paladin316

remcos_af1e1b6c2dd28c39884a3f6e4cd72b51ee0bc789b85f5f1190adc6c8dfaf91a9_2019-08-21_12_00.txt

Aug 21st, 2019
  1.  
  2. * MalFamily: "Remcos"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "remcos_af1e1b6c2dd28c39884a3f6e4cd72b51ee0bc789b85f5f1190adc6c8dfaf91a9"
  7. * File Size: 3034928
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "af1e1b6c2dd28c39884a3f6e4cd72b51ee0bc789b85f5f1190adc6c8dfaf91a9"
  10. * MD5: "d7a97204f3bf97f09e34218e2f380dd5"
  11. * SHA1: "1c29304455f3c6d203a648d587f49ed87b2c510e"
  12. * SHA512: "2b070a152e251b12015395eb109ee4e240a8ffb7da6d1c434a4102930ceef4520b49b8c27e5ab1f8cefd7440f9ede6ecf07e0581a12979831943f1a2a094dc6a"
  13. * CRC32: "D7ABEDDB"
  14. * SSDEEP: "49152:hh+ZkldoPK8Yad7cwj644Mh+ZkldoPK8YaLDNc0:C2cPK8YwjE2cPK8N"
  15.  
  16. * Process Execution:
  17. "remcos_af1e1b6c2dd28c39884a3f6e4cd72b51ee0bc789b85f5f1190adc6c8dfaf91a9.exe",
  18. "remcos_agent_Protected.exe",
  19. "remcos_agent_Protected.exe",
  20. "wscript.exe",
  21. "cmd.exe",
  22. "remcos.exe",
  23. "remcos.exe",
  24. "svchost.exe",
  25. "svchost.exe",
  26. "svchost.exe",
  27. "svchost.exe",
  28. "svchost.exe",
  29. "svchost.exe",
  30. "svchost.exe",
  31. "svchost.exe",
  32. "svchost.exe",
  33. "svchost.exe",
  34. "schtasks.exe",
  35. "schtasks.exe",
  36. "AcroRd32.exe",
  37. "Eula.exe",
  38. "schtasks.exe",
  39. "svchost.exe"
  40.  
  41.  
  42. * Executed Commands:
  43. "\"C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe\"",
  44. "C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe ",
  45. "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf\"",
  46. "C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf ",
  47. "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn WWAHost /tr \"C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe\" /sc minute /mo 1 /F",
  48. "schtasks /create /tn WWAHost /tr \"C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe\" /sc minute /mo 1 /F",
  49. "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc minute /mo 1 /F",
  50. "schtasks /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc minute /mo 1 /F",
  51. "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs\"",
  52. "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs ",
  53. "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" --type=renderer \"C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf\"",
  54. "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" --backgroundcolor=16514043",
  55. "\"C:\\Windows\\System32\\cmd.exe\" /c \"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\"",
  56. "cmd /c \"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\"",
  57. "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe",
  58. "C:\\Windows\\SysWOW64\\svchost.exe"
  59.  
  60.  
  61. * Signatures Detected:
  62.  
  63. "Description": "Creates RWX memory",
  64. "Details":
  65.  
  66.  
  67. "Description": "Possible date expiration check, exits too soon after checking local time",
  68. "Details":
  69.  
  70. "process": "schtasks.exe, PID 1624"
  71.  
  72.  
  73.  
  74.  
  75. "Description": "Detected script timer window indicative of sleep style evasion",
  76. "Details":
  77.  
  78. "Window": "WSH-Timer"
  79.  
  80.  
  81.  
  82.  
  83. "Description": "Reads data out of its own binary image",
  84. "Details":
  85.  
  86. "self_read": "process: remcos_af1e1b6c2dd28c39884a3f6e4cd72b51ee0bc789b85f5f1190adc6c8dfaf91a9.exe, pid: 2232, offset: 0x00000000, length: 0x002e4f30"
  87.  
  88.  
  89. "self_read": "process: remcos_agent_Protected.exe, pid: 1840, offset: 0x00000000, length: 0x0011fe00"
  90.  
  91.  
  92. "self_read": "process: Eula.exe, pid: 3000, offset: 0x00000000, length: 0x00000040"
  93.  
  94.  
  95. "self_read": "process: Eula.exe, pid: 3000, offset: 0x00000100, length: 0x00000018"
  96.  
  97.  
  98. "self_read": "process: Eula.exe, pid: 3000, offset: 0x000001f8, length: 0x000000a0"
  99.  
  100.  
  101. "self_read": "process: Eula.exe, pid: 3000, offset: 0x00012600, length: 0x00000010"
  102.  
  103.  
  104. "self_read": "process: wscript.exe, pid: 1040, offset: 0x00000000, length: 0x00000040"
  105.  
  106.  
  107. "self_read": "process: wscript.exe, pid: 1040, offset: 0x000000f0, length: 0x00000018"
  108.  
  109.  
  110. "self_read": "process: wscript.exe, pid: 1040, offset: 0x000001e8, length: 0x00000078"
  111.  
  112.  
  113. "self_read": "process: wscript.exe, pid: 1040, offset: 0x00018000, length: 0x00000020"
  114.  
  115.  
  116. "self_read": "process: wscript.exe, pid: 1040, offset: 0x00018058, length: 0x00000018"
  117.  
  118.  
  119. "self_read": "process: wscript.exe, pid: 1040, offset: 0x000181a8, length: 0x00000018"
  120.  
  121.  
  122. "self_read": "process: wscript.exe, pid: 1040, offset: 0x00018470, length: 0x00000010"
  123.  
  124.  
  125. "self_read": "process: wscript.exe, pid: 1040, offset: 0x00018640, length: 0x00000012"
  126.  
  127.  
  128. "self_read": "process: remcos.exe, pid: 676, offset: 0x00000000, length: 0x0011fe00"
  129.  
  130.  
  131. "self_read": "process: remcos.exe, pid: 2328, offset: 0x00000000, length: 0x0011fe00"
  132.  
  133.  
  134.  
  135.  
  136. "Description": "A process created a hidden window",
  137. "Details":
  138.  
  139. "Process": "remcos_af1e1b6c2dd28c39884a3f6e4cd72b51ee0bc789b85f5f1190adc6c8dfaf91a9.exe -> schtasks"
  140.  
  141.  
  142. "Process": "remcos_agent_Protected.exe -> schtasks"
  143.  
  144.  
  145. "Process": "remcos_agent_Protected.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs"
  146.  
  147.  
  148. "Process": "wscript.exe -> cmd"
  149.  
  150.  
  151. "Process": "remcos.exe -> schtasks"
  152.  
  153.  
  154.  
  155.  
  156. "Description": "Drops a binary and executes it",
  157. "Details":
  158.  
  159. "binary": "C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe"
  160.  
  161.  
  162. "binary": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
  163.  
  164.  
  165.  
  166.  
  167. "Description": "Executed a process and injected code into it, probably while unpacking",
  168. "Details":
  169.  
  170. "Injection": "remcos_agent_Protected.exe(1840) -> remcos_agent_Protected.exe(1156)"
  171.  
  172.  
  173.  
  174.  
  175. "Description": "Sniffs keystrokes",
  176. "Details":
  177.  
  178. "SetWindowsHookExA": "Process: remcos.exe(2328)"
  179.  
  180.  
  181.  
  182.  
  183. "Description": "A process attempted to delay the analysis task by a long amount of time.",
  184. "Details":
  185.  
  186. "Process": "remcos.exe tried to sleep 3169 seconds, actually delayed analysis time by 0 seconds"
  187.  
  188.  
  189.  
  190.  
  191. "Description": "A potential decoy document was displayed to the user",
  192. "Details":
  193.  
  194. "disguised_executable": "The submitted file was an executable indicative of an attempt to get a user to run executable content disguised as a document"
  195.  
  196.  
  197. "Decoy Document": "\"c:\\program files (x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe\" \"c:\\users\\user\\appdata\\local\\temp\\medical-application-form.pdf\""
  198.  
  199.  
  200.  
  201.  
  202. "Description": "Attempts to execute a Living Off The Land Binary command for post exploitation",
  203. "Details":
  204.  
  205. "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
  206.  
  207.  
  208.  
  209.  
  210. "Description": "Installs itself for autorun at Windows startup",
  211. "Details":
  212.  
  213. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"
  214.  
  215.  
  216. "data": "\"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\""
  217.  
  218.  
  219. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"
  220.  
  221.  
  222. "data": "\"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\""
  223.  
  224.  
  225. "task": "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn WWAHost /tr \"C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe\" /sc minute /mo 1 /F"
  226.  
  227.  
  228.  
  229.  
  230. "Description": "Creates a hidden or system file",
  231. "Details":
  232.  
  233. "file": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
  234.  
  235.  
  236. "file": "C:\\Users\\user\\AppData\\Roaming\\remcos"
  237.  
  238.  
  239. "file": "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat"
  240.  
  241.  
  242.  
  243.  
  244. "Description": "File has been identified by 50 Antiviruses on VirusTotal as malicious",
  245. "Details":
  246.  
  247. "MicroWorld-eScan": "Trojan.GenericKD.41548276"
  248.  
  249.  
  250. "FireEye": "Generic.mg.d7a97204f3bf97f0"
  251.  
  252.  
  253. "CAT-QuickHeal": "PUA.Presenoker.S5304897"
  254.  
  255.  
  256. "ALYac": "Trojan.GenericKD.41548276"
  257.  
  258.  
  259. "Malwarebytes": "Backdoor.Remcos.AutoIt"
  260.  
  261.  
  262. "K7AntiVirus": "Trojan ( 700000111 )"
  263.  
  264.  
  265. "Alibaba": "Backdoor:Win32/Remcos.90bce6ee"
  266.  
  267.  
  268. "K7GW": "Trojan ( 700000111 )"
  269.  
  270.  
  271. "Cybereason": "malicious.4f3bf9"
  272.  
  273.  
  274. "Arcabit": "Trojan.Generic.D279F9F4"
  275.  
  276.  
  277. "Invincea": "heuristic"
  278.  
  279.  
  280. "F-Prot": "W32/AutoIt.JD.gen!Eldorado"
  281.  
  282.  
  283. "Symantec": "ML.Attribute.HighConfidence"
  284.  
  285.  
  286. "APEX": "Malicious"
  287.  
  288.  
  289. "Avast": "Win32:Trojan-gen"
  290.  
  291.  
  292. "ClamAV": "Win.Downloader.LokiBot-6962970-0"
  293.  
  294.  
  295. "Kaspersky": "Backdoor.Win32.Remcos.cxb"
  296.  
  297.  
  298. "BitDefender": "Trojan.GenericKD.41548276"
  299.  
  300.  
  301. "NANO-Antivirus": "Trojan.Win32.Remcos.fqrrmb"
  302.  
  303.  
  304. "Paloalto": "generic.ml"
  305.  
  306.  
  307. "AegisLab": "Trojan.Win32.Remcos.m!c"
  308.  
  309.  
  310. "Ad-Aware": "Trojan.GenericKD.41548276"
  311.  
  312.  
  313. "Emsisoft": "Trojan.GenericKD.41548276 (B)"
  314.  
  315.  
  316. "F-Secure": "Dropper.DR/AutoIt.Gen8"
  317.  
  318.  
  319. "DrWeb": "Trojan.Inject3.16009"
  320.  
  321.  
  322. "VIPRE": "Trojan.Win32.Generic!BT"
  323.  
  324.  
  325. "TrendMicro": "Trojan.AutoIt.CRYPTINJECT.SMA"
  326.  
  327.  
  328. "McAfee-GW-Edition": "BehavesLike.Win32.Dropper.vh"
  329.  
  330.  
  331. "Sophos": "Troj/AutoIt-CKU"
  332.  
  333.  
  334. "Cyren": "W32/AutoIt.JD.gen!Eldorado"
  335.  
  336.  
  337. "Avira": "DR/AutoIt.Gen8"
  338.  
  339.  
  340. "MAX": "malware (ai score=84)"
  341.  
  342.  
  343. "Antiy-AVL": "GrayWare/Autoit.ShellCode.a"
  344.  
  345.  
  346. "Microsoft": "VirTool:Win32/AutInject.CZ!bit"
  347.  
  348.  
  349. "Endgame": "malicious (high confidence)"
  350.  
  351.  
  352. "ZoneAlarm": "Backdoor.Win32.Remcos.cxb"
  353.  
  354.  
  355. "GData": "Trojan.GenericKD.41548276"
  356.  
  357.  
  358. "AhnLab-V3": "Win-Trojan/AutoInj.Exp"
  359.  
  360.  
  361. "Acronis": "suspicious"
  362.  
  363.  
  364. "McAfee": "Trojan-AitInject.ak"
  365.  
  366.  
  367. "VBA32": "Backdoor.Remcos"
  368.  
  369.  
  370. "Cylance": "Unsafe"
  371.  
  372.  
  373. "ESET-NOD32": "a variant of Win32/Injector.Autoit.DUR"
  374.  
  375.  
  376. "TrendMicro-HouseCall": "Trojan.AutoIt.CRYPTINJECT.SMA"
  377.  
  378.  
  379. "Ikarus": "Trojan.Autoit"
  380.  
  381.  
  382. "Fortinet": "AutoIt/Injector.DWD!tr"
  383.  
  384.  
  385. "AVG": "Win32:Trojan-gen"
  386.  
  387.  
  388. "Panda": "Trj/Genetic.gen"
  389.  
  390.  
  391. "CrowdStrike": "win/malicious_confidence_100% (W)"
  392.  
  393.  
  394. "Qihoo-360": "HEUR/QVM41.1.596F.Malware.Gen"
  395.  
  396.  
  397.  
  398.  
  399. "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
  400. "Details":
  401.  
  402. "target": "clamav:Win.Downloader.LokiBot-6962970-0, sha256:af1e1b6c2dd28c39884a3f6e4cd72b51ee0bc789b85f5f1190adc6c8dfaf91a9, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  403.  
  404.  
  405. "dropped": "clamav:Win.Downloader.LokiBot-6962970-0, sha256:f231122ca4d509f65294cb204399e9642a7ddf1df0204ae5a30fefcca5d65513 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  406.  
  407.  
  408. "dropped": "clamav:Win.Malware.Autoit-6985962-0, sha256:45b3e49b367f59f6bfa4370d4742a2bcc9d07a03c944308574fb93446c1d9baf , guest_paths:C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  409.  
  410.  
  411. "dropped": "clamav:Win.Malware.Autoit-6985962-0, sha256:7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe*C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  412.  
  413.  
  414.  
  415.  
  416. "Description": "Creates a slightly modified copy of itself",
  417. "Details":
  418.  
  419. "file": "C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe"
  420.  
  421.  
  422. "percent_match": 99
  423.  
  424.  
  425.  
  426.  
  427. "Description": "Anomalous binary characteristics",
  428. "Details":
  429.  
  430. "anomaly": "Actual checksum does not match that reported in PE header"
  431.  
  432.  
  433.  
  434.  
  435. "Description": "Clears web history",
  436. "Details":
  437.  
  438. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat"
  439.  
  440.  
  441. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt"
  442.  
  443.  
  444. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt"
  445.  
  446.  
  447. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt"
  448.  
  449.  
  450. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt"
  451.  
  452.  
  453. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low"
  454.  
  455.  
  456. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt"
  457.  
  458.  
  459. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt"
  460.  
  461.  
  462. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt"
  463.  
  464.  
  465. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt"
  466.  
  467.  
  468. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt"
  469.  
  470.  
  471. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt"
  472.  
  473.  
  474. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt"
  475.  
  476.  
  477. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt"
  478.  
  479.  
  480. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat"
  481.  
  482.  
  483. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt"
  484.  
  485.  
  486. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt"
  487.  
  488.  
  489. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt"
  490.  
  491.  
  492. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt"
  493.  
  494.  
  495.  
  496.  
  497.  
  498. * Started Service:
  499.  
  500. * Mutexes:
  501. "bderepair",
  502. "Local\\ZoneAttributeCacheCounterMutex",
  503. "Local\\ZonesCacheCounterMutex",
  504. "Local\\ZonesLockedCacheCounterMutex",
  505. "MDMAppInstaller",
  506. "Remcos_Mutex_Inj",
  507. "Remcos-S1KNPZ",
  508. "Global\\ARM Update Mutex",
  509. "Global\\Acro Update Mutex",
  510. "100184D2-BDC3-477a-B8D3-65548B67914C_952",
  511. "Global\\100184D2-BDC3-477a-B8D3-65548B67914C_608",
  512. "com.adobe.acrobat.rna.RdrCefBrowserLock.DC",
  513. "Local\\WininetStartupMutex",
  514. "Local\\ZonesCounterMutex",
  515. "Local\\_!MSFTHISTORY!_",
  516. "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
  517. "Mutex_RemWatchdog"
  518.  
  519.  
  520. * Modified Files:
  521. "C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe",
  522. "C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf",
  523. "C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe",
  524. "C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe",
  525. "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe",
  526. "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs",
  527. "C:\\Users\\user\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc",
  528. "C:\\Users\\user\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc",
  529. "C:\\Users\\user\\AppData\\Local\\Adobe\\Color\\ACECache11.lst",
  530. "C:\\Users\\user\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\ReaderMessages",
  531. "C:\\Windows\\sysnative\\Tasks\\setx",
  532. "C:\\Windows\\sysnative\\Tasks\\WWAHost",
  533. "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
  534. "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
  535. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
  536. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
  537. "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat"
  538.  
  539.  
  540. * Deleted Files:
  541. "C:\\Windows\\Tasks\\setx.job",
  542. "C:\\Windows\\Tasks\\WWAHost.job",
  543. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log",
  544. "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs",
  545. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
  546. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat",
  547. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low",
  548. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt",
  549. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt",
  550. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt",
  551. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt",
  552. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt",
  553. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt",
  554. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt",
  555. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt",
  556. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt",
  557. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt",
  558. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt",
  559. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt",
  560. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt",
  561. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt",
  562. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt",
  563. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt",
  564. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies",
  565. "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies",
  566. "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  567.  
  568.  
  569. * Modified Registry Keys:
  570. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  571. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  572. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
  573. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
  574. "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Acrobat\\DC\\DiskCabs",
  575. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC",
  576. "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC",
  577. "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\AcrobatDC",
  578. "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\Reader DC",
  579. "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\Reader 19_Acrobat19_Reader_19.10.20069",
  580. "HKEY_LOCAL_MACHINE\\System\\Acrobatbrokerserverdispatchercpp789",
  581. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Installer",
  582. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Installer\\Migrated",
  583. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language",
  584. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language\\UseMUI",
  585. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language\\next",
  586. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language\\current",
  587. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Originals",
  588. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\ExitSection",
  589. "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC\\Acrobat.com",
  590. "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC\\Acrobat.com.v2",
  591. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVConnector",
  592. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVConnector\\cv1",
  593. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral",
  594. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cTaskPanes",
  595. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cTaskPanes\\cBasicCommentPane",
  596. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\FTEDialog",
  597. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\FlashDebug",
  598. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\OnBoardingSection",
  599. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\OnBoardingSection\\chomeView",
  600. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\SDI",
  601. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Selection",
  602. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Window",
  603. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Window\\cAVUIPopupList",
  604. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\F346FACA-8D21-44D8-A55D-43DEFE5EF0B2\\Path",
  605. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\F346FACA-8D21-44D8-A55D-43DEFE5EF0B2\\Hash",
  606. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\setx\\Id",
  607. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\setx\\Index",
  608. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\F346FACA-8D21-44D8-A55D-43DEFE5EF0B2\\Triggers",
  609. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\F346FACA-8D21-44D8-A55D-43DEFE5EF0B2\\DynamicInfo",
  610. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\6449ECB5-7288-4963-9407-8D7211468878\\Path",
  611. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\6449ECB5-7288-4963-9407-8D7211468878\\Hash",
  612. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\WWAHost\\Id",
  613. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\WWAHost\\Index",
  614. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\6449ECB5-7288-4963-9407-8D7211468878\\Triggers",
  615. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\6449ECB5-7288-4963-9407-8D7211468878\\DynamicInfo",
  616. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\",
  617. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\exepath",
  618. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\licence",
  619. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\WD",
  620. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\FR"
  621.  
  622.  
  623. * Deleted Registry Keys:
  624. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  625. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  626. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  627. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  628. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\setx.job",
  629. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\setx.job.fp",
  630. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\WWAHost.job",
  631. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\WWAHost.job.fp"
  632.  
  633.  
  634. * DNS Communications:
  635.  
  636. "type": "A",
  637. "request": "daya4659.ddns.net",
  638. "answers":
  639.  
  640.  
  641.  
  642. * Domains:
  643.  
  644. "ip": "",
  645. "domain": "daya4659.ddns.net"
  646.  
  647.  
  648.  
  649. * Network Communication - ICMP:
  650.  
  651. * Network Communication - HTTP:
  652.  
  653. * Network Communication - SMTP:
  654.  
  655. * Network Communication - Hosts:
  656.  
  657. * Network Communication - IRC: