jessica

START::
Task: {044C0ECB-D77C-4D85-A7C5-01275585901D} - \Microsoft\Windows\Autochk\Proxy -> Brak pliku <==== UWAGA
U4 dmwappushservice; Brak ImagePath
S4 nvvad_WaveExtensible; \SystemRoot\system32\drivers\nvvad64v.sys [X] 
EmptyEventLogs: 
S3 BraveElevationService; "C:\Program Files\BraveSoftware\Brave-Browser\Application\108.1.46.140\elevation_service.exe" [X]
GroupPolicy: Ograniczenia ? <==== UWAGA
GroupPolicyScripts: Ograniczenia <==== UWAGA
Policies: C:\ProgramData\NTUSER.pol: Ograniczenia <==== UWAGA
EmptyTemp:
END::

START::
HKU\S-1-5-21-1215711077-2401596317-3864324733-1001\...\Run: [AdobeBridge] => [X]
HKU\S-1-5-21-1215711077-2401596317-3864324733-1001\...\Run: [DAEMON Tools Lite Automount] => C:\Program Files\DAEMON Tools Lite\DTAgent.exe [482128 2022-11-19] (AVB Disc Soft, SIA -> Disc Soft Ltd)
S3 MpKsl2ffe3599; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2CC27F99-5C3D-4C65-99FC-C9297CBA55A1}\MpKslDrv.sys [X]
S3 MpKsl7204f4fd; \??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{2CC27F99-5C3D-4C65-99FC-C9297CBA55A1}\MpKslDrv.sys [X]
S3 MSICDSetup; \??\G:\CDriver64.sys [X]
S3 NTIOLib_1_0_C; \??\G:\NTIOLib_X64.sys [X]
EmptyEventLogs: 
EmptyTemp:
END::

Instalacja

Ten trojan szpieg dodaje następujące procesy:

"{ścieżka i nazwa pliku złośliwego oprogramowania}"

%System%\cmd.exe /c "echo %SystemRoot%"

%Windows%\system.exe

"%Windows%\system.exe"

(Uwaga: %Windows% to folder Windows, gdzie zwykle jest to C:\Windows we wszystkich wersjach systemu operacyjnego Windows).

START::
StartRegedit:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"SuperHidden"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"ShowSuperHidden"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden\Policy\DontShowSuperHidden]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000001
EndRegedit:
S3 SWDUMon; \SystemRoot\system32\DRIVERS\SWDUMon.sys [X]
Task: {B93E0FDD-4D2E-4C25-B09F-E1AAC64BDCD1} - System32\Tasks\ACC => C:\Program Files\DriverSetupUtility\FUB\FUB_Send.bat (Brak pliku)
EmptyEventLogs: 
EmptyTemp:
END::

START::
HKLM\...\cmdfile\DefaultIcon: %SystemRoot%\System32\imageres.dll,-68 <==== UWAGA
SearchScopes: HKU\S-1-5-21-3483495963-2498424976-411220748-1001 -> DefaultScope {2BCBAE31-62F9-45E2-915F-D06D9081FF0E} URL = 
SearchScopes: HKU\S-1-5-21-3483495963-2498424976-411220748-1001 -> {2BCBAE31-62F9-45E2-915F-D06D9081FF0E} URL = 
BHO: Brak nazwy -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> Brak pliku
BHO-x32: Brak nazwy -> {B164E929-A1B6-4A06-B104-2CD0E90A88FF} -> Brak pliku
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} -  Brak pliku
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} -  Brak pliku
FirewallRules: [TCP Query User{307B820D-80CE-4DE1-A668-61D81AD4701C}C:\program files (x86)\emule\emule.exe] => (Allow) C:\program files (x86)\emule\emule.exe (hxxps://www.emule-project.net) [Brak podpisu cyfrowego]
FirewallRules: [UDP Query User{146E4A80-CF93-45FF-A9A9-E997B244FFA3}C:\program files (x86)\emule\emule.exe] => (Allow) C:\program files (x86)\emule\emule.exe (hxxps://www.emule-project.net) [Brak podpisu cyfrowego]
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Ograniczenia <==== UWAGA
Task: {A1C6287B-53D5-40E9-A1BD-701A7296317D} - System32\Tasks\McAfee\McAfee Idle Detection Task => {ABCDCA3B-DE6B-5A7C-B132-6D7CBA63E5C5}
Task: {AE661E9C-E862-4257-B637-F8B4C5446158} - System32\Tasks\McAfee\DAD.Execute.Updates => C:\Program Files\Common Files\McAfee\DynamicAppDownloader\DADUpdater.exe (Brak pliku)
Task: {FF4B9707-52D7-4B2E-83FD-DFB4B9C96C5C} - System32\Tasks\McAfee\McAfee Auto Maintenance Task Agent => {ABCECA3B-EA5A-496B-A021-5C6BAB365E5C}
FF Plugin-x32: @mcafee.com/MVT -> C:\Program Files (x86)\McAfee\Supportability\MVT\NPMVTPlugin.dll [Brak pliku]
S3 mfeaack; C:\WINDOWS\System32\drivers\mfeaack.sys [508736 2018-10-04] (McAfee, Inc. -> McAfee, LLC)
S3 mfencrk; C:\WINDOWS\System32\DRIVERS\mfencrk.sys [108840 2018-10-02] (McAfee, Inc. -> McAfee LLC.)
S3 mfeplk; C:\WINDOWS\System32\drivers\mfeplk.sys [117568 2018-10-04] (McAfee, Inc. -> McAfee, LLC)
C:\WINDOWS\System32\drivers\mfeplk.sys
C:\WINDOWS\System32\DRIVERS\mfencrk.sys
C:\WINDOWS\System32\drivers\mfeaack.sys
EmptyEventLogs: 
EmptyTemp:
END::

START::
Task: {13EE44EB-8134-4D84-9F7E-AA7E6671DF41} - \Mozilla\Firefox Background Update 308046B0AF4A39CB -> Brak pliku <==== UWAGA
Task: {9DC4380D-32E0-485F-81EF-3072237AE0E9} - \Mozilla\Firefox Default Browser Agent 308046B0AF4A39CB -> Brak pliku <==== UWAGA
Task: {E0F10DCF-44AD-40E8-9370-FB5DA59F93FB} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\USO_UxBroker => C:\WINDOWS\system32\MusNotification.exe (Brak pliku)
Task: {E2A2969F-164A-45D0-AFC2-D90E525AFB63} - System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Reboot_AC => C:\WINDOWS\system32\MusNotification.exe /RunOnAC RebootDialog (Brak pliku)
Task: {CCDFC0B8-01A3-4E74-A820-4F13F51D269E} - System32\Tasks\Microsoft\Windows\Mobile Broadband Accounts\MNO Metadata Parser => C:\WINDOWS\System32\MbaeParserTask.exe (Brak pliku)
HKU\S-1-5-21-868864574-754023539-434053955-1003\...\Run: [MicrosoftEdgeAutoLaunch_E3E731D7CBD94975C15B7518EE989668] => "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start /prefetch:5 [3892136 2022-11-27] (Microsoft Corporation -> Microsoft Corporation)
EmptyEventLogs: 
EmptyTemp:
END::

START::
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Ograniczenia <==== UWAGA
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender: Ograniczenia <==== UWAGA
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Ograniczenia <==== UWAGA
HKU\S-1-5-21-2971021265-3917128272-2070174108-1001\...\Run: [CyberGhost] => "C:\Program Files\CyberGhost 8\Dashboard.exe" /autostart /min (Brak pliku)
ShortcutTarget: Peace.lnk -> C:\Program Files\EqualizerAPO\config\Peace.exe (Brak pliku)
GroupPolicy: Ograniczenia ? <==== UWAGA
Policies: C:\ProgramData\NTUSER.pol: Ograniczenia <==== UWAGA
HKU\S-1-5-21-2971021265-3917128272-2070174108-1001\SOFTWARE\Policies\Microsoft\Internet Explorer: Ograniczenia <==== UWAGA
S4 uhssvc; "C:\Program Files\Microsoft Update Health Tools\uhssvc.exe" [X]
S3 wtbt; \??\d:\program files\steam\steamapps\common\super people playtest\engine\binaries\thirdparty\wondertrust\wtdrv64.sys [X]
EmptyEventLogs: 
EmptyTemp:
END::

Error: (11/28/2022 12:32:19 AM) (Source: Application Error) (EventID: 1000) (User: )
Description: Nazwa aplikacji powodującej błąd: MEmu.exe, wersja: 7.6.6.0, sygnatura czasowa: 0x08113068
Nazwa modułu powodującego błąd: libmemuqt.dll, wersja: 7.6.6.0, sygnatura czasowa: 0x00000000
Kod wyjątku: 0xc0000005
Przesunięcie błędu: 0x000030b3
Identyfikator procesu powodującego błąd: 0x1e28
Godzina uruchomienia aplikacji powodującej błąd: 0x01d9029674567f01
Ścieżka aplikacji powodującej błąd: D:\Program Files\Microvirt\MEmu\MEmu.exe
Ścieżka modułu powodującego błąd: D:\Program Files\Microvirt\MEmu\libmemuqt.dll

START::
WMI:subscription\__EventFilter->BVTFilter::[Query => SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99]
C:\Users\Browar\AppData\Local\Roblox — skrót .lnk
C:\Users\Browar\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox — kopia.lnk
S3 netprotection_network_filter2; System32\drivers\netprotection_network_filter2.sys [X]
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3: <==== UWAGA (Ograniczenia - Zones)
Tcpip\..\Interfaces\{58ED39E0-90C8-475C-BE8A-4543D940BC53}: [NameServer] 127.0.0.1
Task: {D740E2E2-A4F9-475F-AF67-4D696DC78E50} - \Microsoft\Windows\Setup\EOSNotify -> Brak pliku <==== UWAGA
Task: {70D41DB6-0309-43EF-B59D-420CC1BFFF47} - System32\Tasks\AviraSystemSpeedupVerify => C:\Program Files (x86)\Avira\System Speedup\setup\avira_speedup_setup.exe [31903744 2022-09-29] () [Brak podpisu cyfrowego]
Task: {87BF67AA-2623-4E00-8D26-2B3EBC0A2B58} - System32\Tasks\Microsoft\Windows\End Of Support\Notify1 => C:\WINDOWS\system32\sipnotify.exe -LogonOrUnlock (Brak pliku)
Task: {50AB374C-8B1F-404E-BB64-49F5813761F4} - \Microsoft\Windows\Setup\EOSNotify2 -> Brak pliku <==== UWAGA
GroupPolicy-Firefox: Ograniczenia <==== UWAGA
HKU\S-1-5-21-2675937309-2342803569-238252381-1000\...\Run: [] => [X]
HKU\S-1-5-21-2675937309-2342803569-238252381-1000\...\Policies\system: [shell] explorer.exe <==== UWAGA
HKLM\...\Run: [] => [X]
HKLM-x32\...\Run: [ATKOSD2] => C:\Program Files (x86)\ASUS\ATK Package\ATKOSD2\ATKOSD2.exe [5732992 2010-08-17] (ASUSTeK Computer Inc. -> ASUS)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [IJNetworkScannerSelectorEX2] => C:\Program Files (x86)\Canon\IJ Network Scanner Selector EX2\CNMNSST2.exe /FORCE (Brak pliku)
HKLM\...\Policies\Explorer: [NoInstrumentation] 1
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Ograniczenia <==== UWAGA
HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Ograniczenia <==== UWAGA
EmptyEventLogs: 
EmptyTemp:
END::

START::
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Ograniczenia <==== UWAGA
Unlock: HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

StartRegedit:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001
EndRegedit:

END::

START::
S3 mracsvc; C:\WINDOWS\System32\mracsvc.exe [26030880 2022-09-27] (My.Com B.V. -> My.com B.V.)
S3 mracdrv; C:\WINDOWS\System32\drivers\mracdrv1.sys [25266488 2022-09-27] (My.Com B.V. -> My.com B.V.)
C:\WINDOWS\System32\mracsvc.exe
C:\WINDOWS\System32\drivers\mracdrv1.sys
FirewallRules: [{04D4F7AA-B85A-418D-8C93-2103F893A556}] => (Allow) C:\gry\Tom Clancy's Rainbow Six Siege\rainbowsix_be.exe => Brak pliku
FirewallRules: [{F0CEB31B-FDB5-4A86-BA2D-B2A9EC45DD8C}] => (Allow) C:\gry\Tom Clancy's Rainbow Six Siege\rainbowsix_be.exe => Brak pliku
FirewallRules: [{31318534-3C4F-4F30-A13C-0A1A39CC2638}] => (Allow) C:\gry\Tom Clancy's Rainbow Six Siege\RainbowSix.exe => Brak pliku
FirewallRules: [{6CBCBF26-2A24-408A-B85F-3939CA20D7CB}] => (Allow) C:\gry\Tom Clancy's Rainbow Six Siege\RainbowSix.exe => Brak pliku
WMI:subscription\__FilterToConsumerBinding->CommandLineEventConsumer.Name=\"BVTConsumer\"",Filter="__EventFilter.Name=\"BVTFilter\"::
WMI:subscription\__EventFilter->BVTFilter::[Query => SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99]
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate: Ograniczenia <==== UWAGA
HKU\S-1-5-21-3308613058-3076913746-2055097149-1003\...\Run: [Sidebar] => C:\Program Files\Windows Sidebar\sidebar.exe /autoRun (Brak pliku)
HKU\S-1-5-21-3308613058-3076913746-2055097149-1003\...\RunOnce: [Delete Cached Update Binary] => C:\WINDOWS\system32\cmd.exe /q /c del /q "C:\Users\Moooooniś\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" (Brak pliku)
HKU\S-1-5-21-3308613058-3076913746-2055097149-1003\...\RunOnce: [Delete Cached Standalone Update Binary] => C:\WINDOWS\system32\cmd.exe /q /c del /q "C:\Users\Moooooniś\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" (Brak pliku)
HKU\S-1-5-21-3308613058-3076913746-2055097149-1003\...\RunOnce: [Uninstall 22.176.0821.0003] => C:\WINDOWS\system32\cmd.exe /q /c rmdir /s /q "C:\Users\Moooooniś\AppData\Local\Microsoft\OneDrive\22.176.0821.0003" (Brak pliku)
GroupPolicy: Ograniczenia - Edge <==== UWAGA
Policies: C:\ProgramData\NTUSER.pol: Ograniczenia <==== UWAGA
Task: {6F21A14F-E74D-4CE5-91F6-C19EE4E4A1FB} - System32\Tasks\{9282AF07-BB5B-49D7-AA72-6AEC522CB43A} => C:\Windows\system32\pcalua.exe -a C:\Users\LukeMike\Downloads\XboxInstaller.exe -d C:\Users\LukeMike\Downloads
2021-12-23 14:43 - 2021-12-23 14:43 - 000005222 _____ () C:\Users\LukeMike\AppData\Local\2636042875
2022-07-20 00:47 - 2022-09-21 20:08 - 000005190 _____ () C:\Users\LukeMike\AppData\Local\4096968421
2022-11-08 01:37 - 2022-11-08 01:37 - 000004670 _____ () C:\Users\LukeMike\AppData\Local\93759642671
EmptyEventLogs: 
EmptyTemp:
END::