
remcos_af1e1b6c2dd28c39884a3f6e4cd72b51ee0bc789b85f5f1190adc6c8dfaf91a9_2019-08-21_12_00.txt

paladin316 Aug 21st, 2019 81 Never
  1.  
  2. * MalFamily: "Remcos"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "remcos_af1e1b6c2dd28c39884a3f6e4cd72b51ee0bc789b85f5f1190adc6c8dfaf91a9"
  7. * File Size: 3034928
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "af1e1b6c2dd28c39884a3f6e4cd72b51ee0bc789b85f5f1190adc6c8dfaf91a9"
  10. * MD5: "d7a97204f3bf97f09e34218e2f380dd5"
  11. * SHA1: "1c29304455f3c6d203a648d587f49ed87b2c510e"
  12. * SHA512: "2b070a152e251b12015395eb109ee4e240a8ffb7da6d1c434a4102930ceef4520b49b8c27e5ab1f8cefd7440f9ede6ecf07e0581a12979831943f1a2a094dc6a"
  13. * CRC32: "D7ABEDDB"
  14. * SSDEEP: "49152:hh+ZkldoPK8Yad7cwj644Mh+ZkldoPK8YaLDNc0:C2cPK8YwjE2cPK8N"
  15.  
  16. * Process Execution:
  17.     "remcos_af1e1b6c2dd28c39884a3f6e4cd72b51ee0bc789b85f5f1190adc6c8dfaf91a9.exe",
  18.     "remcos_agent_Protected.exe",
  19.     "remcos_agent_Protected.exe",
  20.     "wscript.exe",
  21.     "cmd.exe",
  22.     "remcos.exe",
  23.     "remcos.exe",
  24.     "svchost.exe",
  25.     "svchost.exe",
  26.     "svchost.exe",
  27.     "svchost.exe",
  28.     "svchost.exe",
  29.     "svchost.exe",
  30.     "svchost.exe",
  31.     "svchost.exe",
  32.     "svchost.exe",
  33.     "svchost.exe",
  34.     "schtasks.exe",
  35.     "schtasks.exe",
  36.     "AcroRd32.exe",
  37.     "Eula.exe",
  38.     "schtasks.exe",
  39.     "svchost.exe"
  40.  
  41.  
  42. * Executed Commands:
  43.     "\"C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe\"",
  44.     "C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe ",
  45.     "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf\"",
  46.     "C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf ",
  47.     "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn WWAHost /tr \"C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe\" /sc  minute /mo 1 /F",
  48.     "schtasks /create /tn WWAHost /tr \"C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe\" /sc  minute /mo 1 /F",
  49.     "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc  minute /mo 1 /F",
  50.     "schtasks /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc  minute /mo 1 /F",
  51.     "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs\"",
  52.     "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs ",
  53.     "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" --type=renderer  \"C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf\"",
  54.     "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" --backgroundcolor=16514043",
  55.     "\"C:\\Windows\\System32\\cmd.exe\" /c \"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\"",
  56.     "cmd /c \"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\"",
  57.     "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe",
  58.     "C:\\Windows\\SysWOW64\\svchost.exe"
  59.  
  60.  
  61. * Signatures Detected:
  62.    
  63.         "Description": "Creates RWX memory",
  64.         "Details":
  65.    
  66.    
  67.         "Description": "Possible date expiration check, exits too soon after checking local time",
  68.         "Details":
  69.            
  70.                 "process": "schtasks.exe, PID 1624"
  71.            
  72.        
  73.    
  74.    
  75.         "Description": "Detected script timer window indicative of sleep style evasion",
  76.         "Details":
  77.            
  78.                 "Window": "WSH-Timer"
  79.            
  80.        
  81.    
  82.    
  83.         "Description": "Reads data out of its own binary image",
  84.         "Details":
  85.            
  86.                 "self_read": "process: remcos_af1e1b6c2dd28c39884a3f6e4cd72b51ee0bc789b85f5f1190adc6c8dfaf91a9.exe, pid: 2232, offset: 0x00000000, length: 0x002e4f30"
  87.            
  88.            
  89.                 "self_read": "process: remcos_agent_Protected.exe, pid: 1840, offset: 0x00000000, length: 0x0011fe00"
  90.            
  91.            
  92.                 "self_read": "process: Eula.exe, pid: 3000, offset: 0x00000000, length: 0x00000040"
  93.            
  94.            
  95.                 "self_read": "process: Eula.exe, pid: 3000, offset: 0x00000100, length: 0x00000018"
  96.            
  97.            
