API tools faq
paste
Advertisement
paladin316

remcos_agent_Protected_exe_2019-08-21_11_50.txt

paladin316
Aug 21st, 2019
1,769
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 22.38 KB | None | 0 0
raw download clone embed print report
  1.  
  2. * MalFamily: "Remcos"
  3.  
  4. * MalScore: 10.0
  5.  
  6. * File Name: "remcos_agent_Protected.exe"
  7. * File Size: 1179136
  8. * File Type: "PE32 executable (GUI) Intel 80386, for MS Windows"
  9. * SHA256: "7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826"
  10. * MD5: "d5581c9db64b399c7d0cdb3f7b78673b"
  11. * SHA1: "87396211e6468d73c97301fe0b673f64bcd6d17c"
  12. * SHA512: "5a8034902bfd110826aebc8196469f0dea26d94fcb093406342657b9660f400cc495a6a7ce843d32a7541083cfbc3f0fbdf9aab1ad08294729307bffe7c512c6"
  13. * CRC32: "90766F96"
  14. * SSDEEP: "24576:yAHnh+eWsN3skA4RV1Hom2KXMmHaLIahgxY3b5:1h+ZkldoPK8YaLDN"
  15.  
  16. * Process Execution:
  17. "remcos_agent_Protected.exe",
  18. "remcos_agent_Protected.exe",
  19. "wscript.exe",
  20. "cmd.exe",
  21. "remcos.exe",
  22. "remcos.exe",
  23. "svchost.exe",
  24. "svchost.exe",
  25. "svchost.exe",
  26. "schtasks.exe",
  27. "schtasks.exe",
  28. "svchost.exe",
  29. "svchost.exe",
  30. "svchost.exe"
  31.  
  32.  
  33. * Executed Commands:
  34. "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc minute /mo 1 /F",
  35. "schtasks /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc minute /mo 1 /F",
  36. "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs\"",
  37. "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs ",
  38. "\"C:\\Windows\\System32\\cmd.exe\" /c \"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\"",
  39. "cmd /c \"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\"",
  40. "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe",
  41. "C:\\Windows\\SysWOW64\\svchost.exe"
  42.  
  43.  
  44. * Signatures Detected:
  45.  
  46. "Description": "Creates RWX memory",
  47. "Details":
  48.  
  49.  
  50. "Description": "Possible date expiration check, exits too soon after checking local time",
  51. "Details":
  52.  
  53. "process": "schtasks.exe, PID 3260"
  54.  
  55.  
  56.  
  57.  
  58. "Description": "Detected script timer window indicative of sleep style evasion",
  59. "Details":
  60.  
  61. "Window": "WSH-Timer"
  62.  
  63.  
  64.  
  65.  
  66. "Description": "A process attempted to delay the analysis task.",
  67. "Details":
  68.  
  69. "Process": "remcos.exe tried to sleep 1931 seconds, actually delayed analysis time by 0 seconds"
  70.  
  71.  
  72.  
  73.  
  74. "Description": "Reads data out of its own binary image",
  75. "Details":
  76.  
  77. "self_read": "process: remcos_agent_Protected.exe, pid: 3572, offset: 0x00000000, length: 0x0011fe00"
  78.  
  79.  
  80. "self_read": "process: wscript.exe, pid: 3156, offset: 0x00000000, length: 0x00000040"
  81.  
  82.  
  83. "self_read": "process: wscript.exe, pid: 3156, offset: 0x000000f0, length: 0x00000018"
  84.  
  85.  
  86. "self_read": "process: wscript.exe, pid: 3156, offset: 0x000001e8, length: 0x00000078"
  87.  
  88.  
  89. "self_read": "process: wscript.exe, pid: 3156, offset: 0x00018000, length: 0x00000020"
  90.  
  91.  
  92. "self_read": "process: wscript.exe, pid: 3156, offset: 0x00018058, length: 0x00000018"
  93.  
  94.  
  95. "self_read": "process: wscript.exe, pid: 3156, offset: 0x000181a8, length: 0x00000018"
  96.  
  97.  
  98. "self_read": "process: wscript.exe, pid: 3156, offset: 0x00018470, length: 0x00000010"
  99.  
  100.  
  101. "self_read": "process: wscript.exe, pid: 3156, offset: 0x00018640, length: 0x00000012"
  102.  
  103.  
  104. "self_read": "process: remcos.exe, pid: 2172, offset: 0x00000000, length: 0x0011fe00"
  105.  
  106.  
  107. "self_read": "process: remcos.exe, pid: 1424, offset: 0x00000000, length: 0x0011fe00"
  108.  
  109.  
  110.  
  111.  
  112. "Description": "A process created a hidden window",
  113. "Details":
  114.  
  115. "Process": "remcos_agent_Protected.exe -> schtasks"
  116.  
  117.  
  118. "Process": "remcos_agent_Protected.exe -> C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs"
  119.  
  120.  
  121. "Process": "wscript.exe -> cmd"
  122.  
  123.  
  124. "Process": "remcos.exe -> schtasks"
  125.  
  126.  
  127.  
  128.  
  129. "Description": "Drops a binary and executes it",
  130. "Details":
  131.  
  132. "binary": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
  133.  
  134.  
  135.  
  136.  
  137. "Description": "Performs some HTTP requests",
  138. "Details":
  139.  
  140. "url": "http://www.msftncsi.com/ncsi.txt"
  141.  
  142.  
  143.  
  144.  
  145. "Description": "Executed a process and injected code into it, probably while unpacking",
  146. "Details":
  147.  
  148. "Injection": "remcos_agent_Protected.exe(3572) -> remcos_agent_Protected.exe(3236)"
  149.  
  150.  
  151.  
  152.  
  153. "Description": "Sniffs keystrokes",
  154. "Details":
  155.  
  156. "SetWindowsHookExA": "Process: remcos.exe(1424)"
  157.  
  158.  
  159.  
  160.  
  161. "Description": "Attempts to execute a Living Off The Land Binary command for post exeploitation",
  162. "Details":
  163.  
  164. "MITRE T1078 - schtask": "(Tactic: Execution, Persistence, Privilege Escalation)"
  165.  
  166.  
  167.  
  168.  
  169. "Description": "Installs itself for autorun at Windows startup",
  170. "Details":
  171.  
  172. "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"
  173.  
  174.  
  175. "data": "\"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\""
  176.  
  177.  
  178. "key": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos"
  179.  
  180.  
  181. "data": "\"C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe\""
  182.  
  183.  
  184. "task": "\"C:\\Windows\\SysWOW64\\schtasks.exe\" /create /tn setx /tr \"C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe\" /sc minute /mo 1 /F"
  185.  
  186.  
  187.  
  188.  
  189. "Description": "Creates a hidden or system file",
  190. "Details":
  191.  
  192. "file": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
  193.  
  194.  
  195. "file": "C:\\Users\\user\\AppData\\Roaming\\remcos"
  196.  
  197.  
  198. "file": "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat"
  199.  
  200.  
  201.  
  202.  
  203. "Description": "File has been identified by 49 Antiviruses on VirusTotal as malicious",
  204. "Details":
  205.  
  206. "MicroWorld-eScan": "AIT:Trojan.Nymeria.1823"
  207.  
  208.  
  209. "FireEye": "Generic.mg.d5581c9db64b399c"
  210.  
  211.  
  212. "McAfee": "Artemis!D5581C9DB64B"
  213.  
  214.  
  215. "Cylance": "Unsafe"
  216.  
  217.  
  218. "CrowdStrike": "win/malicious_confidence_100% (W)"
  219.  
  220.  
  221. "Alibaba": "Backdoor:Win32/Remcos.c4e51595"
  222.  
  223.  
  224. "K7GW": "Trojan ( 00549f261 )"
  225.  
  226.  
  227. "K7AntiVirus": "Trojan ( 00549f261 )"
  228.  
  229.  
  230. "Arcabit": "AIT:Trojan.Nymeria.D71F"
  231.  
  232.  
  233. "TrendMicro": "Trojan.AutoIt.CRYPTINJECT.SMA"
  234.  
  235.  
  236. "Cyren": "W32/AutoIt.JD.gen!Eldorado"
  237.  
  238.  
  239. "Symantec": "ML.Attribute.HighConfidence"
  240.  
  241.  
  242. "APEX": "Malicious"
  243.  
  244.  
  245. "Avast": "Win32:Trojan-gen"
  246.  
  247.  
  248. "ClamAV": "Win.Malware.Autoit-6985962-0"
  249.  
  250.  
  251. "Kaspersky": "Backdoor.Win32.Remcos.cxb"
  252.  
  253.  
  254. "BitDefender": "AIT:Trojan.Nymeria.1823"
  255.  
  256.  
  257. "NANO-Antivirus": "Trojan.Win32.Remcos.fqrrmb"
  258.  
  259.  
  260. "Paloalto": "generic.ml"
  261.  
  262.  
  263. "AegisLab": "Trojan.Win32.Remcos.4!c"
  264.  
  265.  
  266. "Tencent": "Win32.Trojan.Inject.Auto"
  267.  
  268.  
  269. "Endgame": "malicious (high confidence)"
  270.  
  271.  
  272. "Emsisoft": "AIT:Trojan.Nymeria.1823 (B)"
  273.  
  274.  
  275. "F-Secure": "Dropper.DR/AutoIt.Gen8"
  276.  
  277.  
  278. "DrWeb": "Trojan.Inject3.16009"
  279.  
  280.  
  281. "Invincea": "heuristic"
  282.  
  283.  
  284. "McAfee-GW-Edition": "BehavesLike.Win32.Dropper.th"
  285.  
  286.  
  287. "Sophos": "Troj/AutoIt-CKU"
  288.  
  289.  
  290. "Ikarus": "Trojan.Autoit"
  291.  
  292.  
  293. "F-Prot": "W32/AutoIt.JD.gen!Eldorado"
  294.  
  295.  
  296. "Avira": "DR/AutoIt.Gen8"
  297.  
  298.  
  299. "Antiy-AVL": "GrayWare/Autoit.ShellCode.a"
  300.  
  301.  
  302. "Microsoft": "VirTool:Win32/AutInject.CZ!bit"
  303.  
  304.  
  305. "ViRobot": "Trojan.Win32.Z.Autoit.1179136.D"
  306.  
  307.  
  308. "ZoneAlarm": "Backdoor.Win32.Remcos.cxb"
  309.  
  310.  
  311. "GData": "AIT:Trojan.Nymeria.1823"
  312.  
  313.  
  314. "AhnLab-V3": "Win-Trojan/AutoInj.Exp"
  315.  
  316.  
  317. "Acronis": "suspicious"
  318.  
  319.  
  320. "VBA32": "Backdoor.Remcos"
  321.  
  322.  
  323. "MAX": "malware (ai score=94)"
  324.  
  325.  
  326. "Malwarebytes": "Backdoor.Remcos"
  327.  
  328.  
  329. "ESET-NOD32": "a variant of Win32/Injector.Autoit.DUP"
  330.  
  331.  
  332. "TrendMicro-HouseCall": "Trojan.AutoIt.CRYPTINJECT.SMA"
  333.  
  334.  
  335. "Rising": "Trojan.Win32.Agent_.sa (CLASSIC)"
  336.  
  337.  
  338. "Fortinet": "AutoIt/Injector.DWD!tr"
  339.  
  340.  
  341. "AVG": "Win32:Trojan-gen"
  342.  
  343.  
  344. "Cybereason": "malicious.db64b3"
  345.  
  346.  
  347. "Panda": "Trj/CI.A"
  348.  
  349.  
  350. "Qihoo-360": "Win32/Backdoor.25f"
  351.  
  352.  
  353.  
  354.  
  355. "Description": "Clamav Hits in Target/Dropped/SuriExtracted",
  356. "Details":
  357.  
  358. "target": "clamav:Win.Malware.Autoit-6985962-0, sha256:7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  359.  
  360.  
  361. "dropped": "clamav:Win.Malware.Autoit-6985962-0, sha256:7210f2ca290296d1f6e61da4b3192ad19afd719d6cf77dbb2d6810734b349826 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  362.  
  363.  
  364. "dropped": "clamav:Win.Malware.Autoit-6985962-0, sha256:8723a807de8ee4f50121a987cf189bb6c963aa964a47f55bad943bb00a27f863 , guest_paths:C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe, type:PE32 executable (GUI) Intel 80386, for MS Windows"
  365.  
  366.  
  367.  
  368.  
  369. "Description": "Creates a copy of itself",
  370. "Details":
  371.  
  372. "copy": "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe"
  373.  
  374.  
  375.  
  376.  
  377. "Description": "Creates a slightly modified copy of itself",
  378. "Details":
  379.  
  380. "file": "C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe"
  381.  
  382.  
  383. "percent_match": 100
  384.  
  385.  
  386.  
  387.  
  388. "Description": "Anomalous binary characteristics",
  389. "Details":
  390.  
  391. "anomaly": "Actual checksum does not match that reported in PE header"
  392.  
  393.  
  394.  
  395.  
  396. "Description": "Clears web history",
  397. "Details":
  398.  
  399. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat"
  400.  
  401.  
  402. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt"
  403.  
  404.  
  405. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt"
  406.  
  407.  
  408. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt"
  409.  
  410.  
  411. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt"
  412.  
  413.  
  414. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low"
  415.  
  416.  
  417. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt"
  418.  
  419.  
  420. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt"
  421.  
  422.  
  423. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt"
  424.  
  425.  
  426. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt"
  427.  
  428.  
  429. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt"
  430.  
  431.  
  432. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt"
  433.  
  434.  
  435. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt"
  436.  
  437.  
  438. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt"
  439.  
  440.  
  441. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat"
  442.  
  443.  
  444. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt"
  445.  
  446.  
  447. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt"
  448.  
  449.  
  450. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt"
  451.  
  452.  
  453. "file": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt"
  454.  
  455.  
  456.  
  457.  
  458.  
  459. * Started Service:
  460.  
  461. * Mutexes:
  462. "MDMAppInstaller",
  463. "Local\\ZoneAttributeCacheCounterMutex",
  464. "Local\\ZonesCacheCounterMutex",
  465. "Local\\ZonesLockedCacheCounterMutex",
  466. "Remcos_Mutex_Inj",
  467. "Remcos-S1KNPZ",
  468. "Mutex_RemWatchdog"
  469.  
  470.  
  471. * Modified Files:
  472. "C:\\Users\\user\\AppData\\Roaming\\CapabilityAccessHandlers\\sfc.exe",
  473. "C:\\Users\\user\\AppData\\Roaming\\remcos\\remcos.exe",
  474. "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs",
  475. "C:\\Windows\\sysnative\\Tasks\\setx",
  476. "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MP Scheduled Scan",
  477. "C:\\Windows\\appcompat\\Programs\\RecentFileCache.bcf",
  478. "C:\\Users\\user\\AppData\\Roaming\\remcos\\logs.dat",
  479. "\\??\\PIPE\\samr",
  480. "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
  481. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
  482. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
  483. "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
  484. "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
  485. "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR"
  486.  
  487.  
  488. * Deleted Files:
  489. "C:\\Windows\\Tasks\\setx.job",
  490. "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MpIdleTask",
  491. "C:\\Windows\\sysnative\\Tasks\\Microsoft\\Windows Defender\\MP Scheduled Scan",
  492. "C:\\Users\\user\\AppData\\Local\\Temp\\install.vbs",
  493. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat",
  494. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\index.dat",
  495. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low",
  496. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@3lift1.txt",
  497. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@advertising1.txt",
  498. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@atwola2.txt",
  499. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@bing2.txt",
  500. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.bing2.txt",
  501. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@c.msn2.txt",
  502. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@doubleclick1.txt",
  503. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google1.txt",
  504. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google3.txt",
  505. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google4.txt",
  506. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@google5.txt",
  507. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@media2.txt",
  508. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@msn1.txt",
  509. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@scorecardresearch2.txt",
  510. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.google1.txt",
  511. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\user@www.msn2.txt",
  512. "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Cookies",
  513. "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies",
  514. "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
  515.  
  516.  
  517. * Modified Registry Keys:
  518. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet",
  519. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect",
  520. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
  521. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
  522. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\10EC5951-9C53-4886-9C32-FBB3A627B1A4\\Path",
  523. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\10EC5951-9C53-4886-9C32-FBB3A627B1A4\\Hash",
  524. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\setx\\Id",
  525. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\setx\\Index",
  526. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\10EC5951-9C53-4886-9C32-FBB3A627B1A4\\Triggers",
  527. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\10EC5951-9C53-4886-9C32-FBB3A627B1A4\\DynamicInfo",
  528. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\9CDF079F-D488-47E0-8840-9A3500F1BBE4\\Path",
  529. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\9CDF079F-D488-47E0-8840-9A3500F1BBE4\\Hash",
  530. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows Defender\\MP Scheduled Scan\\Id",
  531. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\Microsoft\\Windows Defender\\MP Scheduled Scan\\Index",
  532. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\9CDF079F-D488-47E0-8840-9A3500F1BBE4\\Triggers",
  533. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks\\9CDF079F-D488-47E0-8840-9A3500F1BBE4\\DynamicInfo",
  534. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
  535. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\PreviousServiceShutdown",
  536. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ProcessID",
  537. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\",
  538. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\exepath",
  539. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\licence",
  540. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\WD",
  541. "HKEY_CURRENT_USER\\Software\\Remcos-S1KNPZ\\FR",
  542. "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
  543. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
  544. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
  545. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier"
  546.  
  547.  
  548. * Deleted Registry Keys:
  549. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  550. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass",
  551. "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  552. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName",
  553. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\setx.job",
  554. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Schedule\\CompatibilityAdapter\\Signatures\\setx.job.fp",
  555. "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart"
  556.  
  557.  
  558. * DNS Communications:
  559.  
  560. "type": "A",
  561. "request": "daya4659.ddns.net",
  562. "answers":
  563.  
  564.  
  565.  
  566. * Domains:
  567.  
  568. "ip": "",
  569. "domain": "daya4659.ddns.net"
  570.  
  571.  
  572.  
  573. * Network Communication - ICMP:
  574.  
  575. * Network Communication - HTTP:
  576.  
  577. "count": 1,
  578. "body": "",
  579. "uri": "http://www.msftncsi.com/ncsi.txt",
  580. "user-agent": "Microsoft NCSI",
  581. "method": "GET",
  582. "host": "www.msftncsi.com",
  583. "version": "1.1",
  584. "path": "/ncsi.txt",
  585. "data": "GET /ncsi.txt HTTP/1.1\r\nConnection: Close\r\nUser-Agent: Microsoft NCSI\r\nHost: www.msftncsi.com\r\n\r\n",
  586. "port": 80
  587.  
  588.  
  589.  
  590. * Network Communication - SMTP:
  591.  
  592. * Network Communication - Hosts:
  593.  
  594. * Network Communication - IRC:
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!