corsec
Posted December 8, 2021

Hi,

as mentioned here I have the same problem.

I tried to find the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{28CBB79C-CAFE-44EB-8276-8D73BF358244} but I didn't find it.

Is it possible that I should find it under another key?

Thanks in advance
Claudia

Marcos (Administrators)
Posted December 8, 2021

Please provide logs collected with ESET Log Collector using the "Threat detection" template.

corsec (Author)
Posted December 8, 2021

emsx_logs.zip

itman
Posted December 8, 2021 (edited)

5 hours ago, corsec said:
> I tried to find the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{28CBB79C-CAFE-44EB-8276-8D73BF358244} but I didn't find it.
>
> Is it possible that I should find it under another key?

This current infection appears to be WMI based. Most likely a malicious consumer event entry.

SysInternals Autoruns: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns might or might not show the malicious WMI event entry.

Edited December 8, 2021 by itman

corsec (Author)
Posted December 9, 2021

Hi, thanks, but Sysinternals Autoruns doesn't show anything in the WMI section.

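Since Autoruns may not list every WMI event entry, the subscriptions can also be read directly from the WMI repository. The following is an added example, not code from any poster in this thread or from ESET; it only reads data, and the choice of the two namespaces is an assumption.

```powershell
# Added example: read-only listing of permanent WMI event subscriptions.
# Run in an elevated PowerShell session on the affected machine.
# Assumption: root\subscription and root\default are the namespaces checked here;
# extend $namespaces if subscriptions may be registered elsewhere.
$namespaces = 'root\subscription', 'root\default'

$report = foreach ($ns in $namespaces) {
    $opts = @{ Namespace = $ns; ErrorAction = 'SilentlyContinue' }
    $filters   = @(Get-CimInstance @opts -ClassName __EventFilter)
    $consumers = @(Get-CimInstance @opts -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance @opts -ClassName __FilterToConsumerBinding)

    # A binding is what makes a subscription active: it links one filter
    # (the trigger query) to one consumer (the action that runs).
    foreach ($b in $bindings) {
        $consumerClass = $b.Consumer.CimSystemProperties.ClassName
        $f = $filters | Where-Object { $_.Name -eq $b.Filter.Name } |
            Select-Object -First 1
        $c = $consumers | Where-Object {
            $_.Name -eq $b.Consumer.Name -and
            $_.CimSystemProperties.ClassName -eq $consumerClass
        } | Select-Object -First 1

        [pscustomobject]@{
            Namespace     = $ns
            FilterName    = $b.Filter.Name
            FilterQuery   = $f.Query
            ConsumerClass = $consumerClass
            ConsumerName  = $b.Consumer.Name
            # Populated for CommandLineEventConsumer: what gets executed.
            Command       = $c.CommandLineTemplate
            Executable    = $c.ExecutablePath
            # Populated for ActiveScriptEventConsumer: script file or inline script.
            ScriptFile    = $c.ScriptFileName
            ScriptText    = $c.ScriptText
        }
    }
}

$report | Format-List
```

A default Windows installation normally shows one benign entry, "SCM Event Log Filter" bound to "SCM Event Log Consumer"; any CommandLineEventConsumer or ActiveScriptEventConsumer beyond that deserves a close look at its Command and ScriptText values.
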