�� esetnod32.ru [��: �� uVS, Carberp, �� ]

�� uVS, Carberp, ��

Sat, 11 Nov 2023 06:15:32 +0300

�� uVS, Carberp, ��  � �� .

====quote====
RP55 RP55 ��:
�� : �� ? �� ... �, ��
=============
��, ��
11.11.2023 06:15:32, santy.

�� uVS, Carberp, ��

Thu, 09 Nov 2023 17:51:27 +0300

�� uVS, Carberp, ��  � �� .

====quote====
santy ��:
HJ �� :
=============

��... �� . :)
cyberforum.ru/viruses/thread3138827.html

�� "��" �� ...

O22 - Tasks: BNVT - C:\Users\Computer\AppData\Local\Programs\Python\Python36-32\pythonw.exe C:\Users\Computer\AppData\Local\KEIYY\WJKVQ.py YdzXkne (sign: 'Python Software Foundation')

�� : �� ? �� ... �, �� ;)
09.11.2023 17:51:27, RP55 RP55.

�� uVS, Carberp, ��

Thu, 09 Nov 2023 14:52:30 +0300

�� uVS, Carberp, ��  � �� .

====quote====
RP55 RP55 ��:
Task: {28A5D6E2-3727-427F-BC4E-197B719C56E1} - System32\Tasks\idsTYKIuEeScJ2 => C:\WINDOWS\system32\forfiles.exe [52224 2019-12-07] (Microsoft Windows -> Microsoft Corporation) -> /p C:\WINDOWS\system32 /m wscript.exe /c "cmd /C @FNAME ^"C:\ProgramData\KpUghsKSmazBhIVB\xKdWkBL.wsf^""
=============

HJ �� :
O22 - Tasks: idsTYKIuEeScJ2 - C:\WINDOWS\system32\forfiles.exe /p C:\WINDOWS\system32 /m wscript.exe /c "cmd /C @FNAME ^"C:\ProgramData\KpUghsKSmazBhIVB\xKdWkBL.wsf^"" (sign: 'Microsoft')
�� .
09.11.2023 14:52:30, santy.

�� uVS, Carberp, ��

Wed, 08 Nov 2023 13:55:50 +0300

�� uVS, Carberp, ��  � �� .
�� :)
� �� .
cyberforum.ru/viruses/thread3138376.html

Task: {28A5D6E2-3727-427F-BC4E-197B719C56E1} - System32\Tasks\idsTYKIuEeScJ2 => C:\WINDOWS\system32\forfiles.exe [52224 2019-12-07] (Microsoft Windows -> Microsoft Corporation) -> /p C:\WINDOWS\system32 /m wscript.exe /c "cmd /C @FNAME ^"C:\ProgramData\KpUghsKSmazBhIVB\xKdWkBL.wsf^""

Task: {36503BAA-F523-477A-B7F7-235DB89E9CDC} - System32\Tasks\JpMmcIagcMrZpWo2 => C:\WINDOWS\system32\rundll32.exe [71680 2023-10-13] (Microsoft Windows -> Microsoft Corporation) -> "C:\Program Files (x86)\EOMtMqbsU\zYbGfY.dll",#1 <==== ��

Task: {B8030E0F-2A57-4AC8-9777-D0F79BEFD6CA} - System32\Tasks\LgbpwhkWwbNUgYnUN2 => C:\WINDOWS\system32\rundll32.exe [71680 2023-10-13] (Microsoft Windows -> Microsoft Corporation) -> "C:\Program Files (x86)\MlhNYgvbxCfaQqDDSLR\yrxBvjn.dll",#1 <==== ��

Task: {2E35A15A-A915-4138-927C-B12D86067109} - System32\Tasks\lkpLByDsYAZndVnHh2 => C:\WINDOWS\system32\rundll32.exe [71680 2023-10-13] (Microsoft Windows -> Microsoft Corporation) -> "C:\Program Files (x86)\osvzUzzULckpsZKDjNR\vtfEPHc.dll",#1 <==== ��

Task: {766772D7-FA5A-4CAB-83AB-15C85659E4AF} - System32\Tasks\vzpaFkmsyDMLNV => C:\WINDOWS\system32\rundll32.exe [71680 2023-10-13] (Microsoft Windows -> Microsoft Corporation) -> "C:\Program Files (x86)\DTTEryjdJQWU2\DvxjyCdGyIWab.dll",#1 <==== ��

Task: {C2EABD27-9011-4CFC-9AA5-7F4D56E56A0C} - System32\Tasks\wCLjlCDDptIPuqAiJNn2 => C:\WINDOWS\system32\rundll32.exe [71680 2023-10-13] (Microsoft Windows -> Microsoft Corporation) -> "C:\Program Files (x86)\VJFuhfjcXBtpC\AUdaytf.dll",#1 <==== ��

Task: {7B46A91B-FF15-4046-9339-22A88C8F0BCB} - System32\Tasks\xoqaKKiQlDbilCe => C:\WINDOWS\system32\rundll32.exe [71680 2023-10-13] (Microsoft Windows -> Microsoft Corporation) -> "C:\Program Files (x86)\cdsQlFJCU\lbqapi.dll",#1 <==== ��

Task: {26E3CB66-C447-46C2-9DD7-FE13EAE7ABD4} - System32\Tasks\YwJpGkkqmEHgH2 => C:\WINDOWS\system32\forfiles.exe [52224 2019-12-07] (Microsoft Windows -> Microsoft Corporation) -> /p C:\WINDOWS\system32 /m wscript.exe /c "cmd /C @FNAME ^"C:\ProgramData\RiOIlCLDtCdFBbVB\HVYwbuB.wsf^""

Task: {783D9AE4-5670-4045-BE79-AABFE24275BE} - System32\Tasks\zOYapUfeYLvVw2 => C:\WINDOWS\system32\forfiles.exe [52224 2019-12-07] (Microsoft Windows -> Microsoft Corporation) -> /p C:\WINDOWS\system32 /m wscript.exe /c "cmd /C @FNAME ^"C:\ProgramData\ujhWabTdVbexiIVB\nQRsNbJ.wsf^""

Task: {30B5511C-F4AC-46E5-B07E-D6BA7CF9C00C} - System32\Tasks\ZSJMphjpRdLNJLj2 => C:\WINDOWS\system32\rundll32.exe [71680 2023-10-13] (Microsoft Windows -> Microsoft Corporation) -> "C:\Program Files (x86)\bLTyexJvU\vjCGIa.dll",#1 <==== ��
08.11.2023 13:55:50, RP55 RP55.

�� uVS, Carberp, ��

Tue, 10 Oct 2023 16:01:21 +0300

�� uVS, Carberp, ��  � �� .
FRST �� FRST64.exe

====quote====
HKU\S-1-5-21-3788994120-2036808167-1479317438-1001\...\Policies\Explorer\DisallowRun: [16] FRST64.exe => ��
=============

10.10.2023 16:01:21, santy.

�� uVS, Carberp, ��

Sat, 23 Sep 2023 05:57:26 +0300

�� uVS, Carberp, ��  � �� .
� �� .
�� , �� . (�� Microsofthost.exe)
��, ��, �� Google Chrome.
�� , ��

C:\PROGRAM FILES\GOOGLE\CHROME\UPDATER.EXE

https://www.virustotal.com/gui/file/6e9b3d4db604e79c053e69230ba3fe2981a045796566f729c5dd782322d8ff2b/behavior

====quote====
�� C:\PROGRAM FILES\GOOGLE\CHROME\UPDATER.EXE
�� UPDATER.EXE
��. ��

��
�� Win64/GenKryptik.GIIA (delall) [�� 64(64), ��. �� 8, �� 64] 2023-08-28

��
��
File_Id 647305189F0000
Linker 2.38
�� 10381312 ��
�� 04.06.2023 � 12:10:53
�� 16.06.2023 � 18:07:21

TimeStamp 28.05.2023 � 07:39:04
EntryPoint +
OS Version 0.0
Subsystem Windows graphical user interface (GUI) subsystem
IMAGE_FILE_DLL -
IMAGE_FILE_EXECUTABLE_IMAGE +
�� 64-� ��
��. ��

�� 70,0,3538,110
�� Google Chrome
�� Google Inc.

