Appreciate any thoughts about this.
The fact that Google returns zero hits about "MEMEPMShExt" bothers me greatly.
As far as we can tell, the computers are clean and the network is quiet. Has anyone else seen this and if so, any suggestions?
TIA
InsightIDR has reported the following incident for **[name redacted Windows 10 laptop]**:
***ATTACKER BEHAVIOR DETECTED***
Suspicious Process - Potential SLUI.exe UAC Bypass
Part of the full event:
```json
{
  "hostname": "[REDACTED]",
  "dns_domain": "[REDACTED]",
  "os_type": "WINDOWS",
  "r7_hostid": "[REDACTED]",
  "process": {
    "start_time": "2023-06-17T06:47:16.473Z",
    "name": "reg.exe",
    "pid": 7932,
    "r7_id": "{cf0c003a-56f4-648d-4209-000000001600}",
    "exe_path": "C:\\Windows\\System32\\reg.exe",
    "cmd_line": "C:\\Windows\\system32\\reg.exe DELETE \"HKLM\\SOFTWARE\\Classes\\exefile\\shellex\\ContextMenuHandlers\\MEMEPMShExt\" /f ",
    "username": "NT AUTHORITY\\SYSTEM",
    "session": 0,
    "exe_file": {
      "owner": "NT SERVICE\\TrustedInstaller",
      "orig_filename": "reg.exe",
      "description": "Registry Console Tool",
      "product_name": "Microsoft® Windows® Operating System",
      "version": "10.0.22621.1 (WinBuild.160101.0800)",
      "created": "2022-05-07T05:20:02.683Z",
      "last_modified": "2022-05-07T05:20:02.683Z",
      "size": 102400,
      "internal_name": "reg.exe",
      "hashes": {
        "md5": "cdb58d0bcabe76afc60428f364834463",
        "sha256": "411ae446fe37b30c0727888c7fa5e88994a46dafd41aa5b3b06c9e884549afde",
        "sha1": "979f280b1226e064cc79020b25fb8c40d9fb0008"
      }
    },
```
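An added triage script for the alert above (editor's example, not Rapid7 code and not part of the original post). The SLUI.exe UAC bypass works by planting a command under the `exefile\shell\open\command` key, normally in HKCU where no such key exists by default, so that the auto-elevating `slui.exe` launches the attacker's program through the `.exe` file handler. What the event shows is different: `reg.exe`, running as SYSTEM in session 0, deleting a subkey under `exefile\shellex\ContextMenuHandlers`, which is where context-menu shell extensions for `.exe` files are registered, not the open-command hijack. Judging by the event, the rule matched on a write under `Classes\exefile` rather than on the specific bypass key. The script checks the real bypass indicator in both hives, confirms the `MEMEPMShExt` key (name taken from the event's `cmd_line`) is gone, resolves every remaining handler's CLSID to its DLL and Authenticode signer, and verifies the on-disk `reg.exe` matches the SHA-256 in the event. It assumes the standard Windows registry layout and an elevated PowerShell session on the laptop.

```powershell
# Editor's added triage example for the "Potential SLUI.exe UAC Bypass" alert.
# Not from the original post or from Rapid7; assumes an elevated shell on the host.
$ErrorActionPreference = 'SilentlyContinue'

# 1. The actual bypass indicator: a modified or planted exefile open command.
#    HKLM default is '"%1" %*'; the HKCU key should not exist at all.
$expectedOpen = '"%1" %*'
foreach ($root in 'HKLM:\SOFTWARE\Classes', 'HKCU:\Software\Classes') {
    $key = "$root\exefile\shell\open\command"
    if (-not (Test-Path $key)) {
        Write-Output "[$root] exefile\shell\open\command absent$(if ($root -like 'HKCU*') { ' (expected)' })"
        continue
    }
    $cmd  = (Get-Item $key).GetValue('')
    $flag = if ($root -like 'HKCU*' -or $cmd -ne $expectedOpen) { 'SUSPICIOUS' } else { 'ok' }
    Write-Output "[$root] exefile\shell\open\command = $cmd -> $flag"
}

# 2. What the alert saw: a shellex\ContextMenuHandlers subkey removed. Confirm the
#    key named in the event is gone, then audit the handlers that remain.
$handlers = 'HKLM:\SOFTWARE\Classes\exefile\shellex\ContextMenuHandlers'
$deleted  = "$handlers\MEMEPMShExt"   # key name taken from the event cmd_line
Write-Output "MEMEPMShExt handler key still present: $(Test-Path $deleted)"

function Resolve-ShellExtension {
    param([string]$Clsid)
    # A context-menu handler's CLSID maps to the DLL in its InprocServer32 default value.
    foreach ($clsRoot in 'HKLM:\SOFTWARE\Classes\CLSID',
                         'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID',
                         'HKCU:\Software\Classes\CLSID') {
        $srv = "$clsRoot\$Clsid\InprocServer32"
        if (-not (Test-Path $srv)) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables((Get-Item $srv).GetValue(''))
        $status = 'file missing'; $signer = ''
        if (Test-Path $dll) {
            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $status = $sig.Status
            $signer = $sig.SignerCertificate.Subject
        }
        return [pscustomobject]@{ Clsid = $Clsid; Dll = $dll; Signature = $status; Signer = $signer }
    }
    [pscustomobject]@{ Clsid = $Clsid; Dll = '<no InprocServer32>'; Signature = 'n/a'; Signer = '' }
}

Get-ChildItem $handlers | ForEach-Object {
    # The subkey's default value holds the CLSID; some vendors use the CLSID as the subkey name.
    $clsid = $_.GetValue('')
    if (-not $clsid) { $clsid = $_.PSChildName }
    Resolve-ShellExtension -Clsid $clsid |
        Add-Member -NotePropertyName Handler -NotePropertyValue $_.PSChildName -PassThru
} | Format-Table Handler, Clsid, Dll, Signature, Signer -AutoSize

# 3. Confirm the reg.exe that ran is the signed Windows binary the event hashed.
$eventSha256 = '411ae446fe37b30c0727888c7fa5e88994a46dafd41aa5b3b06c9e884549afde'
$regExe = "$env:SystemRoot\System32\reg.exe"
$hash   = (Get-FileHash -Algorithm SHA256 -Path $regExe).Hash   # -eq is case-insensitive
$regSig = Get-AuthenticodeSignature -FilePath $regExe
Write-Output "reg.exe matches event sha256: $($hash -eq $eventSha256); signature: $($regSig.Status) ($($regSig.SignerCertificate.Subject))"
```

If step 1 reports both hives clean, the SLUI-style hijack is not present and the remaining question is who ran the delete. The excerpt cuts off before the parent-process fields, so pull the full event for the parent of PID 7932 and correlate the 2023-06-17 06:47 UTC timestamp with software installs, uninstalls or updates on the laptop: a SYSTEM-context installer removing a shell extension it had registered is the benign explanation to rule in or out, and the signer of any still-registered handler from the same vendor in step 2 is the quickest clue to what "MEMEPMShExt" belonged to.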