ScreenSharing Guide - Remorsefull

The document provides a comprehensive list of tools and commands for monitoring and analyzing system activity, including file paths, registry keys, and PowerShell commands. It includes instructions for using various utilities like Process Hacker, USB Deview, and others to investigate system behavior and potential malware. Additionally, it offers links to external resources and tools for further analysis and troubleshooting.

Uploaded by

johlon0001

Links

Anydesk
Process Hacker
dll detector
SS Tool
Activity Viewer
Search Everything
Browsing history viewer
USB Deview
Other ss guide
Luyten
USB Detector
Other USB Detector

1. C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Recent

2. C:\Users\%username%\AppData\Local\CrashDumps

3. PowerShell ISE - (Get-PSReadlineOption).HistorySavePath - open the text file it points to

4. Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store

5. Save to txt - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts - search

Process Hacker (for injected DLLs)

6. C:\$Recycle.Bin

7. Look in latest.log for chat logs

8. Check launcher_accounts.json in .minecraft for alts

Process Hacker (process - string to search for in that process's memory)

1. explorer.exe - pcaclient

2. explorer.exe - file:/// * {"displayText"

3. explorer.exe - \users\ - .exe / .jar

4. SearchIndexer - file:c / .exe

5. Check browser - downloads

6. Check Last Activity View

7. echo.ac/sgrm and follow the instructions there

8. csrss - :\

9. Cdpu - ,"platform":"x_exe_path"},

10. Pcasvc - .exe or e,0a000000,Reason,00002100

11. DPS - !! - .exe / downloads

CMD (run as admin)

1. fsutil usn readjournal c: csv > AllTheJournal.txt

2. fsutil usn readjournal c: csv | findstr /i /C:.exe >> client.txt

3. fsutil usn readjournal c: csv | findstr /i /C:".pf" | findstr /i /C:"0x80000200" > %userprofile%\Desktop\Deleted-PF.txt

4. fsutil usn readjournal c: csv | findstr /i /c:.exe | findstr /i /c:0x80000200 >> DeletedExes.txt

5. fsutil usn deleteJournal /D C:

6. fsutil usn queryJournal c:

7. fsutil usn createJournal m=2147483648 a=1 C:

Private methods:

powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/PureIntent/ScreenShare/main/RedLotusBam.ps1)
(You need to run cmd in admin mode)

Useful
● Win+R: C:\$Recycle.Bin, shell:recent, prefetch, %temp%, %appdata%, %LOCALAPPDATA%\CrashDumps, firewall.cpl
● Regedit: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings and HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store

Programs
● System Informer: https://systeminformer.sourceforge.io/canary
● WinPrefetchView: https://www.nirsoft.net/utils/win_prefetch_view.html
● Search Everything: https://www.voidtools.com/downloads/
● Last Activity View: https://www.nirsoft.net/utils/lastactivityview.zip
● USB Deview: https://www.nirsoft.net/utils/usbdeview.zip
● Recaf: https://github.com/Col-E/Recaf
● Journal Trace: https://github.com/spokwn/JournalTrace/releases/tag/1.2
● Downloads (BrowserDownloadsView): https://www.nirsoft.net/utils/web_browser_downloads_view.html
● Folder modified (ShellBagsView): https://www.nirsoft.net/utils/shellbagsview.zip
● Echo USB: https://dl.echo.ac/tool/usb
● Echo Journal: https://dl.echo.ac/tool/journal
● OSForensics: https://www.osforensics.com/download.html

Deleted files:
cd c:\users\%username%\desktop && fsutil usn readjournal c: csv | findstr /i /c:.exe | findstr /i /c:0x80000200 >> DeletedF.txt && notepad DeletedF.txt

Created files:
cd c:\users\%username%\desktop && fsutil usn readjournal c: csv | findstr /i /c:.exe | findstr /i /c:0x00000100 >> CreatedF.txt && notepad CreatedF.txt

Deleted prefetch:
cd c:\users\%username%\desktop && fsutil usn readjournal c: csv | findstr /i /C:".pf" | findstr /i /C:"0x80000200" >> DeletedPF.txt && notepad DeletedPF.txt

Process restart:
cd c:\users\%username%\desktop && fsutil usn readjournal c: csv | findstr /i /C:".pf" | findstr /i /C:"%date%" | findstr /i /C:"net" /C:"net1" >> ProcessR.txt && notepad ProcessR.txt

Renamed files (old names first, then new names):
cd c:\users\%username%\desktop && echo ============= old file name ======== >> FilesRNO.txt && fsutil usn readjournal c: csv | findstr /i /c:.exe | findstr /i /c:0x00001000 >> FilesRNO.txt && echo ============= new name files ========= >> FilesRNO.txt && fsutil usn readjournal c: csv | findstr /i /c:.exe | findstr /i /c:0x00002000 >> FilesRNO.txt

Checks for unsigned DLLs under %temp% (PowerShell):
Get-ChildItem -Recurse $env:temp\*.dll -ea SilentlyContinue | ForEach-Object {Get-AuthenticodeSignature $_.FullName -ea SilentlyContinue} | Where-Object {$_.Status -ine "Valid"} | Select Status,Path

Checks for unsigned EXEs under %temp% (PowerShell):
Get-ChildItem -Recurse $env:temp\*.exe -ea SilentlyContinue | ForEach-Object {Get-AuthenticodeSignature $_.FullName -ea SilentlyContinue} | Where-Object {$_.Status -ine "Valid"} | Select Status,Path
● Services only*
get-service | findstr -i "pcasvc"; get-service | findstr -i "DPS"; get-service | findstr -i "Diagtrack"; get-service | findstr -i "sysmain"; get-service | findstr -i "eventlog"; get-service | findstr -i "sgrmbroker"; get-service | findstr -i "cdpusersvc"
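The fsutil pipelines in the CMD section and under Useful all grep the Reason column for one exact hex value. As an added example (not part of this guide), the Python below parses saved `fsutil usn readjournal c: csv` output such as the AllTheJournal.txt from CMD step 1, decodes the Reason bitmask with the USN_REASON_* bits from winioctl.h so that a delete record carrying extra bits (0x80000201 instead of 0x80000200) is still reported, and pairs rename old/new records by File ID. The column names and rows in SAMPLE are constructed; the assumption is that your fsutil header uses these column names, so check it before running on a real export.

```python
import csv
import io

# USN_REASON_* bits from the Windows SDK (winioctl.h). The guide's greps target
# 0x80000200 (CLOSE|FILE_DELETE), 0x100 (FILE_CREATE), 0x1000/0x2000 (RENAME_OLD/NEW).
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION", 0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00008000: "BASIC_INFO_CHANGE",
    0x80000000: "CLOSE",
}
FILE_DELETE, RENAME_OLD, RENAME_NEW = 0x200, 0x1000, 0x2000

# Constructed sample in the fsutil csv layout, trimmed to the columns used here
# (assumption: the real header uses these column names; check your own export).
SAMPLE = """Usn,File name,Reason,Time stamp,File ID
1001,client.jar,0x00000100,2/5/2024 10:12:01 PM,0x0a00000000012345
1002,client.jar,0x00001000,2/5/2024 10:20:30 PM,0x0a00000000012345
1003,notes.txt,0x00002000,2/5/2024 10:20:30 PM,0x0a00000000012345
1004,CLIENT.EXE-1A2B3C4D.pf,0x80000201,2/5/2024 10:25:00 PM,0x0a00000000067890
1005,hook.dll,0x80000200,2/5/2024 10:26:00 PM,0x0a00000000077777
"""

def decode_reason(reason: int) -> list:
    """Expand a Reason bitmask into flag names; unknown bits are kept as hex."""
    names = [n for bit, n in USN_REASONS.items() if reason & bit]
    leftover = reason & ~sum(USN_REASONS)
    return names + ([hex(leftover)] if leftover else [])

def parse_journal(text: str) -> list:
    """Parse `fsutil usn readjournal c: csv` output; the header row names the columns."""
    return [{"usn": int(r["Usn"]), "name": r["File name"], "time": r["Time stamp"],
             "reason": int(r["Reason"], 16), "file_id": r["File ID"]}
            for r in csv.DictReader(io.StringIO(text))]

def deleted_files(rows, suffixes=(".exe", ".jar", ".dll", ".pf")) -> list:
    """Delete records by bit test: 0x80000201 is caught, which findstr /C:"0x80000200" misses."""
    return [r for r in rows
            if r["reason"] & FILE_DELETE and r["name"].lower().endswith(suffixes)]

def rename_pairs(rows) -> list:
    """Pair RENAME_OLD_NAME / RENAME_NEW_NAME records sharing a File ID -> (old, new)."""
    pending, pairs = {}, []
    for r in sorted(rows, key=lambda r: r["usn"]):
        if r["reason"] & RENAME_OLD:
            pending[r["file_id"]] = r["name"]
        elif r["reason"] & RENAME_NEW and r["file_id"] in pending:
            pairs.append((pending.pop(r["file_id"]), r["name"]))
    return pairs
```

Feed it `parse_journal(open("AllTheJournal.txt").read())` and the results of `deleted_files` and `rename_pairs` replace the four findstr passes with one decoded pass over the export.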