��. ��
SHA1 F646E84DC91A32D2C06CC36E6FC7DF1F6C3D0D87
MD5 CBF41D5AA487E94FE7F1DBF6C1AE2ABB

��
�� C:\WINDOWS\SYSTEM32\TASKS\GOOGLEUPDATETASKMACHINEQC
Task \GoogleUpdateTaskMachineQC

�� HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{88932E95-EB12-423E-8FEB-B562CDB83B62}\Actions
Actions "C:\Program Files\Google\Chrome\updater.exe"
�� 04.06.2023 � 12:10:53
�� 28.08.2023 � 11:14:07
�� 0x0

�� HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{88932E95-EB12-423E-8FEB-B562CDB83B62}\

=============

� �� HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node �� , � �� , �� .

[FILE ID=127894]

23.09.2023 05:57:26, santy.

�� uVS, Carberp, ��

Fri, 08 Sep 2023 04:20:20 +0300

�� uVS, Carberp, ��  � �� .

====quote====
RP55 RP55 ��:
Malwarebytes Free

�� .�. �� . ( �� VPN \ Tor )
=============
�� . �� , �� .
08.09.2023 04:20:20, santy.

�� uVS, Carberp, ��

Fri, 08 Sep 2023 00:07:01 +0300

�� uVS, Carberp, ��  � �� .
Malwarebytes Free

�� .�. �� . ( �� VPN \ Tor )
08.09.2023 00:07:01, RP55 RP55.

�� uVS, Carberp, ��

Sun, 23 Jul 2023 20:44:16 +0300

�� uVS, Carberp, ��  � �� .
�� .

� �.�.

https://habr.com/ru/companies/rvision/articles/
23.07.2023 20:44:16, RP55 RP55.

�� uVS, Carberp, ��

Thu, 15 Jun 2023 00:04:16 +0300

�� uVS, Carberp, ��  � �� .
�� : � �� Windows �� , �� EFI-��

�� -�� Windows 10, �� -��. �� Trojan.Clipper.231, �� , �� .

https://news.drweb.ru/show/?lng=ru&i=14712

�� Windows 10 � �� , �� EFI (Extensible Firmware Interface), �� .

https://www.bleepingcomputer.com/news/security/pirated-windows-10-isos-install-clipper-malware-via-efi-partitions/

-----------------

====quote====
�� C:\WINDOWS\INSTALLER\ISCSICLI.EXE
�� ISCSICLI.EXE
��. ��

��
�� Trojan.MulDrop22.7578 [DrWeb] (delall) [�� 64(64), ��. �� 8, �� 64] 2023-06-14

��
��
File_Id 6408C4D3D000
Linker 14.32
�� 91880 ��
�� 15.03.2023 � 15:46:56
�� 08.03.2023 � 20:34:04

TimeStamp 08.03.2023 � 17:24:35
EntryPoint +
OS Version 0.0
Subsystem Windows graphical user interface (GUI) subsystem
IMAGE_FILE_DLL -
IMAGE_FILE_EXECUTABLE_IMAGE +
�� 64-� ��
��. �� , ��
�� Microsoft Windows

�� iscsicli.exe
�� 10.0.19041.1766 (WinBuild.160101.0800)
�� 10.0.19041.1766
�� iSCSI Discovery tool
�� Microsoft� Windows� Operating System
Copyright � Microsoft Corporation. All rights reserved.
�� Microsoft Corporation

��
�� (�� /��)

��. ��
pid = 5644 DESKTOP-***\****
�� 15:11:01 [2023.05.24]
�� 15:11:07 [2023.05.24]
CmdLine "C:\Windows\Installer\iscsicli.exe"
parentid = 1348 C:\WINDOWS\SYSTEM32\SVCHOST.EXE
SHA1 32C7B6629FABE6254431A558B57D30CD2F2D43D7
MD5 BFEC28E480DFC2814A2C762D0ADEE018

��
�� C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\License Manager\LICENSE VALIDATION
Task \Microsoft\Windows\License Manager\License Validation

�� HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3CD413B8-9C9D-40A2-84D3-E5527D58F091}\Actions
Actions "%SystemDrive%\Windows\Installer\iscsicli.exe"
�� 15.03.2023 � 15:30:18
�� 24.05.2023 � 15:11:01
�� 0x1

�� HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{3CD413B8-9C9D-40A2-84D3-E5527D58F091}\

=============

====quote====
�� \DEVICE\HARDDISKVOLUME3\EFI\MICROSOFT\BOOT\KD_08_5E78.DLL
�� KD_08_5E78.DLL
��. �� ?��? �� DLL

��
EFI_DETECT ( ~ \EFI\MICROSOFT\BOOT)(1) [auto (0)]

��
�� DLL

��
�� C:\WINDOWS\SYSTEM32\LSAISO.EXE [7792]

=============

====quote====
�� \DEVICE\HARDDISKVOLUME3\EFI\MICROSOFT\BOOT\RECOVERY.EXE
�� RECOVERY.EXE
��. �� ?��? �� [�� ]

��
EFI_DETECT ( ~ \EFI\MICROSOFT\BOOT)(1) [auto (0)]

��
�� [�� ]

��. ��
pid = 7488 DESKTOP-****\***
�� 15:11:05 [2023.05.24]
�� 15:11:06 [2023.05.24]
CmdLine M:\EFI\Microsoft\Boot\recovery.exe
parentid = 6424 C:\WINDOWS\SYSTEM32\CMD.EXE

=============

15.06.2023 00:04:16, santy.

�� uVS, Carberp, ��

Fri, 14 Apr 2023 15:20:13 +0300

�� uVS, Carberp, ��  � �� .
�� CVE-2022-21894 BlackLotus campaign

https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/
14.04.2023 15:20:13, RP55 RP55.

�� uVS, Carberp, ��

Wed, 12 Apr 2023 04:32:22 +0300

�� uVS, Carberp, ��  � �� .
�� Chrome

�� Chrome

�� -�� JavaScript, �� , �� . �� , �� .

�� Pinata IPFS (InterPlanetary File System), �� , �� , �� .

�� , �� Google Chrome, � �� , �� , �� .

�� Chrome. ��, �� , � �� Chrome.

�� ZIP-�� release.zip�, �� Chrome, �� .

�� ZIP-�� Monero, �� .

�� C:\Program Files\Google\Chrome �� updater.exe�, � �� .

�� VirusTotal, �� BYOVD� (�� ) �� WinRing0x64.sys �� SYSTEM �� .

�� , �� , �� Windows.

�� , �� Windows � �� , �� IP-�� HOSTS. �� .

�� xmr.2miners[.]com � �� Monero (XMR).

�� -�� , NTT ��, �� , �� , �� .

�� , �� , � �� , �� .

https://www.bleepingcomputer.com/news/security/hacked-sites-caught-spreading-malware-via-fake-chrome-updates/
-----------------
https://www.virustotal.com/gui/file/2afdcf74d9dbc5575de919e8d041fc06c15044da0844fe9326b8f1b4bedad291/behavior
https://www.virustotal.com/gui/file/cb1a228b5f9001dd9acf4fc1296c3f60b9014ae487df12bc8bb2fbc639a72290/behavior

-------------

====quote====
�� C:\PROGRAM FILES\GOOGLE\CHROME\UPDATER.EXE
�� UPDATER.EXE
��. �� ?��? ��

��
�� Win64/Kryptik.DQA (delall) [�� 64(64), ��. �� 8, �� 64] 2023-04-05

www.virustotal.com 2023-03-10 23:29 [2023-02-09]
K7AntiVirus Trojan ( 0059bdd61 )
Symantec ML.Attribute.HighConfidence
ESET-NOD32 a variant of Win64/Kryptik.DQA
Kaspersky Trojan.Win32.Agent.xatoxm
BitDefender Trojan.GenericKD.65483364
Avast Win64:Evo-gen [Trj]
DrWeb Trojan.Siggen19.45027
Emsisoft Trojan.GenericKD.65483364 (B)
Microsoft Trojan:Win64/CoinMiner.DC!MTB

��
��
File_Id 63DD6E43398000
Linker 2.38
�� 3738624 ��
�� 03.03.2023 � 05:43:17
�� 03.03.2023 � 05:43:18

TimeStamp 03.02.2023 � 20:27:47
EntryPoint +
OS Version 0.0
Subsystem Windows graphical user interface (GUI) subsystem
IMAGE_FILE_DLL -
IMAGE_FILE_EXECUTABLE_IMAGE +
�� 64-� ��
��. ��

��. ��
SHA1 0BBD1560602ACA4210660580C00B36B3726B0F63
MD5 FB6F76B4F93ACC6FCD026EB66652E939

��
�� C:\WINDOWS\SYSTEM32\TASKS\GOOGLEUPDATETASKMACHINEQC
Task \GoogleUpdateTaskMachineQC

�� HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1BA1EBB6-9C3B-4FF1-9B4A-9889539EB664}\Actions
Actions "C:\Program Files\Google\Chrome\updater.exe"
�� 26.02.2023 � 22:34:55
�� 24.03.2023 � 12:04:26
�� 0x0

�� HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Boot\{1BA1EBB6-9C3B-4FF1-9B4A-9889539EB664}\

=============
--------------
[FILE ID=126495]

+
false proxy
��://34.80.59.191/WIN.PAC

12.04.2023 04:32:22, santy.

�� uVS, Carberp, ��

Fri, 17 Mar 2023 06:06:22 +0300

�� uVS, Carberp, ��  � �� .

====quote====
RP55 RP55 ��:
bFixedName = 1; �� uVS � �� , �� .

��: RP55 RP55 - 14.03.2023 13:04:23
=============
�� , �� bFixedName=0
�� :
�� :
7B666291C6ABD8C367FF250DF205BBF08830CDE3
� �� :
Win32/UniversalVirusSniffer.A
17.03.2023 06:06:22, santy.

�� uVS, Carberp, ��

Tue, 14 Mar 2023 13:02:47 +0300

�� uVS, Carberp, ��  � �� .
�� - �� :

bFixedName = 1
; �� uVS � �� , �� .
14.03.2023 13:02:47, RP55 RP55.

�� uVS, Carberp, ��

Tue, 14 Mar 2023 02:40:36 +0300

�� uVS, Carberp, ��  � �� .
�� "�� " �� , �� start.exe �� Suspicious Object
�� 7B666291C6ABD8C367FF250DF205BBF08830CDE3 � �� .
14.03.2023 02:40:36, santy.

�� uVS, Carberp, ��

Mon, 13 Mar 2023 16:42:45 +0300

�� uVS, Carberp, ��  � �� .

====quote====
santy ��:
ESET �� uVS
=============

� �� ?
�� ...
�� -�� \��. ( ;Suspicious Object )
----
�� SHA1 ( �� V.T ) �� ESET �� :

https://www.virustotal.com/gui/file/544d3f6d678b5f2a9c51fe43df6d58e18104f97009fdf659c79cb6fbc3077448?nocache=1
13.03.2023 16:42:45, RP55 RP55.

�� uVS, Carberp, ��

Mon, 13 Mar 2023 14:14:15 +0300

�� uVS, Carberp, ��  � �� .
ESET �� uVS
��;�� ;�� ;��;��;��;��;��;��;��
13.03.2023 21:10:31;�� ;��;E:\soft\avirus\Universal Virus Sniffer latest\ayedge;Suspicious Object;�� (�� );NT AUTHORITY\��;�� : C:\Windows\System32\SearchProtocolHost.exe (D7F955DF3682F3C9F51F4CE16B4DA8E77EC1C198).;7B666291C6ABD8C367FF250DF205BBF08830CDE3;05.01.2023 12:20:12
13.03.2023 14:14:15, santy.

�� uVS, Carberp, ��

Mon, 12 Dec 2022 16:33:38 +0300

�� uVS, Carberp, ��  � �� .
�� Windows
��, �� -�� . :)
12.12.2022 16:33:38, RP55 RP55.

�� uVS, Carberp, ��

Sun, 25 Sep 2022 11:23:46 +0300

�� uVS, Carberp, ��  � �� .
Operating memory � a variant of Win32/Spy.Agent.QGW trojan

1.
�� ELC:
20.01.2022 9:40:02 Advanced memory scanner file Operating memory � C:\Users\itc-omn\AppData\Local\Temp\1ca9c872.dll multiple threats deleted 4EC9095A35736DFFE889AC992A4460A6C780972F
20.01.2022 9:39:54 Advanced memory scanner file Operating memory � C:\Users\itc-omn\AppData\Local\Temp\1ca9c872.dll multiple threats deleted F378F3E53FF08A9DF28586DE383A8A4D3B1F35EB

�� ESI:
"�� " = "c:\users\itc-omn\appdata\local\asus giftbox\user data\a3f739aa\vmplayer.exe -us:8 -lznupsl:12" ( 9: �� ) ; ; ;
"�� " = "c:\users\itc-omn\appdata\local\apps\f2238d51\vnplayer.exe /xsqlrl:66576859 /bk /wfu /bziujw:825" ( 9: �� ) ; ; ;
"��" = "c:\users\itc-omn\appdata\local\temp\34a8f4f8.dll" ( 6: �� ) ;
"��" = "c:\users\itc-omn\appdata\local\temp\1ca9c872.dll" ( 6: �� ) ;

uVS:
(!) ��: �� , �� : C:\WINDOWS\SYSWOW64\SVCHOST.EXE [10212]
"C:\Users\itc-omn\AppData\Local\ASUS GIFTBOX\User Data\a3f739aa\vmplayer.exe" -us:8 -lznupsl:12
C:\Users\itc-omn\AppData\Local\Apps\f2238d51\vnplayer.exe /xsqlrl:66576859 /bk /wfu /bziujw:825
---------------------------------------
2.
�� ELC:
03.08.2022 16:21:55 Advanced memory scanner file Operating memory � C:\Users\��\AppData\Local\Temp\28e86510.dll a variant of Win32/Spy.Agent.QGW trojan cleaned by deleting E270A42E0B87887376DE25E48312CFF2571DB9A3
03.08.2022 16:21:50 Advanced memory scanner file Operating memory � C:\Users\��\AppData\Local\Temp\28e86510.dll a variant of Win32/Spy.Agent.QGW trojan cleaned by deleting 5F66A0781CDCECDF6C65F348E189362EF587274F

�� ESI:
cmd.exe, 3180, COMP-BDA\��, , Windows Command Processor, Microsoft Corporation, "C:\Windows\system32\cmd.exe"
c:\users\��\appdata\roaming\java.exe /pj=9757386 /zgvlo=92 /nbw /mkj=13105, ,

�� uVS:
(!) ��: �� , �� : C:\WINDOWS\SYSWOW64\CMD.EXE [3180]
(!) ��: �� , �� : C:\WINDOWS\SYSWOW64\DLLHOST.EXE [3492]
�� : C:\USERS\��\APPDATA\ROAMING\JAVA.EXE
192.168.11.195:50568 <-> 45.136.51.50:5873
"C:\Users\��\AppData\Roaming\java.exe" /pj=9757386 /zgvlo=92 /nbw /mkj=13105

3.
�� ELC:
22.09.2022 12:56:59 Advanced memory scanner file Operating memory � C:\Users\igor\AppData\Local\Temp\1a10b5ce.dll a variant of Win32/Spy.Agent.QGW trojan cleaned by deleting 3634BFE5E04A47482E02F849D0C5FACA31213B0F
22.09.2022 12:55:09 Advanced memory scanner file Operating memory � C:\Users\igor\AppData\Local\Temp\1a10b5ce.dll a variant of Win32/Spy.Agent.QGW trojan cleaned by deleting B7C9EDF0683C243AD74CA7D2760003A3EC3806A5

�� ESI:
cmd.exe, 11848, DESKTOP-E9NA6G1\igor, , Windows Command Processor, Microsoft Corporation, "C:\Windows\system32\cmd.exe"
dllhost.exe, 14140, DESKTOP-E9NA6G1\igor, , COM Surrogate, Microsoft Corporation, "C:\Windows\system32\dllhost.exe"
c:\users\igor\appdata\roaming\msidb.exe /hxxsx:8484 /om:7 /eqcirph /qdkfh, ,

�� uVS:
(!) ��: �� , �� : C:\WINDOWS\SYSWOW64\CMD.EXE [9684]
(!) ��: �� C:\WINDOWS\SYSWOW64\CMD.EXE [9684], tid=12516
192.168.0.10:51628 <-> 5.45.93.247:5959
"C:\Users\igor\AppData\Roaming\MsiDb.exe" /hxxsx:8484 /om:7 /eqcirph /qdkfh
25.09.2022 11:23:46, santy.

�� uVS, Carberp, ��

Sun, 25 Sep 2022 10:41:39 +0300

�� uVS, Carberp, ��  � �� .

====quote====
Oleg Oleg ��:
� �� Windows 11 ��) �� ? (�� UVS!

=============
�� Windows Defender. �� , �� uVS � ��.
25.09.2022 10:41:39, santy.

�� uVS, Carberp, ��

Mon, 15 Aug 2022 20:32:36 +0300

�� uVS, Carberp, ��  � �� .
��! �� -�� , �� .

�� https://forum.esetnod32.ru/forum6/topic5713/ �� , �� UVS! �� UVS � �� .

�� !

� �� Windows 11 ��) �� ? (�� UVS!
15.08.2022 20:32:36, Oleg Oleg.

�� uVS, Carberp, ��

Thu, 28 Jul 2022 14:00:00 +0300

�� uVS, Carberp, ��  � �� .
�� Powemet. �� .
�� .
https://www.cyberforum.ru/viruses/thread3003231.html
�� (� ��) - �� .
28.07.2022 14:00:00, santy.

�� uVS, Carberp, ��

Sun, 19 Jun 2022 12:50:35 +0300

�� uVS, Carberp, ��  � �� .
PuzzleMedia � �� uVS, (� ��, �� 4.11 �� )

C:\USERS\USER\APPDATA\LOCAL\PROGRAMS\TRANSMISSION\TRANSMISSION-QT.EXE
(!) ��: �� C:\USERS\USER\APPDATA\LOCAL\PROGRAMS\TRANSMISSION\TRANSMISSION-QT.EXE [3948], tid=5508
C:\USERS\DIMA-\APPDATA\LOCAL\PROGRAMS\TRANSMISSION\QT5CORE.DLL
HEUR:Trojan.Win32.Miner.gen [Kaspersky]
C:\WINDOWS\SYSTEM32\DLLHOST.EXE
(!) ��: �� C:\WINDOWS\SYSTEM32\DLLHOST.EXE [1936], tid=8928
C:\ProgramData\PuzzleMedia\print.exe --farm-recheck 1000 --farm-retries 300 -P stratum+tcp://13.51.156.23:80
"C:\ProgramData\PuzzleMedia\print.exe"
19.06.2022 12:50:35, santy.

�� uVS, Carberp, ��

Fri, 03 Jun 2022 13:39:37 +0300

�� uVS, Carberp, ��  � �� .
MS Word Follina Exploit
https://www.bleepingcomputer.com/news/security/new-microsoft-office-zero-day-used-in-attacks-to-execute-powershell/
https://forum.eset.com/topic/32571-ms-word-follina-exploit-not-detected/
03.06.2022 13:39:37, santy.

�� uVS, Carberp, ��

Tue, 22 Mar 2022 12:40:36 +0300

�� uVS, Carberp, ��  � �� .
�� Lapsus$ ��, �� 37 �� Microsoft
https://www.comss.ru/page.php?id=10310
------------
� �� anti-malware.ru �� ...
22.03.2022 12:40:36, RP55 RP55.

�� uVS, Carberp, ��

Sun, 06 Mar 2022 13:41:09 +0300

�� uVS, Carberp, ��  � �� .
�� , �� �� dll, �� , � ��

[FILE ID=121609]

====quote====
�� C:\PROGRAMDATA\ESETDATA\MCUPDUI.EXE
�� MCUPDUI.EXE
��. ��

��
��
��. � �� The system cannot find the path specified.
��. ��

��
�� HKLM\System\CurrentControlSet\Services\ESETdata\ImagePath
ImagePath "C:\ProgramData\ESETdata\mcupdui.exe" "200"
DisplayName ESETdata
Description ESETdata
ESETdata �� : �� (2)
�� 28.09.2021 � 08:28:23
=============

[FILE ID=121608]

06.03.2022 13:41:09, santy.

�� uVS, Carberp, ��

Wed, 02 Mar 2022 12:05:39 +0300

�� uVS, Carberp, ��  � �� .
...

02.03.2022 12:05:39, RP55 RP55.

�� uVS, Carberp, ��

Tue, 22 Feb 2022 07:25:14 +0300

�� uVS, Carberp, ��  � �� .
#�� :

====quote====
uVS:
C:\Windows\system32\lsass.exe
137.91%:
C:\WINDOWS\SYSTEM32\WININIT.EXE
0.0.0.0:49193
192.168.1.63:49212 <-> 103.124.106.123:443
(!) ��: �� C:\WINDOWS\SYSTEM32\LSASS.EXE [868], tid=3184
=============

====quote====
KVRT ��
=============

TDSSKiller:

====quote====
16:53:47.0899 0x0abc TDSS rootkit removing tool 3.1.0.28 Apr 9 2019 21:11:46
16:53:49.0903 0x0abc ============================================================
16:53:49.0903 0x0abc Current date / time: 2022/02/20 16:53:49.0903
...
16:55:37.0084 0x17d4 ============================================================
16:55:37.0084 0x17d4 Scan finished
16:55:37.0084 0x17d4 ============================================================
16:55:37.0086 0x17c8 Detected object count: 0
16:55:37.0086 0x17c8 Actual detected object count: 0
16:56:12.0805 0x0a0c Deinitialize success
=============

====quote====
CureIt! �� , �� - �� .
=============

FRST:

====quote====

============== FLock ==============================
2022-02-07 21:40 C:\Windows\system32\Drivers\2682j.sys

=============

---------------
fixlog:

====quote====
"C:\Windows\system32\Drivers\2682j.sys" => ��

========================= File: C:\Windows\system32\Drivers\2682j.sys ========================

C:\Windows\system32\Drivers\2682j.sys
��
MD5: <==== �� (�� )
�� : 2022-02-05 19:30 - 2022-02-07 21:40
��: 006891104
��: ----N
�� :
�� :
�� :
��:
��:
�� :
�� :
�� :
VirusTotal: 0-byte

====== �� File: ======

VirusTotal: C:\Windows\system32\Drivers\2682j.sys => <==== �� (�� )

=============
�� WnPE&uVS

[FILE ID=121556]

https://virusinfo.info/showthread.php?t=227658

22.02.2022 07:25:14, santy.

�� uVS, Carberp, ��

Sat, 22 Jan 2022 16:11:05 +0300

�� uVS, Carberp, ��  � �� .
��, �� uVS:
(!) ��: �� , �� : C:\WINDOWS\SYSWOW64\SVCHOST.EXE [10212]

�� :
ESETSysInspector:

[FILE ID=121303]

22.01.2022 16:11:05, santy.

�� uVS, Carberp, ��

Sat, 22 Jan 2022 16:02:12 +0300

�� uVS, Carberp, ��  � �� .

====quote====
RP55 RP55 ��:
�� Avira Antivirus ��...
=============
� ��, ��?!
22.01.2022 16:02:12, santy.

����� esetnod32.ru [����: ���������� � uVS, Carberp, ������� �����]

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

���������� � uVS, Carberp, ������� �����

�� esetnod32.ru [��: �� uVS, Carberp, �� ]

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��

�� uVS, Carberp, ��