Sysinspector.esil

[safety 8]

Dear colleagues,

is there a detailed description of the functions of the ESETSysinspector version for working with the new SysInspector.esil log format?

Were the functions of creating and executing a script to clean up the system preserved?

[Marcos 5,074]

ESI v2 doesn't support service scripts. It basically allows only collecting and viewing logs with advanced filtering options not present in ESI v1.

[safety 8]

Will a separate v2 utility be released to work with the esil format? Or v1 will continue to be updated and developed?

[Marcos 5,074]

ESIL logs can be opened with ESI2. No other tool to work with ESIL logs is planned.

[safety 8]

The first impression - is that it is unusual to work with the new version, but due to the speed of work and advanced search, it compares favorably with version 1.

. I would very much like the mechanism for creating a script in the new version to be revised and added in the future to work with the new format.

[safety 8]

ESI v1 will gradually go away, as more and more users switch to new versions of products, and then ESI v2 will become the main utility.

[safety 8]

Hi,

Question: Why are processes marked with state 6 if all loaded modules are clean and have state 1?

cmd.exe, 3180, COMP-BDA\Дмитрий, , Windows Command Processor, Microsoft Corporation, "C:\Windows\system32\cmd.exe"

dllhost.exe, 3492, COMP-BDA\Дмитрий, , COM Surrogate, Microsoft Corporation, "C:\Windows\system32\dllhost.exe"

SysInspector.esil.log

Edited August 4, 2022 by safety

[Marcos 5,074]

From the look of it I assume the log was generated during installation of a particular sofware and two dlls in the temp folder were already removed when ESI attempted to gather details about them. Try to generate another log when not installing software.

[safety 8]

 

You may be right, because the antivirus deletes the dll all the time

03.08.2022 16:21:50    Advanced memory scanner    file    Operating memory » C:\Users\Дмитрий\AppData\Local\Temp\28e86510.dll    a variant of Win32/Spy.Agent.QGW trojan    cleaned by deleting            E270A42E0B87887376DE25E48312CFF2571DB9A3   

But she is recovering.

08/03/2022 04:21:55 PM Advanced memory scanner file Operating memory » C:\Users\Dmitry\AppData\Local\Temp\28e86510.dll a variant of Win32/Spy.Agent.QGW trojan cleaned by deleting 5F66A0781CDCECDF6C65F348E189362EF587274F

Here, either the image of the executable file is being replaced, or threads are embedded in these processes.

The initiator here is, oddly enough, a clean file. I can send you the log

 

eis_logs.zip

[safety 8]

The problem is most likely related to this task:

c:\windows\system32\tasks\java

c:\users\Dmitry\appdata\roaming\java.exe /pj=9757386 /zgvlo=92 /nbw /mkj=13105, ,

I have quarantined files that I assume are related to running the task.

ZOO_2022-08-04_12-31-02.rar

[Marcos 5,074]

1 hour ago, safety said:

c:\users\Dmitry\appdata\roaming\java.exe /pj=9757386 /zgvlo=92 /nbw /mkj=13105, ,

It's a legitimate java.exe file, digitally signed and popular.

Please provide a Procmon boot log. After a reboot, stop logging after the threat has been detected. Then compress the log and provide it along with fresh ELC logs.

[safety 8]

Dear Marcos,

unfortunately, in this case, this is no longer possible. The system was cleared, the detection stopped. The launch chain of the malicious dll could not be understood.

Quote

It's a legitimate java.exe file, digitally signed and popular.

Microsoft Defender (MpCmdRun.exe) is also legitimate, but sometimes it loads malicious modules.

 

Edited August 5, 2022 by safety