
remcos_agent_Protected_exe_2019-08-21_11_50.txt

paladin316 Aug 21st, 2019 87 Never
  1.  
  2. * MalFamily: "Remcos"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "remcos_agent_Protected.exe"
  7. * File Size: 1179136
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826"
  10. * MD5: "d5581c9db64b399c7d0cdb3f7b78673b"
  11. * SHA1: "87396211e6468d73c97301fe0b673f64bcd6d17c"
  12. * SHA512: "5a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6"
  13. * CRC32: "90766F96"
  14. * SSDEEP: "24576:yAHnh+eWsN3skA4RV1Hom2KXMmHaLIahgxY3b5:1h+ZkldoPK8YaLDN"
  15.  
  16. * Process Execution:
  17.     "remcos_agent_Protected.exe",
  18.     "remcos_agent_Protected.exe",
  19.     "wscript.exe",
  20.     "cmd.exe",
  21.     "remcos.exe",
  22.     "remcos.exe",
  23.     "svchost.exe",
  24.     "svchost.exe",
  25.     "svchost.exe",
  26.     "schtasks.exe",
  27.     "schtasks.exe",
  28.     "svchost.exe",
  29.     "svchost.exe",
  30.     "svchost.exe"
  31.  
  32.  
  33. * Executed Commands:
  34.     "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc  minute /mo 1 /F",
  35.     "schtasks /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc  minute /mo 1 /F",
  36.     "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs\"",
  37.     "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs ",
  38.     "\"C:\\Windows\\System32\\cmd.exe\" /c \"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\"",
  39.     "cmd /c \"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\"",
  40.     "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe",
  41.     "C:\\Windows\\SysWOW64\\svchost.exe"
  42.  
  43.  
  44. * Signatures Detected:
  45.    
  46.         "Description": "Creates RWX memory",
  47.         "Details":
  48.    
  49.    
  50.         "Description": "Possible date expiration check, exits too soon after checking local time",
  51.         "Details":
  52.            
  53.                 "process": "schtasks.exe, PID 3260"
  54.            
  55.        
  56.    
  57.    
  58.         "Description": "Detected script timer window indicative of sleep style evasion",
  59.         "Details":
  60.            
  61.                 "Window": "WSH-Timer"
  62.            
  63.        
  64.    
  65.    
  66.         "Description": "A process attempted to delay the analysis task.",
  67.         "Details":
  68.            
  69.                 "Process": "remcos.exe tried to sleep 1931 seconds, actually delayed analysis time by 0 seconds"
  70.            
  71.        
  72.    
  73.    
  74.         "Description": "Reads data out of its own binary image",
  75.         "Details":
  76.            
  77.                 "self_read": "process: remcos_agent_Protected.exe, pid: 3572, offset: 0x00000000, length: 0x0011fe00"
  78.            
  79.            
  80.                 "self_read": "process: wscript.exe, pid: 3156, offset: 0x00000000, length: 0x00000040"
  81.            
  82.            
  83.                 "self_read": "process: wscript.exe, pid: 3156, offset: 0x000000f0, length: 0x00000018"
  84.            
  85.            
  86.                 "self_read": "process: wscript.exe, pid: 3156, offset: 0x000001e8, length: 0x00000078"
  87.            
  88.            
  89.                 "self_read": "process: wscript.exe, pid: 3156, offset: 0x00018000, length: 0x00000020"
  90.            
  91.            
  92.                 "self_read": "process: wscript.exe, pid: 3156, offset: 0x00018058, length: 0x00000018"
  93.            
  94.            
  95.                 "self_read": "process: wscript.exe, pid: 3156, offset: 0x000181a8, length: 0x00000018"
  96.            
  97.            
  98.                 "self_read": "process: wscript.exe, pid: 3156, offset: 0x00018470, length: 0x00000010"
  99.            
  100.            
  101.                 "self_read": "process: wscript.exe, pid: 3156, offset: 0x00018640, length: 0x00000012"
  102.            
  103.            
  104.                 "self_read": "process: remcos.exe, pid: 2172, offset: 0x00000000, length: 0x0011fe00"
  105.            
  106.            
  107.                 "self_read": "process: remcos.exe, pid: 1424, offset: 0x00000000, length: 0x0011fe00"
  108.            
  109.        
  110.    
  111.    
  112.         "Description": "A process created a hidden window",
  113.         "Details":
  114.            
  115.                 "Process": "remcos_agent_Protected.exe -> schtasks"
  116.            
  117.            
  118.                 "Process": "remcos_agent_Protected.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs"
  119.            
  120.            
  121.                 "Process": "wscript.exe -> cmd"
  122.            
  123.            
  124.                 "Process": "remcos.exe -> schtasks"
  125.            
  126.        
  127.    
  128.    
  129.         "Description": "Drops a binary and executes it",
  130.         "Details":
  131.            
  132.                 "binary": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
  133.            
  134.        
  135.    
  136.    
  137.         "Description": "Performs some HTTP requests",
  138.         "Details":
  139.            
  140.                 "url": "http://www.msftncsi.com/ncsi.txt"
  141.            
  142.        
  143.    
  144.    
  145.         "Description": "Executed a process and injected code into it, probably while unpacking",
  146.         "Details":
  147.            
  148.                 "Injection": "remcos_agent_Protected.exe(3572) -> remcos_agent_Protected.exe(3236)"
  149.            
  150.        
  151.    
  152.    
  153.         "Description": "Sniffs keystrokes",
  154.         "Details":
  155.            
  156.                 "SetWindowsHookExA": "Process: remcos.exe(1424)"
  157.            
  158.        
  159.    
  160.    
  161.         "Description": "Attempts to execute a Living Off The Land Binary command for post exploitation",
  162.         "Details":
  163.            
  164.                 "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
  165.            
  166.        
  167.    
  168.    
  169.         "Description": "Installs itself for autorun at Windows startup",
  170.         "Details":
  171.            
  172.                 "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"
  173.            
  174.            
  175.                 "data": "\"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\""
  176.            
  177.            
  178.                 "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"
  179.            
  180.            
  181.                 "data": "\"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\""
  182.            
  183.            
  184.                 "task": "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc  minute /mo 1 /F"
  185.            
  186.        
  187.    
  188.    
  189.         "Description": "Creates a hidden or system file",
  190.         "Details":
  191.            
  192.                 "file": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
  193.            
  194.            
  195.                 "file": "C:\\Users\\user\\AppData\\Roaming\\remcos"
  196.            
  197.            
  198.                 "file": "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat"
  199.            
  200.        
  201.    
  202.    
  203.         "Description": "File has been identified by 49 Antiviruses on VirusTotal as malicious",
  204.         "Details":
  205.            
  206.                 "MicroWorld-eScan": "AIT:Trojan.Nymeria.1823"
  207.            
  208.            
  209.                 "FireEye": "Generic.mg.d5581c9db64b399c"
  210.            
  211.            
  212.                 "McAfee": "Artemis!D5581C9DB64B"
  213.            
  214.            
  215.                 "Cylance": "Unsafe"
  216.            
  217.            
  218.                 "CrowdStrike": "win/malicious_confidence_100% (W)"
  219.            
  220.            
  221.                 "Alibaba": "Backdoor:Win32/Remcos.c4e51595"
  222.            
  223.            
  224.                 "K7GW": "Trojan ( 00549f261 )"
  225.            
  226.            
  227.                 "K7AntiVirus": "Trojan ( 00549f261 )"
  228.            
  229.            
  230.                 "Arcabit": "AIT:Trojan.Nymeria.D71F"
  231.            
  232.            
  233.                 "TrendMicro": "Trojan.AutoIt.CRYPTINJECT.SMA"
  234.            
  235.            
  236.                 "Cyren": "W32/AutoIt.JD.gen!Eldorado"
  237.            
  238.            
  239.                 "Symantec": "ML.Attribute.HighConfidence"
  240.            
  241.            
  242.                 "APEX": "Malicious"
  243.            
  244.            
  245.                 "Avast": "Win32:Trojan-gen"
  246.            
  247.            
  248.                 "ClamAV": "Win.Malware.Autoit-6985962-0"
  249.            
  250.            
  251.                 "Kaspersky": "Backdoor.Win32.Remcos.cxb"
  252.            
  253.            
  254.                 "BitDefender": "AIT:Trojan.Nymeria.1823"
  255.            
  256.            
  257.                 "NANO-Antivirus": "Trojan.Win32.Remcos.fqrrmb"
  258.            
  259.            
  260.                 "Paloalto": "generic.ml"
  261.            
  262.            
  263.                 "AegisLab": "Trojan.Win32.Remcos.4!c"
  264.            
  265.            
  266.                 "Tencent": "Win32.Trojan.Inject.Auto"
  267.            
  268.            
  269.                 "Endgame": "malicious (high confidence)"
  270.            
  271.            
  272.                 "Emsisoft": "AIT:Trojan.Nymeria.1823 (B)"
  273.            
  274.            
  275.                 "F-Secure": "Dropper.DR/AutoIt.Gen8"
  276.            
  277.            
  278.                 "DrWeb": "Trojan.Inject3.16009"
  279.            
  280.            
  281.                 "Invincea": "heuristic"
  282.            
  283.            
  284.                 "McAfee-GW-Edition": "BehavesLike.Win32.Dropper.th"
  285.            
  286.            
  287.                 "Sophos": "Troj/AutoIt-CKU"
  288.            
  289.            
  290.                 "Ikarus": "Trojan.Autoit"
  291.            
  292.            
  293.                 "F-Prot": "W32/AutoIt.JD.gen!Eldorado"
  294.            
  295.            
  296.                 "Avira": "DR/AutoIt.Gen8"
  297.            
  298.            
  299.                 "Antiy-AVL": "GrayWare/Autoit.ShellCode.a"
  300.            
  301.            
  302.                 "Microsoft": "VirTool:Win32/AutInject.CZ!bit"
  303.            
  304.            
  305.                 "ViRobot": "Trojan.Win32.Z.Autoit.1179136.D"
  306.            
  307.            
  308.                 "ZoneAlarm": "Backdoor.Win32.Remcos.cxb"
  309.            
  310.            
  311.                 "GData": "AIT:Trojan.Nymeria.1823"
  312.            
  313.            
  314.                 "AhnLab-V3": "Win-Trojan/AutoInj.Exp"
  315.            
  316.            
  317.                 "Acronis": "suspicious"
  318.            
  319.            
  320.                 "VBA32": "Backdoor.Remcos"
  321.            
  322.            
  323.                 "MAX": "malware (ai score=94)"
  324.            
  325.            
  326.                 "Malwarebytes": "Backdoor.Remcos"
  327.            
  328.            
  329.                 "ESET-NOD32": "a variant of Win32/Injector.Autoit.DUP"
  330.            
  331.            
  332.                 "TrendMicro-HouseCall": "Trojan.AutoIt.CRYPTINJECT.SMA"
  333.            
  334.            
  335.                 "Rising": "Trojan.Win32.Agent_.sa (CLASSIC)"
  336.            
  337.            
  338.                 "Fortinet": "AutoIt/Injector.DWD!tr"
  339.            
  340.            
  341.                 "AVG": "Win32:Trojan-gen"
  342.            
  343.            
  344.                 "Cybereason": "malicious.db64b3"
  345.            
  346.            
  347.                 "Panda": "Trj/CI.A"
  348.            
  349.            
  350.                 "Qihoo-360": "Win32/Backdoor.25f"
  351.            
  352.        
  353.    
  354.    
  355.         "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
  356.         "Details":
  357.            
  358.                 "target": "clamav:Win.Malware.Autoit-6985962-0, sha256:7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  359.            
  360.            
  361.                 "dropped": "clamav:Win.Malware.Autoit-6985962-0, sha256:7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  362.            
  363.            
  364.                 "dropped": "clamav:Win.Malware.Autoit-6985962-0, sha256:8723a807de8ee4f50121a987cf189bb6c963aa964a47f55bad943bb00a27f863 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  365.            
  366.        
  367.    
  368.    
  369.         "Description": "Creates a copy of itself",
  370.         "Details":
  371.            
  372.                 "copy": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
  373.            
  374.        
  375.    
  376.    
  377.         "Description": "Creates a slightly modified copy of itself",
  378.         "Details":
  379.            
  380.                 "file": "C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe"
  381.            
  382.            
  383.                 "percent_match": 100
  384.            
  385.        
  386.    
  387.    
  388.         "Description": "Anomalous binary characteristics",
  389.         "Details":
  390.            
  391.                 "anomaly": "Actual checksum does not match that reported in PE header"
  392.            
  393.        
  394.    
  395.    
  396.         "Description": "Clears web history",
  397.         "Details":
  398.            
  399.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat"
  400.            
  401.            
  402.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt"
  403.            
  404.            
  405.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt"
  406.            
  407.            
  408.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt"
  409.            
  410.            
  411.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt"
  412.            
  413.            
  414.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low"
  415.            
  416.            
  417.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt"
  418.            
  419.            
  420.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt"
  421.            
  422.            
  423.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt"
  424.            
  425.            
  426.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt"
  427.            
  428.            
  429.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt"
  430.            
  431.            
  432.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt"
  433.            
  434.            
  435.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt"
  436.            
  437.            
  438.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt"
  439.            
  440.            
  441.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat"
  442.            
  443.            
  444.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt"
  445.            
  446.            
  447.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt"
  448.            
  449.            
  450.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt"
  451.            
  452.            
  453.                 "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt"
  454.            
  455.        
  456.    
  457.  
  458.  
  459. * Started Service:
  460.  
  461. * Mutexes:
  462.     "MDMAppInstaller",
  463.     "Local\\ZoneAttributeCacheCounterMutex",
  464.     "Local\\ZonesCacheCounterMutex",
  465.     "Local\\ZonesLockedCacheCounterMutex",
  466.     "Remcos_Mutex_Inj",
  467.     "Remcos-S1KNPZ",
  468.     "Mutex_RemWatchdog"
  469.  
  470.  
  471. * Modified Files:
  472.     "C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe",
  473.     "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe",
  474.     "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs",
  475.     "C:\\Windows\\sysnative\\Tasks\\setx",
  476.     "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MP Scheduled Scan",
  477.     "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
  478.     "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat",
  479.     "\\??\\PIPE\\samr",
  480.     "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
  481.     "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
  482.     "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
  483.     "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
  484.     "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
  485.     "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR"
  486.  
  487.  
  488. * Deleted Files:
  489.     "C:\\Windows\\Tasks\\setx.job",
  490.     "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MpIdleTask",
  491.     "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MP Scheduled Scan",
  492.     "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs",
  493.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
  494.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat",
  495.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low",
  496.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt",
  497.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt",
  498.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt",
  499.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt",
  500.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt",
  501.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt",
  502.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt",
  503.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt",
  504.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt",
  505.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt",
  506.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt",
  507.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt",
  508.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt",
  509.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt",
  510.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt",
  511.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt",
  512.     "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies",
  513.     "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies",
  514.     "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  515.  
  516.  
  517. * Modified Registry Keys:
  518.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  519.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  520.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
  521.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
  522.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\10EC5951-9C53-4886-9C32-FBB3A627B1A4\\Path",
  523.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\10EC5951-9C53-4886-9C32-FBB3A627B1A4\\Hash",
  524.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\setx\\Id",
  525.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\setx\\Index",
  526.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\10EC5951-9C53-4886-9C32-FBB3A627B1A4\\Triggers",
  527.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\10EC5951-9C53-4886-9C32-FBB3A627B1A4\\DynamicInfo",
  528.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\9CDF079F-D488-47E0-8840-9A3500F1BBE4\\Path",
  529.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\9CDF079F-D488-47E0-8840-9A3500F1BBE4\\Hash",
  530.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows Defender\\MP Scheduled Scan\\Id",
  531.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows Defender\\MP Scheduled Scan\\Index",
  532.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\9CDF079F-D488-47E0-8840-9A3500F1BBE4\\Triggers",
  533.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\9CDF079F-D488-47E0-8840-9A3500F1BBE4\\DynamicInfo",
  534.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
  535.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\PreviousServiceShutdown",
  536.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID",
  537.     "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\",
  538.     "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\exepath",
  539.     "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\licence",
  540.     "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\WD",
  541.     "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\FR",
  542.     "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
  543.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
  544.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
  545.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier"
  546.  
  547.  
  548. * Deleted Registry Keys:
  549.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  550.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  551.     "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  552.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  553.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\setx.job",
  554.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\setx.job.fp",
  555.     "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart"
  556.  
  557.  
  558. * DNS Communications:
  559.    
  560.         "type": "A",
  561.         "request": "daya4659.ddns.net",
  562.         "answers":
  563.    
  564.  
  565.  
  566. * Domains:
  567.    
  568.         "ip": "",
  569.         "domain": "daya4659.ddns.net"
  570.    
  571.  
  572.  
  573. * Network Communication - ICMP:
  574.  
  575. * Network Communication - HTTP:
  576.    
  577.         "count": 1,
  578.         "body": "",
  579.         "uri": "http://www.msftncsi.com/ncsi.txt",
  580.         "user-agent": "Microsoft NCSI",
  581.         "method": "GET",
  582.         "host": "www.msftncsi.com",
  583.         "version": "1.1",
  584.         "path": "/ncsi.txt",
  585.         "data": "GET /ncsi.txt HTTP/1.1\r\nConnection: Close\r\nUser-Agent: Microsoft NCSI\r\nHost: www.msftncsi.com\r\n\r\n",
  586.         "port": 80
  587.    
  588.  
  589.  
  590. * Network Communication - SMTP:
  591.  
  592. * Network Communication - Hosts:
  593.  
  594. * Network Communication - IRC: