Technical Information
Autorun entry (registry):
- [<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'Microsoft Encrypting File System (EFS)' = '%LOCALAPPDATA%\GFIR\wininit-svc.exe'
Firewall exception added via command line:
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%LOCALAPPDATA%\GFIR\wininit-svc.exe" "Microsoft Encrypting File System (EFS)" ENABLE
Files:
- %LOCALAPPDATA%\gfir\wininit-svc.exe
- %LOCALAPPDATA%\gfir\systemsvc.exe
Network connection:
- 'microsoft.com':80
HTTP request:
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
DNS requests:
- DNS ASK ma####qwesta.com
- DNS ASK ex####onstars.com
- DNS ASK microsoft.com
Executes:
- '%LOCALAPPDATA%\gfir\wininit-svc.exe'
- '%LOCALAPPDATA%\gfir\systemsvc.exe'
Executes with hidden window:
- '%LOCALAPPDATA%\gfir\wininit-svc.exe'
- '%WINDIR%\syswow64\netsh.exe' firewall add allowedprogram "%LOCALAPPDATA%\GFIR\wininit-svc.exe" "Microsoft Encrypting File System (EFS)" ENABLE
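What makes the entries above actionable: the Run value and the firewall rule both borrow the name of a real Windows component (Encrypting File System), but no Microsoft EFS binary is ever installed under the user-writable %LOCALAPPDATA% tree, and the legacy `netsh firewall add allowedprogram` call (deprecated, still accepted with a warning on current Windows) creates an inbound allow rule for that binary. The Wow6432Node Run key is the 32-bit view of the autorun key and is processed at logon like the native one. The microsoft.com request for MicRooCerAut_2010-06-23.crt is the Microsoft Root Certificate Authority 2010 certificate, which Windows itself fetches when building a certificate chain, so on its own it is a weak indicator; the two masked domains are the ones worth checking in DNS logs. The following PowerShell is an added host-hunting script written for this page, not code from the report or from the sample; it assumes the NetSecurity module (Windows 8 / Server 2012 and later), that the rule created by the legacy netsh command is visible to Get-NetFirewallRule under the display name the sample passed, and that the masked domain names keep their visible prefix and suffix.

```powershell
# Added example (not part of the original report): hunt for the autorun, file,
# firewall and DNS-cache artifacts listed above on a live host.
# Run in an elevated PowerShell; Get-NetFirewall* needs the NetSecurity module.

$ArtifactDir = Join-Path $env:LOCALAPPDATA 'GFIR'
$Binaries    = @('wininit-svc.exe', 'systemsvc.exe') | ForEach-Object { Join-Path $ArtifactDir $_ }
$RunKeys     = @(
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',  # key named in the report
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',              # native 64-bit view
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'               # per-user autorun
)
$RuleName    = 'Microsoft Encrypting File System (EFS)'
$BinaryRegex = '\\GFIR\\(wininit-svc|systemsvc)\.exe$'
# Masked domains from the report: only the visible prefix and suffix are matched.
$DomainRegex = @('^ma.+qwesta\.com$', '^ex.+onstars\.com$')
$Findings    = @()

# 1. Files on disk. $env:LOCALAPPDATA resolves for the current user only; for a
#    fleet sweep enumerate C:\Users\*\AppData\Local\GFIR instead.
foreach ($Path in $Binaries) {
    if (Test-Path -LiteralPath $Path) {
        $Hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        $Findings += "File present: $Path (SHA256 $Hash)"
    }
}

# 2. Run-key values. Match on the disguise name and on any value whose data
#    points into the GFIR directory, since the value name is cheap to change.
foreach ($Key in $RunKeys) {
    if (-not (Test-Path -LiteralPath $Key)) { continue }
    $Props = Get-ItemProperty -LiteralPath $Key
    foreach ($P in $Props.PSObject.Properties) {
        if ($P.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        if ($P.Name -eq $RuleName -or "$($P.Value)" -match $BinaryRegex) {
            $Findings += "Run value: $Key\$($P.Name) = $($P.Value)"
        }
    }
}

# 3. Firewall exception. Check by display name and by the program the rule
#    allows, so a renamed rule for the same binary is still caught.
$Rules = Get-NetFirewallRule -ErrorAction SilentlyContinue | Where-Object {
    $_.DisplayName -eq $RuleName -or
    (($_ | Get-NetFirewallApplicationFilter).Program -match $BinaryRegex)
}
foreach ($R in $Rules) {
    $Findings += "Firewall rule: '$($R.DisplayName)' Direction=$($R.Direction) Action=$($R.Action) Enabled=$($R.Enabled)"
}

# 4. DNS client cache. Only useful shortly after execution (cache TTLs are
#    short); for anything older, query the resolver or DNS-server logs instead.
$Hits = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object {
    $Entry = $_.Entry
    ($DomainRegex | Where-Object { $Entry -match $_ }).Count -gt 0
}
foreach ($H in $Hits) {
    $Findings += "DNS cache: $($H.Entry) -> $($H.Data)"
}

# A Run value or firewall rule that uses the EFS name for a binary under a user
# profile is suspect on its own; report everything and let the analyst triage.
if ($Findings.Count -eq 0) {
    'No GFIR / fake-EFS artifacts found on this host.'
} else {
    $Findings
}
```

If the file is found, the hash is printed so it can be checked against your own sample before remediation; removing the Run value and the firewall rule (`Remove-NetFirewallRule -DisplayName $RuleName`) without also removing the binary leaves a second chance for persistence via systemsvc.exe, which the report lists as executed but for which no autorun entry is shown.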