paladin316

remcos_51ed4e7036c9a160865c0beb337f7fd2e73542b94db2c8f254ffb6baeff2e70f_2019-08-21_11_25.txt

Aug 21st, 2019
  1.  
  2. * MalFamily: "Remcos"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "remcos_51ed4e7036c9a160865c0beb337f7fd2e73542b94db2c8f254ffb6baeff2e70f"
  7. * File Size: 3034960
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "51ed4e7036c9a160865c0beb337f7fd2e73542b94db2c8f254ffb6baeff2e70f"
  10. * MD5: "0613946fc944c1ee4ff99d995e6d2fbb"
  11. * SHA1: "2c54906adc36b9d48d80e987fabb00af5d315bcc"
  12. * SHA512: "a1ab854e432f8883ab83f125a74e8dd663026f6bf4d5e3b08b2b136b4b15f7fd65c1a31204a13dad9ddb6bb914b962c08a945a7a9ab0f5638246794710840738"
  13. * CRC32: "EA204EF6"
  14. * SSDEEP: "49152:hh+ZkldoPK8Yad7cwj644Mh+ZkldoPK8YaLDNcW:C2cPK8YwjE2cPK8T"
  15.  
  16. * Process Execution:
  17. "remcos_51ed4e7036c9a160865c0beb337f7fd2e73542b94db2c8f254ffb6baeff2e70f.exe",
  18. "remcos_agent_Protected.exe",
  19. "remcos_agent_Protected.exe",
  20. "wscript.exe",
  21. "cmd.exe",
  22. "remcos.exe",
  23. "remcos.exe",
  24. "svchost.exe",
  25. "svchost.exe",
  26. "svchost.exe",
  27. "svchost.exe",
  28. "svchost.exe",
  29. "svchost.exe",
  30. "svchost.exe",
  31. "svchost.exe",
  32. "svchost.exe",
  33. "svchost.exe",
  34. "svchost.exe",
  35. "svchost.exe",
  36. "svchost.exe",
  37. "schtasks.exe",
  38. "schtasks.exe",
  39. "AcroRd32.exe",
  40. "Eula.exe",
  41. "schtasks.exe",
  42. "svchost.exe"
  43.  
  44.  
  45. * Executed Commands:
  46. "\"C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe\"",
  47. "C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe ",
  48. "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf\"",
  49. "C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf ",
  50. "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn WWAHost /tr \"C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe\" /sc minute /mo 1 /F",
  51. "schtasks /create /tn WWAHost /tr \"C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe\" /sc minute /mo 1 /F",
  52. "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc minute /mo 1 /F",
  53. "schtasks /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc minute /mo 1 /F",
  54. "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs\"",
  55. "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs ",
  56. "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" --type=renderer \"C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf\"",
  57. "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" --backgroundcolor=16514043",
  58. "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\Eula.exe\" Adobe Acrobat Reader DC;786898;1033",
  59. "\"C:\\Windows\\System32\\cmd.exe\" /c \"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\"",
  60. "cmd /c \"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\"",
  61. "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe",
  62. "C:\\Windows\\SysWOW64\\svchost.exe"
  63.  
  64.  
  65. * Signatures Detected:
  66.  
  67. "Description": "Creates RWX memory",
  68. "Details":
  69.  
  70.  
  71. "Description": "Possible date expiration check, exits too soon after checking local time",
  72. "Details":
  73.  
  74. "process": "schtasks.exe, PID 1080"
  75.  
  76.  
  77.  
  78.  
  79. "Description": "Detected script timer window indicative of sleep style evasion",
  80. "Details":
  81.  
  82. "Window": "WSH-Timer"
  83.  
  84.  
  85.  
  86.  
  87. "Description": "Reads data out of its own binary image",
  88. "Details":
  89.  
  90. "self_read": "process: remcos_51ed4e7036c9a160865c0beb337f7fd2e73542b94db2c8f254ffb6baeff2e70f.exe, pid: 1592, offset: 0x00000000, length: 0x002e4f50"
  91.  
  92.  
  93. "self_read": "process: remcos_agent_Protected.exe, pid: 2084, offset: 0x00000000, length: 0x0011fe00"
  94.  
  95.  
  96. "self_read": "process: Eula.exe, pid: 3000, offset: 0x00000000, length: 0x00000040"
  97.  
  98.  
  99. "self_read": "process: Eula.exe, pid: 3000, offset: 0x00000100, length: 0x00000018"
  100.  
  101.  
  102. "self_read": "process: Eula.exe, pid: 3000, offset: 0x000001f8, length: 0x000000a0"
  103.  
  104.  
  105. "self_read": "process: Eula.exe, pid: 3000, offset: 0x00012600, length: 0x00000010"
  106.  
  107.  
  108. "self_read": "process: wscript.exe, pid: 1696, offset: 0x00000000, length: 0x00000040"
  109.  
  110.  
  111. "self_read": "process: wscript.exe, pid: 1696, offset: 0x000000f0, length: 0x00000018"
  112.  
  113.  
  114. "self_read": "process: wscript.exe, pid: 1696, offset: 0x000001e8, length: 0x00000078"
  115.  
  116.  
  117. "self_read": "process: wscript.exe, pid: 1696, offset: 0x00018000, length: 0x00000020"
  118.  
  119.  
  120. "self_read": "process: wscript.exe, pid: 1696, offset: 0x00018058, length: 0x00000018"
  121.  
  122.  
  123. "self_read": "process: wscript.exe, pid: 1696, offset: 0x000181a8, length: 0x00000018"
  124.  
  125.  
  126. "self_read": "process: wscript.exe, pid: 1696, offset: 0x00018470, length: 0x00000010"
  127.  
  128.  
  129. "self_read": "process: wscript.exe, pid: 1696, offset: 0x00018640, length: 0x00000012"
  130.  
  131.  
  132. "self_read": "process: remcos.exe, pid: 1552, offset: 0x00000000, length: 0x0011fe00"
  133.  
  134.  
  135. "self_read": "process: remcos.exe, pid: 1476, offset: 0x00000000, length: 0x0011fe00"
  136.  
  137.  
  138.  
  139.  
  140. "Description": "A process created a hidden window",
  141. "Details":
  142.  
  143. "Process": "remcos_51ed4e7036c9a160865c0beb337f7fd2e73542b94db2c8f254ffb6baeff2e70f.exe -> schtasks"
  144.  
  145.  
  146. "Process": "remcos_agent_Protected.exe -> schtasks"
  147.  
  148.  
  149. "Process": "remcos_agent_Protected.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs"
  150.  
  151.  
  152. "Process": "wscript.exe -> cmd"
  153.  
  154.  
  155. "Process": "remcos.exe -> schtasks"
  156.  
  157.  
  158.  
  159.  
  160. "Description": "Drops a binary and executes it",
  161. "Details":
  162.  
  163. "binary": "C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe"
  164.  
  165.  
  166. "binary": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
  167.  
  168.  
  169.  
  170.  
  171. "Description": "Performs some HTTP requests",
  172. "Details":
  173.  
  174. "url": "http://acroipm2.adobe.com/19/rdr/ENU/win/nooem/none/consumer/message.zip"
  175.  
  176.  
  177.  
  178.  
  179. "Description": "Executed a process and injected code into it, probably while unpacking",
  180. "Details":
  181.  
  182. "Injection": "remcos_agent_Protected.exe(2084) -> remcos_agent_Protected.exe(1156)"
  183.  
  184.  
  185.  
  186.  
  187. "Description": "Sniffs keystrokes",
  188. "Details":
  189.  
  190. "SetWindowsHookExA": "Process: remcos.exe(1476)"
  191.  
  192.  
  193.  
  194.  
  195. "Description": "A process attempted to delay the analysis task by a long amount of time.",
  196. "Details":
  197.  
  198. "Process": "remcos.exe tried to sleep 3071 seconds, actually delayed analysis time by 0 seconds"
  199.  
  200.  
  201.  
  202.  
  203. "Description": "A potential decoy document was displayed to the user",
  204. "Details":
  205.  
  206. "disguised_executable": "The submitted file was an executable indicative of an attempt to get a user to run executable content disguised as a document"
  207.  
  208.  
  209. "Decoy Document": "\"c:\\program files (x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe\" \"c:\\users\\user\\appdata\\local\\temp\\medical-application-form.pdf\""
  210.  
  211.  
  212.  
  213.  
  214. "Description": "Attempts to execute a Living Off The Land Binary command for post exploitation",
  215. "Details":
  216.  
  217. "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
  218.  
  219.  
  220.  
  221.  
  222. "Description": "Installs itself for autorun at Windows startup",
  223. "Details":
  224.  
  225. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"
  226.  
  227.  
  228. "data": "\"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\""
  229.  
  230.  
  231. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"
  232.  
  233.  
  234. "data": "\"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\""
  235.  
  236.  
  237. "task": "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn WWAHost /tr \"C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe\" /sc minute /mo 1 /F"
  238.  
  239.  
  240.  
  241.  
  242. "Description": "Creates a hidden or system file",
  243. "Details":
  244.  
  245. "file": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
  246.  
  247.  
  248. "file": "C:\\Users\\user\\AppData\\Roaming\\remcos"
  249.  
  250.  
  251. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat"
  252.  
  253.  
  254. "file": "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat"
  255.  
  256.  
  257.  
  258.  
  259. "Description": "File has been identified by 46 Antiviruses on VirusTotal as malicious",
  260. "Details":
  261.  
  262. "MicroWorld-eScan": "Trojan.GenericKD.41548276"
  263.  
  264.  
  265. "CAT-QuickHeal": "PUA.Presenoker.S5304897"
  266.  
  267.  
  268. "McAfee": "Trojan-AitInject.ak"
  269.  
  270.  
  271. "Malwarebytes": "Backdoor.Remcos.AutoIt"
  272.  
  273.  
  274. "K7AntiVirus": "Trojan ( 700000111 )"
  275.  
  276.  
  277. "Alibaba": "Backdoor:Win32/Remcos.90bce6ee"
  278.  
  279.  
  280. "K7GW": "Trojan ( 700000111 )"
  281.  
  282.  
  283. "CrowdStrike": "win/malicious_confidence_100% (W)"
  284.  
  285.  
  286. "Arcabit": "Trojan.Generic.D279F9F4"
  287.  
  288.  
  289. "Invincea": "heuristic"
  290.  
  291.  
  292. "F-Prot": "W32/AutoIt.JD.gen!Eldorado"
  293.  
  294.  
  295. "Symantec": "ML.Attribute.HighConfidence"
  296.  
  297.  
  298. "APEX": "Malicious"
  299.  
  300.  
  301. "ClamAV": "Win.Downloader.LokiBot-6962970-0"
  302.  
  303.  
  304. "Kaspersky": "Backdoor.Win32.Remcos.cxb"
  305.  
  306.  
  307. "BitDefender": "Trojan.GenericKD.41548276"
  308.  
  309.  
  310. "NANO-Antivirus": "Trojan.Win32.Remcos.fqrrmb"
  311.  
  312.  
  313. "Avast": "Win32:Trojan-gen"
  314.  
  315.  
  316. "Ad-Aware": "Trojan.GenericKD.41548276"
  317.  
  318.  
  319. "Sophos": "Troj/AutoIt-CKU"
  320.  
  321.  
  322. "F-Secure": "Dropper.DR/AutoIt.Gen8"
  323.  
  324.  
  325. "DrWeb": "Trojan.Inject3.16009"
  326.  
  327.  
  328. "TrendMicro": "Trojan.AutoIt.CRYPTINJECT.SMA"
  329.  
  330.  
  331. "McAfee-GW-Edition": "BehavesLike.Win32.Dropper.vh"
  332.  
  333.  
  334. "FireEye": "Generic.mg.0613946fc944c1ee"
  335.  
  336.  
  337. "Emsisoft": "Trojan.GenericKD.41548276 (B)"
  338.  
  339.  
  340. "Cyren": "W32/AutoIt.JD.gen!Eldorado"
  341.  
  342.  
  343. "Avira": "DR/AutoIt.Gen8"
  344.  
  345.  
  346. "MAX": "malware (ai score=84)"
  347.  
  348.  
  349. "Antiy-AVL": "GrayWare/Autoit.ShellCode.a"
  350.  
  351.  
  352. "Microsoft": "Trojan:Win32/Ditertag.A"
  353.  
  354.  
  355. "Endgame": "malicious (high confidence)"
  356.  
  357.  
  358. "ZoneAlarm": "Backdoor.Win32.Remcos.cxb"
  359.  
  360.  
  361. "GData": "Trojan.GenericKD.41548276"
  362.  
  363.  
  364. "AhnLab-V3": "Win-Trojan/AutoInj.Exp"
  365.  
  366.  
  367. "Acronis": "suspicious"
  368.  
  369.  
  370. "ALYac": "Trojan.GenericKD.41548276"
  371.  
  372.  
  373. "Cylance": "Unsafe"
  374.  
  375.  
  376. "ESET-NOD32": "a variant of Win32/Injector.Autoit.DUR"
  377.  
  378.  
  379. "TrendMicro-HouseCall": "Trojan.AutoIt.CRYPTINJECT.SMA"
  380.  
  381.  
  382. "Ikarus": "Trojan.Autoit"
  383.  
  384.  
  385. "Fortinet": "AutoIt/Injector.DWD!tr"
  386.  
  387.  
  388. "AVG": "Win32:Trojan-gen"
  389.  
  390.  
  391. "Cybereason": "malicious.fc944c"
  392.  
  393.  
  394. "Panda": "Trj/Genetic.gen"
  395.  
  396.  
  397. "Qihoo-360": "HEUR/QVM41.1.58A7.Malware.Gen"
  398.  
  399.  
  400.  
  401.  
  402. "Description": "Attempts to modify browser security settings",
  403. "Details":
  404.  
  405.  
  406. "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
  407. "Details":
  408.  
  409. "target": "clamav:Win.Downloader.LokiBot-6962970-0, sha256:51ed4e7036c9a160865c0beb337f7fd2e73542b94db2c8f254ffb6baeff2e70f, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  410.  
  411.  
  412. "dropped": "clamav:Win.Malware.Autoit-6985962-0, sha256:7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe*C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  413.  
  414.  
  415. "dropped": "clamav:Win.Downloader.LokiBot-6962970-0, sha256:7226f09afaf19cfb171fc66b021452f191d231e5b7947e4b031b05cb649808b7 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  416.  
  417.  
  418. "dropped": "clamav:Win.Malware.Autoit-6985962-0, sha256:ee24b851c935cda465162a6bea0efe2c1b4664d09806242c32eb996c751de866 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  419.  
  420.  
  421.  
  422.  
  423. "Description": "Creates a slightly modified copy of itself",
  424. "Details":
  425.  
  426. "file": "C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe"
  427.  
  428.  
  429. "percent_match": 99
  430.  
  431.  
  432.  
  433.  
  434. "Description": "Anomalous binary characteristics",
  435. "Details":
  436.  
  437. "anomaly": "Actual checksum does not match that reported in PE header"
  438.  
  439.  
  440.  
  441.  
  442. "Description": "Clears web history",
  443. "Details":
  444.  
  445. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat"
  446.  
  447.  
  448. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt"
  449.  
  450.  
  451. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt"
  452.  
  453.  
  454. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt"
  455.  
  456.  
  457. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt"
  458.  
  459.  
  460. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low"
  461.  
  462.  
  463. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt"
  464.  
  465.  
  466. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt"
  467.  
  468.  
  469. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt"
  470.  
  471.  
  472. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt"
  473.  
  474.  
  475. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt"
  476.  
  477.  
  478. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt"
  479.  
  480.  
  481. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt"
  482.  
  483.  
  484. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt"
  485.  
  486.  
  487. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat"
  488.  
  489.  
  490. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt"
  491.  
  492.  
  493. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt"
  494.  
  495.  
  496. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt"
  497.  
  498.  
  499. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt"
  500.  
  501.  
  502.  
  503.  
  504.  
  505. * Started Service:
  506.  
  507. * Mutexes:
  508. "bderepair",
  509. "Local\\ZoneAttributeCacheCounterMutex",
  510. "Local\\ZonesCacheCounterMutex",
  511. "Local\\ZonesLockedCacheCounterMutex",
  512. "MDMAppInstaller",
  513. "Remcos_Mutex_Inj",
  514. "Remcos-S1KNPZ",
  515. "Global\\ARM Update Mutex",
  516. "Global\\Acro Update Mutex",
  517. "100184D2-BDC3-477a-B8D3-65548B67914C_952",
  518. "Global\\100184D2-BDC3-477a-B8D3-65548B67914C_3036",
  519. "com.adobe.acrobat.rna.RdrCefBrowserLock.DC",
  520. "Local\\WininetStartupMutex",
  521. "Local\\ZonesCounterMutex",
  522. "Local\\_!MSFTHISTORY!_",
  523. "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
  524. "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
  525. "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!",
  526. "Local\\!IETld!Mutex",
  527. "_!SHMSFTHISTORY!_",
  528. "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!mshist012019082120190822!",
  529. "CicLoadWinStaWinSta0",
  530. "Local\\MSCTF.CtfMonitorInstMutexDefault1",
  531. "Mutex_RemWatchdog"
  532.  
  533.  
  534. * Modified Files:
  535. "C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe",
  536. "C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf",
  537. "C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe",
  538. "C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe",
  539. "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe",
  540. "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs",
  541. "C:\\Users\\user\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc",
  542. "C:\\Users\\user\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc",
  543. "C:\\Users\\user\\AppData\\Local\\Adobe\\Color\\ACECache11.lst",
  544. "C:\\Users\\user\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\ReaderMessages",
  545. "C:\\Users\\user\\AppData\\Local\\Adobe\\Acrobat\\DC\\UserCache.bin",
  546. "\\??\\pipe\\com.adobe.reader.rna.user.DC.0",
  547. "C:\\Users\\user\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Reader\\DesktopNotification\\NotificationsDB\\notificationsDB",
  548. "C:\\Users\\user\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Reader\\DesktopNotification\\NotificationsDB\\notificationsDB-journal",
  549. "C:\\Users\\user\\AppData\\Local\\Adobe\\Acrobat\\DC\\SharedDataEvents",
  550. "C:\\Users\\user\\AppData\\Local\\Adobe\\Acrobat\\DC\\SharedDataEvents-journal",
  551. "C:\\Users\\user\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\ReaderMessages-journal",
  552. "C:\\Windows\\sysnative\\Tasks\\setx",
  553. "C:\\Windows\\sysnative\\Tasks\\WWAHost",
  554. "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
  555. "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
  556. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
  557. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
  558. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
  559. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
  560. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019082120190822\\index.dat",
  561. "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat"
  562.  
  563.  
  564. * Deleted Files:
  565. "C:\\Windows\\Tasks\\setx.job",
  566. "C:\\Windows\\Tasks\\WWAHost.job",
  567. "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log",
  568. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019052620190527\\index.dat",
  569. "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019052620190527\\",
  570. "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs",
  571. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
  572. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat",
  573. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low",
  574. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt",
  575. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt",
  576. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt",
  577. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt",
  578. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt",
  579. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt",
  580. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt",
  581. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt",
  582. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt",
  583. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt",
  584. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt",
  585. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt",
  586. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt",
  587. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt",
  588. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt",
  589. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt",
  590. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies",
  591. "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies",
  592. "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  593.  
  594.  
  595. * Modified Registry Keys:
  596. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  597. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  598. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
  599. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
  600. "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Acrobat\\DC\\DiskCabs",
  601. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC",
  602. "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC",
  603. "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\AcrobatDC",
  604. "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\Reader DC",
  605. "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\Reader 19_Acrobat19_Reader_19.10.20069",
  606. "HKEY_LOCAL_MACHINE\\System\\Acrobatbrokerserverdispatchercpp789",
  607. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Installer",
  608. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Installer\\Migrated",
  609. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language",
  610. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language\\UseMUI",
  611. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language\\next",
  612. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language\\current",
  613. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Originals",
  614. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\ExitSection",
  615. "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC\\Acrobat.com",
  616. "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC\\Acrobat.com.v2",
  617. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVConnector",
  618. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVConnector\\cv1",
  619. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral",
  620. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cTaskPanes",
  621. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cTaskPanes\\cBasicCommentPane",
  622. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\FTEDialog",
  623. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\FlashDebug",
  624. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\OnBoardingSection",
  625. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\OnBoardingSection\\chomeView",
  626. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\SDI",
  627. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Selection",
  628. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Window",
  629. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Window\\cAVUIPopupList",
  630. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1",
  631. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\aFS",
  632. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\tDIText",
  633. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\tFileName",
  634. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\sFileAncestors",
  635. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\sDI",
  636. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\sDate",
  637. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVEntitlement",
  638. "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION",
  639. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION\\AcroRd32.exe",
  640. "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC\\CredentialsV3",
  641. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\UsageMeasurement",
  642. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVConnector\\cIconCache",
  643. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\IPM",
  644. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Workflows",
  645. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Workflows\\cServices",
  646. "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\DC\\Privileged",
  647. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Privileged\\bOldRecentFilesMigrated",
  648. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\Path",
  649. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\Hash",
  650. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\setx\\Id",
  651. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\setx\\Index",
  652. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\Triggers",
  653. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\DynamicInfo",
  654. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\48494C41-8658-49AA-8931-979B93D30063\\Path",
  655. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\48494C41-8658-49AA-8931-979B93D30063\\Hash",
  656. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\WWAHost\\Id",
  657. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\WWAHost\\Index",
  658. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\48494C41-8658-49AA-8931-979B93D30063\\Triggers",
  659. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\48494C41-8658-49AA-8931-979B93D30063\\DynamicInfo",
  660. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822",
  661. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CachePath",
  662. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CachePrefix",
  663. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CacheLimit",
  664. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CacheOptions",
  665. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CacheRepair",
  666. "HKEY_LOCAL_MACHINE\\Software\\Adobe\\Acrobat Reader\\DC\\AdobeViewer",
  667. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Adobe\\Acrobat Reader\\DC\\AdobeViewer\\EULA",
  668. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AdobeViewer",
  669. "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AdobeViewer\\EULA",
  670. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\",
  671. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\exepath",
  672. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\licence",
  673. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\WD",
  674. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\FR"
  675.  
  676.  
  677. * Deleted Registry Keys:
  678. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  679. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  680. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  681. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  682. "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\Reader DC\\OptIn",
  683. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\setx.job",
  684. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\setx.job.fp",
  685. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\WWAHost.job",
  686. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\WWAHost.job.fp",
  687. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\AddToFavoritesInitialSelection",
  688. "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\AddToFeedsInitialSelection"
  689.  
  690.  
  691. * DNS Communications:
  692.  
  693. "type": "A",
  694. "request": "daya4659.ddns.net",
  695. "answers":
  696.  
  697.  
  698.  
  699. * Domains:
  700.  
  701. "ip": "",
  702. "domain": "daya4659.ddns.net"
  703.  
  704.  
  705.  
  706. * Network Communication - ICMP:
  707.  
  708. * Network Communication - HTTP:
  709.  
  710. "count": 1,
  711. "body": "",
  712. "uri": "http://acroipm2.adobe.com/19/rdr/ENU/win/nooem/none/consumer/message.zip",
  713. "user-agent": "IPM",
  714. "method": "GET",
  715. "host": "acroipm2.adobe.com",
  716. "version": "1.1",
  717. "path": "/19/rdr/ENU/win/nooem/none/consumer/message.zip",
  718. "data": "GET /19/rdr/ENU/win/nooem/none/consumer/message.zip HTTP/1.1\r\nAccept: */*\r\nIf-Modified-Since: Mon, 01 Jan 1970 00:00:00 GMT\r\nUser-Agent: IPM\r\nHost: acroipm2.adobe.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
  719. "port": 80
  720.  
  721.  
  722.  
  723. * Network Communication - SMTP:
  724.  
  725. * Network Communication - Hosts:
  726.  
  727. * Network Communication - IRC: