
remcos_3eb89add7bf6001fdd50b141228810010fd3c0b94380e27db59894e1b8954c64_2019-08-21_11_25.txt

paladin316 Aug 21st, 2019 92 Never
  1.  
  2. * MalFamily: "Remcos"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "remcos_3eb89add7bf6001fdd50b141228810010fd3c0b94380e27db59894e1b8954c64"
  7. * File Size: 3034912
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "3eb89add7bf6001fdd50b141228810010fd3c0b94380e27db59894e1b8954c64"
  10. * MD5: "0c3755dfc856fff98807c041c0171115"
  11. * SHA1: "c488516a1d14ba4099d863396797c6a2e17b763f"
  12. * SHA512: "b9a49a8eb069e9b0cc818b953c6c495744feef4d74b88e433078808e3f1a4d39940c779e3cea93840642f072a446877b5e4749ebcb4ca23131926e2c880b1511"
  13. * CRC32: "E7FCF2F2"
  14. * SSDEEP: "49152:hh+ZkldoPK8Yad7cwj644Mh+ZkldoPK8YaLDNcY:C2cPK8YwjE2cPK8d"
  15.  
  16. * Process Execution:
  17.     "remcos_3eb89add7bf6001fdd50b141228810010fd3c0b94380e27db59894e1b8954c64.exe",
  18.     "remcos_agent_Protected.exe",
  19.     "remcos_agent_Protected.exe",
  20.     "wscript.exe",
  21.     "cmd.exe",
  22.     "remcos.exe",
  23.     "remcos.exe",
  24.     "svchost.exe",
  25.     "svchost.exe",
  26.     "svchost.exe",
  27.     "svchost.exe",
  28.     "svchost.exe",
  29.     "svchost.exe",
  30.     "svchost.exe",
  31.     "svchost.exe",
  32.     "svchost.exe",
  33.     "svchost.exe",
  34.     "svchost.exe",
  35.     "svchost.exe",
  36.     "svchost.exe",
  37.     "svchost.exe",
  38.     "svchost.exe",
  39.     "svchost.exe",
  40.     "svchost.exe",
  41.     "svchost.exe",
  42.     "svchost.exe",
  43.     "svchost.exe",
  44.     "svchost.exe",
  45.     "svchost.exe",
  46.     "svchost.exe",
  47.     "svchost.exe",
  48.     "svchost.exe",
  49.     "svchost.exe",
  50.     "svchost.exe",
  51.     "svchost.exe",
  52.     "svchost.exe",
  53.     "svchost.exe",
  54.     "svchost.exe",
  55.     "svchost.exe",
  56.     "svchost.exe",
  57.     "svchost.exe",
  58.     "svchost.exe",
  59.     "svchost.exe",
  60.     "svchost.exe",
  61.     "svchost.exe",
  62.     "svchost.exe",
  63.     "schtasks.exe",
  64.     "schtasks.exe",
  65.     "AcroRd32.exe",
  66.     "Eula.exe",
  67.     "schtasks.exe",
  68.     "svchost.exe",
  69.     "taskeng.exe",
  70.     "taskeng.exe",
  71.     "msoia.exe",
  72.     "msoia.exe",
  73.     "taskeng.exe",
  74.     "taskeng.exe",
  75.     "svchost.exe"
  76.  
  77.  
  78. * Executed Commands:
  79.     "\"C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe\"",
  80.     "C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe ",
  81.     "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf\"",
  82.     "C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf ",
  83.     "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn WWAHost /tr \"C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe\" /sc  minute /mo 1 /F",
  84.     "schtasks /create /tn WWAHost /tr \"C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe\" /sc  minute /mo 1 /F",
  85.     "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc  minute /mo 1 /F",
  86.     "schtasks /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc  minute /mo 1 /F",
  87.     "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs\"",
  88.     "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs ",
  89.     "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" --type=renderer  \"C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf\"",
  90.     "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" --backgroundcolor=16514043",
  91.     "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\Eula.exe\" Adobe Acrobat Reader DC;1507816;1033",
  92.     "taskeng.exe 06027CFB-0B68-4E4C-BEA4-8559A6F9E1BF S-1-5-18:NT AUTHORITY\\System:Service:",
  93.     "taskeng.exe 69E21F04-938C-46A8-B4AD-6FCB4F20E4CC S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:1",
  94.     "taskeng.exe E80BCF90-2770-40E3-A64D-3E6331A4BEE3 S-1-5-18:NT AUTHORITY\\System:Service:",
  95.     "taskeng.exe ADBB9E87-285F-47FB-9A76-77BB6D9513A9 S-1-5-18:NT AUTHORITY\\System:Service:",
  96.     "\"C:\\Windows\\System32\\cmd.exe\" /c \"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\"",
  97.     "cmd /c \"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\"",
  98.     "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe",
  99.     "C:\\Windows\\SysWOW64\\svchost.exe",
  100.     "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\"",
  101.     "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload mininterval:2880",
  102.     "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload"
  103.  
  104.  
  105. * Signatures Detected:
  106.    
  107.         "Description": "Creates RWX memory",
  108.         "Details":
  109.    
  110.    
  111.         "Description": "Possible date expiration check, exits too soon after checking local time",
  112.         "Details":
  113.            
  114.                 "process": "schtasks.exe, PID 348"
  115.            
  116.        
  117.    
  118.    
  119.         "Description": "Detected script timer window indicative of sleep style evasion",
  120.         "Details":
  121.            
  122.                 "Window": "WSH-Timer"
  123.            
  124.        
  125.    
  126.    
  127.         "Description": "Expresses interest in specific running processes",
  128.         "Details":
  129.            
  130.                 "process": "RdrCEF.exe"
  131.            
  132.        
  133.    
  134.    
  135.         "Description": "Reads data out of its own binary image",
  136.         "Details":
  137.            
  138.                 "self_read": "process: remcos_3eb89add7bf6001fdd50b141228810010fd3c0b94380e27db59894e1b8954c64.exe, pid: 976, offset: 0x00000000, length: 0x002e4f20"
  139.            
  140.            
  141.                 "self_read": "process: remcos_agent_Protected.exe, pid: 1032, offset: 0x00000000, length: 0x0011fe00"
  142.            
  143.            
  144.                 "self_read": "process: Eula.exe, pid: 2712, offset: 0x00000000, length: 0x00000040"
  145.            
  146.            
  147.                 "self_read": "process: Eula.exe, pid: 2712, offset: 0x00000100, length: 0x00000018"
  148.            
  149.            
  150.                 "self_read": "process: Eula.exe, pid: 2712, offset: 0x000001f8, length: 0x000000a0"
  151.            
  152.            
  153.                 "self_read": "process: Eula.exe, pid: 2712, offset: 0x00012600, length: 0x00000010"
  154.            
  155.            
  156.                 "self_read": "process: wscript.exe, pid: 2772, offset: 0x00000000, length: 0x00000040"
  157.            
  158.            
  159.                 "self_read": "process: wscript.exe, pid: 2772, offset: 0x000000f0, length: 0x00000018"
  160.            
  161.            
  162.                 "self_read": "process: wscript.exe, pid: 2772, offset: 0x000001e8, length: 0x00000078"
  163.            
  164.            
  165.                 "self_read": "process: wscript.exe, pid: 2772, offset: 0x00018000, length: 0x00000020"
  166.            
  167.            
  168.                 "self_read": "process: wscript.exe, pid: 2772, offset: 0x00018058, length: 0x00000018"
  169.            
  170.            
  171.                 "self_read": "process: wscript.exe, pid: 2772, offset: 0x000181a8, length: 0x00000018"
  172.            
  173.            
  174.                 "self_read": "process: wscript.exe, pid: 2772, offset: 0x00018470, length: 0x00000010"
  175.            
  176.            
  177.                 "self_read": "process: wscript.exe, pid: 2772, offset: 0x00018640, length: 0x00000012"
  178.            
  179.            
  180.                 "self_read": "process: remcos.exe, pid: 2936, offset: 0x00000000, length: 0x0011fe00"
  181.            
  182.            
  183.                 "self_read": "process: remcos.exe, pid: 2892, offset: 0x00000000, length: 0x0011fe00"
  184.            
  185.        
  186.    
  187.    
  188.         "Description": "A process created a hidden window",
  189.         "Details":
  190.            
  191.                 "Process": "remcos_3eb89add7bf6001fdd50b141228810010fd3c0b94380e27db59894e1b8954c64.exe -> schtasks"
  192.            
  193.            
  194.                 "Process": "remcos_agent_Protected.exe -> schtasks"
  195.            
  196.            
  197.                 "Process": "remcos_agent_Protected.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs"
  198.            
  199.            
  200.                 "Process": "wscript.exe -> cmd"
  201.            
  202.            
  203.                 "Process": "remcos.exe -> schtasks"
  204.            
  205.        
  206.    
  207.    
  208.         "Description": "Drops a binary and executes it",
  209.         "Details":
  210.            
  211.                 "binary": "C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe"
  212.            
  213.            
  214.                 "binary": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
  215.            
  216.        
  217.    
  218.    
  219.         "Description": "Executed a process and injected code into it, probably while unpacking",
  220.         "Details":
  221.            
  222.                 "Injection": "remcos_agent_Protected.exe(1032) -> remcos_agent_Protected.exe(2140)"
  223.            
  224.        
  225.    
  226.    
  227.         "Description": "Sniffs keystrokes",
  228.         "Details":
  229.            
  230.                 "SetWindowsHookExA": "Process: remcos.exe(2892)"
  231.            
  232.        
  233.    
  234.    
  235.         "Description": "A process attempted to delay the analysis task for a long period of time (sleep-based sandbox evasion).",
  236.         "Details":
  237.            
  238.                 "Process": "taskeng.exe tried to sleep 480 seconds, actually delayed analysis time by 0 seconds"
  239.            
  240.            
  241.                 "Process": "remcos.exe tried to sleep 3124 seconds, actually delayed analysis time by 0 seconds"
  242.            
  243.        
  244.    
  245.    
  246.         "Description": "A potential decoy document was displayed to the user",
  247.         "Details":
  248.            
  249.                 "disguised_executable": "The submitted file is an executable that opens a decoy document (medical-application-form.pdf) on launch, indicative of an attempt to get a user to run executable content disguised as a document"
  250.            
  251.            
  252.                 "Decoy Document": "\"c:\\program files (x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe\" \"c:\\users\\user\\appdata\\local\\temp\\medical-application-form.pdf\""
  253.            
  254.        
  255.    
  256.    
  257.         "Description": "Attempts to execute a Living Off The Land Binary (LOLBin) command for post-exploitation",
  258.         "Details":
  259.            
  260.                 "MITRE T1053.005 - schtask (Scheduled Task)": "(Tactic: Execution, Persistence, Privilege Escalation) -- the sandbox originally tagged this T1078, which is Valid Accounts; the schtasks /create commands above map to T1053.005"
  261.            
  262.        
  263.    
  264.    
  265.         "Description": "Installs itself for autorun at Windows startup (HKCU and HKLM Run keys, plus a scheduled task that re-launches a renamed copy every minute)",
  266.         "Details":
  267.            
  268.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"
  269.            
  270.            
  271.                 "data": "\"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\""
  272.            
  273.            
  274.                 "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"
  275.            
  276.            
  277.                 "data": "\"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\""
  278.            
  279.            
  280.                 "task": "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn WWAHost /tr \"C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe\" /sc  minute /mo 1 /F"
  281.            
  282.        
  283.    
  284.    
  285.         "Description": "Creates a hidden or system file",
  286.         "Details":
  287.            
  288.                 "file": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
  289.            
  290.            
  291.                 "file": "C:\\Users\\user\\AppData\\Roaming\\remcos"
  292.            
  293.            
  294.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat"
  295.            
  296.            
  297.                 "file": "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat"
  298.            
  299.        
  300.    
  301.    
  302.         "Description": "File has been identified as malicious by 47 antivirus engines on VirusTotal",
  303.         "Details":
  304.            
  305.                 "MicroWorld-eScan": "Trojan.GenericKD.41548276"
  306.            
  307.            
  308.                 "CAT-QuickHeal": "PUA.Presenoker.S5304897"
  309.            
  310.            
  311.                 "McAfee": "Trojan-AitInject.ak"
  312.            
  313.            
  314.                 "Malwarebytes": "Backdoor.Remcos.AutoIt"
  315.            
  316.            
  317.                 "CrowdStrike": "win/malicious_confidence_100% (W)"
  318.            
  319.            
  320.                 "Alibaba": "Backdoor:Win32/Remcos.90bce6ee"
  321.            
  322.            
  323.                 "K7GW": "Trojan ( 700000111 )"
  324.            
  325.            
  326.                 "K7AntiVirus": "Trojan ( 700000111 )"
  327.            
  328.            
  329.                 "Arcabit": "Trojan.Generic.D279F9F4"
  330.            
  331.            
  332.                 "Invincea": "heuristic"
  333.            
  334.            
  335.                 "F-Prot": "W32/AutoIt.JD.gen!Eldorado"
  336.            
  337.            
  338.                 "Symantec": "ML.Attribute.HighConfidence"
  339.            
  340.            
  341.                 "APEX": "Malicious"
  342.            
  343.            
  344.                 "ClamAV": "Win.Downloader.LokiBot-6962970-0"
  345.            
  346.            
  347.                 "Kaspersky": "Backdoor.Win32.Remcos.cxb"
  348.            
  349.            
  350.                 "BitDefender": "Trojan.GenericKD.41548276"
  351.            
  352.            
  353.                 "NANO-Antivirus": "Trojan.Win32.Remcos.fqrrmb"
  354.            
  355.            
  356.                 "Avast": "Win32:Trojan-gen"
  357.            
  358.            
  359.                 "Ad-Aware": "Trojan.GenericKD.41548276"
  360.            
  361.            
  362.                 "Sophos": "Troj/AutoIt-CKU"
  363.            
  364.            
  365.                 "F-Secure": "Dropper.DR/AutoIt.Gen8"
  366.            
  367.            
  368.                 "DrWeb": "Trojan.Inject3.16009"
  369.            
  370.            
  371.                 "VIPRE": "Trojan.Win32.Generic!BT"
  372.            
  373.            
  374.                 "TrendMicro": "Trojan.AutoIt.CRYPTINJECT.SMA"
  375.            
  376.            
  377.                 "McAfee-GW-Edition": "BehavesLike.Win32.Dropper.vh"
  378.            
  379.            
  380.                 "FireEye": "Generic.mg.0c3755dfc856fff9"
  381.            
  382.            
  383.                 "Emsisoft": "Trojan.GenericKD.41548276 (B)"
  384.            
  385.            
  386.                 "Ikarus": "Trojan.Autoit"
  387.            
  388.            
  389.                 "Cyren": "W32/AutoIt.JD.gen!Eldorado"
  390.            
  391.            
  392.                 "Avira": "DR/AutoIt.Gen8"
  393.            
  394.            
  395.                 "MAX": "malware (ai score=81)"
  396.            
  397.            
  398.                 "Antiy-AVL": "GrayWare/Autoit.ShellCode.a"
  399.            
  400.            
  401.                 "Microsoft": "Trojan:Win32/Ditertag.A"
  402.            
  403.            
  404.                 "Endgame": "malicious (high confidence)"
  405.            
  406.            
  407.                 "ZoneAlarm": "Backdoor.Win32.Remcos.cxb"
  408.            
  409.            
  410.                 "GData": "Trojan.GenericKD.41548276"
  411.            
  412.            
  413.                 "AhnLab-V3": "Win-Trojan/AutoInj.Exp"
  414.            
  415.            
  416.                 "Acronis": "suspicious"
  417.            
  418.            
  419.                 "ALYac": "Trojan.GenericKD.41548276"
  420.            
  421.            
  422.                 "Cylance": "Unsafe"
  423.            
  424.            
  425.                 "ESET-NOD32": "a variant of Win32/Injector.Autoit.DUR"
  426.            
  427.            
  428.                 "TrendMicro-HouseCall": "Trojan.AutoIt.CRYPTINJECT.SMA"
  429.            
  430.            
  431.                 "Fortinet": "AutoIt/Injector.DWD!tr"
  432.            
  433.            
  434.                 "AVG": "Win32:Trojan-gen"
  435.            
  436.            
  437.                 "Cybereason": "malicious.fc856f"
  438.            
  439.            
  440.                 "Panda": "Trj/Genetic.gen"
  441.            
  442.            
  443.                 "Qihoo-360": "HEUR/QVM41.1.58A7.Malware.Gen"
  444.            
  445.        
  446.    
  447.    
  448.         "Description": "Attempts to modify browser security settings (Internet Settings ZoneMap keys; see Modified Registry Keys)",
  449.         "Details":
  450.    
  451.    
  452.         "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
  453.         "Details":
  454.            
  455.                 "target": "clamav:Win.Downloader.LokiBot-6962970-0, sha256:3eb89add7bf6001fdd50b141228810010fd3c0b94380e27db59894e1b8954c64, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  456.            
  457.            
  458.                 "dropped": "clamav:Win.Downloader.LokiBot-6962970-0, sha256:99e409f24aefe3413c43eed73890bdc6c74a2df18e77521b9695200be50e4af1 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  459.            
  460.            
  461.                 "dropped": "clamav:Win.Malware.Autoit-6985962-0, sha256:472ce643d1faee0ead973e9b2815a89146e9b3828f1831bc47fc34e4357925d8 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  462.            
  463.            
  464.                 "dropped": "clamav:Win.Malware.Autoit-6985962-0, sha256:7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe*C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  465.            
  466.        
  467.    
  468.    
  469.         "Description": "Creates a slightly modified copy of itself",
  470.         "Details":
  471.            
  472.                 "file": "C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe"
  473.            
  474.            
  475.                 "percent_match": 99
  476.            
  477.        
  478.    
  479.    
  480.         "Description": "Anomalous binary characteristics",
  481.         "Details":
  482.            
  483.                 "anomaly": "Actual checksum does not match that reported in PE header"
  484.            
  485.        
  486.    
  487.    
  488.         "Description": "Clears web history",
  489.         "Details":
  490.            
  491.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat"
  492.            
  493.            
  494.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt"
  495.            
  496.            
  497.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt"
  498.            
  499.            
  500.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt"
  501.            
  502.            
  503.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt"
  504.            
  505.            
  506.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low"
  507.            
  508.            
  509.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt"
  510.            
  511.            
  512.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt"
  513.            
  514.            
  515.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt"
  516.            
  517.            
  518.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt"
  519.            
  520.            
  521.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt"
  522.            
  523.            
  524.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt"
  525.            
  526.            
  527.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt"
  528.            
  529.            
  530.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt"
  531.            
  532.            
  533.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat"
  534.            
  535.            
  536.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt"
  537.            
  538.            
  539.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt"
  540.            
  541.            
  542.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt"
  543.            
  544.            
  545.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt"
  546.            
  547.        
  548.    
  549.  
  550.  
  551. * Started Service:
  552.  
  553. * Mutexes:
  554.     "bderepair",
  555.     "Local\\ZoneAttributeCacheCounterMutex",
  556.     "Local\\ZonesCacheCounterMutex",
  557.     "Local\\ZonesLockedCacheCounterMutex",
  558.     "MDMAppInstaller",
  559.     "Remcos_Mutex_Inj",
  560.     "Remcos-S1KNPZ",
  561.     "Global\\ARM Update Mutex",
  562.     "Global\\Acro Update Mutex",
  563.     "100184D2-BDC3-477a-B8D3-65548B67914C_2480",
  564.     "Global\\100184D2-BDC3-477a-B8D3-65548B67914C_936",
  565.     "com.adobe.acrobat.rna.RdrCefBrowserLock.DC",
  566.     "Local\\WininetStartupMutex",
  567.     "Local\\ZonesCounterMutex",
  568.     "Local\\_!MSFTHISTORY!_",
  569.     "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
  570.     "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
  571.     "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!",
  572.     "Local\\!IETld!Mutex",
  573.     "_!SHMSFTHISTORY!_",
  574.     "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!mshist012019082120190822!",
  575.     "CicLoadWinStaWinSta0",
  576.     "Local\\MSCTF.CtfMonitorInstMutexDefault1",
  577.     "Mutex_RemWatchdog"
  578.  
  579.  
  580. * Modified Files:
  581.     "C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe",
  582.     "C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf",
  583.     "C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe",
  584.     "C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe",
  585.     "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe",
  586.     "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs",
  587.     "C:\\Users\\user\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc",
  588.     "C:\\Users\\user\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc",
  589.     "C:\\Users\\user\\AppData\\Local\\Adobe\\Color\\ACECache11.lst",
  590.     "C:\\Users\\user\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\ReaderMessages",
  591.     "C:\\Users\\user\\AppData\\Local\\Adobe\\Acrobat\\DC\\UserCache.bin",
  592.     "\\??\\pipe\\com.adobe.reader.rna.user.DC.0",
  593.     "C:\\Users\\user\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Reader\\DesktopNotification\\NotificationsDB\\notificationsDB",
  594.     "C:\\Users\\user\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Reader\\DesktopNotification\\NotificationsDB\\notificationsDB-journal",
  595.     "C:\\Users\\user\\AppData\\Local\\Adobe\\Acrobat\\DC\\SharedDataEvents",
  596.     "C:\\Users\\user\\AppData\\Local\\Adobe\\Acrobat\\DC\\SharedDataEvents-journal",
  597.     "C:\\Users\\user\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\ReaderMessages-journal",
  598.     "C:\\Windows\\sysnative\\Tasks\\setx",
  599.     "C:\\Windows\\sysnative\\Tasks\\WWAHost",
  600.     "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
  601.     "\\Device\\LanmanDatagramReceiver",
  602.     "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
  603.     "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
  604.     "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
  605.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
  606.     "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
  607.     "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019082120190822\\index.dat",
  608.     "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat"
  609.  
  610.  
  611. * Deleted Files:
  612.     "C:\\Windows\\Tasks\\setx.job",
  613.     "C:\\Windows\\Tasks\\WWAHost.job",
  614.     "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log",
  615.     "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019052620190527\\index.dat",
  616.     "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019052620190527\\",
  617.     "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs",
  618.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
  619.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat",
  620.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low",
  621.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt",
  622.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt",
  623.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt",
  624.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt",
  625.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt",
  626.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt",
  627.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt",
  628.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt",
  629.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt",
  630.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt",
  631.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt",
  632.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt",
  633.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt",
  634.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt",
  635.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt",
  636.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt",
  637.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies",
  638.     "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies",
  639.     "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  640.  
  641.  
  642. * Modified Registry Keys:
  643.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  644.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  645.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
  646.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
  647.     "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Acrobat\\DC\\DiskCabs",
  648.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC",
  649.     "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC",
  650.     "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\AcrobatDC",
  651.     "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\Reader DC",
  652.     "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\Reader 19_Acrobat19_Reader_19.10.20069",
  653.     "HKEY_LOCAL_MACHINE\\System\\Acrobatbrokerserverdispatchercpp789",
  654.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Installer",
  655.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Installer\\Migrated",
  656.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language",
  657.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language\\UseMUI",
  658.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language\\next",
  659.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language\\current",
  660.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Originals",
  661.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\ExitSection",
  662.     "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC\\Acrobat.com",
  663.     "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC\\Acrobat.com.v2",
  664.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVConnector",
  665.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVConnector\\cv1",
  666.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral",
  667.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cTaskPanes",
  668.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cTaskPanes\\cBasicCommentPane",
  669.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\FTEDialog",
  670.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\FlashDebug",
  671.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\OnBoardingSection",
  672.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\OnBoardingSection\\chomeView",
  673.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\SDI",
  674.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Selection",
  675.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Window",
  676.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Window\\cAVUIPopupList",
  677.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1",
  678.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\aFS",
  679.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\tDIText",
  680.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\tFileName",
  681.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\sFileAncestors",
  682.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\sDI",
  683.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\sDate",
  684.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVEntitlement",
  685.     "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION",
  686.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION\\AcroRd32.exe",
  687.     "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC\\CredentialsV3",
  688.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\UsageMeasurement",
  689.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\IPM",
  690.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B926EF10-D13E-4D81-821D-60510153030F\\Path",
  691.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B926EF10-D13E-4D81-821D-60510153030F\\Hash",
  692.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\setx\\Id",
  693.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\setx\\Index",
  694.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B926EF10-D13E-4D81-821D-60510153030F\\Triggers",
  695.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B926EF10-D13E-4D81-821D-60510153030F\\DynamicInfo",
  696.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\A027D22A-0941-4A3D-8BCD-DE460257E5C4\\Path",
  697.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\A027D22A-0941-4A3D-8BCD-DE460257E5C4\\Hash",
  698.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\WWAHost\\Id",
  699.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\WWAHost\\Index",
  700.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\A027D22A-0941-4A3D-8BCD-DE460257E5C4\\Triggers",
  701.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\A027D22A-0941-4A3D-8BCD-DE460257E5C4\\DynamicInfo",
  702.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05\\DynamicInfo",
  703.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\06027CFB-0B68-4E4C-BEA4-8559A6F9E1BF",
  704.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B17E070E-57E3-43F6-96F5-A9A9C921DEBF\\DynamicInfo",
  705.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\69E21F04-938C-46A8-B4AD-6FCB4F20E4CC",
  706.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\DF000DCA-3FA2-48A6-9E59-C0606F9F8D73\\DynamicInfo",
  707.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\E80BCF90-2770-40E3-A64D-3E6331A4BEE3",
  708.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\ADBB9E87-285F-47FB-9A76-77BB6D9513A9",
  709.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822",
  710.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CachePath",
  711.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CachePrefix",
  712.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CacheLimit",
  713.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CacheOptions",
  714.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CacheRepair",
  715.     "HKEY_LOCAL_MACHINE\\Software\\Adobe\\Acrobat Reader\\DC\\AdobeViewer",
  716.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Adobe\\Acrobat Reader\\DC\\AdobeViewer\\EULA",
  717.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AdobeViewer",
  718.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AdobeViewer\\EULA",
  719.     "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\",
  720.     "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\exepath",
  721.     "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\licence",
  722.     "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\WD",
  723.     "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\FR",
  724.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\06027CFB-0B68-4E4C-BEA4-8559A6F9E1BF\\data",
  725.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\69E21F04-938C-46A8-B4AD-6FCB4F20E4CC\\data",
  726.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\E80BCF90-2770-40E3-A64D-3E6331A4BEE3\\data",
  727.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\ADBB9E87-285F-47FB-9A76-77BB6D9513A9\\data"
  728.  
  729.  
  730. * Deleted Registry Keys:
  731.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  732.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  733.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  734.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  735.     "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\Reader DC\\OptIn",
  736.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\setx.job",
  737.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\setx.job.fp",
  738.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\WWAHost.job",
  739.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\WWAHost.job.fp",
  740.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\AddToFavoritesInitialSelection",
  741.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\AddToFeedsInitialSelection"
  742.  
  743.  
  744. * DNS Communications:
  745.    
  746.         "type": "A",
  747.         "request": "daya4659.ddns.net",
  748.         "answers":
  749.    
  750.  
  751.  
  752. * Domains:
  753.    
  754.         "ip": "",
  755.         "domain": "daya4659.ddns.net"
  756.    
  757.  
  758.  
  759. * Network Communication - ICMP:
  760.  
  761. * Network Communication - HTTP:
  762.  
  763. * Network Communication - SMTP:
  764.  
  765. * Network Communication - Hosts:
  766.  
  767. * Network Communication - IRC: