API tools faq
paste
Advertisement
paladin316

remcos_3eb89add7bf6001fdd50b141228810010fd3c0b94380e27db59894e1b8954c64_2019-08-21_11_25.txt

paladin316
Aug 21st, 2019
1,355
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 34.74 KB | None | 0 0
raw download clone embed print report
  1.  
  2. * MalFamily: "Remcos"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "remcos_3eb89add7bf6001fdd50b141228810010fd3c0b94380e27db59894e1b8954c64"
  7. * File Size: 3034912
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "3eb89add7bf6001fdd50b141228810010fd3c0b94380e27db59894e1b8954c64"
  10. * MD5: "0c3755dfc856fff98807c041c0171115"
  11. * SHA1: "c488516a1d14ba4099d863396797c6a2e17b763f"
  12. * SHA512: "b9a49a8eb069e9b0cc818b953c6c495744feef4d74b88e433078808e3f1a4d39940c779e3cea93840642f072a446877b5e4749ebcb4ca23131926e2c880b1511"
  13. * CRC32: "E7FCF2F2"
  14. * SSDEEP: "49152:hh+ZkldoPK8Yad7cwj644Mh+ZkldoPK8YaLDNcY:C2cPK8YwjE2cPK8d"
  15.  
  16. * Process Execution:
  17. "remcos_3eb89add7bf6001fdd50b141228810010fd3c0b94380e27db59894e1b8954c64.exe",
  18. "remcos_agent_Protected.exe",
  19. "remcos_agent_Protected.exe",
  20. "wscript.exe",
  21. "cmd.exe",
  22. "remcos.exe",
  23. "remcos.exe",
  24. "svchost.exe",
  25. "svchost.exe",
  26. "svchost.exe",
  27. "svchost.exe",
  28. "svchost.exe",
  29. "svchost.exe",
  30. "svchost.exe",
  31. "svchost.exe",
  32. "svchost.exe",
  33. "svchost.exe",
  34. "svchost.exe",
  35. "svchost.exe",
  36. "svchost.exe",
  37. "svchost.exe",
  38. "svchost.exe",
  39. "svchost.exe",
  40. "svchost.exe",
  41. "svchost.exe",
  42. "svchost.exe",
  43. "svchost.exe",
  44. "svchost.exe",
  45. "svchost.exe",
  46. "svchost.exe",
  47. "svchost.exe",
  48. "svchost.exe",
  49. "svchost.exe",
  50. "svchost.exe",
  51. "svchost.exe",
  52. "svchost.exe",
  53. "svchost.exe",
  54. "svchost.exe",
  55. "svchost.exe",
  56. "svchost.exe",
  57. "svchost.exe",
  58. "svchost.exe",
  59. "svchost.exe",
  60. "svchost.exe",
  61. "svchost.exe",
  62. "svchost.exe",
  63. "schtasks.exe",
  64. "schtasks.exe",
  65. "AcroRd32.exe",
  66. "Eula.exe",
  67. "schtasks.exe",
  68. "svchost.exe",
  69. "taskeng.exe",
  70. "taskeng.exe",
  71. "msoia.exe",
  72. "msoia.exe",
  73. "taskeng.exe",
  74. "taskeng.exe",
  75. "svchost.exe"
  76.  
  77.  
  78. * Executed Commands:
  79. "\"C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe\"",
  80. "C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe ",
  81. "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf\"",
  82. "C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf ",
  83. "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn WWAHost /tr \"C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe\" /sc minute /mo 1 /F",
  84. "schtasks /create /tn WWAHost /tr \"C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe\" /sc minute /mo 1 /F",
  85. "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc minute /mo 1 /F",
  86. "schtasks /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc minute /mo 1 /F",
  87. "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs\"",
  88. "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs ",
  89. "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" --type=renderer \"C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf\"",
  90. "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" --backgroundcolor=16514043",
  91. "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\Eula.exe\" Adobe Acrobat Reader DC;1507816;1033",
  92. "taskeng.exe 06027CFB-0B68-4E4C-BEA4-8559A6F9E1BF S-1-5-18:NT AUTHORITY\\System:Service:",
  93. "taskeng.exe 69E21F04-938C-46A8-B4AD-6FCB4F20E4CC S-1-5-21-0000000000-0000000000-0000000000-1000:Host\\user:Interactive:1",
  94. "taskeng.exe E80BCF90-2770-40E3-A64D-3E6331A4BEE3 S-1-5-18:NT AUTHORITY\\System:Service:",
  95. "taskeng.exe ADBB9E87-285F-47FB-9A76-77BB6D9513A9 S-1-5-18:NT AUTHORITY\\System:Service:",
  96. "\"C:\\Windows\\System32\\cmd.exe\" /c \"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\"",
  97. "cmd /c \"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\"",
  98. "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe",
  99. "C:\\Windows\\SysWOW64\\svchost.exe",
  100. "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Office15\\OLicenseHeartbeat.exe\"",
  101. "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload mininterval:2880",
  102. "\"C:\\Program Files\\Microsoft Office\\Office15\\msoia.exe\" scan upload"
  103.  
  104.  
  105. * Signatures Detected:
  106.  
  107. "Description": "Creates RWX memory",
  108. "Details":
  109.  
  110.  
  111. "Description": "Possible date expiration check, exits too soon after checking local time",
  112. "Details":
  113.  
  114. "process": "schtasks.exe, PID 348"
  115.  
  116.  
  117.  
  118.  
  119. "Description": "Detected script timer window indicative of sleep style evasion",
  120. "Details":
  121.  
  122. "Window": "WSH-Timer"
  123.  
  124.  
  125.  
  126.  
  127. "Description": "Expresses interest in specific running processes",
  128. "Details":
  129.  
  130. "process": "RdrCEF.exe"
  131.  
  132.  
  133.  
  134.  
  135. "Description": "Reads data out of its own binary image",
  136. "Details":
  137.  
  138. "self_read": "process: remcos_3eb89add7bf6001fdd50b141228810010fd3c0b94380e27db59894e1b8954c64.exe, pid: 976, offset: 0x00000000, length: 0x002e4f20"
  139.  
  140.  
  141. "self_read": "process: remcos_agent_Protected.exe, pid: 1032, offset: 0x00000000, length: 0x0011fe00"
  142.  
  143.  
  144. "self_read": "process: Eula.exe, pid: 2712, offset: 0x00000000, length: 0x00000040"
  145.  
  146.  
  147. "self_read": "process: Eula.exe, pid: 2712, offset: 0x00000100, length: 0x00000018"
  148.  
  149.  
  150. "self_read": "process: Eula.exe, pid: 2712, offset: 0x000001f8, length: 0x000000a0"
  151.  
  152.  
  153. "self_read": "process: Eula.exe, pid: 2712, offset: 0x00012600, length: 0x00000010"
  154.  
  155.  
  156. "self_read": "process: wscript.exe, pid: 2772, offset: 0x00000000, length: 0x00000040"
  157.  
  158.  
  159. "self_read": "process: wscript.exe, pid: 2772, offset: 0x000000f0, length: 0x00000018"
  160.  
  161.  
  162. "self_read": "process: wscript.exe, pid: 2772, offset: 0x000001e8, length: 0x00000078"
  163.  
  164.  
  165. "self_read": "process: wscript.exe, pid: 2772, offset: 0x00018000, length: 0x00000020"
  166.  
  167.  
  168. "self_read": "process: wscript.exe, pid: 2772, offset: 0x00018058, length: 0x00000018"
  169.  
  170.  
  171. "self_read": "process: wscript.exe, pid: 2772, offset: 0x000181a8, length: 0x00000018"
  172.  
  173.  
  174. "self_read": "process: wscript.exe, pid: 2772, offset: 0x00018470, length: 0x00000010"
  175.  
  176.  
  177. "self_read": "process: wscript.exe, pid: 2772, offset: 0x00018640, length: 0x00000012"
  178.  
  179.  
  180. "self_read": "process: remcos.exe, pid: 2936, offset: 0x00000000, length: 0x0011fe00"
  181.  
  182.  
  183. "self_read": "process: remcos.exe, pid: 2892, offset: 0x00000000, length: 0x0011fe00"
  184.  
  185.  
  186.  
  187.  
  188. "Description": "A process created a hidden window",
  189. "Details":
  190.  
  191. "Process": "remcos_3eb89add7bf6001fdd50b141228810010fd3c0b94380e27db59894e1b8954c64.exe -> schtasks"
  192.  
  193.  
  194. "Process": "remcos_agent_Protected.exe -> schtasks"
  195.  
  196.  
  197. "Process": "remcos_agent_Protected.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs"
  198.  
  199.  
  200. "Process": "wscript.exe -> cmd"
  201.  
  202.  
  203. "Process": "remcos.exe -> schtasks"
  204.  
  205.  
  206.  
  207.  
  208. "Description": "Drops a binary and executes it",
  209. "Details":
  210.  
  211. "binary": "C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe"
  212.  
  213.  
  214. "binary": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
  215.  
  216.  
  217.  
  218.  
  219. "Description": "Executed a process and injected code into it, probably while unpacking",
  220. "Details":
  221.  
  222. "Injection": "remcos_agent_Protected.exe(1032) -> remcos_agent_Protected.exe(2140)"
  223.  
  224.  
  225.  
  226.  
  227. "Description": "Sniffs keystrokes",
  228. "Details":
  229.  
  230. "SetWindowsHookExA": "Process: remcos.exe(2892)"
  231.  
  232.  
  233.  
  234.  
  235. "Description": "A process attempted to delay the analysis task by a long amount of time.",
  236. "Details":
  237.  
  238. "Process": "taskeng.exe tried to sleep 480 seconds, actually delayed analysis time by 0 seconds"
  239.  
  240.  
  241. "Process": "remcos.exe tried to sleep 3124 seconds, actually delayed analysis time by 0 seconds"
  242.  
  243.  
  244.  
  245.  
  246. "Description": "A potential decoy document was displayed to the user",
  247. "Details":
  248.  
  249. "disguised_executable": "The submitted file was an executable indicative of an attempt to get a user to run executable content disguised as a document"
  250.  
  251.  
  252. "Decoy Document": "\"c:\\program files (x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe\" \"c:\\users\\user\\appdata\\local\\temp\\medical-application-form.pdf\""
  253.  
  254.  
  255.  
  256.  
  257. "Description": "Attempts to execute a Living Off The Land Binary command for post exeploitation",
  258. "Details":
  259.  
  260. "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
  261.  
  262.  
  263.  
  264.  
  265. "Description": "Installs itself for autorun at Windows startup",
  266. "Details":
  267.  
  268. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"
  269.  
  270.  
  271. "data": "\"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\""
  272.  
  273.  
  274. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"
  275.  
  276.  
  277. "data": "\"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\""
  278.  
  279.  
  280. "task": "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn WWAHost /tr \"C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe\" /sc minute /mo 1 /F"
  281.  
  282.  
  283.  
  284.  
  285. "Description": "Creates a hidden or system file",
  286. "Details":
  287.  
  288. "file": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
  289.  
  290.  
  291. "file": "C:\\Users\\user\\AppData\\Roaming\\remcos"
  292.  
  293.  
  294. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat"
  295.  
  296.  
  297. "file": "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat"
  298.  
  299.  
  300.  
  301.  
  302. "Description": "File has been identified by 47 Antiviruses on VirusTotal as malicious",
  303. "Details":
  304.  
  305. "MicroWorld-eScan": "Trojan.GenericKD.41548276"
  306.  
  307.  
  308. "CAT-QuickHeal": "PUA.Presenoker.S5304897"
  309.  
  310.  
  311. "McAfee": "Trojan-AitInject.ak"
  312.  
  313.  
  314. "Malwarebytes": "Backdoor.Remcos.AutoIt"
  315.  
  316.  
  317. "CrowdStrike": "win/malicious_confidence_100% (W)"
  318.  
  319.  
  320. "Alibaba": "Backdoor:Win32/Remcos.90bce6ee"
  321.  
  322.  
  323. "K7GW": "Trojan ( 700000111 )"
  324.  
  325.  
  326. "K7AntiVirus": "Trojan ( 700000111 )"
  327.  
  328.  
  329. "Arcabit": "Trojan.Generic.D279F9F4"
  330.  
  331.  
  332. "Invincea": "heuristic"
  333.  
  334.  
  335. "F-Prot": "W32/AutoIt.JD.gen!Eldorado"
  336.  
  337.  
  338. "Symantec": "ML.Attribute.HighConfidence"
  339.  
  340.  
  341. "APEX": "Malicious"
  342.  
  343.  
  344. "ClamAV": "Win.Downloader.LokiBot-6962970-0"
  345.  
  346.  
  347. "Kaspersky": "Backdoor.Win32.Remcos.cxb"
  348.  
  349.  
  350. "BitDefender": "Trojan.GenericKD.41548276"
  351.  
  352.  
  353. "NANO-Antivirus": "Trojan.Win32.Remcos.fqrrmb"
  354.  
  355.  
  356. "Avast": "Win32:Trojan-gen"
  357.  
  358.  
  359. "Ad-Aware": "Trojan.GenericKD.41548276"
  360.  
  361.  
  362. "Sophos": "Troj/AutoIt-CKU"
  363.  
  364.  
  365. "F-Secure": "Dropper.DR/AutoIt.Gen8"
  366.  
  367.  
  368. "DrWeb": "Trojan.Inject3.16009"
  369.  
  370.  
  371. "VIPRE": "Trojan.Win32.Generic!BT"
  372.  
  373.  
  374. "TrendMicro": "Trojan.AutoIt.CRYPTINJECT.SMA"
  375.  
  376.  
  377. "McAfee-GW-Edition": "BehavesLike.Win32.Dropper.vh"
  378.  
  379.  
  380. "FireEye": "Generic.mg.0c3755dfc856fff9"
  381.  
  382.  
  383. "Emsisoft": "Trojan.GenericKD.41548276 (B)"
  384.  
  385.  
  386. "Ikarus": "Trojan.Autoit"
  387.  
  388.  
  389. "Cyren": "W32/AutoIt.JD.gen!Eldorado"
  390.  
  391.  
  392. "Avira": "DR/AutoIt.Gen8"
  393.  
  394.  
  395. "MAX": "malware (ai score=81)"
  396.  
  397.  
  398. "Antiy-AVL": "GrayWare/Autoit.ShellCode.a"
  399.  
  400.  
  401. "Microsoft": "Trojan:Win32/Ditertag.A"
  402.  
  403.  
  404. "Endgame": "malicious (high confidence)"
  405.  
  406.  
  407. "ZoneAlarm": "Backdoor.Win32.Remcos.cxb"
  408.  
  409.  
  410. "GData": "Trojan.GenericKD.41548276"
  411.  
  412.  
  413. "AhnLab-V3": "Win-Trojan/AutoInj.Exp"
  414.  
  415.  
  416. "Acronis": "suspicious"
  417.  
  418.  
  419. "ALYac": "Trojan.GenericKD.41548276"
  420.  
  421.  
  422. "Cylance": "Unsafe"
  423.  
  424.  
  425. "ESET-NOD32": "a variant of Win32/Injector.Autoit.DUR"
  426.  
  427.  
  428. "TrendMicro-HouseCall": "Trojan.AutoIt.CRYPTINJECT.SMA"
  429.  
  430.  
  431. "Fortinet": "AutoIt/Injector.DWD!tr"
  432.  
  433.  
  434. "AVG": "Win32:Trojan-gen"
  435.  
  436.  
  437. "Cybereason": "malicious.fc856f"
  438.  
  439.  
  440. "Panda": "Trj/Genetic.gen"
  441.  
  442.  
  443. "Qihoo-360": "HEUR/QVM41.1.58A7.Malware.Gen"
  444.  
  445.  
  446.  
  447.  
  448. "Description": "Attempts to modify browser security settings",
  449. "Details":
  450.  
  451.  
  452. "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
  453. "Details":
  454.  
  455. "target": "clamav:Win.Downloader.LokiBot-6962970-0, sha256:3eb89add7bf6001fdd50b141228810010fd3c0b94380e27db59894e1b8954c64, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  456.  
  457.  
  458. "dropped": "clamav:Win.Downloader.LokiBot-6962970-0, sha256:99e409f24aefe3413c43eed73890bdc6c74a2df18e77521b9695200be50e4af1 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  459.  
  460.  
  461. "dropped": "clamav:Win.Malware.Autoit-6985962-0, sha256:472ce643d1faee0ead973e9b2815a89146e9b3828f1831bc47fc34e4357925d8 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  462.  
  463.  
  464. "dropped": "clamav:Win.Malware.Autoit-6985962-0, sha256:7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe*C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  465.  
  466.  
  467.  
  468.  
  469. "Description": "Creates a slightly modified copy of itself",
  470. "Details":
  471.  
  472. "file": "C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe"
  473.  
  474.  
  475. "percent_match": 99
  476.  
  477.  
  478.  
  479.  
  480. "Description": "Anomalous binary characteristics",
  481. "Details":
  482.  
  483. "anomaly": "Actual checksum does not match that reported in PE header"
  484.  
  485.  
  486.  
  487.  
  488. "Description": "Clears web history",
  489. "Details":
  490.  
  491. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat"
  492.  
  493.  
  494. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt"
  495.  
  496.  
  497. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt"
  498.  
  499.  
  500. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt"
  501.  
  502.  
  503. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt"
  504.  
  505.  
  506. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low"
  507.  
  508.  
  509. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt"
  510.  
  511.  
  512. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt"
  513.  
  514.  
  515. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt"
  516.  
  517.  
  518. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt"
  519.  
  520.  
  521. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt"
  522.  
  523.  
  524. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt"
  525.  
  526.  
  527. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt"
  528.  
  529.  
  530. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt"
  531.  
  532.  
  533. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat"
  534.  
  535.  
  536. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt"
  537.  
  538.  
  539. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt"
  540.  
  541.  
  542. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt"
  543.  
  544.  
  545. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt"
  546.  
  547.  
  548.  
  549.  
  550.  
  551. * Started Service:
  552.  
  553. * Mutexes:
  554. "bderepair",
  555. "Local\\ZoneAttributeCacheCounterMutex",
  556. "Local\\ZonesCacheCounterMutex",
  557. "Local\\ZonesLockedCacheCounterMutex",
  558. "MDMAppInstaller",
  559. "Remcos_Mutex_Inj",
  560. "Remcos-S1KNPZ",
  561. "Global\\ARM Update Mutex",
  562. "Global\\Acro Update Mutex",
  563. "100184D2-BDC3-477a-B8D3-65548B67914C_2480",
  564. "Global\\100184D2-BDC3-477a-B8D3-65548B67914C_936",
  565. "com.adobe.acrobat.rna.RdrCefBrowserLock.DC",
  566. "Local\\WininetStartupMutex",
  567. "Local\\ZonesCounterMutex",
  568. "Local\\_!MSFTHISTORY!_",
  569. "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
  570. "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
  571. "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!",
  572. "Local\\!IETld!Mutex",
  573. "_!SHMSFTHISTORY!_",
  574. "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!mshist012019082120190822!",
  575. "CicLoadWinStaWinSta0",
  576. "Local\\MSCTF.CtfMonitorInstMutexDefault1",
  577. "Mutex_RemWatchdog"
  578.  
  579.  
  580. * Modified Files:
  581. "C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe",
  582. "C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf",
  583. "C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe",
  584. "C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe",
  585. "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe",
  586. "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs",
  587. "C:\\Users\\user\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc",
  588. "C:\\Users\\user\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc",
  589. "C:\\Users\\user\\AppData\\Local\\Adobe\\Color\\ACECache11.lst",
  590. "C:\\Users\\user\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\ReaderMessages",
  591. "C:\\Users\\user\\AppData\\Local\\Adobe\\Acrobat\\DC\\UserCache.bin",
  592. "\\??\\pipe\\com.adobe.reader.rna.user.DC.0",
  593. "C:\\Users\\user\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Reader\\DesktopNotification\\NotificationsDB\\notificationsDB",
  594. "C:\\Users\\user\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Reader\\DesktopNotification\\NotificationsDB\\notificationsDB-journal",
  595. "C:\\Users\\user\\AppData\\Local\\Adobe\\Acrobat\\DC\\SharedDataEvents",
  596. "C:\\Users\\user\\AppData\\Local\\Adobe\\Acrobat\\DC\\SharedDataEvents-journal",
  597. "C:\\Users\\user\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\ReaderMessages-journal",
  598. "C:\\Windows\\sysnative\\Tasks\\setx",
  599. "C:\\Windows\\sysnative\\Tasks\\WWAHost",
  600. "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
  601. "\\Device\\LanmanDatagramReceiver",
  602. "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
  603. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
  604. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
  605. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
  606. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
  607. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019082120190822\\index.dat",
  608. "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat"
  609.  
  610.  
  611. * Deleted Files:
  612. "C:\\Windows\\Tasks\\setx.job",
  613. "C:\\Windows\\Tasks\\WWAHost.job",
  614. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log",
  615. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019052620190527\\index.dat",
  616. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019052620190527\\",
  617. "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs",
  618. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
  619. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat",
  620. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low",
  621. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt",
  622. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt",
  623. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt",
  624. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt",
  625. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt",
  626. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt",
  627. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt",
  628. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt",
  629. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt",
  630. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt",
  631. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt",
  632. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt",
  633. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt",
  634. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt",
  635. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt",
  636. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt",
  637. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies",
  638. "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies",
  639. "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  640.  
  641.  
  642. * Modified Registry Keys:
  643. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  644. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  645. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
  646. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
  647. "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Acrobat\\DC\\DiskCabs",
  648. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC",
  649. "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC",
  650. "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\AcrobatDC",
  651. "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\Reader DC",
  652. "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\Reader 19_Acrobat19_Reader_19.10.20069",
  653. "HKEY_LOCAL_MACHINE\\System\\Acrobatbrokerserverdispatchercpp789",
  654. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Installer",
  655. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Installer\\Migrated",
  656. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language",
  657. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language\\UseMUI",
  658. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language\\next",
  659. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language\\current",
  660. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Originals",
  661. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\ExitSection",
  662. "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC\\Acrobat.com",
  663. "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC\\Acrobat.com.v2",
  664. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVConnector",
  665. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVConnector\\cv1",
  666. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral",
  667. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cTaskPanes",
  668. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cTaskPanes\\cBasicCommentPane",
  669. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\FTEDialog",
  670. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\FlashDebug",
  671. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\OnBoardingSection",
  672. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\OnBoardingSection\\chomeView",
  673. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\SDI",
  674. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Selection",
  675. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Window",
  676. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Window\\cAVUIPopupList",
  677. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1",
  678. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\aFS",
  679. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\tDIText",
  680. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\tFileName",
  681. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\sFileAncestors",
  682. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\sDI",
  683. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\sDate",
  684. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVEntitlement",
  685. "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION",
  686. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION\\AcroRd32.exe",
  687. "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC\\CredentialsV3",
  688. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\UsageMeasurement",
  689. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\IPM",
  690. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B926EF10-D13E-4D81-821D-60510153030F\\Path",
  691. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B926EF10-D13E-4D81-821D-60510153030F\\Hash",
  692. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\setx\\Id",
  693. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\setx\\Index",
  694. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B926EF10-D13E-4D81-821D-60510153030F\\Triggers",
  695. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B926EF10-D13E-4D81-821D-60510153030F\\DynamicInfo",
  696. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\A027D22A-0941-4A3D-8BCD-DE460257E5C4\\Path",
  697. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\A027D22A-0941-4A3D-8BCD-DE460257E5C4\\Hash",
  698. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\WWAHost\\Id",
  699. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\WWAHost\\Index",
  700. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\A027D22A-0941-4A3D-8BCD-DE460257E5C4\\Triggers",
  701. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\A027D22A-0941-4A3D-8BCD-DE460257E5C4\\DynamicInfo",
  702. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\ED0D73D7-BC97-46E2-AC55-FD6EB3F72C05\\DynamicInfo",
  703. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\06027CFB-0B68-4E4C-BEA4-8559A6F9E1BF",
  704. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\B17E070E-57E3-43F6-96F5-A9A9C921DEBF\\DynamicInfo",
  705. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\69E21F04-938C-46A8-B4AD-6FCB4F20E4CC",
  706. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\DF000DCA-3FA2-48A6-9E59-C0606F9F8D73\\DynamicInfo",
  707. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\E80BCF90-2770-40E3-A64D-3E6331A4BEE3",
  708. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\ADBB9E87-285F-47FB-9A76-77BB6D9513A9",
  709. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822",
  710. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CachePath",
  711. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CachePrefix",
  712. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CacheLimit",
  713. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CacheOptions",
  714. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CacheRepair",
  715. "HKEY_LOCAL_MACHINE\\Software\\Adobe\\Acrobat Reader\\DC\\AdobeViewer",
  716. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Adobe\\Acrobat Reader\\DC\\AdobeViewer\\EULA",
  717. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AdobeViewer",
  718. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AdobeViewer\\EULA",
  719. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\",
  720. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\exepath",
  721. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\licence",
  722. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\WD",
  723. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\FR",
  724. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\06027CFB-0B68-4E4C-BEA4-8559A6F9E1BF\\data",
  725. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\69E21F04-938C-46A8-B4AD-6FCB4F20E4CC\\data",
  726. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\E80BCF90-2770-40E3-A64D-3E6331A4BEE3\\data",
  727. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\Handshake\\ADBB9E87-285F-47FB-9A76-77BB6D9513A9\\data"
  728.  
  729.  
  730. * Deleted Registry Keys:
  731. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  732. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  733. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  734. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  735. "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\Reader DC\\OptIn",
  736. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\setx.job",
  737. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\setx.job.fp",
  738. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\WWAHost.job",
  739. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\WWAHost.job.fp",
  740. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\AddToFavoritesInitialSelection",
  741. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\AddToFeedsInitialSelection"
  742.  
  743.  
  744. * DNS Communications:
  745.  
  746. "type": "A",
  747. "request": "daya4659.ddns.net",
  748. "answers":
  749.  
  750.  
  751.  
  752. * Domains:
  753.  
  754. "ip": "",
  755. "domain": "daya4659.ddns.net"
  756.  
  757.  
  758.  
  759. * Network Communication - ICMP:
  760.  
  761. * Network Communication - HTTP:
  762.  
  763. * Network Communication - SMTP:
  764.  
  765. * Network Communication - Hosts:
  766.  
  767. * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!