Bouncer (previously Tuersteher Light)

Discussion in 'other anti-malware software' started by MrBrian, Jan 25, 2014.

  1. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Hey guys, does bouncer still support XP SP3?
     
  2. kakaka

    kakaka Registered Member

    Joined:
    Oct 5, 2009
    Posts:
    84
    No, not supported.

    Manual says

    System Requirements
    Bouncer runs and protects the following versions of Microsoft Windows:
    Version        32-bit / 64-bit
    Windows XP     previous version of Bouncer
    Windows Vista  previous version of Bouncer
    Windows 7      yes / yes
    Windows 8      yes / yes
    Windows 8.1    yes / yes
    Windows 10     yes / yes
     
  3. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Thanks :(
     
    Last edited: Sep 3, 2016
  4. guest

    guest Guest

    I looked in my "archive" and the latest version with support for XP is from April 2015:
    Code:
    Excubits Bouncer - Manual
    Version 2.1.3 (April 2015)
    
    Bouncer runs and protects the following versions of Microsoft Windows:
    Version 32-bit/64-bit
    Windows XP (SP3) yes / no
    Maybe for displaying the Parent Process in the Alert dialog, execution (to a suspended state) is needed? Because if the file is not executed there is no Parent Process (and therefore it can't be displayed in the dialog).
    And you mentioned above that SecureAPlus doesn't have to run these processes. If I look into the documentation, the alert dialog shows much less information about a file, only whether it's signed/not signed (+ VirusTotal result).
    Maybe because it's showing less information it doesn't need to execute it (like ERP) :doubt:
    I've seen that too. In Locked Down Mode (AG) I can't see Process Creations (via Process Hacker, ...), but in Protected Mode I am able to see them (but only sometimes).
     
  5. Overkill

    Overkill Registered Member

    Joined:
    Mar 16, 2012
    Posts:
    2,343
    Location:
    USA
    Thanks mood, but I've already installed something else on the XP box.
     
  6. themorpethian

    themorpethian Registered Member

    Joined:
    May 6, 2006
    Posts:
    35
    Been playing around with FIDES, just a simple one that seems to work.

    Code:
    [LETHAL]
    [LOGGING]
    [WHITELISTMODIFY]
    !*winword.exe>c:\users\*\documents\*
    !*msaccess.exe>c:\users\*\documents\*
    !*excel.exe>c:\users\*\documents\*
    !*powerpnt.exe>c:\users\*\documents\*
    !*PaintDotNet.exe>c:\users\*\pictures\*
    !*winword.exe>c:\users\*\onedrive\documents\*
    !*msaccess.exe>c:\users\*\onedrive\documents\*
    !*excel.exe>c:\users\*\onedrive\documents\*
    !*powerpnt.exe>c:\users\*\onedrive\documents\*
    !*PaintDotNet.exe>c:\users\*\pictures\*
    !*PaintDotNet.exe>c:\users\*\onedrive\pictures\*
    !*notepad++.exe>c:\users\*\onedrive\documents\*
    !*sumatrapdf.exe>c:\users\*\onedrive\documents\*
    !*notepad++.exe>c:\users\*\documents\*
    !*sumatrapdf.exe>c:\users\*\documents\*
    [BLACKLISTMODIFY]
    *>c:\users\*\documents\*
    *>c:\users\*\pictures\*
    *>c:\users\*\music\*
    *>c:\users\*\onedrive\documents\*
    *>c:\users\*\onedrive\pictures\*
    *>c:\users\*\onedrive\music\*
    [WHITELISTREAD]
    *>*
    [BLACKLISTREAD]
    
    [EOF]
    
    The only problems are:
    1.) No right click in OneDrive; you have to set the default 'open with' programs.
    2.) You cannot use Windows apps, probably because of the read permissions on them.

    I was using SOB but it won't work with Kaspersky Anti-Ransomware Tool; seemingly they use the same driver, fltmgr.
    So my new setup is UMATRIX, WD, WF advanced, SSRP, KART, FIDES.

    Had Bouncer on a while back but it kept throwing DISM errors; would gladly buy it (or can I just buy MEMprotect and FIDES) if there was a definitive ruleset to work on, i.e. a
    simple SRP.

    Thanks Steve.
     
  7. 4Shizzle

    4Shizzle Registered Member

    Joined:
    May 27, 2015
    Posts:
    179
    Location:
    Europe
    @themorpethian Nice configuration :) Thanks for sharing this.

    You can try with these rules

    Code:
    C:\Users\XXX\AppData\Local\Temp\????????-????-????-????-????????????\Dism*
    C:\Users\XXX\AppData\Local\Temp\????????-????-????-????-????????????\OSProvider.dll
    C:\Users\XXX\AppData\Local\Temp\????????-????-????-????-????????????\LogProvider.dll
    C:\Users\XXX\AppData\Local\Temp\????????-????-????-????-????????????\CbsProvider.dll
    For XXX set your user name, or you can also use * to be more generic.

    Using these rules works for me. Maybe anyone else here can give stricter rules for DISM?
     
  8. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I've got some working DISM rules as well to share, though mine are slightly less strict. But users can certainly modify to their preferences.

    Code:
    [WHITELIST]
    #    DISM
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DismHost.exe
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\*.dll
    !C:\Windows\Temp\????????-????-????-????-????????????\DismHost.exe
    !C:\Windows\Temp\????????-????-????-????-????????????\*.dll
    [PARENTWHITELIST]
    #    DISM
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Windows\*.dll
    C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Users\*\AppData\Local\Temp\????????-????-????-????-????????????\*.dll
    !C:\Windows\Temp\????????-????-????-????-????????????\DismHost.exe>C:\Windows\*.dll
     
  9. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    I have doubts about FIDES protection or how it works in certain details. Maybe I have mistaken expectations, better look at the pic:

    protected drive.png
     
  10. guest

    guest Guest

    What are the rules for protecting the drive...
     
  11. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @Mister X So in this case, Jottacloud is spawning the Explorer.exe process? Is that spawned Explorer.exe process having full rights to modify/delete/etc files within the protected folders?

    Also, if you use something like Process Explorer or Process Hacker, does it show Explorer.exe under the Jottacloud executable?

    This may be something where you would need Bouncer to add more control over the Jottacloud executable, particularly not allowing Jottacloud to be the parent process of certain executables. This is just my first thought, anyway. I have not yet had a chance to reproduce and test your scenario, but I will dive into it later today for sure.
     
  12. @WildByDesign RE Pumpernickel

    No, it is a Windows issue. I also turned my head around when I encountered something similar with another program. This has something to do with a program using the default file open dialogue boxes from Microsoft.
     
  13. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Pumpernickel.ini:
    Code:
    [LETHAL]
    [LOGGING]
    [WHITELISTMODIFY]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
    !C:\Program Files\Jotta\jotta.exe>T:*
    [BLACKLISTMODIFY]
    $!*SearchIndexer.exe>T:*
    *>T:*
    [WHITELISTREAD]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
    !C:\Program Files\Jotta\jotta.exe>T:*
    !C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe>T:*
    !C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe>T:*
    *>T:*
    [BLACKLISTREAD]
    $!*explorer.exe>T:*
    $!*wininit.exe>T:*
    $!*svchost.exe>T:*
    $!*SearchIndexer.exe>T:*
    $!*360WangPan.exe>T:*
    $!*Cloud.exe>T:*
    $!*chrome.exe>T:*
    $!*HDSentinel.exe>T:*
    *>T:*
    [EOF]
    

    Yes, in order to include or set up folders to sync.

    I guess so, because I was able to delete a folder too. I couldn't see/modify files; the Jottacloud client is looking for folders only. But I'm pretty sure it could modify files too.

    I used Process Explorer and no it doesn't.

    Same "issue" for the other authorized program: SyncBackFree.

    If a piece of malware can subvert desktop clients for cloud/local backups to make use of this glitch or whatever it is... I'm in danger.
     
  14. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    You have this in your modify section:
    Code:
    [WHITELISTMODIFY]
    !C:\Program Files\Jotta\jotta.exe>T:*
    [BLACKLISTMODIFY]
    *>T:*
    The ! sign will override your blacklist *>T:*
    And also you have no rule in BLACKLISTMODIFY to prevent modifying files/folders on other drives,
    meaning jotta.exe is able to create/delete files, for example on your C: drive.
    And in your read section you have this code:

    Code:
    [WHITELISTREAD]
    !C:\Program Files\Jotta\jotta.exe>T:*
    *>T:*
    [BLACKLISTREAD]
    $!*explorer.exe>T:*
    *>T:*
    [EOF]
    If you are able to directly see the content of T:* with explorer.exe then there is a problem, otherwise not. Or jotta.exe runs explorer.exe
    and then you see the content, so again there is a problem here.

    Also remove *>T:* from the WHITELISTREAD section; you have it in the blacklist section too!
    If you don't want jotta.exe to read T:* or another drive, simply create a rule for it in the blacklist,
    for example move !C:\Program Files\Jotta\jotta.exe>T:* to the blacklist,
    then see whether it is still able to read or not.
     
  15. guest

    guest Guest

    I'm wondering now why explorer.exe is able to access T:\ ?
    I did a test myself with a simplified version:
    Code:
    [WHITELISTREAD]
    !C:\Program Files (x86)\*>T:*
    !C:\Program Files\*>T:*
    [BLACKLISTREAD]
    !*explorer.exe>T:*
    *>T:*
    
    a) Only executables from "Program Files" can access T:\ = Priority Whitelist
    b) Explorer.exe = Priority Blacklist (Highest priority)
    c) All other executables = Blacklist
    Result => Explorer.exe can't access T:\
    Then it must be a file-dialog from the program itself.
    And because the program is in the whitelist = Access allowed and files can be seen.

    But IF explorer.exe is being launched it should always be blocked from accessing T:\ (according to the Priority Blacklist)
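    To make the priority reasoning in a), b) and c) above concrete, here is a small added example (my own code, not part of FIDES or of any post in this thread) that evaluates Pumpernickel-style rules in the order described: priority blacklist (! in a BLACKLIST section) first, then priority whitelist (! in a WHITELIST section), then the plain blacklist, with anything unmatched allowed. The evaluation order, the handling of the $ prefix seen in the configs above (ignored as an opaque flag), and the allow-by-default fallback are assumptions taken from the thread, not from the Excubits manual. The sample config is constructed from rules posted in this thread and also exercises the wildcard form used in the Office/Documents rules earlier on.

```python
"""Toy evaluator for FIDES/Pumpernickel-style read/modify rules (assumed semantics)."""
from fnmatch import fnmatchcase

# Maps an ini section name to (operation, list colour).
SECTIONS = {
    "WHITELISTMODIFY": ("modify", "white"), "BLACKLISTMODIFY": ("modify", "black"),
    "WHITELISTREAD": ("read", "white"), "BLACKLISTREAD": ("read", "black"),
}

# Constructed sample config, assembled from rules posted in this thread.
SAMPLE_INI = r"""
[LETHAL]
[LOGGING]
[WHITELISTMODIFY]
!C:\Program Files\Jotta\jotta.exe>T:*
!*winword.exe>C:\Users\*\Documents\*
[BLACKLISTMODIFY]
$!*SearchIndexer.exe>T:*
*>T:*
*>C:\Users\*\Documents\*
[WHITELISTREAD]
!C:\Program Files\Jotta\jotta.exe>T:*
*>T:*
[BLACKLISTREAD]
$!*explorer.exe>T:*
$!*chrome.exe>T:*
*>T:*
[EOF]
"""


def parse_rules(text):
    """Return {"read": {"white": [...], "black": [...]}, "modify": {...}}.

    Each rule is a tuple (priority, process_pattern, path_pattern), lower-cased
    because matching is treated as case-insensitive (assumption).
    """
    rules = {"read": {"white": [], "black": []}, "modify": {"white": [], "black": []}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = SECTIONS.get(line[1:-1].upper())   # None for LETHAL/LOGGING/EOF
            continue
        if current is None or ">" not in line:
            continue
        # '$' precedes '!' in some configs in the thread; treated as an opaque flag (assumption).
        line = line.lstrip("$")
        priority = line.startswith("!")
        proc_pat, path_pat = line.lstrip("!").split(">", 1)
        op, colour = current
        rules[op][colour].append((priority, proc_pat.lower(), path_pat.lower()))
    return rules


def _match(rule_list, process, path, want_priority):
    """True if any rule of the requested priority class matches process and path."""
    return any(fnmatchcase(process, pp) and fnmatchcase(path, fp)
               for prio, pp, fp in rule_list if prio == want_priority)


def decide(rules, op, process, path):
    """Return 'allow' or 'block' for `process` doing `op` ('read'/'modify') on `path`."""
    process, path = process.lower(), path.lower()
    white, black = rules[op]["white"], rules[op]["black"]
    if _match(black, process, path, True):    # priority blacklist wins over everything
        return "block"
    if _match(white, process, path, True):    # priority whitelist overrides plain blacklist
        return "allow"
    if _match(black, process, path, False):   # plain blacklist
        return "block"
    return "allow"                            # plain whitelist or no rule (assumed default)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_INI)
    cases = [
        ("read", r"C:\Windows\explorer.exe", r"T:\TECHY"),
        ("read", r"C:\Program Files\Jotta\jotta.exe", r"T:\TECHY"),
        ("read", r"C:\Windows\notepad.exe", r"T:\notes.txt"),
        ("modify", r"C:\Program Files\Jotta\jotta.exe", r"C:\Users\MrX\AppData\Local\x.db"),
        ("modify", r"C:\Users\bob\AppData\Local\Temp\dropper.exe", r"C:\Users\bob\Documents\a.docx"),
    ]
    for op, proc, path in cases:
        print(f"{decide(rules, op, proc, path):5}  {op:6}  {proc}  ->  {path}")
```

    The fourth case in the usage block is the gap co22 pointed out: with no BLACKLISTMODIFY entry for other drives, a whitelisted jotta.exe is free to write anywhere outside T:, so a FIDES ruleset only constrains the paths it names.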
     
  16. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Very unskilled for coding guy here lol
    Could you redo my Pumpernickel.ini please? Just to make a lil test.

    I tend to agree with you. But doesn't this file-dialog function make use of explorer.exe?
    You seem to say so, implicitly.
     
  17. guest

    guest Guest

    IF your program is executing explorer.exe and (explorer.exe) wants to read your files, it can't do that because it's blacklisted (priority blacklist).
    But you can see files, this means it's a "normal file-open dialog" from your whitelisted program.

    Do another test:
    Open your browser, press Ctrl+O "open", navigate to T:\ = you see that access to T:\ is blocked.
    It's the same file dialog (which you can see with jotta.exe too) but FIDES blocked access to your files (browser is not whitelisted)
    How should FIDES know that malware manipulated your client?
    FIDES can only block/allow executables according to your black/whitelist.
    If it sees access from jotta.exe it simply allows it.
    If a process injected into jotta.exe and jotta.exe wants to read your files = access allowed.

    Additional security layers are needed to protect your (whitelisted) executables from being modified.

    In short:
    a whitelisted program calls a "file-open dialog" = files can be seen
    malware injected into a whitelisted program + "file-open dialog" = files can be seen from malware (through your whitelisted program)
    a blacklisted program calls a "file-open dialog" = no access to your files
     
  18. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    I tried to run this app with my config enabled; it wouldn't even launch.
    Then after disabling Pumpernickel it launched, but it needed an internet connection to show the main window. After allowing internet
    it needed registration, so I didn't test this program any more.
    Here, try this config and see if it can read & write D:*

    Code:
    [LETHAL]
    [LOGGING]
    [WHITELISTMODIFY]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
    !C:\Program Files\Jotta\jotta.exe>T:*
    [BLACKLISTMODIFY]
    $!*SearchIndexer.exe>T:*
    $!jotta.exe>D:*
    *>T:*
    [WHITELISTREAD]
    !C:\Program Files (x86)\2BrightSparks\SyncBackFree\SyncBackFree.exe>T:*
    !C:\Program Files\Jotta\jotta.exe>T:*
    !C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe>T:*
    !C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe>T:*
    [BLACKLISTREAD]
    $!jotta.exe>D:*
    $!*explorer.exe>T:*
    $!*wininit.exe>T:*
    $!*svchost.exe>T:*
    $!*SearchIndexer.exe>T:*
    $!*360WangPan.exe>T:*
    $!*Cloud.exe>T:*
    $!*chrome.exe>T:*
    $!*HDSentinel.exe>T:*
    *>T:*
    [EOF]
    Or clear your logs in Pumpernickel.log
    and then use the config below, then run the program and find out which log entries are related to jotta.exe,
    then create rules for them.
    I added some of them:
    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELISTMODIFY]
    !C:\Program Files\Jotta\jotta.exe>C:\Users\*\AppData\Local\Temp\qtsingleapp-jottae-6ce0-1-lockfile
    !C:\Windows\explorer.exe>C:\ProgramData\Jotta\JShellExt.log
    [BLACKLISTMODIFY]
    *>*
    [WHITELISTREAD]
    !C:\Program Files\Jotta\jotta.exe>C:\Users*
    [BLACKLISTREAD]
    *>*
    [EOF]
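    The "run it non-lethal, read the log, write rules for what you see" workflow above is easy to script. The following is an added example of my own (not code from Excubits or from anyone in this thread): it parses lines in the format Pumpernickel.log uses in this thread, counts what each process touched per drive/top-level folder, and turns one executable's entries into candidate priority-whitelist rules. The sample lines are a small constructed subset of the log posted further down; treating "W:" as a modify and "R:" as a read, and collapsing targets to drive plus first folder, are assumptions.

```python
"""Summarise Pumpernickel-style log lines and draft whitelist rules from them."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Format seen in the thread: *** <source> ***: <timestamp> > <R|W>: <process> > <target>
LOG_RE = re.compile(
    r"^\*\*\* (?P<source>.+?) \*\*\*: (?P<ts>\S+) > (?P<op>[RW]): (?P<process>.+?) > (?P<target>.+)$"
)

# Constructed sample: a handful of lines in the same shape as the posted log, plus one bad line.
SAMPLE_LOG = [
    r"*** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Windows\explorer.exe > C:\Users\MrX\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Jottacloud.lnk",
    r"*** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\FWPUCLNT.DLL",
    r"*** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\Desktop\desktop.ini",
    r"*** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents",
    r"*** excubits.com beta ***: 2016/09/21_18:14 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db",
    r"*** excubits.com beta ***: 2016/09/21_18:14 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX",
    r"*** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > T:\TECHY\desktop.ini",
    "*** excubits.com beta ***: 2016/09/21_18:14 > R: C:\\Program Files\\Jotta\\jotta.exe > C:\\",
    r"*** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Windows\explorer.exe > C:\ProgramData\Jotta\JShellExt.log",
    "this line is not a log entry and must be skipped",
]


def parse_log_line(line):
    """Return a dict with source/ts/op/process/target, or None for an unparseable line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def target_root(target, depth=2):
    """Collapse a target path to drive plus the first (depth-1) folders.

    'D:\\Documents\\Desktop\\x' -> 'D:\\Documents'; a bare drive 'C:\\' stays 'C:\\'.
    """
    parts = PureWindowsPath(target).parts
    return str(PureWindowsPath(*parts[:depth]))


def summarize(lines):
    """Counter of (process file name, op, target root) over all parseable lines."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        proc = PureWindowsPath(rec["process"]).name.lower()
        counts[(proc, rec["op"], target_root(rec["target"]))] += 1
    return counts


def suggest_rules(lines, process_name):
    """Candidate priority-whitelist rules (one per op and target root) for one executable."""
    read, modify = set(), set()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or PureWindowsPath(rec["process"]).name.lower() != process_name.lower():
            continue
        root = target_root(rec["target"])
        # A bare drive root is kept literal rather than widened to a whole-drive wildcard.
        pattern = root if root.endswith("\\") else root + "\\*"
        rule = f"!{rec['process']}>{pattern}"
        (read if rec["op"] == "R" else modify).add(rule)   # 'W' treated as modify (assumption)
    return {"WHITELISTREAD": sorted(read), "WHITELISTMODIFY": sorted(modify)}


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3}  {key[0]:14} {key[1]}  {key[2]}")
    for section, rules in suggest_rules(SAMPLE_LOG, "jotta.exe").items():
        print(f"[{section}]")
        print("\n".join(rules))
```

    Review the drafted rules before pasting them into an ini: the generator widens every target to its top-level folder, so a log showing one thumbnail-cache write becomes a rule allowing all of C:\Users\*, which may be broader than you want.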
     
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Yes, I did and it was blocked. As expected.

    Do you think AppGuard, which is actually running in my security setup, will work? I mean to add jottacloud.exe and syncbackfree.exe as Guarded apps?

    I always believed file-open dialog was an explorer.exe instance triggered by the main program. Good to know I was wrong.
     
  20. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Trying this right away. I'll come back to report...

    Edit:
    Wow! Found 250 lines! lol
    Code:
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Windows\explorer.exe > C:\Users\MrX\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Jottacloud.lnk
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\FWPUCLNT.DLL
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\FWPUCLNT.DLL
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\FWPUCLNT.DLL
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\FWPUCLNT.DLL
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Windows\explorer.exe > C:\Users\MrX\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Jottacloud.lnk
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\msftedit.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\msftedit.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\Desktop\desktop.ini
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\Desktop
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\Desktop\Dropbox\desktop.ini
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\Desktop\TECHY\desktop.ini
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX\AppData\Local
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\desktop.ini
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX\AppData\Local\Microsoft\Windows\Explorer
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\Downloads\desktop.ini
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmCE18.tmp
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Program Files\Jotta\icon.ico
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Program Files\Jotta\icon.ico
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX\AppData\Local
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX\AppData\Local\Microsoft\Windows\Explorer
    *** excubits.com beta ***: 2016/09/21_18:14 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmCE18.tmp
    *** excubits.com beta ***: 2016/09/21_18:14 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
    *** excubits.com beta ***: 2016/09/21_18:14 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\shell32.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\shell32.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\shell32.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\wpdshext.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\wpdshext.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\wpdshext.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\wpdshext.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\wpdshext.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\EhStorShell.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\EhStorShell.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\EhStorShell.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\EhStorShell.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\Desktop
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\Desktop
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\Desktop
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\Desktop
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\Downloads
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\Downloads
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\Downloads
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\Downloads
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > T:\
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > T:\TECHY\desktop.ini
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\shell32.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > T:\TECHY
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\shell32.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > T:\TECHY\LIBROS DERECHO
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\shell32.dll
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Windows\explorer.exe > C:\Users\MrX\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Jottacloud.lnk
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Windows\explorer.exe > C:\Users\MrX\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Jottacloud.lnk
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Windows\explorer.exe > C:\ProgramData\Jotta\JShellExt.log
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Windows\explorer.exe > C:\ProgramData\Jotta\JShellExt.log
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Windows\explorer.exe > C:\ProgramData\Jotta\JShellExt.log
    *** excubits.com beta ***: 2016/09/21_18:14 > R: C:\Windows\explorer.exe > C:\ProgramData\Jotta\JShellExt.log
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Windows\explorer.exe > C:\Users\MrX\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Jottacloud.lnk
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\msftedit.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\msftedit.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\Desktop
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX\AppData\Local
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX\AppData\Local\Microsoft\Windows\Explorer
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmCE18.tmp
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Program Files\Jotta\icon.ico
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Program Files\Jotta\icon.ico
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX
    *** excubits.com beta ***: 2016/09/21_18:15 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX\AppData\Local
    *** excubits.com beta ***: 2016/09/21_18:15 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX\AppData\Local\Microsoft\Windows\Explorer
    *** excubits.com beta ***: 2016/09/21_18:15 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX\AppData\Local\Microsoft\Windows\Explorer\ThumbCacheToDelete\thmCE18.tmp
    *** excubits.com beta ***: 2016/09/21_18:15 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
    *** excubits.com beta ***: 2016/09/21_18:15 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\shell32.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\wpdshext.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\wpdshext.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\wpdshext.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\wpdshext.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\shell32.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\wpdshext.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\shell32.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17415_none_6240486fecbd8abb
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\EhStorShell.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\EhStorShell.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\EhStorShell.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\EhStorShell.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\Desktop
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\Desktop
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\Desktop
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\Desktop
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\Resources\Themes\aero\Shell\NormalColor\shellstyle.dll
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\Downloads
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\Downloads
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\Downloads
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\Downloads
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\
    *** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Windows\explorer.exe > C:\Users\MrX\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Jottacloud.lnk
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files\Jotta\jotta.exe > T:\
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files\Jotta\jotta.exe > T:\TECHY\desktop.ini
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\shell32.dll
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files\Jotta\jotta.exe > T:\TECHY
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\shell32.dll
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\shell32.dll
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Windows\explorer.exe > C:\Users\MrX\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Jottacloud.lnk
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Windows\explorer.exe > C:\Users\MrX\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Jottacloud.lnk
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe > C:\Users\MrX\AppData\Local\Temp\jottacloud
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe > C:\Users\MrX\AppData\Local\Temp\jottacloud
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe > C:\Users\MrX\AppData\Roaming\Jotta
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe > C:\Users\MrX\AppData\Roaming\Jotta
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe > C:\Program Files\Jotta\jotta.exe
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe > C:\Program Files\Jotta\jotta.exe
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe > C:\Program Files\Jotta
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe > C:\Program Files\Jotta\jotta.exe
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe > C:\Program Files\Jotta\jotta.exe
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe > C:\Program Files\Jotta
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe > C:\Program Files\Jotta\jotta.exe
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe > C:\Program Files\Jotta\vss\jVSS.exe
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe > C:\Program Files\Jotta\vss\jVSS.exe
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe > C:\Program Files\Jotta\vss\jVSS.exe
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe > C:\Program Files\Jotta\jotta.exe
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe > C:\Program Files\Jotta\jotta.exe
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe > C:\Program Files\Jotta\jotta.exe
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe > C:\Users\MrX\AppData\Local\Temp\jottacloud
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe > C:\Users\MrX\AppData\Local\Temp\jottacloud
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe > C:\Users\MrX\AppData\Roaming\Jotta
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe > C:\Users\MrX\AppData\Roaming\Jotta
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe > C:\Program Files\Jotta\jotta.exe
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe > C:\Program Files\Jotta\jotta.exe
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe > C:\Program Files\Jotta
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe > C:\Users\MrX\AppData\Local\Temp\jottacloud
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe > C:\Users\MrX\AppData\Roaming\Jotta
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Windows\explorer.exe > C:\Users\MrX\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Jottacloud.lnk
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe > C:\Program Files\Jotta
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe > C:\Program Files\Jotta\jotta.exe
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe > C:\Program Files\Jotta\jotta.exe
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe > C:\Program Files\Jotta\jotta.exe
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe > C:\Program Files\Jotta\jotta.exe
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardGUI.exe > C:\Program Files\Jotta\jotta.exe
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe > C:\Users\MrX\AppData\Local\Temp\jottacloud
    *** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files (x86)\Blue Ridge Networks\AppGuard\AppGuardAgent.exe > C:\Users\MrX\AppData\Roaming\Jotta
    
    
     
    Last edited: Sep 21, 2016
  21. co22

    co22 Registered Member

    Joined:
    Nov 22, 2011
    Posts:
    411
    Location:
    router
    OK.
    After removing duplicate lines it was 40 lines, then I removed more with path rules.

    Just a caution: don't test it in LETHAL mode, it may crash the PC while running it or after restart, so first test it in #LETHAL both while running it and after restart to see other important logs.
    You may have to make shorter rules to work in the demo.
    In the config below, jotta.exe won't be able to read any path except the whitelist,
    and jotta.exe is not able to write any path except the whitelist.



    Code:
    [#LETHAL]
    [LOGGING]
    [WHITELISTMODIFY]
    !C:\Program Files\Jotta\jotta.exe>C:\Users\*\AppData\Local\Temp\qtsingleapp-jottae-6ce0-1-lockfile
    !C:\Program Files\Jotta\jotta.exe>C:\Users*
    !C:\Program Files\Jotta\jotta.exe>D:*
    !C:\Program Files\Jotta\jotta.exe>T:*
    !C:\Windows\explorer.exe>C:\ProgramData\Jotta\JShellExt.log
    !C:\Program Files*>C:\Users\*\AppData*
    !C:\Program Files*>C:\Program Files*
    !C:\Program Files*>C:\ProgramData*
    !C:\Program Files*>C:\PROGRA~1*
    !C:\Program Files*>C:\Windows*
    !C:\Windows*>C:\Program Files*
    !C:\Windows*>C:\ProgramData
    !C:\Windows*>C:\PROGRA~1
    !C:\Windows*>C:\Windows*
    !Notepad2.exe>*.log
    !Notepad2.exe>*.txt
    !Notepad2.exe>*.ini
    !explorer.exe>C:\$Recycle.Bin*
    !explorer.exe>C:\ProgramData\Microsoft\Windows\Caches*
    !explorer.exe>C:\Users*
    !TrustedInstaller.exe>*Device\HarddiskVolumeShadowCopy*
    !TrustedInstaller.exe>C:\System Volume Information\SPP*
    !autochk.exe>*
    !lsass.exe>*
    !services.exe>*
    !smss.exe>*
    !C:\Windows*>C:\Users*
    !VSSVC.exe>*
    !WerFault.exe>*
    !wininit.exe>*
    [BLACKLISTMODIFY]
    *>*
    [WHITELISTREAD]
    !*AppGuardAgent.exe>*
    !*jotta.exe>C:*
    !C:\Program Files\Jotta\jotta.exe>D:*
    !C:\Program Files\Jotta\jotta.exe>T:*
    !explorer.exe>*JShellExt.log
    !explorer.exe>*Jottacloud.lnk
    !C:\Program Files\Jotta\jotta.exe>C:\Users*
    !C:\Program Files*>C:\Program Files*
    !C:\Program Files*>C:\ProgramData*
    !C:\Program Files*>C:\PROGRA~1*
    !C:\Program Files*>C:\Windows*
    !C:\Windows*>C:\Program Files*
    !C:\Windows*>C:\ProgramData
    !C:\Windows*>C:\PROGRA~1
    !C:\Windows*>C:\Windows*
    !explorer.exe>?:*
    !TrustedInstaller.exe>*
    !autochk.exe>*
    !cmd.exe>C:\Users\*\Desktop*
    !consent.exe>C:\Users*
    !dllhost.exe>*
    !LogonUI.exe>*user.bmp
    !lsass.exe>*
    !services.exe>*
    !smss.exe>*
    !svchost.exe>*
    !userinit.exe>*
    !VSSVC.exe>*
    !winlogon.exe>*
    [BLACKLISTREAD]
    *>*
    [EOF]
    And about the File Open dialog:
    I think even that can be restricted by Bouncer (block the related DLL from loading) or by Pumpernickel (prevent reading the related DLL), but it's not important, because its read/write actions are based on your rules, not on that File Open dialog.

    I think this DLL is comctl32.dll.
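    As an added example of the procedure co22 describes (not co22's or Excubits' code), the script below parses log lines in the layout shown above, drops verbatim repeats, collapses paths to wildcard prefixes and writes them into the same section layout as the posted config, with LETHAL left commented out. The log sample is constructed; the line layout, the meaning of the leading `!` and the path-collapsing heuristic are assumptions, not documented tool behaviour.

```python
import re
from collections import OrderedDict

# Line layout as it appears in the thread's log dump (assumption: the shape
# "<banner>: <timestamp> > <R|W>: <process> > <path>" is stable).
LOG_RE = re.compile(r"^\*\*\* excubits\.com beta \*\*\*: (\S+) > ([RW]): (.+?) > (.+)$")

# Constructed sample, modelled on the lines posted above (not a real capture).
SAMPLE_LOG = r"""
*** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
*** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > C:\Windows\System32\imageres.dll
*** excubits.com beta ***: 2016/09/21_18:15 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db
*** excubits.com beta ***: 2016/09/21_18:15 > W: C:\Program Files\Jotta\jotta.exe > C:\Users\MrX\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db
*** excubits.com beta ***: 2016/09/21_18:15 > R: C:\Program Files\Jotta\jotta.exe > D:\Documents\Desktop
*** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Program Files\Jotta\jotta.exe > T:\TECHY\desktop.ini
*** excubits.com beta ***: 2016/09/21_18:16 > R: C:\Windows\explorer.exe > C:\Users\MrX\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\Jottacloud.lnk
"""


def parse_log(text):
    """Return (op, process, path) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append((m.group(2), m.group(3), m.group(4)))
    return events


def dedupe(events):
    """Drop verbatim repeats (the same access logged many times), keeping order."""
    return list(OrderedDict.fromkeys(events))


def collapse(path, depth):
    """Shorten a path to its first `depth` components plus '*'. The account name
    under C:\\Users becomes '*' (and one more component is kept past it) so one
    rule covers every user, as the thread's C:\\Users\\*\\AppData* rules do."""
    parts = path.split("\\")
    keep = depth
    if len(parts) > 2 and parts[1].lower() == "users":
        parts[2] = "*"
        keep += 1
    if len(parts) <= keep:
        return "\\".join(parts)  # short path: keep it exact, no wildcard
    return "\\".join(parts[:keep]) + "*"


def make_rules(events, depth=3):
    """Turn logged accesses into whitelist rules in the thread's 'process>path'
    form; the leading '!' is copied from the posted config. Returns (read, write)."""
    read, write = [], []
    for op, proc, path in dedupe(events):
        rule = "!%s>%s" % (proc, collapse(path, depth))
        bucket = write if op == "W" else read
        if rule not in bucket:
            bucket.append(rule)
    return read, write


def render_config(read, write, lethal=False):
    """Emit the section layout of the posted config. LETHAL stays commented out
    ([#LETHAL]) by default, so the policy only logs until it has been reviewed."""
    lines = ["[LETHAL]" if lethal else "[#LETHAL]", "[LOGGING]", "[WHITELISTMODIFY]"]
    lines += write
    lines += ["[BLACKLISTMODIFY]", "*>*", "[WHITELISTREAD]"]
    lines += read
    lines += ["[BLACKLISTREAD]", "*>*", "[EOF]"]
    return "\n".join(lines)


if __name__ == "__main__":
    r, w = make_rules(parse_log(SAMPLE_LOG))
    print(render_config(r, w))
```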
     
  22. guest

    guest Guest

    Running ERP and AG in general should be enough as an additional layer.
    Or you can try to add them as a Protected Process to MemProtect (=injecting into jottacloud.exe and syncbackfree.exe is not possible anymore)

    But maybe that theoretical attack scenario is too specific (malware injects into your backup program to read your data), so it's unlikely to happen.
    Only if the backup program is a known vulnerable process would I add it to AG.
     
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    @co22
    I appreciate a lot the time you took to dig into my issue, but I feel kind of embarrassed to tell you that the solution, or rather the troubleshooting procedure, is too much for me. To be honest I don't have the time to look at the moment, maybe when retired lol. Meanwhile I'm going to take the AppGuard path to protect against injection.
    Anyways thanks a lot for your precious time.
     
  24. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,807
    Location:
    .
    Yet worse, able to write data lol. Yup I know it's very unlikely to see something like this but I want to be prepared for the odds.
    Even so, I already added to AppGuard. Both of them: Jottacloud and SyncBackFree.

    Thanks a lot for everyone who assisted. Much obliged.
     
  25. hjlbx

    hjlbx Guest

    I have not been following lately.

    Is the current stand-alone version of Command Line Scanner identical to the one that is included in the most recent Bouncer beta build?

    Can anyone post an image of the Command Line Scanner log output?
     
    Last edited by a moderator: Oct 7, 2016