- * MalFamily: "Remcos"
- * MalScore: 10.0
- * File Name: "remcos_51ed4e7036c9a160865c0beb337f7fd2e73542b94db2c8f254ffb6baeff2e70f"
- * File Size: 3034960
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "51ed4e7036c9a160865c0beb337f7fd2e73542b94db2c8f254ffb6baeff2e70f"
- * MD5: "0613946fc944c1ee4ff99d995e6d2fbb"
- * SHA1: "2c54906adc36b9d48d80e987fabb00af5d315bcc"
- * SHA512: "a1ab854e432f8883ab83f125a74e8dd663026f6bf4d5e3b08b2b136b4b15f7fd65c1a31204a13dad9ddb6bb914b962c08a945a7a9ab0f5638246794710840738"
- * CRC32: "EA204EF6"
- * SSDEEP: "49152:hh+ZkldoPK8Yad7cwj644Mh+ZkldoPK8YaLDNcW:C2cPK8YwjE2cPK8T"
- * Process Execution:
- "remcos_51ed4e7036c9a160865c0beb337f7fd2e73542b94db2c8f254ffb6baeff2e70f.exe",
- "remcos_agent_Protected.exe",
- "remcos_agent_Protected.exe",
- "wscript.exe",
- "cmd.exe",
- "remcos.exe",
- "remcos.exe",
- "svchost.exe",
- "svchost.exe",
- "svchost.exe",
- "svchost.exe",
- "svchost.exe",
- "svchost.exe",
- "svchost.exe",
- "svchost.exe",
- "svchost.exe",
- "svchost.exe",
- "svchost.exe",
- "svchost.exe",
- "svchost.exe",
- "schtasks.exe",
- "schtasks.exe",
- "AcroRd32.exe",
- "Eula.exe",
- "schtasks.exe",
- "svchost.exe"
- * Executed Commands:
- "\"C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe\"",
- "C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe ",
- "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf\"",
- "C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf ",
- "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn WWAHost /tr \"C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe\" /sc minute /mo 1 /F",
- "schtasks /create /tn WWAHost /tr \"C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe\" /sc minute /mo 1 /F",
- "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc minute /mo 1 /F",
- "schtasks /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc minute /mo 1 /F",
- "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs\"",
- "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs ",
- "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" --type=renderer \"C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf\"",
- "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" --backgroundcolor=16514043",
- "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\Eula.exe\" Adobe Acrobat Reader DC;786898;1033",
- "\"C:\\Windows\\System32\\cmd.exe\" /c \"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\"",
- "cmd /c \"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\"",
- "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe",
- "C:\\Windows\\SysWOW64\\svchost.exe"
- * Signatures Detected:
- "Description": "Creates RWX memory",
- "Details":
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details":
- "process": "schtasks.exe, PID 1080"
- "Description": "Detected script timer window indicative of sleep style evasion",
- "Details":
- "Window": "WSH-Timer"
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: remcos_51ed4e7036c9a160865c0beb337f7fd2e73542b94db2c8f254ffb6baeff2e70f.exe, pid: 1592, offset: 0x00000000, length: 0x002e4f50"
- "self_read": "process: remcos_agent_Protected.exe, pid: 2084, offset: 0x00000000, length: 0x0011fe00"
- "self_read": "process: Eula.exe, pid: 3000, offset: 0x00000000, length: 0x00000040"
- "self_read": "process: Eula.exe, pid: 3000, offset: 0x00000100, length: 0x00000018"
- "self_read": "process: Eula.exe, pid: 3000, offset: 0x000001f8, length: 0x000000a0"
- "self_read": "process: Eula.exe, pid: 3000, offset: 0x00012600, length: 0x00000010"
- "self_read": "process: wscript.exe, pid: 1696, offset: 0x00000000, length: 0x00000040"
- "self_read": "process: wscript.exe, pid: 1696, offset: 0x000000f0, length: 0x00000018"
- "self_read": "process: wscript.exe, pid: 1696, offset: 0x000001e8, length: 0x00000078"
- "self_read": "process: wscript.exe, pid: 1696, offset: 0x00018000, length: 0x00000020"
- "self_read": "process: wscript.exe, pid: 1696, offset: 0x00018058, length: 0x00000018"
- "self_read": "process: wscript.exe, pid: 1696, offset: 0x000181a8, length: 0x00000018"
- "self_read": "process: wscript.exe, pid: 1696, offset: 0x00018470, length: 0x00000010"
- "self_read": "process: wscript.exe, pid: 1696, offset: 0x00018640, length: 0x00000012"
- "self_read": "process: remcos.exe, pid: 1552, offset: 0x00000000, length: 0x0011fe00"
- "self_read": "process: remcos.exe, pid: 1476, offset: 0x00000000, length: 0x0011fe00"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "remcos_51ed4e7036c9a160865c0beb337f7fd2e73542b94db2c8f254ffb6baeff2e70f.exe -> schtasks"
- "Process": "remcos_agent_Protected.exe -> schtasks"
- "Process": "remcos_agent_Protected.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs"
- "Process": "wscript.exe -> cmd"
- "Process": "remcos.exe -> schtasks"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe"
- "binary": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
- "Description": "Performs some HTTP requests",
- "Details":
- "url": "http://acroipm2.adobe.com/19/rdr/ENU/win/nooem/none/consumer/message.zip"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "remcos_agent_Protected.exe(2084) -> remcos_agent_Protected.exe(1156)"
- "Description": "Sniffs keystrokes",
- "Details":
- "SetWindowsHookExA": "Process: remcos.exe(1476)"
- "Description": "A process attempted to delay the analysis task by a long amount of time.",
- "Details":
- "Process": "remcos.exe tried to sleep 3071 seconds, actually delayed analysis time by 0 seconds"
- "Description": "A potential decoy document was displayed to the user",
- "Details":
- "disguised_executable": "The submitted file was an executable indicative of an attempt to get a user to run executable content disguised as a document"
- "Decoy Document": "\"c:\\program files (x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe\" \"c:\\users\\user\\appdata\\local\\temp\\medical-application-form.pdf\""
- "Description": "Attempts to execute a Living Off The Land Binary command for post exploitation",
- "Details":
- "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"
- "data": "\"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\""
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"
- "data": "\"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\""
- "task": "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn WWAHost /tr \"C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe\" /sc minute /mo 1 /F"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
- "file": "C:\\Users\\user\\AppData\\Roaming\\remcos"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat"
- "Description": "File has been identified by 46 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Trojan.GenericKD.41548276"
- "CAT-QuickHeal": "PUA.Presenoker.S5304897"
- "McAfee": "Trojan-AitInject.ak"
- "Malwarebytes": "Backdoor.Remcos.AutoIt"
- "K7AntiVirus": "Trojan ( 700000111 )"
- "Alibaba": "Backdoor:Win32/Remcos.90bce6ee"
- "K7GW": "Trojan ( 700000111 )"
- "CrowdStrike": "win/malicious_confidence_100% (W)"
- "Arcabit": "Trojan.Generic.D279F9F4"
- "Invincea": "heuristic"
- "F-Prot": "W32/AutoIt.JD.gen!Eldorado"
- "Symantec": "ML.Attribute.HighConfidence"
- "APEX": "Malicious"
- "ClamAV": "Win.Downloader.LokiBot-6962970-0"
- "Kaspersky": "Backdoor.Win32.Remcos.cxb"
- "BitDefender": "Trojan.GenericKD.41548276"
- "NANO-Antivirus": "Trojan.Win32.Remcos.fqrrmb"
- "Avast": "Win32:Trojan-gen"
- "Ad-Aware": "Trojan.GenericKD.41548276"
- "Sophos": "Troj/AutoIt-CKU"
- "F-Secure": "Dropper.DR/AutoIt.Gen8"
- "DrWeb": "Trojan.Inject3.16009"
- "TrendMicro": "Trojan.AutoIt.CRYPTINJECT.SMA"
- "McAfee-GW-Edition": "BehavesLike.Win32.Dropper.vh"
- "FireEye": "Generic.mg.0613946fc944c1ee"
- "Emsisoft": "Trojan.GenericKD.41548276 (B)"
- "Cyren": "W32/AutoIt.JD.gen!Eldorado"
- "Avira": "DR/AutoIt.Gen8"
- "MAX": "malware (ai score=84)"
- "Antiy-AVL": "GrayWare/Autoit.ShellCode.a"
- "Microsoft": "Trojan:Win32/Ditertag.A"
- "Endgame": "malicious (high confidence)"
- "ZoneAlarm": "Backdoor.Win32.Remcos.cxb"
- "GData": "Trojan.GenericKD.41548276"
- "AhnLab-V3": "Win-Trojan/AutoInj.Exp"
- "Acronis": "suspicious"
- "ALYac": "Trojan.GenericKD.41548276"
- "Cylance": "Unsafe"
- "ESET-NOD32": "a variant of Win32/Injector.Autoit.DUR"
- "TrendMicro-HouseCall": "Trojan.AutoIt.CRYPTINJECT.SMA"
- "Ikarus": "Trojan.Autoit"
- "Fortinet": "AutoIt/Injector.DWD!tr"
- "AVG": "Win32:Trojan-gen"
- "Cybereason": "malicious.fc944c"
- "Panda": "Trj/Genetic.gen"
- "Qihoo-360": "HEUR/QVM41.1.58A7.Malware.Gen"
- "Description": "Attempts to modify browser security settings",
- "Details":
- "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
- "Details":
- "target": "clamav:Win.Downloader.LokiBot-6962970-0, sha256:51ed4e7036c9a160865c0beb337f7fd2e73542b94db2c8f254ffb6baeff2e70f, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "dropped": "clamav:Win.Malware.Autoit-6985962-0, sha256:7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe*C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "dropped": "clamav:Win.Downloader.LokiBot-6962970-0, sha256:7226f09afaf19cfb171fc66b021452f191d231e5b7947e4b031b05cb649808b7 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "dropped": "clamav:Win.Malware.Autoit-6985962-0, sha256:ee24b851c935cda465162a6bea0efe2c1b4664d09806242c32eb996c751de866 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "Description": "Creates a slightly modified copy of itself",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe"
- "percent_match": 99
- "Description": "Anomalous binary characteristics",
- "Details":
- "anomaly": "Actual checksum does not match that reported in PE header"
- "Description": "Clears web history",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt"
- * Started Service:
- * Mutexes:
- "bderepair",
- "Local\\ZoneAttributeCacheCounterMutex",
- "Local\\ZonesCacheCounterMutex",
- "Local\\ZonesLockedCacheCounterMutex",
- "MDMAppInstaller",
- "Remcos_Mutex_Inj",
- "Remcos-S1KNPZ",
- "Global\\ARM Update Mutex",
- "Global\\Acro Update Mutex",
- "100184D2-BDC3-477a-B8D3-65548B67914C_952",
- "Global\\100184D2-BDC3-477a-B8D3-65548B67914C_3036",
- "com.adobe.acrobat.rna.RdrCefBrowserLock.DC",
- "Local\\WininetStartupMutex",
- "Local\\ZonesCounterMutex",
- "Local\\_!MSFTHISTORY!_",
- "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
- "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
- "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!",
- "Local\\!IETld!Mutex",
- "_!SHMSFTHISTORY!_",
- "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!mshist012019082120190822!",
- "CicLoadWinStaWinSta0",
- "Local\\MSCTF.CtfMonitorInstMutexDefault1",
- "Mutex_RemWatchdog"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf",
- "C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe",
- "C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe",
- "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs",
- "C:\\Users\\user\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc",
- "C:\\Users\\user\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc",
- "C:\\Users\\user\\AppData\\Local\\Adobe\\Color\\ACECache11.lst",
- "C:\\Users\\user\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\ReaderMessages",
- "C:\\Users\\user\\AppData\\Local\\Adobe\\Acrobat\\DC\\UserCache.bin",
- "\\??\\pipe\\com.adobe.reader.rna.user.DC.0",
- "C:\\Users\\user\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Reader\\DesktopNotification\\NotificationsDB\\notificationsDB",
- "C:\\Users\\user\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Reader\\DesktopNotification\\NotificationsDB\\notificationsDB-journal",
- "C:\\Users\\user\\AppData\\Local\\Adobe\\Acrobat\\DC\\SharedDataEvents",
- "C:\\Users\\user\\AppData\\Local\\Adobe\\Acrobat\\DC\\SharedDataEvents-journal",
- "C:\\Users\\user\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\ReaderMessages-journal",
- "C:\\Windows\\sysnative\\Tasks\\setx",
- "C:\\Windows\\sysnative\\Tasks\\WWAHost",
- "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019082120190822\\index.dat",
- "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat"
- * Deleted Files:
- "C:\\Windows\\Tasks\\setx.job",
- "C:\\Windows\\Tasks\\WWAHost.job",
- "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019052620190527\\index.dat",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019052620190527\\",
- "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies",
- "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies",
- "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Acrobat\\DC\\DiskCabs",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC",
- "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\AcrobatDC",
- "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\Reader DC",
- "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\Reader 19_Acrobat19_Reader_19.10.20069",
- "HKEY_LOCAL_MACHINE\\System\\Acrobatbrokerserverdispatchercpp789",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Installer",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Installer\\Migrated",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language\\UseMUI",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language\\next",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language\\current",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Originals",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\ExitSection",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC\\Acrobat.com",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC\\Acrobat.com.v2",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVConnector",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVConnector\\cv1",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cTaskPanes",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cTaskPanes\\cBasicCommentPane",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\FTEDialog",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\FlashDebug",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\OnBoardingSection",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\OnBoardingSection\\chomeView",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\SDI",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Selection",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Window",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Window\\cAVUIPopupList",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\aFS",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\tDIText",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\tFileName",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\sFileAncestors",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\sDI",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\sDate",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVEntitlement",
- "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION\\AcroRd32.exe",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC\\CredentialsV3",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\UsageMeasurement",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVConnector\\cIconCache",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\IPM",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Workflows",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Workflows\\cServices",
- "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\DC\\Privileged",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Privileged\\bOldRecentFilesMigrated",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\Path",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\Hash",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\setx\\Id",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\setx\\Index",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\Triggers",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\48494C41-8658-49AA-8931-979B93D30063\\Path",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\48494C41-8658-49AA-8931-979B93D30063\\Hash",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\WWAHost\\Id",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\WWAHost\\Index",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\48494C41-8658-49AA-8931-979B93D30063\\Triggers",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\48494C41-8658-49AA-8931-979B93D30063\\DynamicInfo",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CachePath",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CachePrefix",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CacheLimit",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CacheOptions",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CacheRepair",
- "HKEY_LOCAL_MACHINE\\Software\\Adobe\\Acrobat Reader\\DC\\AdobeViewer",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Adobe\\Acrobat Reader\\DC\\AdobeViewer\\EULA",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AdobeViewer",
- "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AdobeViewer\\EULA",
- "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\",
- "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\exepath",
- "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\licence",
- "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\WD",
- "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\FR"
- * Deleted Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\Reader DC\\OptIn",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\setx.job",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\setx.job.fp",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\WWAHost.job",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\WWAHost.job.fp",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\AddToFavoritesInitialSelection",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\AddToFeedsInitialSelection"
- * DNS Communications:
- "type": "A",
- "request": "daya4659.ddns.net",
- "answers":
- * Domains:
- "ip": "",
- "domain": "daya4659.ddns.net"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 1,
- "body": "",
- "uri": "http://acroipm2.adobe.com/19/rdr/ENU/win/nooem/none/consumer/message.zip",
- "user-agent": "IPM",
- "method": "GET",
- "host": "acroipm2.adobe.com",
- "version": "1.1",
- "path": "/19/rdr/ENU/win/nooem/none/consumer/message.zip",
- "data": "GET /19/rdr/ENU/win/nooem/none/consumer/message.zip HTTP/1.1\r\nAccept: */*\r\nIf-Modified-Since: Mon, 01 Jan 1970 00:00:00 GMT\r\nUser-Agent: IPM\r\nHost: acroipm2.adobe.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: