- * MalFamily: "Remcos"
- * MalScore: 10.0
- * File Name: "remcos_af1e1b6c2dd28c39884a3f6e4cd72b51ee0bc789b85f5f1190adc6c8dfaf91a9"
- * File Size: 3034928
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "af1e1b6c2dd28c39884a3f6e4cd72b51ee0bc789b85f5f1190adc6c8dfaf91a9"
- * MD5: "d7a97204f3bf97f09e34218e2f380dd5"
- * SHA1: "1c29304455f3c6d203a648d587f49ed87b2c510e"
- * SHA512: "2b070a152e251b12015395eb109ee4e240a8ffb7da6d1c434a4102930ceef4520b49b8c27e5ab1f8cefd7440f9ede6ecf07e0581a12979831943f1a2a094dc6a"
- * CRC32: "D7ABEDDB"
- * SSDEEP: "49152:hh+ZkldoPK8Yad7cwj644Mh+ZkldoPK8YaLDNc0:C2cPK8YwjE2cPK8N"
- * Process Execution:
- "remcos_af1e1b6c2dd28c39884a3f6e4cd72b51ee0bc789b85f5f1190adc6c8dfaf91a9.exe",
- "remcos_agent_Protected.exe",
- "remcos_agent_Protected.exe",
- "wscript.exe",
- "cmd.exe",
- "remcos.exe",
- "remcos.exe",
- "svchost.exe",
- "svchost.exe",
- "svchost.exe",
- "svchost.exe",
- "svchost.exe",
- "svchost.exe",
- "svchost.exe",
- "svchost.exe",
- "svchost.exe",
- "svchost.exe",
- "schtasks.exe",
- "schtasks.exe",
- "AcroRd32.exe",
- "Eula.exe",
- "schtasks.exe",
- "svchost.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe\"",
- "C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe ",
- "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf\"",
- "C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf ",
- "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn WWAHost /tr \"C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe\" /sc minute /mo 1 /F",
- "schtasks /create /tn WWAHost /tr \"C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe\" /sc minute /mo 1 /F",
- "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc minute /mo 1 /F",
- "schtasks /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc minute /mo 1 /F",
- "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs\"",
- "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs ",
- "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" --type=renderer \"C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf\"",
- "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" --backgroundcolor=16514043",
- "\"C:\\Windows\\System32\\cmd.exe\" /c \"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\"",
- "cmd /c \"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\"",
- "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe",
- "C:\\Windows\\SysWOW64\\svchost.exe"
- * Signatures Detected:
- "Description": "Creates RWX memory",
- "Details":
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details":
- "process": "schtasks.exe, PID 1624"
- "Description": "Detected script timer window indicative of sleep style evasion",
- "Details":
- "Window": "WSH-Timer"
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: remcos_af1e1b6c2dd28c39884a3f6e4cd72b51ee0bc789b85f5f1190adc6c8dfaf91a9.exe, pid: 2232, offset: 0x00000000, length: 0x002e4f30"
- "self_read": "process: remcos_agent_Protected.exe, pid: 1840, offset: 0x00000000, length: 0x0011fe00"
- "self_read": "process: Eula.exe, pid: 3000, offset: 0x00000000, length: 0x00000040"
- "self_read": "process: Eula.exe, pid: 3000, offset: 0x00000100, length: 0x00000018"
- "self_read": "process: Eula.exe, pid: 3000, offset: 0x000001f8, length: 0x000000a0"
- "self_read": "process: Eula.exe, pid: 3000, offset: 0x00012600, length: 0x00000010"
- "self_read": "process: wscript.exe, pid: 1040, offset: 0x00000000, length: 0x00000040"
- "self_read": "process: wscript.exe, pid: 1040, offset: 0x000000f0, length: 0x00000018"
- "self_read": "process: wscript.exe, pid: 1040, offset: 0x000001e8, length: 0x00000078"
- "self_read": "process: wscript.exe, pid: 1040, offset: 0x00018000, length: 0x00000020"
- "self_read": "process: wscript.exe, pid: 1040, offset: 0x00018058, length: 0x00000018"
- "self_read": "process: wscript.exe, pid: 1040, offset: 0x000181a8, length: 0x00000018"
- "self_read": "process: wscript.exe, pid: 1040, offset: 0x00018470, length: 0x00000010"
- "self_read": "process: wscript.exe, pid: 1040, offset: 0x00018640, length: 0x00000012"
- "self_read": "process: remcos.exe, pid: 676, offset: 0x00000000, length: 0x0011fe00"
- "self_read": "process: remcos.exe, pid: 2328, offset: 0x00000000, length: 0x0011fe00"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "remcos_af1e1b6c2dd28c39884a3f6e4cd72b51ee0bc789b85f5f1190adc6c8dfaf91a9.exe -> schtasks"
- "Process": "remcos_agent_Protected.exe -> schtasks"
- "Process": "remcos_agent_Protected.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs"
- "Process": "wscript.exe -> cmd"
- "Process": "remcos.exe -> schtasks"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe"
- "binary": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "remcos_agent_Protected.exe(1840) -> remcos_agent_Protected.exe(1156)"
- "Description": "Sniffs keystrokes",
- "Details":
- "SetWindowsHookExA": "Process: remcos.exe(2328)"
- "Description": "A process attempted to delay the analysis task by a long amount of time.",
- "Details":
- "Process": "remcos.exe tried to sleep 3169 seconds, actually delayed analysis time by 0 seconds"
- "Description": "A potential decoy document was displayed to the user",
- "Details":
- "disguised_executable": "The submitted file was an executable indicative of an attempt to get a user to run executable content disguised as a document"
- "Decoy Document": "\"c:\\program files (x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe\" \"c:\\users\\user\\appdata\\local\\temp\\medical-application-form.pdf\""
- "Description": "Attempts to execute a Living Off The Land Binary command for post exploitation",
- "Details":
- "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"
- "data": "\"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\""
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"
- "data": "\"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\""
- "task": "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn WWAHost /tr \"C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe\" /sc minute /mo 1 /F"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
- "file": "C:\\Users\\user\\AppData\\Roaming\\remcos"
- "file": "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat"
- "Description": "File has been identified by 50 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Trojan.GenericKD.41548276"
- "FireEye": "Generic.mg.d7a97204f3bf97f0"
- "CAT-QuickHeal": "PUA.Presenoker.S5304897"
- "ALYac": "Trojan.GenericKD.41548276"
- "Malwarebytes": "Backdoor.Remcos.AutoIt"
- "K7AntiVirus": "Trojan ( 700000111 )"
- "Alibaba": "Backdoor:Win32/Remcos.90bce6ee"
- "K7GW": "Trojan ( 700000111 )"
- "Cybereason": "malicious.4f3bf9"
- "Arcabit": "Trojan.Generic.D279F9F4"
- "Invincea": "heuristic"
- "F-Prot": "W32/AutoIt.JD.gen!Eldorado"
- "Symantec": "ML.Attribute.HighConfidence"
- "APEX": "Malicious"
- "Avast": "Win32:Trojan-gen"
- "ClamAV": "Win.Downloader.LokiBot-6962970-0"
- "Kaspersky": "Backdoor.Win32.Remcos.cxb"
- "BitDefender": "Trojan.GenericKD.41548276"
- "NANO-Antivirus": "Trojan.Win32.Remcos.fqrrmb"
- "Paloalto": "generic.ml"
- "AegisLab": "Trojan.Win32.Remcos.m!c"
- "Ad-Aware": "Trojan.GenericKD.41548276"
- "Emsisoft": "Trojan.GenericKD.41548276 (B)"
- "F-Secure": "Dropper.DR/AutoIt.Gen8"
- "DrWeb": "Trojan.Inject3.16009"
- "VIPRE": "Trojan.Win32.Generic!BT"
- "TrendMicro": "Trojan.AutoIt.CRYPTINJECT.SMA"
- "McAfee-GW-Edition": "BehavesLike.Win32.Dropper.vh"
- "Sophos": "Troj/AutoIt-CKU"
- "Cyren": "W32/AutoIt.JD.gen!Eldorado"
- "Avira": "DR/AutoIt.Gen8"
- "MAX": "malware (ai score=84)"
- "Antiy-AVL": "GrayWare/Autoit.ShellCode.a"
- "Microsoft": "VirTool:Win32/AutInject.CZ!bit"
- "Endgame": "malicious (high confidence)"
- "ZoneAlarm": "Backdoor.Win32.Remcos.cxb"
- "GData": "Trojan.GenericKD.41548276"
- "AhnLab-V3": "Win-Trojan/AutoInj.Exp"
- "Acronis": "suspicious"
- "McAfee": "Trojan-AitInject.ak"
- "VBA32": "Backdoor.Remcos"
- "Cylance": "Unsafe"
- "ESET-NOD32": "a variant of Win32/Injector.Autoit.DUR"
- "TrendMicro-HouseCall": "Trojan.AutoIt.CRYPTINJECT.SMA"
- "Ikarus": "Trojan.Autoit"
- "Fortinet": "AutoIt/Injector.DWD!tr"
- "AVG": "Win32:Trojan-gen"
- "Panda": "Trj/Genetic.gen"
- "CrowdStrike": "win/malicious_confidence_100% (W)"
- "Qihoo-360": "HEUR/QVM41.1.596F.Malware.Gen"
- "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
- "Details":
- "target": "clamav:Win.Downloader.LokiBot-6962970-0, sha256:af1e1b6c2dd28c39884a3f6e4cd72b51ee0bc789b85f5f1190adc6c8dfaf91a9, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "dropped": "clamav:Win.Downloader.LokiBot-6962970-0, sha256:f231122ca4d509f65294cb204399e9642a7ddf1df0204ae5a30fefcca5d65513 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "dropped": "clamav:Win.Malware.Autoit-6985962-0, sha256:45b3e49b367f59f6bfa4370d4742a2bcc9d07a03c944308574fb93446c1d9baf , guest_paths:C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "dropped": "clamav:Win.Malware.Autoit-6985962-0, sha256:7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe*C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "Description": "Creates a slightly modified copy of itself",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe"
- "percent_match": 99
- "Description": "Anomalous binary characteristics",
- "Details":
- "anomaly": "Actual checksum does not match that reported in PE header"
- "Description": "Clears web history",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt"
- * Started Service:
- * Mutexes:
- "bderepair",
- "Local\\ZoneAttributeCacheCounterMutex",
- "Local\\ZonesCacheCounterMutex",
- "Local\\ZonesLockedCacheCounterMutex",
- "MDMAppInstaller",
- "Remcos_Mutex_Inj",
- "Remcos-S1KNPZ",
- "Global\\ARM Update Mutex",
- "Global\\Acro Update Mutex",
- "100184D2-BDC3-477a-B8D3-65548B67914C_952",
- "Global\\100184D2-BDC3-477a-B8D3-65548B67914C_608",
- "com.adobe.acrobat.rna.RdrCefBrowserLock.DC",
- "Local\\WininetStartupMutex",
- "Local\\ZonesCounterMutex",
- "Local\\_!MSFTHISTORY!_",
- "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
- "Mutex_RemWatchdog"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf",
- "C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe",
- "C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe",
- "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs",
- "C:\\Users\\user\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc",
- "C:\\Users\\user\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc",
- "C:\\Users\\user\\AppData\\Local\\Adobe\\Color\\ACECache11.lst",
- "C:\\Users\\user\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\ReaderMessages",
- "C:\\Windows\\sysnative\\Tasks\\setx",
- "C:\\Windows\\sysnative\\Tasks\\WWAHost",
- "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
- "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat"
- * Deleted Files:
- "C:\\Windows\\Tasks\\setx.job",
- "C:\\Windows\\Tasks\\WWAHost.job",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log",
- "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies",
- "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies",
- "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Acrobat\\DC\\DiskCabs",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC",
- "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\AcrobatDC",
- "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\Reader DC",
- "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\Reader 19_Acrobat19_Reader_19.10.20069",
- "HKEY_LOCAL_MACHINE\\System\\Acrobatbrokerserverdispatchercpp789",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Installer",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Installer\\Migrated",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language\\UseMUI",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language\\next",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language\\current",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Originals",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\ExitSection",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC\\Acrobat.com",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC\\Acrobat.com.v2",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVConnector",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVConnector\\cv1",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cTaskPanes",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cTaskPanes\\cBasicCommentPane",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\FTEDialog",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\FlashDebug",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\OnBoardingSection",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\OnBoardingSection\\chomeView",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\SDI",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Selection",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Window",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Window\\cAVUIPopupList",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\F346FACA-8D21-44D8-A55D-43DEFE5EF0B2\\Path",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\F346FACA-8D21-44D8-A55D-43DEFE5EF0B2\\Hash",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\setx\\Id",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\setx\\Index",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\F346FACA-8D21-44D8-A55D-43DEFE5EF0B2\\Triggers",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\F346FACA-8D21-44D8-A55D-43DEFE5EF0B2\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\6449ECB5-7288-4963-9407-8D7211468878\\Path",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\6449ECB5-7288-4963-9407-8D7211468878\\Hash",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\WWAHost\\Id",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\WWAHost\\Index",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\6449ECB5-7288-4963-9407-8D7211468878\\Triggers",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\6449ECB5-7288-4963-9407-8D7211468878\\DynamicInfo",
- "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\",
- "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\exepath",
- "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\licence",
- "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\WD",
- "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\FR"
- * Deleted Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\setx.job",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\setx.job.fp",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\WWAHost.job",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\WWAHost.job.fp"
- * DNS Communications:
- "type": "A",
- "request": "daya4659.ddns.net",
- "answers":
- * Domains:
- "ip": "",
- "domain": "daya4659.ddns.net"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: