2017)
Location:
  Temporary Internet Files
  AppData
  %SystemRoot% (e.g. C:\Windows) and subfolders
  Removable Drive (E:, F:, ...)
  $Recycle.bin
  C:\ (non-recursive)
  User Temp (e.g. %UserProfile%\AppData\Local\Temp)
  C:\Temp
  C:\Windows\Temp
  \\Client\[A-Z]$ (client drive mounted into remote session)
  C:\PerfLogs
  Other dirs only writable for Administrators group

Virustotal Check (Requires Hash / Sample):
  "Probably harmless" note
  Comments > Negative user comments
  File Detail > Revoked certificate
  "Microsoft software catalogue" note
  Additional Information > Tags > CVE-*
  Additional Information > Many different file names
  FileVersionInfo properties > empty or non-existent
  Packers identified > Rare Packers like: Themida, Enigma, ApLib, Tasm, ExeCryptor
  Additional Information > File names: *.virus
  Additional Information > File names: hash value as file name
  Packers identified > Uncommon Packers like: PECompact, VMProtect, Telock, Petite, WinUnpack, ASProtect
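As an added helper that is not part of the cheat sheet, the Python function below maps the file path taken from an AV event onto the Location cells listed above, so a triage script can tag events before a human looks at them. It assumes %SystemRoot% is C:\Windows and %UserProfile% is a folder under C:\Users, treats drive letters E: through Z: as removable, and cannot evaluate the "only writable for Administrators group" case from a path string alone.

```python
import re

# Labels are the Location cells from the cheat sheet; "other" is an added
# fallback for paths that match none of them. Rules are checked in order,
# most specific first, so C:\Windows\Temp wins over the generic %SystemRoot%
# rule and AppData\Local\Temp wins over the generic AppData rule.
_RULES = [
    (r"\\Client\[A-Z]$",             re.compile(r"^\\\\client\\[a-z]\$\\")),
    (r"C:\Windows\Temp",             re.compile(r"^c:\\windows\\temp\\")),
    (r"%SystemRoot% and subfolders", re.compile(r"^c:\\windows\\")),
    (r"C:\Temp",                     re.compile(r"^c:\\temp\\")),
    (r"C:\PerfLogs",                 re.compile(r"^c:\\perflogs\\")),
    (r"$Recycle.bin",                re.compile(r"\\\$recycle\.bin\\")),
    ("Temporary Internet Files",     re.compile(r"\\temporary internet files\\")),
    ("User Temp",                    re.compile(r"\\appdata\\local\\temp\\")),
    ("AppData",                      re.compile(r"\\appdata\\")),
    (r"C:\ (non-recursive)",         re.compile(r"^c:\\[^\\]+$")),
    # Assumption: E: to Z: are removable, as in the sheet's "(E:, F:, ...)".
    ("Removable Drive",              re.compile(r"^[e-z]:\\")),
]


def normalize(path: str) -> str:
    """Lower-case the path, use backslashes, and expand the two placeholders
    the sheet uses (assumed: %SystemRoot% = C:\\Windows, profile under C:\\Users)."""
    p = path.replace("/", "\\").strip()
    p = re.sub(r"%systemroot%", r"C:\\Windows", p, flags=re.IGNORECASE)
    p = re.sub(r"%userprofile%", r"C:\\Users\\user", p, flags=re.IGNORECASE)
    return p.lower()


def classify_location(path: str) -> str:
    """Return the cheat-sheet Location label for a file path, or "other"."""
    p = normalize(path)
    for label, rx in _RULES:
        if rx.search(p):
            return label
    return "other"
```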