paladin316

remcos_agent_Protected_exe_2019-08-21_11_50.txt

Aug 21st, 2019
  1.  
  2. * MalFamily: "Remcos"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "remcos_agent_Protected.exe"
  7. * File Size: 1179136
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826"
  10. * MD5: "d5581c9db64b399c7d0cdb3f7b78673b"
  11. * SHA1: "87396211e6468d73c97301fe0b673f64bcd6d17c"
  12. * SHA512: "5a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6"
  13. * CRC32: "90766F96"
  14. * SSDEEP: "24576:yAHnh+eWsN3skA4RV1Hom2KXMmHaLIahgxY3b5:1h+ZkldoPK8YaLDN"
  15.  
  16. * Process Execution:
  17. "remcos_agent_Protected.exe",
  18. "remcos_agent_Protected.exe",
  19. "wscript.exe",
  20. "cmd.exe",
  21. "remcos.exe",
  22. "remcos.exe",
  23. "svchost.exe",
  24. "svchost.exe",
  25. "svchost.exe",
  26. "schtasks.exe",
  27. "schtasks.exe",
  28. "svchost.exe",
  29. "svchost.exe",
  30. "svchost.exe"
  31.  
  32.  
  33. * Executed Commands (note the schtasks entry below: the task is named "setx" to blend in with built-in tool names, runs every minute with /F to silently overwrite any existing task, and launches a copy masquerading as sfc.exe from AppData\\Roaming\\CapabilityAccessHandlers — a second persistence path alongside the Run keys):
  34. "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc minute /mo 1 /F",
  35. "schtasks /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc minute /mo 1 /F",
  36. "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs\"",
  37. "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs ",
  38. "\"C:\\Windows\\System32\\cmd.exe\" /c \"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\"",
  39. "cmd /c \"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\"",
  40. "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe",
  41. "C:\\Windows\\SysWOW64\\svchost.exe"
  42.  
  43.  
  44. * Signatures Detected:
  45.  
  46. "Description": "Creates RWX memory",
  47. "Details":
  48.  
  49.  
  50. "Description": "Possible date expiration check, exits too soon after checking local time (the flagged process is schtasks.exe, a short-lived command-line utility, so this is most likely a false positive rather than an expiry check in the sample)",
  51. "Details":
  52.  
  53. "process": "schtasks.exe, PID 3260"
  54.  
  55.  
  56.  
  57.  
  58. "Description": "Detected script timer window indicative of sleep style evasion",
  59. "Details":
  60.  
  61. "Window": "WSH-Timer"
  62.  
  63.  
  64.  
  65.  
  66. "Description": "A process attempted to delay the analysis task.",
  67. "Details":
  68.  
  69. "Process": "remcos.exe tried to sleep 1931 seconds, actually delayed analysis time by 0 seconds"
  70.  
  71.  
  72.  
  73.  
  74. "Description": "Reads data out of its own binary image",
  75. "Details":
  76.  
  77. "self_read": "process: remcos_agent_Protected.exe, pid: 3572, offset: 0x00000000, length: 0x0011fe00"
  78.  
  79.  
  80. "self_read": "process: wscript.exe, pid: 3156, offset: 0x00000000, length: 0x00000040"
  81.  
  82.  
  83. "self_read": "process: wscript.exe, pid: 3156, offset: 0x000000f0, length: 0x00000018"
  84.  
  85.  
  86. "self_read": "process: wscript.exe, pid: 3156, offset: 0x000001e8, length: 0x00000078"
  87.  
  88.  
  89. "self_read": "process: wscript.exe, pid: 3156, offset: 0x00018000, length: 0x00000020"
  90.  
  91.  
  92. "self_read": "process: wscript.exe, pid: 3156, offset: 0x00018058, length: 0x00000018"
  93.  
  94.  
  95. "self_read": "process: wscript.exe, pid: 3156, offset: 0x000181a8, length: 0x00000018"
  96.  
  97.  
  98. "self_read": "process: wscript.exe, pid: 3156, offset: 0x00018470, length: 0x00000010"
  99.  
  100.  
  101. "self_read": "process: wscript.exe, pid: 3156, offset: 0x00018640, length: 0x00000012"
  102.  
  103.  
  104. "self_read": "process: remcos.exe, pid: 2172, offset: 0x00000000, length: 0x0011fe00"
  105.  
  106.  
  107. "self_read": "process: remcos.exe, pid: 1424, offset: 0x00000000, length: 0x0011fe00"
  108.  
  109.  
  110.  
  111.  
  112. "Description": "A process created a hidden window",
  113. "Details":
  114.  
  115. "Process": "remcos_agent_Protected.exe -> schtasks"
  116.  
  117.  
  118. "Process": "remcos_agent_Protected.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs"
  119.  
  120.  
  121. "Process": "wscript.exe -> cmd"
  122.  
  123.  
  124. "Process": "remcos.exe -> schtasks"
  125.  
  126.  
  127.  
  128.  
  129. "Description": "Drops a binary and executes it",
  130. "Details":
  131.  
  132. "binary": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
  133.  
  134.  
  135.  
  136.  
  137. "Description": "Performs some HTTP requests (the only request is the Windows NCSI connectivity probe to msftncsi.com with the 'Microsoft NCSI' user-agent, which is OS background traffic rather than sample C2; see the HTTP section below)",
  138. "Details":
  139.  
  140. "url": "http://www.msftncsi.com/ncsi.txt"
  141.  
  142.  
  143.  
  144.  
  145. "Description": "Executed a process and injected code into it, probably while unpacking",
  146. "Details":
  147.  
  148. "Injection": "remcos_agent_Protected.exe(3572) -> remcos_agent_Protected.exe(3236)"
  149.  
  150.  
  151.  
  152.  
  153. "Description": "Sniffs keystrokes",
  154. "Details":
  155.  
  156. "SetWindowsHookExA": "Process: remcos.exe(1424)"
  157.  
  158.  
  159.  
  160.  
  161. "Description": "Attempts to execute a Living Off The Land Binary command for post-exploitation",
  162. "Details":
  163.  
  164. "MITRE T1053 (Scheduled Task/Job; the original report mislabelled this as T1078, Valid Accounts) - schtasks": "(Tactic: Execution, Persistence, Privilege Escalation)"
  165.  
  166.  
  167.  
  168.  
  169. "Description": "Installs itself for autorun at Windows startup",
  170. "Details":
  171.  
  172. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"
  173.  
  174.  
  175. "data": "\"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\""
  176.  
  177.  
  178. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"
  179.  
  180.  
  181. "data": "\"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\""
  182.  
  183.  
  184. "task": "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc minute /mo 1 /F"
  185.  
  186.  
  187.  
  188.  
  189. "Description": "Creates a hidden or system file",
  190. "Details":
  191.  
  192. "file": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
  193.  
  194.  
  195. "file": "C:\\Users\\user\\AppData\\Roaming\\remcos"
  196.  
  197.  
  198. "file": "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat"
  199.  
  200.  
  201.  
  202.  
  203. "Description": "File has been identified by 49 Antiviruses on VirusTotal as malicious",
  204. "Details":
  205.  
  206. "MicroWorld-eScan": "AIT:Trojan.Nymeria.1823"
  207.  
  208.  
  209. "FireEye": "Generic.mg.d5581c9db64b399c"
  210.  
  211.  
  212. "McAfee": "Artemis!D5581C9DB64B"
  213.  
  214.  
  215. "Cylance": "Unsafe"
  216.  
  217.  
  218. "CrowdStrike": "win/malicious_confidence_100% (W)"
  219.  
  220.  
  221. "Alibaba": "Backdoor:Win32/Remcos.c4e51595"
  222.  
  223.  
  224. "K7GW": "Trojan ( 00549f261 )"
  225.  
  226.  
  227. "K7AntiVirus": "Trojan ( 00549f261 )"
  228.  
  229.  
  230. "Arcabit": "AIT:Trojan.Nymeria.D71F"
  231.  
  232.  
  233. "TrendMicro": "Trojan.AutoIt.CRYPTINJECT.SMA"
  234.  
  235.  
  236. "Cyren": "W32/AutoIt.JD.gen!Eldorado"
  237.  
  238.  
  239. "Symantec": "ML.Attribute.HighConfidence"
  240.  
  241.  
  242. "APEX": "Malicious"
  243.  
  244.  
  245. "Avast": "Win32:Trojan-gen"
  246.  
  247.  
  248. "ClamAV": "Win.Malware.Autoit-6985962-0"
  249.  
  250.  
  251. "Kaspersky": "Backdoor.Win32.Remcos.cxb"
  252.  
  253.  
  254. "BitDefender": "AIT:Trojan.Nymeria.1823"
  255.  
  256.  
  257. "NANO-Antivirus": "Trojan.Win32.Remcos.fqrrmb"
  258.  
  259.  
  260. "Paloalto": "generic.ml"
  261.  
  262.  
  263. "AegisLab": "Trojan.Win32.Remcos.4!c"
  264.  
  265.  
  266. "Tencent": "Win32.Trojan.Inject.Auto"
  267.  
  268.  
  269. "Endgame": "malicious (high confidence)"
  270.  
  271.  
  272. "Emsisoft": "AIT:Trojan.Nymeria.1823 (B)"
  273.  
  274.  
  275. "F-Secure": "Dropper.DR/AutoIt.Gen8"
  276.  
  277.  
  278. "DrWeb": "Trojan.Inject3.16009"
  279.  
  280.  
  281. "Invincea": "heuristic"
  282.  
  283.  
  284. "McAfee-GW-Edition": "BehavesLike.Win32.Dropper.th"
  285.  
  286.  
  287. "Sophos": "Troj/AutoIt-CKU"
  288.  
  289.  
  290. "Ikarus": "Trojan.Autoit"
  291.  
  292.  
  293. "F-Prot": "W32/AutoIt.JD.gen!Eldorado"
  294.  
  295.  
  296. "Avira": "DR/AutoIt.Gen8"
  297.  
  298.  
  299. "Antiy-AVL": "GrayWare/Autoit.ShellCode.a"
  300.  
  301.  
  302. "Microsoft": "VirTool:Win32/AutInject.CZ!bit"
  303.  
  304.  
  305. "ViRobot": "Trojan.Win32.Z.Autoit.1179136.D"
  306.  
  307.  
  308. "ZoneAlarm": "Backdoor.Win32.Remcos.cxb"
  309.  
  310.  
  311. "GData": "AIT:Trojan.Nymeria.1823"
  312.  
  313.  
  314. "AhnLab-V3": "Win-Trojan/AutoInj.Exp"
  315.  
  316.  
  317. "Acronis": "suspicious"
  318.  
  319.  
  320. "VBA32": "Backdoor.Remcos"
  321.  
  322.  
  323. "MAX": "malware (ai score=94)"
  324.  
  325.  
  326. "Malwarebytes": "Backdoor.Remcos"
  327.  
  328.  
  329. "ESET-NOD32": "a variant of Win32/Injector.Autoit.DUP"
  330.  
  331.  
  332. "TrendMicro-HouseCall": "Trojan.AutoIt.CRYPTINJECT.SMA"
  333.  
  334.  
  335. "Rising": "Trojan.Win32.Agent_.sa (CLASSIC)"
  336.  
  337.  
  338. "Fortinet": "AutoIt/Injector.DWD!tr"
  339.  
  340.  
  341. "AVG": "Win32:Trojan-gen"
  342.  
  343.  
  344. "Cybereason": "malicious.db64b3"
  345.  
  346.  
  347. "Panda": "Trj/CI.A"
  348.  
  349.  
  350. "Qihoo-360": "Win32/Backdoor.25f"
  351.  
  352.  
  353.  
  354.  
  355. "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
  356. "Details":
  357.  
  358. "target": "clamav:Win.Malware.Autoit-6985962-0, sha256:7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  359.  
  360.  
  361. "dropped": "clamav:Win.Malware.Autoit-6985962-0, sha256:7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  362.  
  363.  
  364. "dropped": "clamav:Win.Malware.Autoit-6985962-0, sha256:8723a807de8ee4f50121a987cf189bb6c963aa964a47f55bad943bb00a27f863 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  365.  
  366.  
  367.  
  368.  
  369. "Description": "Creates a copy of itself",
  370. "Details":
  371.  
  372. "copy": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
  373.  
  374.  
  375.  
  376.  
  377. "Description": "Creates a slightly modified copy of itself",
  378. "Details":
  379.  
  380. "file": "C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe"
  381.  
  382.  
  383. "percent_match": 100
  384.  
  385.  
  386.  
  387.  
  388. "Description": "Anomalous binary characteristics",
  389. "Details":
  390.  
  391. "anomaly": "Actual checksum does not match that reported in PE header"
  392.  
  393.  
  394.  
  395.  
  396. "Description": "Clears web history (IE cookie store and index.dat; the Deleted Files list further down also includes Chrome's 'Cookies' and 'Login Data' databases, i.e. browser session and credential stores were affected, which matters more for incident scoping than the history wipe itself)",
  397. "Details":
  398.  
  399. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat"
  400.  
  401.  
  402. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt"
  403.  
  404.  
  405. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt"
  406.  
  407.  
  408. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt"
  409.  
  410.  
  411. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt"
  412.  
  413.  
  414. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low"
  415.  
  416.  
  417. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt"
  418.  
  419.  
  420. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt"
  421.  
  422.  
  423. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt"
  424.  
  425.  
  426. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt"
  427.  
  428.  
  429. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt"
  430.  
  431.  
  432. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt"
  433.  
  434.  
  435. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt"
  436.  
  437.  
  438. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt"
  439.  
  440.  
  441. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat"
  442.  
  443.  
  444. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt"
  445.  
  446.  
  447. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt"
  448.  
  449.  
  450. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt"
  451.  
  452.  
  453. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt"
  454.  
  455.  
  456.  
  457.  
  458.  
  459. * Started Service:
  460.  
  461. * Mutexes (Remcos_Mutex_Inj, Mutex_RemWatchdog and the build-specific Remcos-S1KNPZ name — which also appears as the HKCU\\Software\\Remcos-S1KNPZ registry key below — are usable Remcos indicators; the Local\\Zones* and MDMAppInstaller entries are ordinary Windows mutexes):
  462. "MDMAppInstaller",
  463. "Local\\ZoneAttributeCacheCounterMutex",
  464. "Local\\ZonesCacheCounterMutex",
  465. "Local\\ZonesLockedCacheCounterMutex",
  466. "Remcos_Mutex_Inj",
  467. "Remcos-S1KNPZ",
  468. "Mutex_RemWatchdog"
  469.  
  470.  
  471. * Modified Files:
  472. "C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe",
  473. "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe",
  474. "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs",
  475. "C:\\Windows\\sysnative\\Tasks\\setx",
  476. "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MP Scheduled Scan",
  477. "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
  478. "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat",
  479. "\\??\\PIPE\\samr",
  480. "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
  481. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
  482. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
  483. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
  484. "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
  485. "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR"
  486.  
  487.  
  488. * Deleted Files (the Windows Defender task entries below may be routine Task Scheduler rewrites during the run rather than sample tampering — attribute them to a process before treating them as defense evasion; the Chrome 'Cookies' and 'Login Data' deletions are the notable items):
  489. "C:\\Windows\\Tasks\\setx.job",
  490. "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MpIdleTask",
  491. "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MP Scheduled Scan",
  492. "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs",
  493. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
  494. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat",
  495. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low",
  496. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt",
  497. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt",
  498. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt",
  499. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt",
  500. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt",
  501. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt",
  502. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt",
  503. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt",
  504. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt",
  505. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt",
  506. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt",
  507. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt",
  508. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt",
  509. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt",
  510. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt",
  511. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt",
  512. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies",
  513. "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies",
  514. "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  515.  
  516.  
  517. * Modified Registry Keys:
  518. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  519. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  520. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
  521. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
  522. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\10EC5951-9C53-4886-9C32-FBB3A627B1A4\\Path",
  523. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\10EC5951-9C53-4886-9C32-FBB3A627B1A4\\Hash",
  524. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\setx\\Id",
  525. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\setx\\Index",
  526. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\10EC5951-9C53-4886-9C32-FBB3A627B1A4\\Triggers",
  527. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\10EC5951-9C53-4886-9C32-FBB3A627B1A4\\DynamicInfo",
  528. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\9CDF079F-D488-47E0-8840-9A3500F1BBE4\\Path",
  529. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\9CDF079F-D488-47E0-8840-9A3500F1BBE4\\Hash",
  530. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows Defender\\MP Scheduled Scan\\Id",
  531. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows Defender\\MP Scheduled Scan\\Index",
  532. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\9CDF079F-D488-47E0-8840-9A3500F1BBE4\\Triggers",
  533. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\9CDF079F-D488-47E0-8840-9A3500F1BBE4\\DynamicInfo",
  534. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
  535. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\PreviousServiceShutdown",
  536. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID",
  537. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\",
  538. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\exepath",
  539. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\licence",
  540. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\WD",
  541. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\FR",
  542. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
  543. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
  544. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
  545. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier"
  546.  
  547.  
  548. * Deleted Registry Keys:
  549. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  550. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  551. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  552. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  553. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\setx.job",
  554. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\setx.job.fp",
  555. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart"
  556.  
  557.  
  558. * DNS Communications (the only lookup, daya4659.ddns.net, returned no answers — the dynamic-DNS C2 host did not resolve during this run, so no C2 traffic was captured and the network behaviour below is incomplete):
  559.  
  560. "type": "A",
  561. "request": "daya4659.ddns.net",
  562. "answers":
  563.  
  564.  
  565.  
  566. * Domains:
  567.  
  568. "ip": "",
  569. "domain": "daya4659.ddns.net"
  570.  
  571.  
  572.  
  573. * Network Communication - ICMP:
  574.  
  575. * Network Communication - HTTP:
  576.  
  577. "count": 1,
  578. "body": "",
  579. "uri": "http://www.msftncsi.com/ncsi.txt",
  580. "user-agent": "Microsoft NCSI",
  581. "method": "GET",
  582. "host": "www.msftncsi.com",
  583. "version": "1.1",
  584. "path": "/ncsi.txt",
  585. "data": "GET /ncsi.txt HTTP/1.1\r\nConnection: Close\r\nUser-Agent: Microsoft NCSI\r\nHost: www.msftncsi.com\r\n\r\n",
  586. "port": 80
  587.  
  588.  
  589.  
  590. * Network Communication - SMTP:
  591.  
  592. * Network Communication - Hosts:
  593.  
  594. * Network Communication - IRC: