It is no coincidence that a friend showed me a very interesting way to get a detailed list of programs that were launched in the Windows operating system! To be honest, I didn't even know about it. And it has already helped me out a lot once!
Well, now on to the topic: information about the programs that were launched is stored in the Amcache.hve registry hive (who knew such a thing existed? I didn't).
It is located at the path \Windows\AppCompat\Programs\Amcache.hve
How to copy the file from a live system - see the forum.
It is suggested to analyze the file with the RegRipper utility described in the previous article. I'll show a couple of examples.
A couple of examples (one)
- Download the RegRipper program from GitHub;
- Copy out the Amcache.hve registry file (see above);
- Run rip.exe with the "amcache" plugin specified:

```
rip -r ..\reg\Amcache.hve -p amcache > amcache.txt
```
![WDeMW9ubba4.jpg](https://sun9-55.userapi.com/impg/J60PDFLb0elstIDBLKO42DPYRYzmhb3DYtMT8w/WDeMW9ubba4.jpg?size=620x313&quality=96&sign=7e0d5d0ccf6526a04ef9274348fd5aa8&type=album)
In the output file we see the path to the executable, the launch time (apparently that is what it is, in UTC) and, the tastiest part, the SHA1 hash of the executable, which lets you look it up in the VirusTotal database. This is especially useful when it is a previously known malicious file that has been renamed (for example, some tool like mimikatz).
![57qaQ2y9xjE.jpg](https://sun9-75.userapi.com/impg/n6l0h8zsow497nW84vsuQuwtJbUaLgP8kU8Z1w/57qaQ2y9xjE.jpg?size=698x236&quality=96&sign=a15e1813dbf8f7e7a1d6322befda4a4f&type=album)
And here is the result of the search by hash. At least now it is somewhat clear what it is; from the file path in Amcache alone, nothing at all could be understood.
By the way, don't be confused that the hash shown is different: VirusTotal automatically displays the hash in a different algorithm, but it can also be searched by SHA1.
![JqObknKyjdQ.jpg](https://sun9-73.userapi.com/impg/TVbCBsNV2F_LEXTWiZBDcs3k7pAod3C-x2KkaA/JqObknKyjdQ.jpg?size=620x381&quality=96&sign=551abd17990e1c2a8585beb5f1d32fe4&type=album)
In this way, you can investigate the history of the infection and the attacker's foothold on the infected or compromised machine. Very convenient!
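As an added example (not from the post and not part of RegRipper), here is a small Python parser for output laid out like the amcache plugin's, run on a constructed sample: it trims the "0000" prefix that Amcache stores in front of the SHA1 (pasting the 44-character value into VirusTotal finds nothing) and groups recorded paths by hash, so the same binary under several names shows up at once. The field names and block layout are assumptions about the plugin's output.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of RegRipper's amcache plugin output, not real
# case data. Amcache stores FileId as "0000" + SHA1, so the 44-char form needs trimming.
SAMPLE_OUTPUT = """\
File Reference: 2c000002b1e6
LastWrite     : Tue Mar  3 08:14:22 2020 Z
Path          : C:\\Users\\ivan\\Downloads\\svchost32.exe
SHA1          : d35b5fcb5c52b0e0b0a4f1ad1a3b9c6f2e1d0c9b

File Reference: 1b000001d6f4
LastWrite     : Tue Mar  3 08:20:05 2020 Z
Path          : C:\\Temp\\update.exe
SHA1          : 0000d35b5fcb5c52b0e0b0a4f1ad1a3b9c6f2e1d0c9b

File Reference: 0a00000f2211
LastWrite     : Mon Mar  2 17:01:40 2020 Z
Path          : C:\\Program Files\\7-Zip\\7z.exe
SHA1          : 1111aaaa2222bbbb3333cccc4444dddd5555eeee
"""
FIELD_RE = re.compile(r"^(File Reference|LastWrite|Path|SHA1)\s*:\s*(.*)$")

def normalize_sha1(value):
    """40 lowercase hex chars with any '0000' FileId prefix removed; None if malformed."""
    v = value.strip().lower()
    if len(v) == 44 and v.startswith("0000"):
        v = v[4:]
    return v if re.fullmatch(r"[0-9a-f]{40}", v) else None

def parse_amcache_output(text):
    """One dict per blank-line-separated entry. LastWrite is the registry key's
    last-write time: evidence the file was present, not proof it was executed."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        matches = [FIELD_RE.match(line) for line in block.splitlines()]
        fields = {m.group(1): m.group(2).strip() for m in matches if m}
        if fields:
            entries.append(fields)
    return entries

def paths_by_hash(entries):
    """Map each normalized SHA1 to every path recorded for it. One hash under
    several names is the renamed-tool case, and it needs only one VirusTotal lookup."""
    groups = defaultdict(list)
    for e in entries:
        sha1 = normalize_sha1(e.get("SHA1", ""))
        if sha1:
            groups[sha1].append(e.get("Path", ""))
    return dict(groups)
```

Feed it the real amcache.txt with `parse_amcache_output(open("amcache.txt").read())` and search VirusTotal by each key of the resulting dictionary.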