
remcos_51ed4e7036c9a160865c0beb337f7fd2e73542b94db2c8f254ffb6baeff2e70f_2019-08-21_11_25.txt

paladin316 Aug 21st, 2019 90 Never
  1.  
  2. * MalFamily: "Remcos"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "remcos_51ed4e7036c9a160865c0beb337f7fd2e73542b94db2c8f254ffb6baeff2e70f"
  7. * File Size: 3034960
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "51ed4e7036c9a160865c0beb337f7fd2e73542b94db2c8f254ffb6baeff2e70f"
  10. * MD5: "0613946fc944c1ee4ff99d995e6d2fbb"
  11. * SHA1: "2c54906adc36b9d48d80e987fabb00af5d315bcc"
  12. * SHA512: "a1ab854e432f8883ab83f125a74e8dd663026f6bf4d5e3b08b2b136b4b15f7fd65c1a31204a13dad9ddb6bb914b962c08a945a7a9ab0f5638246794710840738"
  13. * CRC32: "EA204EF6"
  14. * SSDEEP: "49152:hh+ZkldoPK8Yad7cwj644Mh+ZkldoPK8YaLDNcW:C2cPK8YwjE2cPK8T"
  15.  
  16. * Process Execution:
  17.     "remcos_51ed4e7036c9a160865c0beb337f7fd2e73542b94db2c8f254ffb6baeff2e70f.exe",
  18.     "remcos_agent_Protected.exe",
  19.     "remcos_agent_Protected.exe",
  20.     "wscript.exe",
  21.     "cmd.exe",
  22.     "remcos.exe",
  23.     "remcos.exe",
  24.     "svchost.exe",
  25.     "svchost.exe",
  26.     "svchost.exe",
  27.     "svchost.exe",
  28.     "svchost.exe",
  29.     "svchost.exe",
  30.     "svchost.exe",
  31.     "svchost.exe",
  32.     "svchost.exe",
  33.     "svchost.exe",
  34.     "svchost.exe",
  35.     "svchost.exe",
  36.     "svchost.exe",
  37.     "schtasks.exe",
  38.     "schtasks.exe",
  39.     "AcroRd32.exe",
  40.     "Eula.exe",
  41.     "schtasks.exe",
  42.     "svchost.exe"
  43.  
  44.  
  45. * Executed Commands:
  46.     "\"C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe\"",
  47.     "C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe ",
  48.     "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf\"",
  49.     "C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf ",
  50.     "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn WWAHost /tr \"C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe\" /sc  minute /mo 1 /F",
  51.     "schtasks /create /tn WWAHost /tr \"C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe\" /sc  minute /mo 1 /F",
  52.     "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc  minute /mo 1 /F",
  53.     "schtasks /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc  minute /mo 1 /F",
  54.     "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs\"",
  55.     "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs ",
  56.     "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" --type=renderer  \"C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf\"",
  57.     "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe\" --backgroundcolor=16514043",
  58.     "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\Eula.exe\" Adobe Acrobat Reader DC;786898;1033",
  59.     "\"C:\\Windows\\System32\\cmd.exe\" /c \"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\"",
  60.     "cmd /c \"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\"",
  61.     "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe",
  62.     "C:\\Windows\\SysWOW64\\svchost.exe"
  63.  
  64.  
  65. * Signatures Detected:
  66.    
  67.         "Description": "Creates RWX memory",
  68.         "Details":
  69.    
  70.    
  71.         "Description": "Possible date expiration check, exits too soon after checking local time",
  72.         "Details":
  73.            
  74.                 "process": "schtasks.exe, PID 1080"
  75.            
  76.        
  77.    
  78.    
  79.         "Description": "Detected script timer window indicative of sleep style evasion",
  80.         "Details":
  81.            
  82.                 "Window": "WSH-Timer"
  83.            
  84.        
  85.    
  86.    
  87.         "Description": "Reads data out of its own binary image",
  88.         "Details":
  89.            
  90.                 "self_read": "process: remcos_51ed4e7036c9a160865c0beb337f7fd2e73542b94db2c8f254ffb6baeff2e70f.exe, pid: 1592, offset: 0x00000000, length: 0x002e4f50"
  91.            
  92.            
  93.                 "self_read": "process: remcos_agent_Protected.exe, pid: 2084, offset: 0x00000000, length: 0x0011fe00"
  94.            
  95.            
  96.                 "self_read": "process: Eula.exe, pid: 3000, offset: 0x00000000, length: 0x00000040"
  97.            
  98.            
  99.                 "self_read": "process: Eula.exe, pid: 3000, offset: 0x00000100, length: 0x00000018"
  100.            
  101.            
  102.                 "self_read": "process: Eula.exe, pid: 3000, offset: 0x000001f8, length: 0x000000a0"
  103.            
  104.            
  105.                 "self_read": "process: Eula.exe, pid: 3000, offset: 0x00012600, length: 0x00000010"
  106.            
  107.            
  108.                 "self_read": "process: wscript.exe, pid: 1696, offset: 0x00000000, length: 0x00000040"
  109.            
  110.            
  111.                 "self_read": "process: wscript.exe, pid: 1696, offset: 0x000000f0, length: 0x00000018"
  112.            
  113.            
  114.                 "self_read": "process: wscript.exe, pid: 1696, offset: 0x000001e8, length: 0x00000078"
  115.            
  116.            
  117.                 "self_read": "process: wscript.exe, pid: 1696, offset: 0x00018000, length: 0x00000020"
  118.            
  119.            
  120.                 "self_read": "process: wscript.exe, pid: 1696, offset: 0x00018058, length: 0x00000018"
  121.            
  122.            
  123.                 "self_read": "process: wscript.exe, pid: 1696, offset: 0x000181a8, length: 0x00000018"
  124.            
  125.            
  126.                 "self_read": "process: wscript.exe, pid: 1696, offset: 0x00018470, length: 0x00000010"
  127.            
  128.            
  129.                 "self_read": "process: wscript.exe, pid: 1696, offset: 0x00018640, length: 0x00000012"
  130.            
  131.            
  132.                 "self_read": "process: remcos.exe, pid: 1552, offset: 0x00000000, length: 0x0011fe00"
  133.            
  134.            
  135.                 "self_read": "process: remcos.exe, pid: 1476, offset: 0x00000000, length: 0x0011fe00"
  136.            
  137.        
  138.    
  139.    
  140.         "Description": "A process created a hidden window",
  141.         "Details":
  142.            
  143.                 "Process": "remcos_51ed4e7036c9a160865c0beb337f7fd2e73542b94db2c8f254ffb6baeff2e70f.exe -> schtasks"
  144.            
  145.            
  146.                 "Process": "remcos_agent_Protected.exe -> schtasks"
  147.            
  148.            
  149.                 "Process": "remcos_agent_Protected.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs"
  150.            
  151.            
  152.                 "Process": "wscript.exe -> cmd"
  153.            
  154.            
  155.                 "Process": "remcos.exe -> schtasks"
  156.            
  157.        
  158.    
  159.    
  160.         "Description": "Drops a binary and executes it",
  161.         "Details":
  162.            
  163.                 "binary": "C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe"
  164.            
  165.            
  166.                 "binary": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
  167.            
  168.        
  169.    
  170.    
  171.         "Description": "Performs some HTTP requests",
  172.         "Details":
  173.            
  174.                 "url": "http://acroipm2.adobe.com/19/rdr/ENU/win/nooem/none/consumer/message.zip"
  175.            
  176.        
  177.    
  178.    
  179.         "Description": "Executed a process and injected code into it, probably while unpacking",
  180.         "Details":
  181.            
  182.                 "Injection": "remcos_agent_Protected.exe(2084) -> remcos_agent_Protected.exe(1156)"
  183.            
  184.        
  185.    
  186.    
  187.         "Description": "Sniffs keystrokes",
  188.         "Details":
  189.            
  190.                 "SetWindowsHookExA": "Process: remcos.exe(1476)"
  191.            
  192.        
  193.    
  194.    
  195.         "Description": "A process attempted to delay the analysis task by a long amount of time.",
  196.         "Details":
  197.            
  198.                 "Process": "remcos.exe tried to sleep 3071 seconds, actually delayed analysis time by 0 seconds"
  199.            
  200.        
  201.    
  202.    
  203.         "Description": "A potential decoy document was displayed to the user",
  204.         "Details":
  205.            
  206.                 "disguised_executable": "The submitted file was an executable indicative of an attempt to get a user to run executable content disguised as a document"
  207.            
  208.            
  209.                 "Decoy Document": "\"c:\\program files (x86)\\adobe\\acrobat reader dc\\reader\\acrord32.exe\" \"c:\\users\\user\\appdata\\local\\temp\\medical-application-form.pdf\""
  210.            
  211.        
  212.    
  213.    
  214.         "Description": "Attempts to execute a Living Off The Land Binary command for post exploitation",
  215.         "Details":
  216.            
  217.                 "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
  218.            
  219.        
  220.    
  221.    
  222.         "Description": "Installs itself for autorun at Windows startup",
  223.         "Details":
  224.            
  225.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"
  226.            
  227.            
  228.                 "data": "\"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\""
  229.            
  230.            
  231.                 "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"
  232.            
  233.            
  234.                 "data": "\"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\""
  235.            
  236.            
  237.                 "task": "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn WWAHost /tr \"C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe\" /sc  minute /mo 1 /F"
  238.            
  239.        
  240.    
  241.    
  242.         "Description": "Creates a hidden or system file",
  243.         "Details":
  244.            
  245.                 "file": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
  246.            
  247.            
  248.                 "file": "C:\\Users\\user\\AppData\\Roaming\\remcos"
  249.            
  250.            
  251.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat"
  252.            
  253.            
  254.                 "file": "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat"
  255.            
  256.        
  257.    
  258.    
  259.         "Description": "File has been identified by 46 Antiviruses on VirusTotal as malicious",
  260.         "Details":
  261.            
  262.                 "MicroWorld-eScan": "Trojan.GenericKD.41548276"
  263.            
  264.            
  265.                 "CAT-QuickHeal": "PUA.Presenoker.S5304897"
  266.            
  267.            
  268.                 "McAfee": "Trojan-AitInject.ak"
  269.            
  270.            
  271.                 "Malwarebytes": "Backdoor.Remcos.AutoIt"
  272.            
  273.            
  274.                 "K7AntiVirus": "Trojan ( 700000111 )"
  275.            
  276.            
  277.                 "Alibaba": "Backdoor:Win32/Remcos.90bce6ee"
  278.            
  279.            
  280.                 "K7GW": "Trojan ( 700000111 )"
  281.            
  282.            
  283.                 "CrowdStrike": "win/malicious_confidence_100% (W)"
  284.            
  285.            
  286.                 "Arcabit": "Trojan.Generic.D279F9F4"
  287.            
  288.            
  289.                 "Invincea": "heuristic"
  290.            
  291.            
  292.                 "F-Prot": "W32/AutoIt.JD.gen!Eldorado"
  293.            
  294.            
  295.                 "Symantec": "ML.Attribute.HighConfidence"
  296.            
  297.            
  298.                 "APEX": "Malicious"
  299.            
  300.            
  301.                 "ClamAV": "Win.Downloader.LokiBot-6962970-0"
  302.            
  303.            
  304.                 "Kaspersky": "Backdoor.Win32.Remcos.cxb"
  305.            
  306.            
  307.                 "BitDefender": "Trojan.GenericKD.41548276"
  308.            
  309.            
  310.                 "NANO-Antivirus": "Trojan.Win32.Remcos.fqrrmb"
  311.            
  312.            
  313.                 "Avast": "Win32:Trojan-gen"
  314.            
  315.            
  316.                 "Ad-Aware": "Trojan.GenericKD.41548276"
  317.            
  318.            
  319.                 "Sophos": "Troj/AutoIt-CKU"
  320.            
  321.            
  322.                 "F-Secure": "Dropper.DR/AutoIt.Gen8"
  323.            
  324.            
  325.                 "DrWeb": "Trojan.Inject3.16009"
  326.            
  327.            
  328.                 "TrendMicro": "Trojan.AutoIt.CRYPTINJECT.SMA"
  329.            
  330.            
  331.                 "McAfee-GW-Edition": "BehavesLike.Win32.Dropper.vh"
  332.            
  333.            
  334.                 "FireEye": "Generic.mg.0613946fc944c1ee"
  335.            
  336.            
  337.                 "Emsisoft": "Trojan.GenericKD.41548276 (B)"
  338.            
  339.            
  340.                 "Cyren": "W32/AutoIt.JD.gen!Eldorado"
  341.            
  342.            
  343.                 "Avira": "DR/AutoIt.Gen8"
  344.            
  345.            
  346.                 "MAX": "malware (ai score=84)"
  347.            
  348.            
  349.                 "Antiy-AVL": "GrayWare/Autoit.ShellCode.a"
  350.            
  351.            
  352.                 "Microsoft": "Trojan:Win32/Ditertag.A"
  353.            
  354.            
  355.                 "Endgame": "malicious (high confidence)"
  356.            
  357.            
  358.                 "ZoneAlarm": "Backdoor.Win32.Remcos.cxb"
  359.            
  360.            
  361.                 "GData": "Trojan.GenericKD.41548276"
  362.            
  363.            
  364.                 "AhnLab-V3": "Win-Trojan/AutoInj.Exp"
  365.            
  366.            
  367.                 "Acronis": "suspicious"
  368.            
  369.            
  370.                 "ALYac": "Trojan.GenericKD.41548276"
  371.            
  372.            
  373.                 "Cylance": "Unsafe"
  374.            
  375.            
  376.                 "ESET-NOD32": "a variant of Win32/Injector.Autoit.DUR"
  377.            
  378.            
  379.                 "TrendMicro-HouseCall": "Trojan.AutoIt.CRYPTINJECT.SMA"
  380.            
  381.            
  382.                 "Ikarus": "Trojan.Autoit"
  383.            
  384.            
  385.                 "Fortinet": "AutoIt/Injector.DWD!tr"
  386.            
  387.            
  388.                 "AVG": "Win32:Trojan-gen"
  389.            
  390.            
  391.                 "Cybereason": "malicious.fc944c"
  392.            
  393.            
  394.                 "Panda": "Trj/Genetic.gen"
  395.            
  396.            
  397.                 "Qihoo-360": "HEUR/QVM41.1.58A7.Malware.Gen"
  398.            
  399.        
  400.    
  401.    
  402.         "Description": "Attempts to modify browser security settings",
  403.         "Details":
  404.    
  405.    
  406.         "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
  407.         "Details":
  408.            
  409.                 "target": "clamav:Win.Downloader.LokiBot-6962970-0, sha256:51ed4e7036c9a160865c0beb337f7fd2e73542b94db2c8f254ffb6baeff2e70f, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  410.            
  411.            
  412.                 "dropped": "clamav:Win.Malware.Autoit-6985962-0, sha256:7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe*C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  413.            
  414.            
  415.                 "dropped": "clamav:Win.Downloader.LokiBot-6962970-0, sha256:7226f09afaf19cfb171fc66b021452f191d231e5b7947e4b031b05cb649808b7 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  416.            
  417.            
  418.                 "dropped": "clamav:Win.Malware.Autoit-6985962-0, sha256:ee24b851c935cda465162a6bea0efe2c1b4664d09806242c32eb996c751de866 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  419.            
  420.        
  421.    
  422.    
  423.         "Description": "Creates a slightly modified copy of itself",
  424.         "Details":
  425.            
  426.                 "file": "C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe"
  427.            
  428.            
  429.                 "percent_match": 99
  430.            
  431.        
  432.    
  433.    
  434.         "Description": "Anomalous binary characteristics",
  435.         "Details":
  436.            
  437.                 "anomaly": "Actual checksum does not match that reported in PE header"
  438.            
  439.        
  440.    
  441.    
  442.         "Description": "Clears web history",
  443.         "Details":
  444.            
  445.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat"
  446.            
  447.            
  448.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt"
  449.            
  450.            
  451.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt"
  452.            
  453.            
  454.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt"
  455.            
  456.            
  457.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt"
  458.            
  459.            
  460.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low"
  461.            
  462.            
  463.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt"
  464.            
  465.            
  466.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt"
  467.            
  468.            
  469.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt"
  470.            
  471.            
  472.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt"
  473.            
  474.            
  475.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt"
  476.            
  477.            
  478.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt"
  479.            
  480.            
  481.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt"
  482.            
  483.            
  484.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt"
  485.            
  486.            
  487.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat"
  488.            
  489.            
  490.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt"
  491.            
  492.            
  493.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt"
  494.            
  495.            
  496.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt"
  497.            
  498.            
  499.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt"
  500.            
  501.        
  502.    
  503.  
  504.  
  505. * Started Service:
  506.  
  507. * Mutexes:
  508.     "bderepair",
  509.     "Local\\ZoneAttributeCacheCounterMutex",
  510.     "Local\\ZonesCacheCounterMutex",
  511.     "Local\\ZonesLockedCacheCounterMutex",
  512.     "MDMAppInstaller",
  513.     "Remcos_Mutex_Inj",
  514.     "Remcos-S1KNPZ",
  515.     "Global\\ARM Update Mutex",
  516.     "Global\\Acro Update Mutex",
  517.     "100184D2-BDC3-477a-B8D3-65548B67914C_952",
  518.     "Global\\100184D2-BDC3-477a-B8D3-65548B67914C_3036",
  519.     "com.adobe.acrobat.rna.RdrCefBrowserLock.DC",
  520.     "Local\\WininetStartupMutex",
  521.     "Local\\ZonesCounterMutex",
  522.     "Local\\_!MSFTHISTORY!_",
  523.     "Local\\c:!users!user!appdata!local!microsoft!windows!temporary internet files!content.ie5!",
  524.     "Local\\c:!users!user!appdata!roaming!microsoft!windows!cookies!",
  525.     "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!",
  526.     "Local\\!IETld!Mutex",
  527.     "_!SHMSFTHISTORY!_",
  528.     "Local\\c:!users!user!appdata!local!microsoft!windows!history!history.ie5!mshist012019082120190822!",
  529.     "CicLoadWinStaWinSta0",
  530.     "Local\\MSCTF.CtfMonitorInstMutexDefault1",
  531.     "Mutex_RemWatchdog"
  532.  
  533.  
  534. * Modified Files:
  535.     "C:\\Users\\user\\AppData\\Roaming\\remcos_agent_Protected.exe",
  536.     "C:\\Users\\user\\AppData\\Local\\Temp\\medical-application-form.pdf",
  537.     "C:\\Users\\user\\AppData\\Roaming\\RtDCpl64\\driverquery.exe",
  538.     "C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe",
  539.     "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe",
  540.     "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs",
  541.     "C:\\Users\\user\\AppData\\Local\\Adobe\\Color\\Profiles\\wscRGB.icc",
  542.     "C:\\Users\\user\\AppData\\Local\\Adobe\\Color\\Profiles\\wsRGB.icc",
  543.     "C:\\Users\\user\\AppData\\Local\\Adobe\\Color\\ACECache11.lst",
  544.     "C:\\Users\\user\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\ReaderMessages",
  545.     "C:\\Users\\user\\AppData\\Local\\Adobe\\Acrobat\\DC\\UserCache.bin",
  546.     "\\??\\pipe\\com.adobe.reader.rna.user.DC.0",
  547.     "C:\\Users\\user\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Reader\\DesktopNotification\\NotificationsDB\\notificationsDB",
  548.     "C:\\Users\\user\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\Reader\\DesktopNotification\\NotificationsDB\\notificationsDB-journal",
  549.     "C:\\Users\\user\\AppData\\Local\\Adobe\\Acrobat\\DC\\SharedDataEvents",
  550.     "C:\\Users\\user\\AppData\\Local\\Adobe\\Acrobat\\DC\\SharedDataEvents-journal",
  551.     "C:\\Users\\user\\AppData\\LocalLow\\Adobe\\Acrobat\\DC\\ReaderMessages-journal",
  552.     "C:\\Windows\\sysnative\\Tasks\\setx",
  553.     "C:\\Windows\\sysnative\\Tasks\\WWAHost",
  554.     "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
  555.     "C:\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb",
  556.     "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edb.chk",
  557.     "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat",
  558.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
  559.     "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat",
  560.     "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019082120190822\\index.dat",
  561.     "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat"
  562.  
  563.  
  564. * Deleted Files:
  565.     "C:\\Windows\\Tasks\\setx.job",
  566.     "C:\\Windows\\Tasks\\WWAHost.job",
  567.     "C:\\Windows\\SoftwareDistribution\\DataStore\\Logs\\edbtmp.log",
  568.     "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019052620190527\\index.dat",
  569.     "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012019052620190527\\",
  570.     "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs",
  571.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
  572.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat",
  573.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low",
  574.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt",
  575.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt",
  576.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt",
  577.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt",
  578.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt",
  579.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt",
  580.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt",
  581.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt",
  582.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt",
  583.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt",
  584.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt",
  585.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt",
  586.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt",
  587.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt",
  588.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt",
  589.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt",
  590.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies",
  591.     "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies",
  592.     "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  593.  
  594.  
  595. * Modified Registry Keys:
  596.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  597.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  598.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
  599.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
  600.     "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Acrobat\\DC\\DiskCabs",
  601.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC",
  602.     "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC",
  603.     "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\AcrobatDC",
  604.     "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\Reader DC",
  605.     "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\Reader 19_Acrobat19_Reader_19.10.20069",
  606.     "HKEY_LOCAL_MACHINE\\System\\Acrobatbrokerserverdispatchercpp789",
  607.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Installer",
  608.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Installer\\Migrated",
  609.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language",
  610.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language\\UseMUI",
  611.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language\\next",
  612.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Language\\current",
  613.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Originals",
  614.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\ExitSection",
  615.     "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC\\Acrobat.com",
  616.     "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC\\Acrobat.com.v2",
  617.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVConnector",
  618.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVConnector\\cv1",
  619.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral",
  620.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cTaskPanes",
  621.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cTaskPanes\\cBasicCommentPane",
  622.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\FTEDialog",
  623.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\FlashDebug",
  624.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\OnBoardingSection",
  625.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\OnBoardingSection\\chomeView",
  626.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\SDI",
  627.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Selection",
  628.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Window",
  629.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Window\\cAVUIPopupList",
  630.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1",
  631.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\aFS",
  632.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\tDIText",
  633.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\tFileName",
  634.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\sFileAncestors",
  635.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\sDI",
  636.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVGeneral\\cRecentFiles\\c1\\sDate",
  637.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVEntitlement",
  638.     "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION",
  639.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl\\FEATURE_BROWSER_EMULATION\\AcroRd32.exe",
  640.     "HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\DC\\CredentialsV3",
  641.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\UsageMeasurement",
  642.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AVConnector\\cIconCache",
  643.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\IPM",
  644.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Workflows",
  645.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Workflows\\cServices",
  646.     "HKEY_CURRENT_USER\\SOFTWARE\\Adobe\\Acrobat Reader\\DC\\Privileged",
  647.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\Privileged\\bOldRecentFilesMigrated",
  648.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\Path",
  649.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\Hash",
  650.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\setx\\Id",
  651.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\setx\\Index",
  652.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\Triggers",
  653.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\371C7AE0-E7B0-4535-8AD0-2D046DB26874\\DynamicInfo",
  654.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\48494C41-8658-49AA-8931-979B93D30063\\Path",
  655.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\48494C41-8658-49AA-8931-979B93D30063\\Hash",
  656.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\WWAHost\\Id",
  657.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\WWAHost\\Index",
  658.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\48494C41-8658-49AA-8931-979B93D30063\\Triggers",
  659.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\48494C41-8658-49AA-8931-979B93D30063\\DynamicInfo",
  660.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822",
  661.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CachePath",
  662.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CachePrefix",
  663.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CacheLimit",
  664.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CacheOptions",
  665.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012019082120190822\\CacheRepair",
  666.     "HKEY_LOCAL_MACHINE\\Software\\Adobe\\Acrobat Reader\\DC\\AdobeViewer",
  667.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Adobe\\Acrobat Reader\\DC\\AdobeViewer\\EULA",
  668.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AdobeViewer",
  669.     "HKEY_CURRENT_USER\\Software\\Adobe\\Acrobat Reader\\DC\\AdobeViewer\\EULA",
  670.     "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\",
  671.     "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\exepath",
  672.     "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\licence",
  673.     "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\WD",
  674.     "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\FR"
  675.  
  676.  
  677. * Deleted Registry Keys:
  678.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  679.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  680.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  681.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  682.     "HKEY_CURRENT_USER\\Software\\Adobe\\CommonFiles\\Usage\\Reader DC\\OptIn",
  683.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\setx.job",
  684.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\setx.job.fp",
  685.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\WWAHost.job",
  686.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\WWAHost.job.fp",
  687.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\AddToFavoritesInitialSelection",
  688.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\AddToFeedsInitialSelection"
  689.  
  690.  
  691. * DNS Communications:
  692.    
  693.         "type": "A",
  694.         "request": "daya4659.ddns.net",
  695.         "answers":
  696.    
  697.  
  698.  
  699. * Domains:
  700.    
  701.         "ip": "",
  702.         "domain": "daya4659.ddns.net"
  703.    
  704.  
  705.  
  706. * Network Communication - ICMP:
  707.  
  708. * Network Communication - HTTP:
  709.    
  710.         "count": 1,
  711.         "body": "",
  712.         "uri": "http://acroipm2.adobe.com/19/rdr/ENU/win/nooem/none/consumer/message.zip",
  713.         "user-agent": "IPM",
  714.         "method": "GET",
  715.         "host": "acroipm2.adobe.com",
  716.         "version": "1.1",
  717.         "path": "/19/rdr/ENU/win/nooem/none/consumer/message.zip",
  718.         "data": "GET /19/rdr/ENU/win/nooem/none/consumer/message.zip HTTP/1.1\r\nAccept: */*\r\nIf-Modified-Since: Mon, 01 Jan 1970 00:00:00 GMT\r\nUser-Agent: IPM\r\nHost: acroipm2.adobe.com\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
  719.         "port": 80
  720.    
  721.  
  722.  
  723. * Network Communication - SMTP:
  724.  
  725. * Network Communication - Hosts:
  726.  
  727. * Network Communication - IRC: