Registry Tracking with RegMon:
2712 56.77157974 hxdef100.exe:448 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hxdef100.exe NOT FOUND
2713 56.77293015 hxdef100.exe:448 OpenKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS Access: 0x20019
2714 56.77294540 hxdef100.exe:448 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat SUCCESS 0x0
2715 56.77302933 hxdef100.exe:448 CloseKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS
2716 56.77962112 hxdef100.exe:448 OpenKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS Access: 0x20019
2717 56.77964401 hxdef100.exe:448 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat SUCCESS 0x0
2718 56.77969742 hxdef100.exe:448 CloseKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS
2719 56.77982712 hxdef100.exe:448 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll NOT FOUND
2720 56.77988434 hxdef100.exe:448 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll NOT FOUND
2721 56.77996445 hxdef100.exe:448 OpenKey HKLM\System\CurrentControlSet\Control\Error Message Instrument NOT FOUND
2722 56.78014374 hxdef100.exe:448 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32 SUCCESS Access: 0x20019
2723 56.78016281 hxdef100.exe:448 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32\hxdef100 NOT FOUND
2724 56.78018188 hxdef100.exe:448 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32 SUCCESS
2725 56.78020477 hxdef100.exe:448 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility SUCCESS Access: 0x20019
2726 56.78022385 hxdef100.exe:448 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility\hxdef100 NOT FOUND
2727 56.78023911 hxdef100.exe:448 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility SUCCESS
2728 56.78042984 hxdef100.exe:448 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows SUCCESS Access: 0x20019
2729 56.78044510 hxdef100.exe:448 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SUCCESS ""
2730 56.78049088 hxdef100.exe:448 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows SUCCESS
2731 56.78088760 hxdef100.exe:448 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll NOT FOUND
2732 56.78091812 hxdef100.exe:448 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advapi32.dll NOT FOUND
2733 56.78098679 hxdef100.exe:448 OpenKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS Access: 0x20019
2734 56.78103256 hxdef100.exe:448 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat SUCCESS 0x0
2735 56.78104782 hxdef100.exe:448 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled SUCCESS 0x0
2736 56.78109360 hxdef100.exe:448 CloseKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS
2737 56.78112030 hxdef100.exe:448 OpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x20019
2738 56.78117371 hxdef100.exe:448 QueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LeakTrack NOT FOUND
2739 56.78121567 hxdef100.exe:448 CloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
2740 56.78123856 hxdef100.exe:448 OpenKey HKLM SUCCESS Access: 0x2000000
2741 56.78128815 hxdef100.exe:448 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics NOT FOUND
2742 56.78131104 hxdef100.exe:448 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll NOT FOUND
2743 56.78161240 hxdef100.exe:448 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll NOT FOUND
2744 56.78198624 hxdef100.exe:448 OpenKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0xF003F
2745 56.78202820 hxdef100.exe:448 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2746 56.78206635 hxdef100.exe:448 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0x2
2747 56.78226852 hxdef100.exe:448 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS D7 2D 87 7F BD 3D 12 F0 ...
2748 56.78231430 hxdef100.exe:448 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2749 56.78237152 hxdef100.exe:448 OpenKey HKLM\SYSTEM\CurrentControlSet\Control\Session Manager SUCCESS Access: 0x20019
2750 56.78242493 hxdef100.exe:448 QueryValue HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\CriticalSectionTimeout SUCCESS 0x278D00
2751 56.78247452 hxdef100.exe:448 CloseKey HKLM\SYSTEM\CurrentControlSet\Control\Session Manager SUCCESS
2752 56.78249359 hxdef100.exe:448 OpenKey HKLM\Software\Microsoft\Ole SUCCESS Access: 0x20019
2753 56.78253937 hxdef100.exe:448 QueryValue HKLM\Software\Microsoft\Ole\RWLockResourceTimeOut NOT FOUND
2754 56.78258514 hxdef100.exe:448 CloseKey HKLM\Software\Microsoft\Ole SUCCESS
2755 56.78261948 hxdef100.exe:448 OpenKey HKCR\Interface SUCCESS Access: 0x20019
2756 56.78266525 hxdef100.exe:448 QueryValue HKCR\Interface\InterfaceHelperDisableAll NOT FOUND
2757 56.78267670 hxdef100.exe:448 QueryValue HKCR\Interface\InterfaceHelperDisableAllForOle32 NOT FOUND
2758 56.78271866 hxdef100.exe:448 QueryValue HKCR\Interface\InterfaceHelperDisableTypeLib NOT FOUND
2759 56.78273010 hxdef100.exe:448 CloseKey HKCR\Interface SUCCESS
2760 56.78278732 hxdef100.exe:448 OpenKey HKCR\Interface\{00020400-0000-0000-C000-000000000046} SUCCESS Access: 0x20019
2761 56.78282928 hxdef100.exe:448 QueryValue HKCR\Interface\{00020400-0000-0000-C000-000000000046}\InterfaceHelperDisableAll NOT FOUND
2762 56.78284454 hxdef100.exe:448 QueryValue HKCR\Interface\{00020400-0000-0000-C000-000000000046}\InterfaceHelperDisableAllForOle32 NOT FOUND
2763 56.78289032 hxdef100.exe:448 CloseKey HKCR\Interface\{00020400-0000-0000-C000-000000000046} SUCCESS
2764 56.78293228 hxdef100.exe:448 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oleaut32.dll NOT FOUND
2765 56.78300858 hxdef100.exe:448 OpenKey HKLM\SOFTWARE\Microsoft\OLEAUT NOT FOUND
2766 56.78306580 hxdef100.exe:448 OpenKey HKLM\SOFTWARE\Microsoft\OLEAUT\UserEra NOT FOUND
2767 56.78311539 hxdef100.exe:448 OpenKey HKLM\SOFTWARE\Microsoft\OLEAUT NOT FOUND
2768 56.78313828 hxdef100.exe:448 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll NOT FOUND
2769 56.78315735 hxdef100.exe:448 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll NOT FOUND
2770 56.79214478 hxdef100.exe:448 OpenKey HKLM\Software\Microsoft\Rpc\PagedBuffers NOT FOUND
2771 56.79221344 hxdef100.exe:448 OpenKey HKLM\Software\Microsoft\Rpc SUCCESS Access: 0x20019
2772 56.79226303 hxdef100.exe:448 QueryValue HKLM\Software\Microsoft\Rpc\MaxRpcSize NOT FOUND
2773 56.79228973 hxdef100.exe:448 CloseKey HKLM\Software\Microsoft\Rpc SUCCESS
2774 56.79234695 hxdef100.exe:448 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hxdef100.exe\RpcThreadPoolThrottle NOT FOUND
2775 56.79240417 hxdef100.exe:448 OpenKey HKLM\Software\Policies\Microsoft\Windows NT\Rpc NOT FOUND
2776 56.79251099 hxdef100.exe:448 OpenKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS Access: 0x1
2777 56.79253006 hxdef100.exe:448 QueryValue HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode NOT FOUND
2778 56.79257584 hxdef100.exe:448 CloseKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS
2779 56.79288864 hxdef100.exe:448 OpenKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0xF003F
2780 56.79290390 hxdef100.exe:448 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2781 56.79297638 hxdef100.exe:448 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0x2
2782 56.79308319 hxdef100.exe:448 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS 9D D3 4E 53 04 B4 C9 51 ...
2783 56.79309845 hxdef100.exe:448 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2784 56.79322433 hxdef100.exe:448 OpenKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0xF003F
2785 56.79326630 hxdef100.exe:448 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2786 56.79329681 hxdef100.exe:448 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0x2
2787 56.79336548 hxdef100.exe:448 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS C4 0A 57 27 3B 92 60 21 ...
2788 56.79337692 hxdef100.exe:448 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2789 56.79349518 hxdef100.exe:448 OpenKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0xF003F
2790 56.79353714 hxdef100.exe:448 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2791 56.79357147 hxdef100.exe:448 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0x2
2792 56.79364014 hxdef100.exe:448 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS CF C1 D7 42 24 E9 04 9B ...
2793 56.79368210 hxdef100.exe:448 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2794 56.79376602 hxdef100.exe:448 OpenKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0xF003F
2795 56.79381180 hxdef100.exe:448 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2796 56.79387283 hxdef100.exe:448 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0x2
2797 56.79391098 hxdef100.exe:448 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS 60 57 BC 3D B1 B2 F1 35 ...
2798 56.79395294 hxdef100.exe:448 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2799 56.79403687 hxdef100.exe:448 OpenKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0xF003F
2800 56.79408264 hxdef100.exe:448 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2801 56.79414368 hxdef100.exe:448 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0x2
2802 56.79418182 hxdef100.exe:448 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS 5C B9 C6 DA 38 44 11 DF ...
2803 56.79422379 hxdef100.exe:448 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2804 56.79433823 hxdef100.exe:448 OpenKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0xF003F
2805 56.79434967 hxdef100.exe:448 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2806 56.79441452 hxdef100.exe:448 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0x2
2807 56.79445267 hxdef100.exe:448 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS 2E 0A 2C B0 D2 D2 2F F8 ...
2808 56.79449463 hxdef100.exe:448 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2809 56.79460907 hxdef100.exe:448 OpenKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0xF003F
2810 56.79462051 hxdef100.exe:448 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2811 56.79468536 hxdef100.exe:448 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0x2
2812 56.79475403 hxdef100.exe:448 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS 17 EC 3D 06 0C 6F 1B 15 ...
2813 56.79476547 hxdef100.exe:448 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2814 56.79561234 hxdef100.exe:448 OpenKey HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot SUCCESS Access: 0xF003F
2815 56.79566956 hxdef100.exe:448 OpenKey HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal SUCCESS Access: 0xF003F
2816 56.79572296 hxdef100.exe:448 OpenKey HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network SUCCESS Access: 0xF003F
2817 56.79577255 hxdef100.exe:448 OpenKey HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\HackerDefender100 NOT FOUND
2818 56.79610825 hxdef100.exe:448 CreateKey HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HackerDefender100 SUCCESS Access: 0xF003F
2819 56.79645538 hxdef100.exe:448 SetValue HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HackerDefender100\(Default) SUCCESS "Service"
2820 56.79649734 hxdef100.exe:448 OpenKey HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\HackerDefender100 NOT FOUND
2821 56.79666138 hxdef100.exe:448 CreateKey HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HackerDefender100 SUCCESS Access: 0xF003F
2822 56.79684448 hxdef100.exe:448 SetValue HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HackerDefender100\(Default) SUCCESS "Service"
2823 56.79689789 hxdef100.exe:448 CloseKey HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal SUCCESS
2824 56.79694366 hxdef100.exe:448 CloseKey HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network SUCCESS
2825 56.79695892 hxdef100.exe:448 CloseKey HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot SUCCESS
2826 57.06081009 hxdef100.exe:316 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hxdef100.exe NOT FOUND
2827 57.06136322 hxdef100.exe:316 OpenKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS Access: 0x20019
2828 57.06138229 hxdef100.exe:316 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat SUCCESS 0x0
2829 57.06140518 hxdef100.exe:316 CloseKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS
2830 57.06288528 hxdef100.exe:316 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDI32.dll NOT FOUND
2831 57.06290817 hxdef100.exe:316 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\user32.dll NOT FOUND
2832 57.06298065 hxdef100.exe:316 OpenKey HKLM\System\CurrentControlSet\Control\Error Message Instrument NOT FOUND
2833 57.06318283 hxdef100.exe:316 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32 SUCCESS Access: 0x20019
2834 57.06320572 hxdef100.exe:316 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32\hxdef100 NOT FOUND
2835 57.06322098 hxdef100.exe:316 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Compatibility32 SUCCESS
2836 57.06324768 hxdef100.exe:316 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility SUCCESS Access: 0x20019
2837 57.06326294 hxdef100.exe:316 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility\hxdef100 NOT FOUND
2838 57.06327820 hxdef100.exe:316 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\IME Compatibility SUCCESS
2839 57.06339264 hxdef100.exe:316 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows SUCCESS Access: 0x20019
2840 57.06340790 hxdef100.exe:316 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SUCCESS ""
2841 57.06343079 hxdef100.exe:316 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows SUCCESS
2842 57.06382751 hxdef100.exe:316 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RPCRT4.dll NOT FOUND
2843 57.06385803 hxdef100.exe:316 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advapi32.dll NOT FOUND
2844 57.06389618 hxdef100.exe:316 OpenKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS Access: 0x20019
2845 57.06391144 hxdef100.exe:316 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSAppCompat SUCCESS 0x0
2846 57.06392670 hxdef100.exe:316 QueryValue HKLM\System\CurrentControlSet\Control\Terminal Server\TSUserEnabled SUCCESS 0x0
2847 57.06394196 hxdef100.exe:316 CloseKey HKLM\System\CurrentControlSet\Control\Terminal Server SUCCESS
2848 57.06396866 hxdef100.exe:316 OpenKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x20019
2849 57.06399155 hxdef100.exe:316 QueryValue HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LeakTrack NOT FOUND
2850 57.06400299 hxdef100.exe:316 CloseKey HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS
2851 57.06402588 hxdef100.exe:316 OpenKey HKLM SUCCESS Access: 0x2000000
2852 57.06404114 hxdef100.exe:316 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics NOT FOUND
2853 57.06406403 hxdef100.exe:316 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msvcrt.dll NOT FOUND
2854 57.06437302 hxdef100.exe:316 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll NOT FOUND
2855 57.06470871 hxdef100.exe:316 OpenKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0xF003F
2856 57.06472015 hxdef100.exe:316 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2857 57.06475449 hxdef100.exe:316 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0x2
2858 57.06482697 hxdef100.exe:316 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS C4 A6 CA BF 60 D5 CF EA ...
2859 57.06484222 hxdef100.exe:316 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2860 57.06489563 hxdef100.exe:316 OpenKey HKLM\SYSTEM\CurrentControlSet\Control\Session Manager SUCCESS Access: 0x20019
2861 57.06491852 hxdef100.exe:316 QueryValue HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\CriticalSectionTimeout SUCCESS 0x278D00
2862 57.06493378 hxdef100.exe:316 CloseKey HKLM\SYSTEM\CurrentControlSet\Control\Session Manager SUCCESS
2863 57.06495667 hxdef100.exe:316 OpenKey HKLM\Software\Microsoft\Ole SUCCESS Access: 0x20019
2864 57.06497192 hxdef100.exe:316 QueryValue HKLM\Software\Microsoft\Ole\RWLockResourceTimeOut NOT FOUND
2865 57.06498337 hxdef100.exe:316 CloseKey HKLM\Software\Microsoft\Ole SUCCESS
2866 57.06501770 hxdef100.exe:316 OpenKey HKCR\Interface SUCCESS Access: 0x20019
2867 57.06502914 hxdef100.exe:316 QueryValue HKCR\Interface\InterfaceHelperDisableAll NOT FOUND
2868 57.06504059 hxdef100.exe:316 QueryValue HKCR\Interface\InterfaceHelperDisableAllForOle32 NOT FOUND
2869 57.06505203 hxdef100.exe:316 QueryValue HKCR\Interface\InterfaceHelperDisableTypeLib NOT FOUND
2870 57.06506348 hxdef100.exe:316 CloseKey HKCR\Interface SUCCESS
2871 57.06508636 hxdef100.exe:316 OpenKey HKCR\Interface\{00020400-0000-0000-C000-000000000046} SUCCESS Access: 0x20019
2872 57.06510162 hxdef100.exe:316 QueryValue HKCR\Interface\{00020400-0000-0000-C000-000000000046}\InterfaceHelperDisableAll NOT FOUND
2873 57.06511307 hxdef100.exe:316 QueryValue HKCR\Interface\{00020400-0000-0000-C000-000000000046}\InterfaceHelperDisableAllForOle32 NOT FOUND
2874 57.06512833 hxdef100.exe:316 CloseKey HKCR\Interface\{00020400-0000-0000-C000-000000000046} SUCCESS
2875 57.06516647 hxdef100.exe:316 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oleaut32.dll NOT FOUND
2876 57.06520844 hxdef100.exe:316 OpenKey HKLM\SOFTWARE\Microsoft\OLEAUT NOT FOUND
2877 57.06523132 hxdef100.exe:316 OpenKey HKLM\SOFTWARE\Microsoft\OLEAUT\UserEra NOT FOUND
2878 57.06524277 hxdef100.exe:316 OpenKey HKLM\SOFTWARE\Microsoft\OLEAUT NOT FOUND
2879 57.06526566 hxdef100.exe:316 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll NOT FOUND
2880 57.06528473 hxdef100.exe:316 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32.dll NOT FOUND
2881 57.06925964 hxdef100.exe:316 OpenKey HKLM\Software\Microsoft\Rpc\PagedBuffers NOT FOUND
2882 57.06929016 hxdef100.exe:316 OpenKey HKLM\Software\Microsoft\Rpc SUCCESS Access: 0x20019
2883 57.06930923 hxdef100.exe:316 QueryValue HKLM\Software\Microsoft\Rpc\MaxRpcSize NOT FOUND
2884 57.06933594 hxdef100.exe:316 CloseKey HKLM\Software\Microsoft\Rpc SUCCESS
2885 57.06936264 hxdef100.exe:316 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hxdef100.exe\RpcThreadPoolThrottle NOT FOUND
2886 57.06941605 hxdef100.exe:316 OpenKey HKLM\Software\Policies\Microsoft\Windows NT\Rpc NOT FOUND
2887 57.06949234 hxdef100.exe:316 OpenKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS Access: 0x1
2888 57.06950760 hxdef100.exe:316 QueryValue HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode NOT FOUND
2889 57.06952667 hxdef100.exe:316 CloseKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS
2890 57.06982422 hxdef100.exe:316 OpenKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0xF003F
2891 57.06983948 hxdef100.exe:316 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2892 57.06987762 hxdef100.exe:316 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0x2
2893 57.06995392 hxdef100.exe:316 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS ED 87 5D 3F FE 16 5C FE ...
2894 57.06996536 hxdef100.exe:316 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2895 57.07006836 hxdef100.exe:316 OpenKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0xF003F
2896 57.07007980 hxdef100.exe:316 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2897 57.07011032 hxdef100.exe:316 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0x2
2898 57.07014847 hxdef100.exe:316 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS 56 44 A2 F4 64 E1 D2 9B ...
2899 57.07015991 hxdef100.exe:316 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2900 57.07024384 hxdef100.exe:316 OpenKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0xF003F
2901 57.07025528 hxdef100.exe:316 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2902 57.07029343 hxdef100.exe:316 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0x2
2903 57.07032776 hxdef100.exe:316 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS 58 A5 42 11 F2 45 97 82 ...
2904 57.07033920 hxdef100.exe:316 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2905 57.07042313 hxdef100.exe:316 OpenKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0xF003F
2906 57.07043457 hxdef100.exe:316 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2907 57.07046890 hxdef100.exe:316 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0x2
2908 57.07050323 hxdef100.exe:316 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS AD AB 74 2A A0 93 EB D0 ...
2909 57.07051468 hxdef100.exe:316 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2910 57.07059860 hxdef100.exe:316 OpenKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0xF003F
2911 57.07061005 hxdef100.exe:316 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2912 57.07064056 hxdef100.exe:316 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0x2
2913 57.07067871 hxdef100.exe:316 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS C4 E3 E0 45 C8 08 91 93 ...
2914 57.07069016 hxdef100.exe:316 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2915 57.07077408 hxdef100.exe:316 OpenKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0xF003F
2916 57.07078171 hxdef100.exe:316 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2917 57.07081604 hxdef100.exe:316 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0x2
2918 57.07085037 hxdef100.exe:316 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS 8E A6 50 1B 0D 04 05 2A ...
2919 57.07086182 hxdef100.exe:316 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2920 57.07094574 hxdef100.exe:316 OpenKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0xF003F
2921 57.07095718 hxdef100.exe:316 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2922 57.07098770 hxdef100.exe:316 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0x2
2923 57.07102585 hxdef100.exe:316 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS 39 89 79 D2 B7 E4 03 BF ...
2924 57.07103729 hxdef100.exe:316 CloseKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS
2925 57.07201004 hxdef100.exe:316 OpenKey HKLM\System\CurrentControlSet\Control\ServiceCurrent SUCCESS Access: 0x1
2926 57.07203293 hxdef100.exe:316 QueryValue HKLM\System\CurrentControlSet\Control\ServiceCurrent\(Default) SUCCESS 0x19
2927 57.07205200 hxdef100.exe:316 CloseKey HKLM\System\CurrentControlSet\Control\ServiceCurrent SUCCESS
2928 57.07570267 hxdef100.exe:316 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS Access: 0x20019
2929 57.07580948 hxdef100.exe:316 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Access: 0x20019
2930 57.07582855 hxdef100.exe:316 QueryValue HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName SUCCESS "OEM-TDYOG7RCYK7"
2931 57.07585526 hxdef100.exe:316 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS
2932 57.07587433 hxdef100.exe:316 CloseKey HKLM\System\CurrentControlSet\Control\ComputerName SUCCESS
2933 57.07940292 hxdef100.exe:316 OpenKey HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\BehaviourBlocking NOT FOUND
2934 57.08078766 hxdef100.exe:316 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2HELP.dll NOT FOUND
2935 57.08081436 hxdef100.exe:316 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ws2_32.dll NOT FOUND
Not all created keys are shown: we need to monitor APIs for further investigation.
And if we dump the registry with a free Somarsoft tool like DumpReg, we can see that there is something wrong with some keys:
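The trace above is long and mostly noise (CryptoAPI reseeding its RNG, Image File Execution Options lookups for every DLL), while the few lines that matter, the CreateKey/SetValue under SafeBoot\Minimal and SafeBoot\Network that let the service load even in Safe Mode, are easy to miss. As an added example (mine, not from the original page), here is a small Python filter for RegMon's text export that parses each line, drops the reseed noise and flags successful writes under persistence locations; the watch-list is my own choice and the sample lines are constructed, modelled on the trace above.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the RegMon trace above (a few PID 448 and PID 316 lines).
# RegMon's text export is: <seq> <time> <image>:<pid> <op> <path> <result> [extra]
SAMPLE_TRACE = r"""
2712 56.77157974 hxdef100.exe:448 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hxdef100.exe NOT FOUND
2746 56.78206635 hxdef100.exe:448 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0x2
2747 56.78226852 hxdef100.exe:448 SetValue HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed SUCCESS D7 2D 87 7F BD 3D 12 F0 ...
2817 56.79577255 hxdef100.exe:448 OpenKey HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\HackerDefender100 NOT FOUND
2818 56.79610825 hxdef100.exe:448 CreateKey HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HackerDefender100 SUCCESS Access: 0xF003F
2819 56.79645538 hxdef100.exe:448 SetValue HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HackerDefender100\(Default) SUCCESS "Service"
2821 56.79666138 hxdef100.exe:448 CreateKey HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HackerDefender100 SUCCESS Access: 0xF003F
2822 56.79684448 hxdef100.exe:448 SetValue HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\HackerDefender100\(Default) SUCCESS "Service"
2929 57.07580948 hxdef100.exe:316 OpenKey HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName SUCCESS Access: 0x20019
"""

# Result column values RegMon prints; the path (which may contain spaces) is matched
# non-greedily up to one of them.
RESULTS = r"SUCCESS|NOT FOUND|ACCESS DENIED|BUFFER OVERFLOW"
LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>[\d.]+)\s+(?P<image>\S+):(?P<pid>\d+)\s+(?P<op>\w+)\s+"
    r"(?P<path>.+?)\s+(?P<result>" + RESULTS + r")(?:\s+(?P<extra>.*))?$"
)

# My watch-list (not RegMon's): locations where a write by an unknown binary deserves
# attention. Substrings are matched against the lower-cased, normalised path.
WATCHED = {
    "\\control\\safeboot\\": "safe-mode persistence (service still loads in Safe Mode)",
    "\\currentcontrolset\\services\\": "service or driver registration",
    "\\currentversion\\run": "autostart (Run/RunOnce)",
    "\\image file execution options\\": "debugger hijack of another executable",
    "\\currentversion\\winlogon\\": "Winlogon hook",
    "\\appinit_dlls": "DLL injection into GUI processes",
}
# CryptoAPI reseeds this value from any process that uses it: pure noise in a trace like this.
NOISE = ("\\cryptography\\rng\\seed",)
WRITE_OPS = {"CreateKey", "SetValue", "DeleteKey", "DeleteValue"}


def parse_regmon_line(line):
    """Split one RegMon export line into its columns; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["seq"], ev["pid"] = int(ev["seq"]), int(ev["pid"])
    return ev


def normalise(path):
    """Lower-case and fold ControlSet00N into CurrentControlSet so both spellings hit one rule."""
    return re.sub(r"\\controlset\d{3}\\", r"\\currentcontrolset\\", path.lower())


def classify(ev):
    """Reason this event matters, or None. Only successful writes can establish persistence."""
    if ev["op"] not in WRITE_OPS or ev["result"] != "SUCCESS":
        return None
    p = normalise(ev["path"])
    if any(n in p for n in NOISE):
        return None
    for prefix, reason in WATCHED.items():
        if prefix in p:
            return reason
    return None


def suspicious_writes(trace):
    """All flagged events from a RegMon export, in trace order, each with its reason attached."""
    hits = []
    for line in trace.splitlines():
        ev = parse_regmon_line(line)
        if ev is not None and (reason := classify(ev)):
            hits.append({**ev, "reason": reason})
    return hits


def summarise(hits):
    """One entry per image:pid with its distinct reasons, the view an analyst triages from."""
    by_proc = defaultdict(set)
    for h in hits:
        by_proc[(h["image"], h["pid"])].add(h["reason"])
    return {k: sorted(v) for k, v in by_proc.items()}


if __name__ == "__main__":
    for h in suspicious_writes(SAMPLE_TRACE):
        print(f'{h["seq"]} {h["image"]}:{h["pid"]} {h["op"]} {h["path"]}  <- {h["reason"]}')
```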

3. MONITORING APIs:

In the different screenshots we can see the hooking of ntdll, the creation of the service and driver registry keys, the start of the service, etc.
Now we're going to monitor the driver:
***IRP TRACKING:

A complete list of HxDef driver communications can be found here (with IRPTrace).
4. ROOTKIT DETECTION WITH WINDOWS and system utilities:
-integrity check of Windows files (sigverif.exe): no change is detected;
-searching for the process with the Task Manager: nothing;
-services and drivers:
On the command line, with "sc query" or "net start" for a list of running services, the HackerDefender service is not listed.

The same result is found in the control panel (mmc.exe).
If we try to check the system for unsigned drivers (verifier.exe): nothing.
If we take a look at hidden devices (devmgmt.msc): the HackerDefender driver is not on the list:

If we use some system tools:
-a basic integrity checker like Sentinel: nothing suspicious is reported:

-an advanced integrity checker such as XIntegrity Pro: no change is detected from the clean Service Database:

-if we try to catch the process again with utilities such as Process Explorer or RegMon (once HxDef is launched):

HackerDefender acts as a man-in-the-middle: each time we query the system, for instance for the list of running applications, HxDef returns a Status Invalid Parameter.
As I'm not a programmer, I asked Ivo Ivanov from Infoprocess some questions about which APIs are really necessary in our case, and here is his answer:
"The key point of hiding a process is that it allows an attacker to create an
undetectable backdoor that cannot be discovered using standard process tools
like Process Explorer or Windows Task Manager or even Anti-rootkit software.
Hacker Defender rootkit installs hidden backdoors, registers as a hidden
system service and installs a hidden system driver.
There are two well-known methods of hiding processes:
1. Hooking ZwQuerySystemInformation() native API. It is an easy way to
control the access to the process list (i.e. what you see in Task Manager
for example).
A call to ZwQuerySystemInformation(SystemInformationClass) will return a
container with all process records. What an attacker can do is to hook this
API and remove a specific process record before this function returns to its
caller.
2. As an alternative the attacker can employ a lower-level approach and hide
a process by modifying EPROCESS kernel data structures. This is a very
robust technique. It is interesting that it doesn’t prevent the process from
being allocated a time slot in which to execute, due to the fact that
Windows scheduler works with threads. That’s it – the threads are being
scheduled to run, not the processes."
In order to understand some of these explanations, it can be helpful to take a look at the MSDN library.
We have seen with the most popular rootkit example that a rootkit:
-does not create new files, but only hides its own files;
-does not alter the integrity of the system (no modification of files);
-patches the system by hooking system functions and unlinking its own service from the module list.
Windows and efficient system utilities like Process Explorer are not able to detect the presence of a rootkit: specialized detectors are required.
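When the hook in method 1 above hides a record by patching the previous record's NextEntryOffset rather than rewriting the whole buffer, the hidden record's bytes are still in the memory ZwQuerySystemInformation returns, and a detector can recover it by checking that each record's NextEntryOffset matches the size computed from the record's own fields. This added example (mine, not from the page or from Hacker Defender) shows that cross-check in Python on a constructed toy record layout that stands in for SYSTEM_PROCESS_INFORMATION; on a real buffer the same walk must also allow for the alignment slack Windows adds between records.

```python
import struct

# Constructed toy record layout standing in for SYSTEM_PROCESS_INFORMATION. The real
# structure is much larger, but the property used here is the same: every record carries
# a NextEntryOffset (0 on the last one) and a variable-size body whose length can be
# recomputed from the record's own fields.
#   u32 next_entry_offset | u32 pid | u32 num_threads | u32 name_len
#   num_threads * THREAD_SIZE bytes of (dummy) per-thread info
#   name_len bytes of image name, then padding to an 8-byte boundary
HDR = struct.Struct("<IIII")
THREAD_SIZE = 8


def record_size(num_threads, name_len):
    """True size of a record, derived from its own fields (what NextEntryOffset should be)."""
    raw = HDR.size + num_threads * THREAD_SIZE + name_len
    return (raw + 7) & ~7


def build_buffer(procs, hidden_pids=()):
    """Serialise (pid, num_threads, name) tuples into one chained buffer.

    Records whose pid is in hidden_pids are still written, but the chain of
    NextEntryOffset values skips over them: the state a hook leaves behind when it
    unlinks a record instead of rewriting the buffer. The first record is assumed
    visible (on a real system it is the Idle process)."""
    sizes = [record_size(t, len(n)) for _, t, n in procs]
    out, off, offsets = bytearray(sum(sizes)), 0, []
    for (pid, t, name), size in zip(procs, sizes):
        out[off:off + HDR.size] = HDR.pack(0, pid, t, len(name))
        body = off + HDR.size + t * THREAD_SIZE
        out[body:body + len(name)] = name
        offsets.append(off)
        off += size
    visible = [i for i, (pid, _, _) in enumerate(procs) if pid not in hidden_pids]
    for a, b in zip(visible, visible[1:]):
        struct.pack_into("<I", out, offsets[a], offsets[b] - offsets[a])
    return bytes(out)


def read_record(buf, off):
    """(next_entry_offset, pid, name, true_size) for the record starting at off."""
    nxt, pid, t, nlen = HDR.unpack_from(buf, off)
    body = off + HDR.size + t * THREAD_SIZE
    return nxt, pid, buf[body:body + nlen].decode(), record_size(t, nlen)


def walk(buf):
    """Follow the chain the way Task Manager does: only the records the hook lets through."""
    seen, off = [], 0
    while True:
        nxt, pid, name, _ = read_record(buf, off)
        seen.append((pid, name))
        if nxt == 0:
            return seen
        off += nxt


def find_unlinked(buf):
    """Cross-view check: compare where each record really ends with where the chain says
    the next one starts (or the buffer end, for the last record). Any bytes in between
    are records that were unlinked; parse and return them."""
    hidden, off = [], 0
    while True:
        nxt, _, _, size = read_record(buf, off)
        end = off + size                      # where this record really ends
        limit = off + nxt if nxt else len(buf)  # where the chain claims the next one is
        while end < limit:                    # a gap: records the chain skipped
            _, gpid, gname, gsize = read_record(buf, end)
            hidden.append((gpid, gname))
            end += gsize
        if nxt == 0:
            return hidden
        off += nxt


if __name__ == "__main__":
    # Constructed process list; the rootkit's own process is the one being hidden.
    procs = [(0, 1, b"Idle"), (4, 50, b"System"), (448, 3, b"hxdef100.exe"),
             (1234, 12, b"explorer.exe"), (600, 2, b"svchost.exe")]
    buf = build_buffer(procs, hidden_pids={448})
    print("visible:", walk(buf))
    print("unlinked:", find_unlinked(buf))
```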
by kareldjag
published in:
LINE DEFENSE