },
                    "time": 1581198785.828,
                    "tid": 2420,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 65
            },
            {
                "call": {
                    "category": "misc",
                    "status": 1,
                    "stacktrace": [],
                    "api": "GetDiskFreeSpaceW",
                    "return_value": 1,
                    "arguments": {
                        "root_path": "\\",
                        "sectors_per_cluster": 8,
                        "number_of_free_clusters": 5740850,
                        "total_number_of_clusters": 8362495,
                        "bytes_per_sector": 512
                    },
                    "time": 1581198785.828,
                    "tid": 2420,
                    "flags": {}
                },
                "pid": 2816,
                "type": "call",
                "cid": 80
            }
        ],
        "references": [],
        "name": "antivm_disk_size"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Drops a binary and executes it",
        "severity": 2,
        "marks": [
            {
                "category": "file",
                "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\smss.com",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "dropper"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Drops an executable to the user AppData folder",
        "severity": 2,
        "marks": [
            {
                "category": "file",
                "ioc": "C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\smss.com",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "exe_appdata"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Checks adapter addresses which can be used to detect virtual network interfaces",
        "severity": 2,
        "marks": [
            {
                "call": {
                    "category": "network",
                    "status": 0,
                    "stacktrace": [],
                    "last_error": 0,
                    "nt_status": -1073741772,
                    "api": "GetAdaptersAddresses",
                    "return_value": 111,
                    "arguments": {
                        "flags": 0,
                        "family": 0
                    },
                    "time": 1581198848.34325,
                    "tid": 2988,
                    "flags": {}
                },
                "pid": 2868,
                "type": "call",
                "cid": 534
            }
        ],
        "references": [],
        "name": "antivm_network_adapters"
    },
    {
        "markcount": 2,
        "families": [],
        "description": "The binary likely contains encrypted or compressed data indicative of a packer",
        "severity": 2,
        "marks": [
            {
                "entropy": 7.961033409842802,
                "section": {
                    "size_of_data": "0x000b3600",
                    "virtual_address": "0x0000c000",
                    "entropy": 7.961033409842802,
                    "name": ".rsrc",
                    "virtual_size": "0x000b3427"
                },
                "type": "generic",
                "description": "A section with a high entropy has been found"
            },
            {
                "entropy": 0.9522229595222296,
                "type": "generic",
                "description": "Overall entropy of this PE file is high"
            }
        ],
        "references": [
            "http:\/\/www.forensickb.com\/2013\/03\/file-entropy-explained.html",
            "http:\/\/virii.es\/U\/Using%20Entropy%20Analysis%20to%20Find%20Encrypted%20and%20Packed%20Malware.pdf"
        ],
        "name": "packer_entropy"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Uses Windows utilities for basic Windows functionality",
        "severity": 2,
        "marks": [
            {
                "category": "cmdline",
                "ioc": "cmd \/c  smss.com & type lsm.com >> smss.com & del lsm.com & certutil -decode bolo.com treaz & smss.com treaz & timeout 3",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [
            "http:\/\/blog.jpcert.or.jp\/2016\/01\/windows-commands-abused-by-attackers.html"
        ],
        "name": "uses_windows_utilities"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "One or more of the buffers contains an embedded PE file",
        "severity": 3,
        "marks": [
            {
                "category": "buffer",
                "ioc": "Buffer with sha1: 175caf35febe19105a68fbc2d8dfcb14bc144475",
                "type": "ioc",
                "description": null
            }
        ],
        "references": [],
        "name": "dumped_buffer2"
    },
    {
        "markcount": 1,
        "families": [],
        "description": "Installs itself for autorun at Windows startup",
        "severity": 3,
        "marks": [
            {
                "type": "generic",
                "reg_key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\wextract_cleanup0",
                "reg_value": "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\cuck\\AppData\\Local\\Temp\\IXP000.TMP\\\""
            }
        ],
        "references": [],
        "name": "persistence_autorun"
    },
    {
        "markcount": 5,
        "families": [],
        "description": "Sets or modifies WPAD proxy autoconfiguration file for traffic interception",
        "severity": 3,
        "marks": [
            {
                "call": {
                    "category": "registry",
                    "status": 1,
                    "stacktrace": [],
                    "api": "RegSetValueExA",
                    "return_value": 0,
                    "arguments": {
                        "key_handle": "0x00000310",
                        "value": 1,
                        "regkey_r": "WpadDecisionReason",
                        "reg_type": 4,
                        "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionReason"
                    },
                    "time": 1581198850.90525,
                    "tid": 2988,
                    "flags": {
                        "reg_type": "REG_DWORD"
                    }
                },
                "pid": 2868,
                "type": "call",
                "cid": 547
            },
            {
                "call": {
                    "category": "registry",
                    "status": 1,
                    "stacktrace": [],
                    "api": "RegSetValueExA",
                    "return_value": 0,
                    "arguments": {
                        "key_handle": "0x00000310",
                        "value": "\u00a0SI\u00ad\u00d2\u00de\u00d5\u0001",
                        "regkey_r": "WpadDecisionTime",
                        "reg_type": 3,
                        "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecisionTime"
                    },
                    "time": 1581198850.90525,
                    "tid": 2988,
                    "flags": {
                        "reg_type": "REG_BINARY"
                    }
                },
                "pid": 2868,
                "type": "call",
                "cid": 548
            },
            {
                "call": {
                    "category": "registry",
                    "status": 1,
                    "stacktrace": [],
                    "api": "RegSetValueExA",
                    "return_value": 0,
                    "arguments": {
                        "key_handle": "0x00000310",
                        "value": 3,
                        "regkey_r": "WpadDecision",
                        "reg_type": 4,
                        "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadDecision"
                    },
                    "time": 1581198850.90525,
                    "tid": 2988,
                    "flags": {
                        "reg_type": "REG_DWORD"
                    }
                },
                "pid": 2868,
                "type": "call",
                "cid": 549
            },
            {
                "call": {
                    "category": "registry",
                    "status": 1,
                    "stacktrace": [],
                    "api": "RegSetValueExW",
                    "return_value": 0,
                    "arguments": {
                        "key_handle": "0x00000310",
                        "value": "Unidentified network",
                        "regkey_r": "WpadNetworkName",
                        "reg_type": 1,
                        "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}\\WpadNetworkName"
                    },
                    "time": 1581198850.92125,
                    "tid": 2988,
                    "flags": {
                        "reg_type": "REG_SZ"
                    }
                },
                "pid": 2868,
                "type": "call",
                "cid": 550
            },
            {
                "call": {
                    "category": "registry",
                    "status": 1,
                    "stacktrace": [],
                    "api": "RegSetValueExW",
                    "return_value": 0,
                    "arguments": {
                        "key_handle": "0x0000030c",
                        "value": "{E34DF837-3A38-4E8C-83F4-ABF8AB3FB4A6}",
                        "regkey_r": "WpadLastNetwork",
                        "reg_type": 1,
                        "regkey": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Wpad\\WpadLastNetwork"
                    },
                    "time": 1581198850.93725,
                    "tid": 2988,
                    "flags": {
                        "reg_type": "REG_SZ"
                    }
                },
                "pid": 2868,
                "type": "call",
                "cid": 618
            }
        ],
        "references": [],
        "name": "modifies_proxy_wpad"
    }
]

Yara

The Yara rules did not detect anything in the file.

Network

{
    "tls": [],
    "udp": [
        {
            "src": "192.168.56.101",
            "dst": "192.168.56.255",
            "offset": 546,
            "time": 3.101240873336792,
            "dport": 137,
            "sport": 137
        },
        {
            "src": "192.168.56.101",
            "dst": "192.168.56.255",
            "offset": 5874,
            "time": 9.11009693145752,
            "dport": 138,
            "sport": 138
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 7718,
            "time": 3.110337018966675,
            "dport": 5355,
            "sport": 51001
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 8046,
            "time": 1.0197858810424805,
            "dport": 5355,
            "sport": 53595
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 8374,
            "time": 3.1143360137939453,
            "dport": 5355,
            "sport": 53848
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 8702,
            "time": 1.5182549953460693,
            "dport": 5355,
            "sport": 54255
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 9030,
            "time": -0.09867215156555176,
            "dport": 5355,
            "sport": 55314
        },
        {
            "src": "192.168.56.101",
            "dst": "224.0.0.252",
            "offset": 9358,
            "time": 64.5448579788208,
            "dport": 5355,
            "sport": 55880
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 9678,
            "time": 1.532796859741211,
            "dport": 1900,
            "sport": 1900
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 29088,
            "time": 1.04087495803833,
            "dport": 3702,
            "sport": 49152
        },
        {
            "src": "192.168.56.101",
            "dst": "239.255.255.250",
            "offset": 37472,
            "time": 3.1449849605560303,
            "dport": 1900,
            "sport": 53598
        }
    ],
    "dns_servers": [],
    "http": [],
    "icmp": [],
    "smtp": [],
    "tcp": [],
    "smtp_ex": [],
    "mitm": [],
    "hosts": [],
    "pcap_sha256": "65318e033d911f748f5edafbbdd89ed30a96f549092deafc4c2c05fd5e1e8a3c",
    "dns": [],
    "http_ex": [],
    "domains": [],
    "dead_hosts": [],
    "sorted_pcap_sha256": "627aac70ca38f5faf739232945a08af43a984b57bf366762f8ba9b0dc0005b56",
    "irc": [],
    "https_ex": []
}

Screenshots

Screenshot from the sandboxScreenshot from the sandboxScreenshot from the sandboxScreenshot from the sandboxScreenshot from the sandbox

tgrfef.exe removal instructions

The instructions below shows how to remove tgrfef.exe with help from the FreeFixer removal tool. Basically, you install FreeFixer, scan your computer, check the tgrfef.exe file for removal, restart your computer and scan it again to verify that tgrfef.exe has been successfully removed. Here are the removal instructions in more detail:

  1. Download and install FreeFixer: http://www.freefixer.com/download.html
  2. Start FreeFixer and press the Start Scan button. The scan will finish in approximately five minutes.
    Screenshot of Start Scan button
  3. When the scan is finished, locate tgrfef.exe in the scan result and tick the checkbox next to the tgrfef.exe file. Do not check any other file for removal unless you are 100% sure you want to delete it. Tip: Press CTRL-F to open up FreeFixer's search dialog to quickly locate tgrfef.exe in the scan result.
    Red arrow point on the unwanted file
    c:\users\%USERNAME%\appdata\local\temp\tgrfef.exe
  4. Scroll down to the bottom of the scan result and press the Fix button. FreeFixer will now delete the tgrfef.exe file.
    Screenshot of Fix button
  5. Restart your computer.
  6. Start FreeFixer and scan your computer again. If tgrfef.exe still remains in the scan result, proceed with the next step. If tgrfef.exe is gone from the scan result you're done.
  7. If tgrfef.exe still remains in the scan result, check its checkbox again in the scan result and click Fix.
  8. Restart your computer.
  9. Start FreeFixer and scan your computer again. Verify that tgrfef.exe no longer appear in the scan result.
Please select the option that best describe your thoughts on the removal instructions given above








Free Questionnaires

Hashes [?]

PropertyValue
MD51b546e40c944053f961d2397bea28a96
SHA25683f47e23b9393700f10b7daa7bf5e7da31df3082b938d37868876f7f14492410

Error Messages

These are some of the error messages that can appear related to tgrfef.exe:

tgrfef.exe has encountered a problem and needs to close. We are sorry for the inconvenience.

tgrfef.exe - Application Error. The instruction at "0xXXXXXXXX" referenced memory at "0xXXXXXXXX". The memory could not be "read/written". Click on OK to terminate the program.

Betra lOetractor has stopped working.

End Program - tgrfef.exe. This program is not responding.

tgrfef.exe is not a valid Win32 application.

tgrfef.exe - Application Error. The application failed to initialize properly (0xXXXXXXXX). Click OK to terminate the application.

What will you do with tgrfef.exe?

To help other users, please let us know what you will do with tgrfef.exe:



What did other users do?

The poll result listed below shows what users chose to do with tgrfef.exe. 100% have voted for removal. Based on votes from 2 users.

Votes
Keep0 %
0
Remove100 %
2

NOTE: Please do not use this poll as the only source of input to determine what you will do with tgrfef.exe. Only 2 users has voted so far so it does not offer a high degree of confidence.

Comments

Please share with the other users what you think about this file. What does this file do? Is it legitimate or something that your computer is better without? Do you know how it was installed on your system? Did you install it yourself or did it come bundled with some other software? Is it running smoothly or do you get some error message? Any information that will help to document this file is welcome. Thank you for your contributions.

I'm reading all new comments so don't hesitate to post a question about the file. If I don't have the answer perhaps another user can help you.

No comments posted yet.

Leave a reply