# Sysinternals cyberdefenders

Scenario:

A user thought they were downloading the SysInternals tool suite and attempted to open it, but the tools did not launch and became inaccessible. Since then, the user has observed that their system has gradually slowed down and become less responsive.

#### Q1 What was the malicious executable file name that the user downloaded?

Let's start in C:\Users\Public\Downloads, the folder that holds files downloaded by any user account on the machine.

<figure><img src="/files/Flq2Dw2XY8OFI5UWAxwE" alt=""><figcaption><p>Sysinternals.exe</p></figcaption></figure>

~~Ans : Sysinternals.exe~~

#### Q2 When was the last time the malicious executable file was modified?

First we parse the AppCompatCache (ShimCache) out of the SYSTEM registry hive with AppCompatCacheParser, a tool that reads AppCompatCache entries from the SYSTEM hive.

The SYSTEM hive is a binary file that contains configuration information and settings for the Windows operating system. Its AppCompatCache key records, for each executable the compatibility subsystem has looked at, the file path and the file's last-modified ($STANDARD_INFORMATION) timestamp. That timestamp is the file's modification time, not the time it ran, which is exactly what Q2 asks for.

To use AppCompatCacheParser to parse the SYSTEM hive, follow these steps:

1. Download the latest version of AppCompatCacheParser from the GitHub repository: [https://github.com/EricZimmerman/AppCompatCacheParser/releases](https://github.com/EricZimmerman/AppCompatCacheParser/releases).
2. Copy the SYSTEM hive file from the target computer to your forensic workstation. The SYSTEM hive file is located in the %SystemRoot%\System32\Config folder on the target computer.
3. Open a command prompt or PowerShell window on your forensic workstation.
4. Run the following command to parse the SYSTEM hive file (`--csv` is the output directory, `--csvf` the file name to write inside it):

   ```
   AppCompatCacheParser.exe -f .\SYSTEM --csv <DestinationPath> --csvf <Output.csv>
   ```

<figure><img src="/files/k16z4E5bxXebAGR2wgby" alt=""><figcaption></figcaption></figure>

Then open the CSV we generated and filter on Sysinternals.exe; the LastModifiedTimeUTC column is the answer.

<figure><img src="/files/2pAemoXc1VjAHf1ph7sM" alt=""><figcaption><p>2022-11-15 21:18:51</p></figcaption></figure>


#### Q3 What is the SHA1 hash value of the malware?

We can use AmcacheParser.exe to parse Amcache.hve, a registry hive that records metadata (full path, size, version and a SHA1) for programs and files seen on a Windows system. It is located in the %SystemRoot%\AppCompat\Programs directory. Two caveats on that SHA1: the raw hive stores it as a FileId with four leading zeros ("0000" + SHA1), which AmcacheParser strips for you, and for large files Windows hashes only the first 31 MB, so the value may not match a full-file hash of a big binary.

To use AmcacheParser.exe to parse the Amcache.hve file, follow these steps:

1. Download the latest version of AmcacheParser from the GitHub repository: [https://github.com/EricZimmerman/AmcacheParser/](https://github.com/EricZimmerman/AmcacheParser/).
2. Copy the Amcache.hve file from the target computer to your forensic workstation. The Amcache.hve file is located in the %SystemRoot%\AppCompat\Programs directory on the target computer.
3. Open a command prompt or PowerShell window on your forensic workstation.
4. Run the following command to parse the Amcache.hve file (`--csv` takes the output directory; the parser writes several CSV files into it):

   ```
   AmcacheParser.exe -f .\Amcache.hve --csv <DestinationPath>
   ```

<figure><img src="/files/s25xqdfs3lCQd8zPb0IC" alt=""><figcaption></figcaption></figure>

The parser writes several CSV files into the destination folder:

<figure><img src="/files/WorLXuR6bX1XRWxWkYE7" alt=""><figcaption></figcaption></figure>

Let's investigate Amcache\_UnassociatedFileEntries.csv, where files that are not tied to an installed program (a stray download like this one) end up:

<figure><img src="/files/hiFSyaevpXHCAZMluI1T" alt=""><figcaption></figcaption></figure>

**Ans  : fa1002b02fc5551e075ec44bb4ff9cc1\*\*\*\*\*\*\***
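Q2 and Q3 are the same operation against two different artifacts: find the row for one executable and pull a field out of it. The script below does that offline against the CSVs the two Zimmerman tools produce, correlating the ShimCache last-modified time with the Amcache SHA1 for the same file name. It is an added example, not code from the writeup or from Eric Zimmerman's tools. The column names (Path, LastModifiedTimeUTC; FullPath, SHA1, FileKeyLastWriteTimestamp) are how I know the tools label their output and are an assumption; the rows themselves are constructed, and the SHA1 values are dummies, not the challenge hash.

```python
"""Correlate AppCompatCacheParser and AmcacheParser CSV output for one file.

Added example (not part of the writeup). Column names follow Eric Zimmerman's
tools as I know them and are an assumption; the rows are constructed samples.
"""
import csv
import io
import ntpath
import re
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample of AppCompatCacheParser output (not the challenge data).
SHIMCACHE_CSV = r"""ControlSet,CacheEntryPosition,Path,LastModifiedTimeUTC,Executed,Duplicate,SourceFile
1,0,C:\Windows\System32\notepad.exe,2022-10-01 08:00:00,NA,False,SYSTEM
1,1,C:\Users\Public\Downloads\Sysinternals.exe,2022-11-15 21:18:51,NA,False,SYSTEM
1,2,C:\Windows\vmtoolsIO.exe,2022-11-15 21:19:10,NA,False,SYSTEM
"""

# Constructed sample of Amcache_UnassociatedFileEntries.csv (subset of columns).
# The SHA1 values are dummies, not the malware's hash.
AMCACHE_CSV = r"""ApplicationName,FileKeyLastWriteTimestamp,SHA1,FullPath,Name,FileExtension,Size
Unassociated,2022-11-15 21:20:02,0123456789abcdef0123456789abcdef01234567,C:\Users\Public\Downloads\Sysinternals.exe,Sysinternals.exe,.exe,1048576
Unassociated,2022-11-15 21:20:05,fedcba9876543210fedcba9876543210fedcba98,C:\Windows\vmtoolsIO.exe,vmtoolsIO.exe,.exe,524288
"""


def _parse_utc(ts: str) -> datetime:
    """Parse the tools' UTC timestamps; they may carry up to 7 fractional digits."""
    ts = re.sub(r"(\.\d{6})\d+$", r"\1", ts.strip())  # strptime %f accepts at most 6
    for fmt in ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp {ts!r}")


def _rows_for(csv_text: str, path_column: str, filename: str) -> List[dict]:
    """Every row whose path column ends in *filename* (case-insensitive, any directory)."""
    wanted = filename.lower()
    return [row for row in csv.DictReader(io.StringIO(csv_text))
            if ntpath.basename(row.get(path_column) or "").lower() == wanted]


def normalise_amcache_sha1(value: str) -> str:
    """Amcache stores the FileId as '0000' + SHA1 (44 chars). AmcacheParser already
    strips that prefix, but accept either form and validate what is left."""
    v = value.strip().lower()
    if len(v) == 44 and v.startswith("0000"):
        v = v[4:]
    if not re.fullmatch(r"[0-9a-f]{40}", v):
        raise ValueError(f"not a SHA1: {value!r}")
    return v


def shimcache_last_modified(filename: str, csv_text: str = SHIMCACHE_CSV) -> Optional[datetime]:
    """Q2: the file's last-modified time as ShimCache recorded it (not an execution time)."""
    rows = _rows_for(csv_text, "Path", filename)
    if not rows:
        return None
    # The same path can appear under several ControlSets; report the newest stamp.
    return max(_parse_utc(r["LastModifiedTimeUTC"]) for r in rows)


def amcache_sha1(filename: str, csv_text: str = AMCACHE_CSV) -> Optional[str]:
    """Q3: the SHA1 Amcache recorded for the file (first 31 MB only for large files)."""
    rows = _rows_for(csv_text, "FullPath", filename)
    return normalise_amcache_sha1(rows[0]["SHA1"]) if rows else None


def correlate(filename: str) -> dict:
    """One record per suspect file: where ShimCache saw it, when, and what Amcache hashed."""
    return {
        "file": filename,
        "last_modified_utc": shimcache_last_modified(filename),
        "sha1": amcache_sha1(filename),
    }


if __name__ == "__main__":
    print(correlate("Sysinternals.exe"))
```

Swap the two constants for the real CSVs (or read them from disk) and the same functions work on the challenge output; the matching is on the file name only, so check the returned path before trusting the hash if the same name appears in several directories.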

#### Q4 What is the malware's family?

Submitting the SHA1 from the last question to VirusTotal gives the family name:

<figure><img src="/files/CCFtvDrERcAjOqrdTLiQ" alt=""><figcaption></figcaption></figure>

**Ans : re\*\*\***

#### Q5 What is the first mapped domain's Fully Qualified Domain Name (FQDN)?

We can check ConsoleHost\_history.txt, the command history that the PSReadLine module keeps for interactive PowerShell sessions (it does not record cmd.exe commands). With PSReadLine's default SaveIncrementally setting each command is appended as it is entered, but the file is plain text that the user, or the attacker, can edit or delete, so treat it as a helpful lead rather than an authoritative log; PowerShell script block logging (event ID 4104) is the tamper-resistant source when it is enabled.

It is located at C:\Users\IEUser\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine

<figure><img src="/files/cC9KUkbXPqZQM6ErwJTW" alt=""><figcaption></figcaption></figure>

#### Q6 The mapped domain is linked to an IP address. What is that IP address?

The same history line shows the IP address the domain was mapped to.
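Q5 and Q6 both come from reading hosts-file writes out of the PSReadLine history. The script below does that mechanically: it walks ConsoleHost\_history.txt, keeps only lines that touch drivers\etc\hosts and can write to it, and extracts every (IP, FQDN) pair in order, so the first mapping and its IP fall out together. It is an added example, not code from the writeup. The history text is constructed: the domains and the TEST-NET-3 addresses are placeholders, and the command forms (Add-Content, echo >>) are common ways of appending to the hosts file, not the commands in the challenge image.

```python
"""Extract hosts-file mappings from a PSReadLine ConsoleHost_history.txt.

Added example (not part of the writeup). SAMPLE_HISTORY is constructed;
the domains and IPs are placeholders.
"""
import re
from typing import List, Optional, Tuple

# Constructed history (not the challenge artifact). IPs are from TEST-NET-3.
SAMPLE_HISTORY = r"""Get-Process
Add-Content -Path C:\Windows\System32\drivers\etc\hosts -Value "203.0.113.10 update.example.test"
echo "203.0.113.11 cdn.example.test" >> C:\Windows\System32\drivers\etc\hosts
Get-Content C:\Windows\System32\drivers\etc\hosts
ipconfig /flushdns
"""

HOSTS_PATH_RE = re.compile(r"drivers\\etc\\hosts", re.IGNORECASE)
# Commands that only read the file are not mappings, even though they name it.
READ_ONLY_RE = re.compile(r"^\s*(Get-Content|gc|type|cat)\b", re.IGNORECASE)
# IPv4 address, whitespace, then a dotted hostname: the hosts-file line format.
MAPPING_RE = re.compile(
    r"\b((?:\d{1,3}\.){3}\d{1,3})\s+([A-Za-z0-9][A-Za-z0-9.-]*\.[A-Za-z]{2,})\b"
)


def _valid_ipv4(ip: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))


def hosts_mappings(history_text: str) -> List[Tuple[str, str]]:
    """Return (ip, fqdn) pairs written to the hosts file, in command order."""
    found: List[Tuple[str, str]] = []
    for line in history_text.splitlines():
        if not HOSTS_PATH_RE.search(line) or READ_ONLY_RE.match(line):
            continue
        for ip, fqdn in MAPPING_RE.findall(line):
            if _valid_ipv4(ip):
                found.append((ip, fqdn))
    return found


def first_mapping(history_text: str = SAMPLE_HISTORY) -> Optional[Tuple[str, str]]:
    """Q5/Q6 in one call: the first domain mapped and the IP it points at."""
    mappings = hosts_mappings(history_text)
    return mappings[0] if mappings else None


if __name__ == "__main__":
    print(first_mapping())
```

Point it at the real file with `open(path, encoding="utf-8").read()`; if the attacker wrote the hosts file from a script or a non-interactive session instead of typing the command, nothing will be in this history and the hosts file itself (or script block logs) is the next stop.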

#### Q7 What is the name of the executable dropped by the first-stage executable?

From the Behavior tab in VirusTotal, the first stage runs cmd.exe to install a dropped binary as a service and set it to start automatically, which is the persistence mechanism and also answers Q8:

<figure><img src="/files/XHTpl2gmxxswezgN37VT" alt=""><figcaption><p>C:\Windows\System32\cmd.exe /C c:\Windows\vmtoolsIO.exe -install &amp;&amp; net start VMwareIOHelperService &amp;&amp; sc config VMwareIOHelperService start= auto</p></figcaption></figure>

You can also check the strings of Sysinternals.exe for the same command line.

~~Ans : vmtoolsIO.exe~~

#### Q8 What is the name of the service installed by 2nd stage executable?

~~`Ans : VMwareIOHelperService`~~

#### Q9 What is the extension of files deleted by the 2nd stage executable?

We can check the Windows event logs, stored in C:\Windows\System32\winevt\Logs, for entries related to file deletion; they tell us which files were removed and so which extension the second stage targets.

<figure><img src="/files/WU0QsDjZXZnt0hkWZt89" alt=""><figcaption></figcaption></figure>

Open the Sysmon operational log (Microsoft-Windows-Sysmon%4Operational.evtx) and filter on event ID 26 (FileDeleteDetected; event ID 23, FileDelete, is the variant that also archives the deleted file), then narrow to events whose Image is the second-stage service executable from Q7. The TargetFilename field of each event carries the extension. As a cross-check, the Prefetch directory (C:\Windows\Prefetch) shows what was running in that time window.

You can find the answer yourself from there >>
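To make the Q9 filter repeatable, the script below tallies deleted-file extensions per process from Sysmon delete events in the Windows event XML schema (what Event Viewer's "Copy XML" or `Get-WinEvent ... | ForEach-Object { $_.ToXml() }` gives you). It is an added example, not code from the writeup. The five records are constructed and the file names are placeholders, not the challenge's deleted files; the Sysmon field names (Image, TargetFilename) and the event IDs 23/26 are real.

```python
"""Tally extensions of files a given process deleted, from Sysmon event XML.

Added example (not part of the writeup). SAMPLE_EVENTS are constructed records
in the Windows event XML schema; file names are placeholders.
"""
import collections
import ntpath
import xml.etree.ElementTree as ET
from typing import Dict, Iterable

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Sysmon 23 = FileDelete (deleted file archived), 26 = FileDeleteDetected (logged only).
DELETE_EVENT_IDS = {"23", "26"}


def _event(event_id: str, image: str, target: str) -> str:
    """Build a minimal Sysmon record in the Windows event XML schema (constructed)."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>{event_id}</EventID></System>'
        '<EventData>'
        '<Data Name="UtcTime">2022-11-15 21:20:00.000</Data>'
        f'<Data Name="Image">{image}</Data>'
        f'<Data Name="TargetFilename">{target}</Data>'
        '<Data Name="IsExecutable">false</Data>'
        '</EventData></Event>'
    )


# Constructed sample log: the service deletes documents, explorer deletes a note,
# and one event is a process-create (ID 1) that must be ignored.
SAMPLE_EVENTS = [
    _event("26", r"C:\Windows\vmtoolsIO.exe", r"C:\Users\IEUser\Documents\report.docx"),
    _event("26", r"C:\Windows\vmtoolsIO.exe", r"C:\Users\IEUser\Documents\budget.docx"),
    _event("23", r"C:\Windows\vmtoolsIO.exe", r"C:\Users\IEUser\Pictures\holiday.jpg"),
    _event("26", r"C:\Windows\explorer.exe", r"C:\Users\IEUser\Desktop\notes.txt"),
    _event("1", r"C:\Windows\vmtoolsIO.exe", ""),
]


def deleted_extensions(events: Iterable[str], image_name: str) -> Dict[str, int]:
    """Count deleted-file extensions for events whose Image basename is *image_name*."""
    counts: Dict[str, int] = collections.Counter()
    for xml_text in events:
        root = ET.fromstring(xml_text)
        if root.findtext("e:System/e:EventID", namespaces=NS) not in DELETE_EVENT_IDS:
            continue
        data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
        if ntpath.basename(data.get("Image", "")).lower() != image_name.lower():
            continue
        ext = ntpath.splitext(data.get("TargetFilename", ""))[1].lower()
        counts[ext] += 1
    return dict(counts)


if __name__ == "__main__":
    print(deleted_extensions(SAMPLE_EVENTS, "vmtoolsIO.exe"))
```

The most frequent extension for the second-stage image is the Q9 answer; the same per-process split also separates the malware's deletions from the user's own, which a bare event ID 26 filter does not.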


<figure><img src="/files/rXDA2en108f44OvGhqf7" alt=""><figcaption><p>we finished it</p></figcaption></figure>

I know each question has more than one way to get the answer, but I chose the easiest one.

Thanks for your timeeeeeee 🥰