  98.                 "self_read": "process: Eula.exe, pid: 3000, offset: 0x000001f8, length: 0x000000a0"
  99.            
  100.            
  101.                 "self_read": "process: Eula.exe, pid: 3000, offset: 0x00012600, length: 0x00000010"
  102.            
  103.            
  104.                 "self_read": "process: wscript.exe, pid: 1040, offset: 0x00000000, length: 0x00000040"
  105.            
  106.            
  107.                 "self_read": "process: wscript.exe, pid: 1040, offset: 0x000000f0, length: 0x00000018"
  108.            
  109.            
  110.                 "self_read": "process: wscript.exe, pid: 1040, offset: 0x000001e8, length: 0x00000078"
  111.            
  112.            
  113.                 "self_read": "process: wscript.exe, pid: 1040, offset: 0x00018000, length: 0x00000020"
  114.            
  115.            
  116.                 "self_read": "process: wscript.exe, pid: 1040, offset: 0x00018058, length: 0x00000018"
  117.            
  118.            
  119.                 "self_read": "process: wscript.exe, pid: 1040, offset: 0x000181a8, length: 0x00000018"
  120.            
  121.            
  122.                 "self_read": "process: wscript.exe, pid: 1040, offset: 0x00018470, length: 0x00000010"
  123.            
  124.            
  125.                 "self_read": "process: wscript.exe, pid: 1040, offset: 0x00018640, length: 0x00000012"
  126.            
  127.            
  128.                 "self_read": "process: remcos.exe, pid: 676, offset: 0x00000000, length: 0x0011fe00"
  129.            
  130.            
  131.                 "self_read": "process: remcos.exe, pid: 2328, offset: 0x00000000, length: 0x0011fe00"
  132.            
  133.        
  134.    
  135.    
  136.         "Description": "A process created a hidden window",
  137.         "Details":
  138.            
  139.                 "Process": "remcos_af1e1b6c2dd28c39884a3f6e4cd72b51ee0bc789b85f5f1190adc6c8dfaf91a9.exe -> schtasks"
  140.            
  141.            
  142.                 "Process": "remcos_agent_Protected.exe -> schtasks"
  143.            
  144.            
  145.                 "Process": "remcos_agent_Protected.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs"
  146.            
  147.            
  148.                 "Process": "wscript.exe -> cmd"
  149.            
  150.            
  151.                 "Process": "remcos.exe -> schtasks"
  152.            
  153.        
  154.    
  155.    
  156.         "Description": "Drops a binary and executes it",
  157.         "Details":
  158.            
  159.                 "binary": "C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe"
  160.            
  161.            
  162.                 "binary": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
  163.            
  164.        
  165.    
  166.    
  167.         "Description": "Executed a process and injected code into it, probably while unpacking",
  168.         "Details":
  169.            
  170.                 "Injection": "remcos_agent_Protected.exe(1840) -> remcos_agent_Protected.exe(1156)"
  171.            
  172.        
  173.    
  174.    
  175.         "Description": "Sniffs keystrokes",
  176.         "Details":
  177.            
  178.                 "SetWindowsHookExA": "Process: remcos.exe(2328)"
  179.            
  180.        
  181.    
  182.    
  183.         "Description": "A process attempted to delay the analysis task by a long amount of time.",
  184.         "Details":
  185.            
  186.                 "Process": "remcos.exe tried to sleep 3169 seconds, actually delayed analysis time by 0 seconds"
  187.            
  188.        
  189.    
  190.    
  191.         "Description": "A potential decoy document was displayed to the user",
  192.         "Details":
  193.            
  194.                 "disguised_executable": "The submitted file was an executable indicative of an attempt to get a user to run executable content disguised as a document"
  195.            
  196.            
  197.                 "Decoy Document": "\"c:\\program files (x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe\" \"c:\\users\\user\\appdata\\local\\temp\\medical-application-form.pdf\""
  198.            
  199.        
  200.    
  201.    
  202.         "Description": "Attempts to execute a Living Off The Land Binary command for post-exploitation",
  203.         "Details":
  204.            
  205.                 "MITRE T1053 - schtasks": "(Tactic: Execution, Persistence, Privilege Escalation; the sandbox originally labelled this T1078 (Valid Accounts), but the observed schtasks /create behaviour and the listed tactics correspond to T1053 Scheduled Task/Job)"
  206.            
  207.        
  208.    
  209.    
  210.         "Description": "Installs itself for autorun at Windows startup",
  211.         "Details":
  212.            
  213.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"
  214.            
  215.            
  216.                 "data": "\"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\""
  217.            
  218.            
  219.                 "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"
  220.            
  221.            
  222.                 "data": "\"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\""
  223.            
  224.            
  225.                 "task": "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn WWAHost /tr \"C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe\" /sc  minute /mo 1 /F"
  226.            
  227.        
  228.    
  229.    
  230.         "Description": "Creates a hidden or system file",
  231.         "Details":
  232.            
  233.                 "file": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
  234.            
  235.            
  236.                 "file": "C:\\Users\\user\\AppData\\Roaming\\remcos"
  237.            
  238.            
  239.                 "file": "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat"
  240.            
  241.        
  242.    
  243.    
  244.         "Description": "File has been identified by 50 Antiviruses on VirusTotal as malicious",
  245.         "Details":
  246.            
  247.                 "MicroWorld-eScan": "Trojan.GenericKD.41548276"
  248.            
  249.            
  250.                 "FireEye": "Generic.mg.d7a97204f3bf97f0"
  251.            
  252.            
  253.                 "CAT-QuickHeal": "PUA.Presenoker.S5304897"
  254.            
  255.            
  256.                 "ALYac": "Trojan.GenericKD.41548276"
  257.            
  258.            
  259.                 "Malwarebytes": "Backdoor.Remcos.AutoIt"
  260.            
  261.            
  262.                 "K7AntiVirus": "Trojan ( 700000111 )"
  263.            
  264.            
  265.                 "Alibaba": "Backdoor:Win32/Remcos.90bce6ee"
  266.            
  267.            
  268.                 "K7GW": "Trojan ( 700000111 )"
  269.            
  270.            
  271.                 "Cybereason": "malicious.4f3bf9"
  272.            
  273.            
  274.                 "Arcabit": "Trojan.Generic.D279F9F4"
  275.            
  276.            
  277.                 "Invincea": "heuristic"
  278.            
  279.            
  280.                 "F-Prot": "W32/AutoIt.JD.gen!Eldorado"
  281.            
  282.            
  283.                 "Symantec": "ML.Attribute.HighConfidence"
  284.            
  285.            
  286.                 "APEX": "Malicious"
  287.            
  288.            
  289.                 "Avast": "Win32:Trojan-gen"
  290.            
  291.            
  292.                 "ClamAV": "Win.Downloader.LokiBot-6962970-0"
  293.            
  294.            
  295.                 "Kaspersky": "Backdoor.Win32.Remcos.cxb"
  296.            
  297.            
  298.                 "BitDefender": "Trojan.GenericKD.41548276"
  299.            
  300.            
  301.                 "NANO-Antivirus": "Trojan.Win32.Remcos.fqrrmb"
  302.            
  303.            
  304.                 "Paloalto": "generic.ml"
  305.            
  306.            
  307.                 "AegisLab": "Trojan.Win32.Remcos.m!c"
  308.            
  309.            
  310.                 "Ad-Aware": "Trojan.GenericKD.41548276"
  311.            
  312.            
  313.                 "Emsisoft": "Trojan.GenericKD.41548276 (B)"
  314.            
  315.            
  316.                 "F-Secure": "Dropper.DR/AutoIt.Gen8"
  317.            
  318.            
  319.                 "DrWeb": "Trojan.Inject3.16009"
  320.            
  321.            
  322.                 "VIPRE": "Trojan.Win32.Generic!BT"
  323.            
  324.            
  325.                 "TrendMicro": "Trojan.AutoIt.CRYPTINJECT.SMA"
  326.            
  327.            
  328.                 "McAfee-GW-Edition": "BehavesLike.Win32.Dropper.vh"
  329.            
  330.            
  331.                 "Sophos": "Troj/AutoIt-CKU"
  332.            
  333.            
  334.                 "Cyren": "W32/AutoIt.JD.gen!Eldorado"
  335.            
  336.            
  337.                 "Avira": "DR/AutoIt.Gen8"
  338.            
  339.            
  340.                 "MAX": "malware (ai score=84)"
  341.            
  342.            
  343.                 "Antiy-AVL": "GrayWare/Autoit.ShellCode.a"
  344.            
  345.            
  346.                 "Microsoft": "VirTool:Win32/AutInject.CZ!bit"
  347.            
  348.            
  349.                 "Endgame": "malicious (high confidence)"
  350.            
  351.            
  352.                 "ZoneAlarm": "Backdoor.Win32.Remcos.cxb"
  353.            
  354.            
  355.                 "GData": "Trojan.GenericKD.41548276"
  356.            
  357.            
  358.                 "AhnLab-V3": "Win-Trojan/AutoInj.Exp"
  359.            
