Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- * MalFamily: "Remcos"
- * MalScore: 10.0
- * File Name: "remcos_agent_Protected.exe"
- * File Size: 1179136
- * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
- * SHA256: "7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826"
- * MD5: "d5581c9db64b399c7d0cdb3f7b78673b"
- * SHA1: "87396211e6468d73c97301fe0b673f64bcd6d17c"
- * SHA512: "5a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6"
- * CRC32: "90766F96"
- * SSDEEP: "24576:yAHnh+eWsN3skA4RV1Hom2KXMmHaLIahgxY3b5:1h+ZkldoPK8YaLDN"
- * Process Execution:
- "remcos_agent_Protected.exe",
- "remcos_agent_Protected.exe",
- "wscript.exe",
- "cmd.exe",
- "remcos.exe",
- "remcos.exe",
- "svchost.exe",
- "svchost.exe",
- "svchost.exe",
- "schtasks.exe",
- "schtasks.exe",
- "svchost.exe",
- "svchost.exe",
- "svchost.exe"
- * Executed Commands:
- "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc minute /mo 1 /F",
- "schtasks /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc minute /mo 1 /F",
- "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs\"",
- "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs ",
- "\"C:\\Windows\\System32\\cmd.exe\" /c \"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\"",
- "cmd /c \"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\"",
- "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe",
- "C:\\Windows\\SysWOW64\\svchost.exe"
- * Signatures Detected:
- "Description": "Creates RWX memory",
- "Details":
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details":
- "process": "schtasks.exe, PID 3260"
- "Description": "Detected script timer window indicative of sleep style evasion",
- "Details":
- "Window": "WSH-Timer"
- "Description": "A process attempted to delay the analysis task.",
- "Details":
- "Process": "remcos.exe tried to sleep 1931 seconds, actually delayed analysis time by 0 seconds"
- "Description": "Reads data out of its own binary image",
- "Details":
- "self_read": "process: remcos_agent_Protected.exe, pid: 3572, offset: 0x00000000, length: 0x0011fe00"
- "self_read": "process: wscript.exe, pid: 3156, offset: 0x00000000, length: 0x00000040"
- "self_read": "process: wscript.exe, pid: 3156, offset: 0x000000f0, length: 0x00000018"
- "self_read": "process: wscript.exe, pid: 3156, offset: 0x000001e8, length: 0x00000078"
- "self_read": "process: wscript.exe, pid: 3156, offset: 0x00018000, length: 0x00000020"
- "self_read": "process: wscript.exe, pid: 3156, offset: 0x00018058, length: 0x00000018"
- "self_read": "process: wscript.exe, pid: 3156, offset: 0x000181a8, length: 0x00000018"
- "self_read": "process: wscript.exe, pid: 3156, offset: 0x00018470, length: 0x00000010"
- "self_read": "process: wscript.exe, pid: 3156, offset: 0x00018640, length: 0x00000012"
- "self_read": "process: remcos.exe, pid: 2172, offset: 0x00000000, length: 0x0011fe00"
- "self_read": "process: remcos.exe, pid: 1424, offset: 0x00000000, length: 0x0011fe00"
- "Description": "A process created a hidden window",
- "Details":
- "Process": "remcos_agent_Protected.exe -> schtasks"
- "Process": "remcos_agent_Protected.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs"
- "Process": "wscript.exe -> cmd"
- "Process": "remcos.exe -> schtasks"
- "Description": "Drops a binary and executes it",
- "Details":
- "binary": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
- "Description": "Performs some HTTP requests",
- "Details":
- "url": "http://www.msftncsi.com/ncsi.txt"
- "Description": "Executed a process and injected code into it, probably while unpacking",
- "Details":
- "Injection": "remcos_agent_Protected.exe(3572) -> remcos_agent_Protected.exe(3236)"
- "Description": "Sniffs keystrokes",
- "Details":
- "SetWindowsHookExA": "Process: remcos.exe(1424)"
- "Description": "Attempts to execute a Living Off The Land Binary command for post exeploitation",
- "Details":
- "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
- "Description": "Installs itself for autorun at Windows startup",
- "Details":
- "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"
- "data": "\"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\""
- "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"
- "data": "\"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\""
- "task": "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc minute /mo 1 /F"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
- "file": "C:\\Users\\user\\AppData\\Roaming\\remcos"
- "file": "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat"
- "Description": "File has been identified by 49 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "AIT:Trojan.Nymeria.1823"
- "FireEye": "Generic.mg.d5581c9db64b399c"
- "McAfee": "Artemis!D5581C9DB64B"
- "Cylance": "Unsafe"
- "CrowdStrike": "win/malicious_confidence_100% (W)"
- "Alibaba": "Backdoor:Win32/Remcos.c4e51595"
- "K7GW": "Trojan ( 00549f261 )"
- "K7AntiVirus": "Trojan ( 00549f261 )"
- "Arcabit": "AIT:Trojan.Nymeria.D71F"
- "TrendMicro": "Trojan.AutoIt.CRYPTINJECT.SMA"
- "Cyren": "W32/AutoIt.JD.gen!Eldorado"
- "Symantec": "ML.Attribute.HighConfidence"
- "APEX": "Malicious"
- "Avast": "Win32:Trojan-gen"
- "ClamAV": "Win.Malware.Autoit-6985962-0"
- "Kaspersky": "Backdoor.Win32.Remcos.cxb"
- "BitDefender": "AIT:Trojan.Nymeria.1823"
- "NANO-Antivirus": "Trojan.Win32.Remcos.fqrrmb"
- "Paloalto": "generic.ml"
- "AegisLab": "Trojan.Win32.Remcos.4!c"
- "Tencent": "Win32.Trojan.Inject.Auto"
- "Endgame": "malicious (high confidence)"
- "Emsisoft": "AIT:Trojan.Nymeria.1823 (B)"
- "F-Secure": "Dropper.DR/AutoIt.Gen8"
- "DrWeb": "Trojan.Inject3.16009"
- "Invincea": "heuristic"
- "McAfee-GW-Edition": "BehavesLike.Win32.Dropper.th"
- "Sophos": "Troj/AutoIt-CKU"
- "Ikarus": "Trojan.Autoit"
- "F-Prot": "W32/AutoIt.JD.gen!Eldorado"
- "Avira": "DR/AutoIt.Gen8"
- "Antiy-AVL": "GrayWare/Autoit.ShellCode.a"
- "Microsoft": "VirTool:Win32/AutInject.CZ!bit"
- "ViRobot": "Trojan.Win32.Z.Autoit.1179136.D"
- "ZoneAlarm": "Backdoor.Win32.Remcos.cxb"
- "GData": "AIT:Trojan.Nymeria.1823"
- "AhnLab-V3": "Win-Trojan/AutoInj.Exp"
- "Acronis": "suspicious"
- "VBA32": "Backdoor.Remcos"
- "MAX": "malware (ai score=94)"
- "Malwarebytes": "Backdoor.Remcos"
- "ESET-NOD32": "a variant of Win32/Injector.Autoit.DUP"
- "TrendMicro-HouseCall": "Trojan.AutoIt.CRYPTINJECT.SMA"
- "Rising": "Trojan.Win32.Agent_.sa (CLASSIC)"
- "Fortinet": "AutoIt/Injector.DWD!tr"
- "AVG": "Win32:Trojan-gen"
- "Cybereason": "malicious.db64b3"
- "Panda": "Trj/CI.A"
- "Qihoo-360": "Win32/Backdoor.25f"
- "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
- "Details":
- "target": "clamav:Win.Malware.Autoit-6985962-0, sha256:7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "dropped": "clamav:Win.Malware.Autoit-6985962-0, sha256:7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "dropped": "clamav:Win.Malware.Autoit-6985962-0, sha256:8723a807de8ee4f50121a987cf189bb6c963aa964a47f55bad943bb00a27f863 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
- "Description": "Creates a copy of itself",
- "Details":
- "copy": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
- "Description": "Creates a slightly modified copy of itself",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe"
- "percent_match": 100
- "Description": "Anomalous binary characteristics",
- "Details":
- "anomaly": "Actual checksum does not match that reported in PE header"
- "Description": "Clears web history",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt"
- "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt"
- * Started Service:
- * Mutexes:
- "MDMAppInstaller",
- "Local\\ZoneAttributeCacheCounterMutex",
- "Local\\ZonesCacheCounterMutex",
- "Local\\ZonesLockedCacheCounterMutex",
- "Remcos_Mutex_Inj",
- "Remcos-S1KNPZ",
- "Mutex_RemWatchdog"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe",
- "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe",
- "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs",
- "C:\\Windows\\sysnative\\Tasks\\setx",
- "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MP Scheduled Scan",
- "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
- "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat",
- "\\??\\PIPE\\samr",
- "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
- "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR"
- * Deleted Files:
- "C:\\Windows\\Tasks\\setx.job",
- "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MpIdleTask",
- "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MP Scheduled Scan",
- "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt",
- "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies",
- "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies",
- "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\10EC5951-9C53-4886-9C32-FBB3A627B1A4\\Path",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\10EC5951-9C53-4886-9C32-FBB3A627B1A4\\Hash",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\setx\\Id",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\setx\\Index",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\10EC5951-9C53-4886-9C32-FBB3A627B1A4\\Triggers",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\10EC5951-9C53-4886-9C32-FBB3A627B1A4\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\9CDF079F-D488-47E0-8840-9A3500F1BBE4\\Path",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\9CDF079F-D488-47E0-8840-9A3500F1BBE4\\Hash",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows Defender\\MP Scheduled Scan\\Id",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows Defender\\MP Scheduled Scan\\Index",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\9CDF079F-D488-47E0-8840-9A3500F1BBE4\\Triggers",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\9CDF079F-D488-47E0-8840-9A3500F1BBE4\\DynamicInfo",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\PreviousServiceShutdown",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID",
- "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\",
- "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\exepath",
- "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\licence",
- "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\WD",
- "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\FR",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier"
- * Deleted Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\setx.job",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\setx.job.fp",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart"
- * DNS Communications:
- "type": "A",
- "request": "daya4659.ddns.net",
- "answers":
- * Domains:
- "ip": "",
- "domain": "daya4659.ddns.net"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- "count": 1,
- "body": "",
- "uri": "http://www.msftncsi.com/ncsi.txt",
- "user-agent": "Microsoft NCSI",
- "method": "GET",
- "host": "www.msftncsi.com",
- "version": "1.1",
- "path": "/ncsi.txt",
- "data": "GET /ncsi.txt HTTP/1.1\r\nConnection: Close\r\nUser-Agent: Microsoft NCSI\r\nHost: www.msftncsi.com\r\n\r\n",
- "port": 80
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement