powershell/psw.coinstealer.b


Solved by Marcos

I have the same problem as this person.
The other day, after I installed ESET, this popup kept appearing (;_;)

Please help me remove the cause.

eis_logs.zip


  • Administrators

Please provide me with the file C:\WINDOWS\System32\0y0ppope.gv3.

Move it to a separate folder, e.g. create c:\eset, move it there and reboot the machine. Do not delete the file until I confirm receipt.


I moved the specified file and then restarted my PC.
I no longer get the "Current access blocked" message.

Until then, every time I started up my PC
I would monitor the Task Manager.
PowerShell was starting by itself.
After moving the specified file, PowerShell does not run by itself.
I await your instructions on what to do next.


P.S.
Thank you very much for your help.
I would like to learn to find these things so that I can deal with them myself, but what did you see in the log file I gave you at the beginning that made you suspicious?
I would appreciate it if you could let me know.

Translated with www.DeepL.com/Translator (free version)


I have left the PC on for a few hours since then and there are no notifications, but it looks like there are about 8 PowerShells running in the background.
PowerShells seem to be running in the background.
Is this normal?


3 hours ago, mohu said:

PowerShells seem to be running in the background.

If you use Process Explorer, it should show the parent process these child PowerShell processes are running under. This should narrow down the source of the PowerShell process startups.


Here's another thread on this coin stealer: https://forum.eset.com/topic/32298-powershellpswcoinstealerb/ . In this instance, it was a Win scheduled task starting PowerShell. This would also explain the multiple PowerShell instances. The scheduled task keeps repeating until it successfully runs.


Thank you itman for your politeness.
I will look through that as well.
I am very happy that I bought eset!


  • Administrators

The script is now detected as @Trojan.PowerShell/Runner.AV. If you run a scan or access the script, it should be detected and cleaned.

Please also provide these files, if they exist. Move them to c:\eset like the previous ps1 file and reboot the machine.

C:\WINDOWS\System32\367D3749-2C54-4201-8143-349A5D20E5CC.ps1

C:\WINDOWS\System32\0B0C5764-0946-4C57-BB56-FDF5374B8F6D.ps1


Marcos, I have attached the two files you specified.

A total of 3 files have been isolated as indicated.

I will try to scan and restart my pc to try it out.
Waiting for your instructions on what to do next.

(2).zip


  • ESET Staff

@mohu

From looking at your logs, I can see 17 scheduled tasks which will start an assortment of wscript or powershell commands.

To quickly clean this up, and to gather samples of all parts of this (including the .ps1 files Marcos asked for) follow these instructions.
  1. Open cmd as admin (in the Windows search, type "CMD", then hold "CTRL + Shift" and tap "Enter" while holding those keys).
  2. Paste in the commands at the bottom of this post and press Enter (this will make copies of many files to a folder on your desktop named "findRegistryTaskCache").
     • To paste into the CMD window, simply right click into the window. This should paste them.
  3. After the commands complete execution (they should complete fairly quickly; ignore any errors), reboot as soon as possible.
  4. After reboot, locate the "findRegistryTaskCache" folder on your desktop, right click, send to zip, and attach it in a reply here.


Commands to copy:

MKDIR "%UserProfile%\Desktop\findRegistryTaskCache"

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{236BB709-E2AF-4247-9C7E-57914DEE2329}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_1_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{236BB709-E2AF-4247-9C7E-57914DEE2329}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\B717FB2E-1486-499A-AB34-9CFBE6036FED" "%UserProfile%\Desktop\findRegistryTaskCache\ID_1_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\B717FB2E-1486-499A-AB34-9CFBE6036FED" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\B717FB2E-1486-499A-AB34-9CFBE6036FED" "%UserProfile%\Desktop\findRegistryTaskCache\ID_1_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\B717FB2E-1486-499A-AB34-9CFBE6036FED" /f /q
copy /Y /B "C:\Windows\System32\rAQBc8Wsa1\06892F7F-5E7E-46F1-8BE6-EAFC65B2BFBD" "%UserProfile%\Desktop\findRegistryTaskCache\ID_1_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\VPfvJcrgRY\31510FF6-8D8E-4394-9A40-C44009BC2BFC.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_1_TASK_2022.11.11_07.18.41.4500_sys.Script"

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2EDCA282-2EB6-4AAA-952E-C56A9583A995}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_2_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2EDCA282-2EB6-4AAA-952E-C56A9583A995}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\F6280D7D-C236-4422-B339-22DA703CA116" "%UserProfile%\Desktop\findRegistryTaskCache\ID_2_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\F6280D7D-C236-4422-B339-22DA703CA116" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\F6280D7D-C236-4422-B339-22DA703CA116" "%UserProfile%\Desktop\findRegistryTaskCache\ID_2_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\F6280D7D-C236-4422-B339-22DA703CA116" /f /q
copy /Y /B "C:\Windows\System32\rAQBc8Wsa1\D4A3F8CD-4E7A-49AB-9064-1508D4EA5A6A" "%UserProfile%\Desktop\findRegistryTaskCache\ID_2_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\VPfvJcrgRY\65978E5F-8827-48F0-820A-8EB8709650AF.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_2_TASK_2022.11.11_07.18.41.4500_sys.Script"

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3F725CEF-48E1-4654-8D76-285E86CFE030}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_3_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3F725CEF-48E1-4654-8D76-285E86CFE030}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\ZngJ1z\2ADA3B78-80C2-4186-991B-6624EDB475FA" "%UserProfile%\Desktop\findRegistryTaskCache\ID_3_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\ZngJ1z\2ADA3B78-80C2-4186-991B-6624EDB475FA" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\ZngJ1z\2ADA3B78-80C2-4186-991B-6624EDB475FA" "%UserProfile%\Desktop\findRegistryTaskCache\ID_3_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\ZngJ1z\2ADA3B78-80C2-4186-991B-6624EDB475FA" /f /q
copy /Y /B "C:\Windows\System32\QJTZngJ\3D83AE2B-6318-4D11-BD2D-2E39A341CCC3" "%UserProfile%\Desktop\findRegistryTaskCache\ID_3_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\zzcSFeCHTT\4515CFF0-D014-44F2-BABD-8EA2C1F816CE.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_3_TASK_2022.11.11_07.18.41.4500_sys.Script"

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6AB6E1CC-84CE-4E81-9A00-873FB08D7DAA}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_4_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6AB6E1CC-84CE-4E81-9A00-873FB08D7DAA}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate\Scheduled StartjQgByaOl3" "%UserProfile%\Desktop\findRegistryTaskCache\ID_4_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate\Scheduled StartjQgByaOl3" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled StartjQgByaOl3" "%UserProfile%\Desktop\findRegistryTaskCache\ID_4_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\WindowsUpdate\Scheduled StartjQgByaOl3" /f /q
copy /Y /B "C:\WINDOWS\System32\367D3749-2C54-4201-8143-349A5D20E5CC.ps1" "%UserProfile%\Desktop\findRegistryTaskCache\ID_4_TASK_2022.11.11_07.18.41.4500_ps1.pwsh"

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7448EF08-93CA-48A1-83F0-96B6F59F99C8}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_5_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{7448EF08-93CA-48A1-83F0-96B6F59F99C8}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\R1hjrhU\34A198CE-4B75-4D02-AC4D-E5A7FF71E0E4" "%UserProfile%\Desktop\findRegistryTaskCache\ID_5_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\R1hjrhU\34A198CE-4B75-4D02-AC4D-E5A7FF71E0E4" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\R1hjrhU\34A198CE-4B75-4D02-AC4D-E5A7FF71E0E4" "%UserProfile%\Desktop\findRegistryTaskCache\ID_5_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\R1hjrhU\34A198CE-4B75-4D02-AC4D-E5A7FF71E0E4" /f /q
copy /Y /B "C:\Windows\System32\wpUR1hjr\80307A32-6C94-463A-9BFD-AC3DE71A2D78" "%UserProfile%\Desktop\findRegistryTaskCache\ID_5_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\USxC3zQm\7CBD8B3A-B1DB-4932-8A2C-4541F2D4E1A9.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_5_TASK_2022.11.11_07.18.41.4500_sys.Script"

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{83941100-FCF4-47DA-BEFE-0049AC97DE42}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_6_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{83941100-FCF4-47DA-BEFE-0049AC97DE42}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\C73681BE-B8AA-43D0-9F49-FE51DF358A49" "%UserProfile%\Desktop\findRegistryTaskCache\ID_6_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\C73681BE-B8AA-43D0-9F49-FE51DF358A49" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\C73681BE-B8AA-43D0-9F49-FE51DF358A49" "%UserProfile%\Desktop\findRegistryTaskCache\ID_6_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\C73681BE-B8AA-43D0-9F49-FE51DF358A49" /f /q
copy /Y /B "C:\Windows\System32\rAQBc8Wsa1\9DB814C8-0DF0-4C12-854E-EAFE3CFD9C7C" "%UserProfile%\Desktop\findRegistryTaskCache\ID_6_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\VPfvJcrgRY\1A62C9DE-33AF-4706-9D23-E134B115A644.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_6_TASK_2022.11.11_07.18.41.4500_sys.Script"

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{853E2F39-0932-4CA3-A794-C93850DEEE0E}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_7_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{853E2F39-0932-4CA3-A794-C93850DEEE0E}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Customer Experience Improvement Program\UsbCeiprGIAcA1h" "%UserProfile%\Desktop\findRegistryTaskCache\ID_7_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Customer Experience Improvement Program\UsbCeiprGIAcA1h" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\UsbCeiprGIAcA1h" "%UserProfile%\Desktop\findRegistryTaskCache\ID_7_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Customer Experience Improvement Program\UsbCeiprGIAcA1h" /f /q
copy /Y /B "C:\WINDOWS\System32\0B0C5764-0946-4C57-BB56-FDF5374B8F6D.ps1" "%UserProfile%\Desktop\findRegistryTaskCache\ID_7_TASK_2022.11.11_07.18.41.4500_ps1.pwsh"

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{97E480C4-D23C-4064-8EC6-4BC175CD54D1}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_8_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{97E480C4-D23C-4064-8EC6-4BC175CD54D1}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\26779417-AFA6-4DAE-AA1A-44AA0FD74A84" "%UserProfile%\Desktop\findRegistryTaskCache\ID_8_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\26779417-AFA6-4DAE-AA1A-44AA0FD74A84" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\26779417-AFA6-4DAE-AA1A-44AA0FD74A84" "%UserProfile%\Desktop\findRegistryTaskCache\ID_8_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\26779417-AFA6-4DAE-AA1A-44AA0FD74A84" /f /q
copy /Y /B "C:\Windows\System32\rAQBc8Wsa1\6DE19372-27A2-4E43-9C1A-65A9C832D499" "%UserProfile%\Desktop\findRegistryTaskCache\ID_8_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\VPfvJcrgRY\9EF6C255-3AC6-4342-9E31-12BDC6CF6897.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_8_TASK_2022.11.11_07.18.41.4500_sys.Script"

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9A6010F4-0C5D-4B57-978D-975F94E223F1}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_9_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{9A6010F4-0C5D-4B57-978D-975F94E223F1}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\49F2093E-007D-41BA-BEE9-01B95D44D16C" "%UserProfile%\Desktop\findRegistryTaskCache\ID_9_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\49F2093E-007D-41BA-BEE9-01B95D44D16C" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\49F2093E-007D-41BA-BEE9-01B95D44D16C" "%UserProfile%\Desktop\findRegistryTaskCache\ID_9_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\49F2093E-007D-41BA-BEE9-01B95D44D16C" /f /q
copy /Y /B "C:\Windows\System32\rAQBc8Wsa1\E35D66F9-22B6-49BE-8CB6-117714CE782A" "%UserProfile%\Desktop\findRegistryTaskCache\ID_9_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\VPfvJcrgRY\70742B98-5E81-4BFC-BF92-3C29CC0F0AA3.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_9_TASK_2022.11.11_07.18.41.4500_sys.Script"

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AE54911A-0034-4FC0-9029-D0429C8B87EF}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_10_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{AE54911A-0034-4FC0-9029-D0429C8B87EF}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Plug and Play\Sysprep Generalize Drivers RoNGUDy" "%UserProfile%\Desktop\findRegistryTaskCache\ID_10_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Plug and Play\Sysprep Generalize Drivers RoNGUDy" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Plug and Play\Sysprep Generalize Drivers RoNGUDy" "%UserProfile%\Desktop\findRegistryTaskCache\ID_10_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Plug and Play\Sysprep Generalize Drivers RoNGUDy" /f /q
copy /Y /B "C:\WINDOWS\System32\0y0ppope.gv3" "%UserProfile%\Desktop\findRegistryTaskCache\ID_10_TASK_2022.11.11_07.18.41.4500_gv3.pwsh"

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B83E53D6-349E-4E6B-8442-A8A595BC0A3C}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_11_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B83E53D6-349E-4E6B-8442-A8A595BC0A3C}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\ll5p0b\1DBA922B-EA59-4033-B613-AB25BAB3F5FB" "%UserProfile%\Desktop\findRegistryTaskCache\ID_11_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\ll5p0b\1DBA922B-EA59-4033-B613-AB25BAB3F5FB" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\ll5p0b\1DBA922B-EA59-4033-B613-AB25BAB3F5FB" "%UserProfile%\Desktop\findRegistryTaskCache\ID_11_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\ll5p0b\1DBA922B-EA59-4033-B613-AB25BAB3F5FB" /f /q
copy /Y /B "C:\Windows\System32\3pVll\71900321-1D34-44C1-911F-2BBA328E0C99" "%UserProfile%\Desktop\findRegistryTaskCache\ID_11_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\p0bTx07Y\219FA918-B3BA-4354-A48D-E82802A4AE4D.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_11_TASK_2022.11.11_07.18.41.4500_sys.Script"

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BA0BA5A1-E541-4F72-89F4-D81A46A737D3}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_12_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{BA0BA5A1-E541-4F72-89F4-D81A46A737D3}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\6B03865C-9D57-4514-8164-4A866CAFF3B1" "%UserProfile%\Desktop\findRegistryTaskCache\ID_12_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\zs2trQF69\6B03865C-9D57-4514-8164-4A866CAFF3B1" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\6B03865C-9D57-4514-8164-4A866CAFF3B1" "%UserProfile%\Desktop\findRegistryTaskCache\ID_12_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\zs2trQF69\6B03865C-9D57-4514-8164-4A866CAFF3B1" /f /q
copy /Y /B "C:\Windows\System32\rAQBc8Wsa1\E184E7F9-EAD9-4967-9A4B-C93407F62B41" "%UserProfile%\Desktop\findRegistryTaskCache\ID_12_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\VPfvJcrgRY\D8DEA230-186E-47C9-A8B6-07A816746A19.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_12_TASK_2022.11.11_07.18.41.4500_sys.Script"

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CDFB972E-DCC2-49AB-A72A-9EA8C0794823}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_13_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{CDFB972E-DCC2-49AB-A72A-9EA8C0794823}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\sszCx\568614B6-D4F7-4CD5-B465-A09FD7BBFA1B" "%UserProfile%\Desktop\findRegistryTaskCache\ID_13_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\sszCx\568614B6-D4F7-4CD5-B465-A09FD7BBFA1B" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\sszCx\568614B6-D4F7-4CD5-B465-A09FD7BBFA1B" "%UserProfile%\Desktop\findRegistryTaskCache\ID_13_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\sszCx\568614B6-D4F7-4CD5-B465-A09FD7BBFA1B" /f /q
copy /Y /B "C:\Windows\System32\aHSss\43A5FAE3-33E7-4982-8684-B8065FCFA006" "%UserProfile%\Desktop\findRegistryTaskCache\ID_13_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\Cxu3rz\08DF9DFB-F4A3-47FE-992F-8287FCF6BDAF.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_13_TASK_2022.11.11_07.18.41.4500_sys.Script"

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D8464CE5-A81C-4140-9B9B-59B939988C24}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_14_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{D8464CE5-A81C-4140-9B9B-59B939988C24}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\FHquEokFN6\AEA353D3-B46C-43D7-880E-40B48A9CAA43" "%UserProfile%\Desktop\findRegistryTaskCache\ID_14_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\FHquEokFN6\AEA353D3-B46C-43D7-880E-40B48A9CAA43" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\FHquEokFN6\AEA353D3-B46C-43D7-880E-40B48A9CAA43" "%UserProfile%\Desktop\findRegistryTaskCache\ID_14_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\FHquEokFN6\AEA353D3-B46C-43D7-880E-40B48A9CAA43" /f /q
copy /Y /B "C:\Windows\System32\RGxFHquE\921B6482-0991-4094-9EB7-ADE85548C4E3" "%UserProfile%\Desktop\findRegistryTaskCache\ID_14_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\kFN64\6A082BD8-7372-4A26-B6CA-2347EDACF01F.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_14_TASK_2022.11.11_07.18.41.4500_sys.Script"

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E1B38B8D-AF08-45D0-A77F-1DAA99606315}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_15_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E1B38B8D-AF08-45D0-A77F-1DAA99606315}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\O5kUNFdpt6\96D6023F-A7C8-4CDB-85D6-8B3E0DCAE1BD" "%UserProfile%\Desktop\findRegistryTaskCache\ID_15_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\O5kUNFdpt6\96D6023F-A7C8-4CDB-85D6-8B3E0DCAE1BD" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\O5kUNFdpt6\96D6023F-A7C8-4CDB-85D6-8B3E0DCAE1BD" "%UserProfile%\Desktop\findRegistryTaskCache\ID_15_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\O5kUNFdpt6\96D6023F-A7C8-4CDB-85D6-8B3E0DCAE1BD" /f /q
copy /Y /B "C:\Windows\System32\ax7O5kUNFd\60160BA7-3B5C-4B57-A5DF-E1F69A7B7685" "%UserProfile%\Desktop\findRegistryTaskCache\ID_15_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\t6vhpw\E2B41A56-2C45-458E-957A-B86F057CAF95.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_15_TASK_2022.11.11_07.18.41.4500_sys.Script"

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EA281A96-9880-404A-B496-988804DC23EB}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_16_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EA281A96-9880-404A-B496-988804DC23EB}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\9fksTdrJh\A7B9F301-80AE-4323-BD41-540D693A9615" "%UserProfile%\Desktop\findRegistryTaskCache\ID_16_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\9fksTdrJh\A7B9F301-80AE-4323-BD41-540D693A9615" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\9fksTdrJh\A7B9F301-80AE-4323-BD41-540D693A9615" "%UserProfile%\Desktop\findRegistryTaskCache\ID_16_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\9fksTdrJh\A7B9F301-80AE-4323-BD41-540D693A9615" /f /q
copy /Y /B "C:\Windows\System32\6iE9f\54418D46-F18D-437C-9E28-C5D08A24C95D" "%UserProfile%\Desktop\findRegistryTaskCache\ID_16_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\sTdrJhGqL\3673DF21-9DB2-4277-A18F-8D8AFE4FD671.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_16_TASK_2022.11.11_07.18.41.4500_sys.Script"

REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F42C9D05-58DA-4AD7-8CC6-14C6EC247CD4}" "%UserProfile%\Desktop\findRegistryTaskCache\ID_17_TASK_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F42C9D05-58DA-4AD7-8CC6-14C6EC247CD4}" /f
REG EXPORT "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\d0LVX\E35939A6-6C63-4F8A-8621-0106AE97D8CD" "%UserProfile%\Desktop\findRegistryTaskCache\ID_17_TREE_2022.11.11_07.18.41.4500.reg"
REG DELETE "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Management\Provisioning\d0LVX\E35939A6-6C63-4F8A-8621-0106AE97D8CD" /f
copy /Y /B "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\d0LVX\E35939A6-6C63-4F8A-8621-0106AE97D8CD" "%UserProfile%\Desktop\findRegistryTaskCache\ID_17_TASK_2022.11.11_07.18.41.4500.file"
DEL "C:\Windows\System32\Tasks\Microsoft\Windows\Management\Provisioning\d0LVX\E35939A6-6C63-4F8A-8621-0106AE97D8CD" /f /q
copy /Y /B "C:\Windows\System32\fP2d0LVXW\0D819F39-E78C-400C-B916-D26D34F7D0B5" "%UserProfile%\Desktop\findRegistryTaskCache\ID_17_TASK_2022.11.11_07.18.41.4500_exe.pwsh"
copy /Y /B "C:\Windows\System32\drivers\uhNaua8twc\82655E2E-718D-49A1-AF54-4256D82E5096.sys" "%UserProfile%\Desktop\findRegistryTaskCache\ID_17_TASK_2022.11.11_07.18.41.4500_sys.Script"

 

Edited by JamesR
Corrected order of some commands

  • Administrators

Please delete also
HKLM\SOFTWARE\Act-3DcN5Ol
HKLM\SOFTWARE\MalwarebytesPhOUKMm
and reboot the machine.


Mr. Marcos.
I deleted the specified file and completed the reboot.
I will wait for the next instructions.
I really appreciate your quick response.


2 hours ago, JamesR said:

I can see 17 scheduled tasks which will start an assortment of wscript or powershell commands.

This just might set the record for malicious scheduled tasks.

Also, with so many suspected drivers installed, would not a reformat and reinstall be advisable?


  • Administrators

Please run a full registry scan via the on-demand scanner; we've added some detections in the meantime. Afterwards reboot the machine and collect fresh logs.


Mr. itman.
We would like to reinstall the OS as a last resort (;_;)
Sorry.

Mr. Marcos
I would appreciate it if you could tell me the procedure for the on-demand scanner.


  • ESET Staff

@itman

7 minutes ago, itman said:

Also, with so many suspected drivers installed, would not a reformat and reinstall be advisable?

They were not drivers. They were text files containing PowerShell scripting and saved as .sys files. Just a simple technique to try and hide on a system. I always advise against relying on a file name and/or file path to decide what a file contains or is.

In this case, the malware is reading the contents of the .sys files and converting them to UTF8 to get PowerShell code to execute. Here is a snippet of the command being executed to read from the file, prior to executing the contents.
(attached screenshot: image.png)

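An added triage script, not ESET's or JamesR's own tooling, that does on a live machine what JamesR did from the logs in his two posts above: it lists scheduled tasks whose action launches PowerShell or wscript/cscript, maps each one to the TaskCache Tree and Tasks\{GUID} registry keys that the REG EXPORT/DELETE lines operate on, and flags any referenced .sys file that is text rather than a PE image, the disguise he describes. It assumes Windows 8/Server 2012 or later (for Get-ScheduledTask) and an elevated prompt; the registry layout and the "MZ" check are standard Windows facts, everything else is labelled in the comments.

```powershell
# Added triage script for this thread's scenario; it is not ESET's tooling.
# It lists scheduled tasks whose action launches PowerShell or Windows Script Host,
# resolves the files those actions reference, and flags any ".sys" among them that
# is not a PE image (no "MZ" header), i.e. a script hiding under a driver name.
# Assumes Windows 8/Server 2012 or later (ScheduledTasks module) and an elevated
# prompt. It only reads and changes nothing, so it is safe to run before cleanup.

$scriptHosts = 'powershell.exe', 'powershell', 'pwsh.exe', 'wscript.exe', 'cscript.exe'
$treeRoot    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$tasksRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

function Test-IsPeFile {
    param([string]$Path)
    # Every real driver is a PE image and starts with the DOS header magic "MZ" (0x4D 0x5A).
    try { $bytes = [System.IO.File]::ReadAllBytes($Path) } catch { return $false }
    return ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
}

function Get-TextPreview {
    param([string]$Path, [int]$Length = 80)
    # Decode the first bytes as UTF-8, the same way the thread says the loader reads
    # its .sys files: binary noise for a real driver, readable script for these files.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -eq 0) { return '' }
    $last = [Math]::Min($Length, $bytes.Length) - 1
    return ([System.Text.Encoding]::UTF8.GetString($bytes[0..$last]) -replace '\s+', ' ')
}

function Get-ReferencedPaths {
    param([string]$CommandLine)
    # Pull absolute Windows paths out of the task's Execute + Arguments string.
    [regex]::Matches($CommandLine, '[A-Za-z]:\\[^"''\s]+') |
        ForEach-Object { $_.Value } | Select-Object -Unique
}

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # ComHandler actions have no Execute property; they fall through as ''.
        $exe = [System.IO.Path]::GetFileName(("$($action.Execute)" -replace '"', ''))
        if ($scriptHosts -notcontains $exe.ToLower()) { continue }

        # Expand %SystemRoot% and friends so the referenced files can be opened.
        $cmdLine = [Environment]::ExpandEnvironmentVariables("$($action.Execute) $($action.Arguments)")
        $files   = @(Get-ReferencedPaths $cmdLine | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })
        $fakeSys = @($files | Where-Object { $_ -like '*.sys' -and -not (Test-IsPeFile $_) })

        # The task's Tree key (named after its path) holds an "Id" value naming the
        # Tasks\{GUID} key; these are the two keys the REG lines in the thread touch.
        $treeKey  = "$treeRoot$($task.TaskPath)$($task.TaskName)"
        $taskId   = (Get-ItemProperty -LiteralPath $treeKey -ErrorAction SilentlyContinue).Id
        $tasksKey = if ($taskId) { "$tasksRoot\$taskId" } else { '(Tree key or Id value not found)' }

        [pscustomobject]@{
            Task            = "$($task.TaskPath)$($task.TaskName)"
            ScriptHost      = $exe
            CommandLine     = $cmdLine
            ReferencedFiles = $files -join '; '
            NonPeSysFiles   = $fakeSys -join '; '
            SysPreview      = ($fakeSys | ForEach-Object { Get-TextPreview $_ }) -join ' | '
            TreeKey         = $treeKey
            TasksKey        = $tasksKey
        }
    }
}

if ($findings) { $findings | Format-List } else { 'No scheduled task launches a script host.' }
```

Legitimate Windows tasks also launch PowerShell, so treat a hit as a lead to check (random-looking folder names under System32, non-PE .sys files, tasks under names like "Provisioning" that Windows did not create), not as proof on its own.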

  • ESET Staff

"What you should do next" comes down to:

  • Are you still seeing new detected threats by ESET?
  • Are you still seeing PowerShell processes start?

If the answer is "No" to both of the above, you are all cleaned up, and I would recommend re-running scans for the next few days...just to ensure your computer stays clean.

 

If the answer is "Yes" to any of the above, we will need a fresh set of logs to see how behavior has changed.