  360.            
  361.                 "Acronis": "suspicious"
  362.            
  363.            
  364.                 "McAfee": "Trojan-AitInject.ak"
  365.            
  366.            
  367.                 "VBA32": "Backdoor.Remcos"
  368.            
  369.            
  370.                 "Cylance": "Unsafe"
  371.            
  372.            
  373.                 "ESET-NOD32": "a variant of Win32/Injector.Autoit.DUR"
  374.            
  375.            
  376.                 "TrendMicro-HouseCall": "Trojan.AutoIt.CRYPTINJECT.SMA"
  377.            
  378.            
  379.                 "Ikarus": "Trojan.Autoit"
  380.            
  381.            
  382.                 "Fortinet": "AutoIt/Injector.DWD!tr"
  383.            
  384.            
  385.                 "AVG": "Win32:Trojan-gen"
  386.            
  387.            
  388.                 "Panda": "Trj/Genetic.gen"
  389.            
  390.            
  391.                 "CrowdStrike": "win/malicious_confidence_100% (W)"
  392.            
  393.            
  394.                 "Qihoo-360": "HEUR/QVM41.1.596F.Malware.Gen"
  395.            
  396.        
  397.    
  398.    
  399.         "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
  400.         "Details":
  401.            
  402.                 "target": "clamav:Win.Downloader.LokiBot-6962970-0, sha256:af1e1b6c2dd28c39884a3f6e4cd72b51ee0bc789b85f5f1190adc6c8dfaf91a9, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  403.            
  404.            
  405.                 "dropped": "clamav:Win.Downloader.LokiBot-6962970-0, sha256:f231122ca4d509f65294cb204399e9642a7ddf1df0204ae5a30fefcca5d65513 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  406.            
  407.            
  408.                 "dropped": "clamav:Win.Malware.Autoit-6985962-0, sha256:45b3e49b367f59f6bfa4370d4742a2bcc9d07a03c944308574fb93446c1d9baf , guest_paths:C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  409.            
  410.            
  411.                 "dropped": "clamav:Win.Malware.Autoit-6985962-0, sha256:7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe*C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  412.            
  413.        
  414.    
  415.    
  416.         "Description": "Creates a slightly modified copy of itself",
  417.         "Details":
  418.            
  419.                 "file": "C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe"
  420.            
  421.            
  422.                 "percent_match": 99
  423.            
  424.        
  425.    
  426.    
  427.         "Description": "Anomalous binary characteristics",
  428.         "Details":
  429.            
  430.                 "anomaly": "Actual checksum does not match that reported in PE header"
  431.            
  432.        
  433.    
  434.    
  435.         "Description": "Clears web history",
  436.         "Details":
  437.            
  438.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat"
  439.            
  440.            
  441.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt"
  442.            
  443.            
  444.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt"
  445.            
  446.            
  447.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt"
  448.            
  449.            
  450.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt"
  451.            
  452.            
  453.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low"
  454.            
  455.            
  456.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt"
  457.            
  458.            
  459.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt"
  460.            
  461.            
  462.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt"
  463.            
  464.            
  465.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt"
  466.            
  467.            
  468.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt"
  469.            
  470.            
  471.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt"
  472.            
  473.            
  474.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt"
  475.            
  476.            
  477.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt"
  478.            
  479.            
  480.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat"
  481.            
  482.            
  483.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt"
  484.            
  485.            
  486.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt"
  487.            
  488.            
  489.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt"
  490.            
  491.            
  492.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt"
  493.            
  494.        
  495.    
  496.  
  497.  
  498. * Started Service:
  499.  
  500. * Mutexes:
  501.     "bderepair",
  502.     "Local\\ZoneAttributeCacheCounterMutex",
  503.     "Local\\ZonesCacheCounterMutex",
  504.     "Local\\ZonesLockedCacheCounterMutex",
  505.     "MDMAppInstaller",
  506.     "Remcos_Mutex_Inj",
  507.     "Remcos-S1KNPZ",
  508.     "Global\\ARM Update Mutex",
  509.     "Global\\Acro Update Mutex",
  510.     "100184D2-BDC3-477a-B8D3-65548B67914C_952",
  511.     "Global\\100184D2-BDC3-477a-B8D3-65548B67914C_608",
  512.     "com.adobe.acrobat.rna.RdrCefBrowserLock.DC",
  513.     "Local\\WininetStartupMutex",
  514.     "Local\\ZonesCounterMutex",
  515.     "Local\\_!MSFTHISTORY!_",
  516.     "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
  517.     "Mutex_RemWatchdog"
  518.  
  519.  
  520. * Modified Files:
  521.     "C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe",
  522.     "C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf",
  523.     "C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe",
  524.     "C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe",
  525.     "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe",
  526.     "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs",
  527.     "C:\\Users\\user\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc",
  528.     "C:\\Users\\user\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc",
  529.     "C:\\Users\\user\\AppData\\Local\\Adobe\\Color\\ACECache11.lst",
  530.     "C:\\Users\\user\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\ReaderMessages",
  531.     "C:\\Windows\\sysnative\\Tasks\\setx",
  532.     "C:\\Windows\\sysnative\\Tasks\\WWAHost",
  533.     "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
  534.     "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
  535.     "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
  536.     "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
  537.     "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat"
  538.  
  539.  
  540. * Deleted Files:
  541.     "C:\\Windows\\Tasks\\setx.job",
  542.     "C:\\Windows\\Tasks\\WWAHost.job",
  543.     "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log",
  544.     "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs",
  545.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
  546.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat",
  547.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low",
  548.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt",
  549.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt",
  550.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt",
  551.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt",
  552.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt",
  553.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt",
  554.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt",
  555.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt",
  556.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt",
  557.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt",
  558.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt",
  559.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt",
  560.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt",
  561.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt",
  562.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt",
  563.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt",
  564.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies",
  565.     "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies",
  566.     "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  567.  
  568.  
  569. * Modified Registry Keys:
  570.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  571.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  572.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
  573.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
  574.     "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Acrobat\\DC\\DiskCabs",
  575.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC",
  576.     "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC",
  577.     "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\AcrobatDC",
  578.     "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\Reader DC",
  579.     "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\Reader 19_Acrobat19_Reader_19.10.20069",
  580.     "HKEY_LOCAL_MACHINE\\System\\Acrobatbrokerserverdispatchercpp789",
  581.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Installer",
  582.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Installer\\Migrated",
  583.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language",
  584.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language\\UseMUI",
  585.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language\\next",
  586.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language\\current",
  587.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Originals",
  588.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\ExitSection",
  589.     "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC\\Acrobat.com",
  590.     "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC\\Acrobat.com.v2",
  591.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVConnector",
  592.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVConnector\\cv1",
  593.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral",
  594.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cTaskPanes",
  595.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cTaskPanes\\cBasicCommentPane",
  596.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\FTEDialog",
  597.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\FlashDebug",
  598.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\OnBoardingSection",
  599.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\OnBoardingSection\\chomeView",
  600.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\SDI",
  601.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Selection",
  602.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Window",
  603.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Window\\cAVUIPopupList",
  604.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\F346FACA-8D21-44D8-A55D-43DEFE5EF0B2\\Path",
  605.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\F346FACA-8D21-44D8-A55D-43DEFE5EF0B2\\Hash",
  606.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\setx\\Id",
  607.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\setx\\Index",
  608.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\F346FACA-8D21-44D8-A55D-43DEFE5EF0B2\\Triggers",
  609.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\F346FACA-8D21-44D8-A55D-43DEFE5EF0B2\\DynamicInfo",
  610.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\6449ECB5-7288-4963-9407-8D7211468878\\Path",
  611.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\6449ECB5-7288-4963-9407-8D7211468878\\Hash",
  612.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\WWAHost\\Id",
  613.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\WWAHost\\Index",
  614.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\6449ECB5-7288-4963-9407-8D7211468878\\Triggers",
  615.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\6449ECB5-7288-4963-9407-8D7211468878\\DynamicInfo",
  616.     "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\",
  617.     "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\exepath",
  618.     "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\licence",
  619.     "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\WD",
  620.     "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\FR"
  621.  
  622.  
  623. * Deleted Registry Keys:
  624.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  625.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  626.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  627.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  628.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\setx.job",
  629.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\setx.job.fp",
  630.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\WWAHost.job",
  631.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\WWAHost.job.fp"
  632.  
  633.  
  634. * DNS Communications:
  635.    
  636.         "type": "A",
  637.         "request": "daya4659.ddns.net",
  638.         "answers":
  639.    
  640.  
  641.  
  642. * Domains:
  643.    
  644.         "ip": "",
  645.         "domain": "daya4659.ddns.net"
  646.    
  647.  
  648.  
  649. * Network Communication - ICMP:
  650.  
  651. * Network Communication - HTTP:
  652.  
  653. * Network Communication - SMTP:
  654.  
  655. * Network Communication - Hosts:
  656.  
  657. * Network Communication - IRC: