opexxx

SharpEDRChecker.log

Jan 15th, 2021
##################################################################
[!][!][!] Welcome to SharpEDRChecker by @PwnDexter [!][!][!]
[+][+][+] Running as admin, all checks will be performed [+][+][+]
##################################################################

######################################
[!][!][!] Checking processes [!][!][!]
######################################

[-] Suspicious process found:
Name: MsMpEng.exe
Description: MsMpEng.exe
Caption: MsMpEng.exe
Binary:
Process ID: 6184
Parent Process: 1140
Process CmdLine:
File Metadata:
[!] Matched on: msmpeng

[-] Suspicious process found:
Name: SecurityHealthService.exe
Description: SecurityHealthService.exe
Caption: SecurityHealthService.exe
Binary:
Process ID: 9352
Parent Process: 1140
Process CmdLine:
File Metadata:
[!] Matched on: securityhealthservice

###################################################################
[!][!][!] Checking modules loaded in your current process [!][!][!]
###################################################################

[-] Suspicious modload found in your process:
Suspicious Module: C:\Windows\SYSTEM32\amsi.dll
File Metadata:
Product Name: Microsoft® Windows® Operating System
Filename: C:\Windows\SYSTEM32\amsi.dll
Original Filename: amsi.dll
Internal Name: amsi.dll
Company Name: Microsoft Corporation
File Description: Anti-Malware Scan Interface
Product Version: 10.0.19041.746
Comments:
Legal Copyright: © Microsoft Corporation. All rights reserved.
Legal Trademarks:
[!] Matched on: amsi.dll, anti-malware, malware

[-] Suspicious modload found in your process:
Suspicious Module: C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2011.6-0\MpOav.dll
File Metadata:
Product Name: Microsoft® Windows® Operating System
Filename: C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2011.6-0\MpOav.dll
Original Filename: MpOAV.dll
Internal Name: MpOAV
Company Name: Microsoft Corporation
File Description: IOfficeAntiVirus Module
Product Version: 4.18.2011.6
Comments:
Legal Copyright: © Microsoft Corporation. All rights reserved.
Legal Trademarks:
[!] Matched on: antivirus, defender

########################################
[!][!][!] Checking Directories [!][!][!]
########################################

[-] Suspicious directory found: C:\Program Files\Windows Defender
[!] Matched on: defender

[-] Suspicious directory found: C:\Program Files\Wireshark
[!] Matched on: wireshark

[-] Suspicious directory found: C:\Program Files (x86)\Windows Defender
[!] Matched on: defender

[-] Suspicious directory found: C:\ProgramData\Malwarebytes
[!] Matched on: malware

[-] Suspicious directory found: C:\ProgramData\McAfee
[!] Matched on: mcafee

#####################################
[!][!][!] Checking Services [!][!][!]
#####################################

[-] Suspicious service found:
Name: mpssvc
DisplayName: Windows Defender Firewall
Description: Windows Defender Firewall helps protect your computer by preventing unauthorized users from gaining access to your computer through the Internet or a network.
Caption: Windows Defender Firewall
Binary: C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
Status: Running
Process ID: 2072
File Metadata:
Product Name: Microsoft® Windows® Operating System
Filename: C:\Windows\system32\svchost.exe
Original Filename: svchost.exe.mui
Internal Name: svchost.exe
Company Name: Microsoft Corporation
File Description: Host Process for Windows Services
Product Version: 10.0.19041.561
Comments:
Legal Copyright: © Microsoft Corporation. All rights reserved.
Legal Trademarks:
[!] Matched on: defender

[-] Suspicious service found:
Name: PolicyAgent
DisplayName: IPsec Policy Agent
Description: IPsec (Internet Protocol Security) supports network-level peer authentication, data origin authentication, data confidentiality (encryption) and protection against replay attacks. This service enforces the IPsec policies created with the "IP Security Policies" snap-in or the "netsh ipsec" command-line tool. If you stop this service, network connectivity problems may occur if the policy requires IPsec connections. Also, remote management of Windows Defender Firewall is not available when this service is stopped.
Caption: IPsec Policy Agent
Binary: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p
Status: Running
Process ID: 4284
File Metadata:
Product Name: Microsoft® Windows® Operating System
Filename: C:\Windows\system32\svchost.exe
Original Filename: svchost.exe.mui
Internal Name: svchost.exe
Company Name: Microsoft Corporation
File Description: Host Process for Windows Services
Product Version: 10.0.19041.561
Comments:
Legal Copyright: © Microsoft Corporation. All rights reserved.
Legal Trademarks:
[!] Matched on: defender

[-] Suspicious service found:
Name: SecurityHealthService
DisplayName: Windows Security Service
Description: Windows Security Service handles unified device protection and health information
Caption: Windows Security Service
Binary: C:\Windows\system32\SecurityHealthService.exe
Status: Running
Process ID: 9352
File Metadata:
Product Name: Microsoft® Windows® Operating System
Filename: C:\Windows\system32\SecurityHealthService.exe
Original Filename: SecurityHealthService.exe
Internal Name: SecurityHealthService
Company Name: Microsoft Corporation
File Description: Windows Security Health Service
Product Version: 4.18.1907.16384
Comments:
Legal Copyright: © Microsoft Corporation. All rights reserved.
Legal Trademarks:
[!] Matched on: securityhealthservice

[-] Suspicious service found:
Name: WdNisSvc
DisplayName: Microsoft Defender Antivirus Network Inspection Service
Description: Helps guard against intrusion attempts targeting known and newly discovered vulnerabilities in network protocols.
Caption: Microsoft Defender Antivirus Network Inspection Service
Binary: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2011.6-0\NisSrv.exe"
Status: Stopped
Process ID: 0
File Metadata:
Product Name: Microsoft® Windows® Operating System
Filename: C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2011.6-0\NisSrv.exe
Original Filename: NisSrv.exe
Internal Name: NisSrv.exe
Company Name: Microsoft Corporation
File Description: Microsoft Network Realtime Inspection Service
Product Version: 4.18.2011.6
Comments:
Legal Copyright: © Microsoft Corporation. All rights reserved.
Legal Trademarks:
[!] Matched on: antivirus, defender, nissrv

[-] Suspicious service found:
Name: WinDefend
DisplayName: Microsoft Defender Antivirus Service
Description: Helps protect users from malware and other potentially unwanted software.
Caption: Microsoft Defender Antivirus Service
Binary: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2011.6-0\MsMpEng.exe"
Status: Running
Process ID: 6184
File Metadata:
Product Name: Microsoft® Windows® Operating System
Filename: C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2011.6-0\MsMpEng.exe
Original Filename: MsMpEng.exe
Internal Name: MsMpEng.exe
Company Name: Microsoft Corporation
File Description: Antimalware Service Executable
Product Version: 4.18.2011.6
Comments:
Legal Copyright: © Microsoft Corporation. All rights reserved.
Legal Trademarks:
[!] Matched on: antimalware, antivirus, defender, malware, msmpeng

[!] Could not get file info for: C:

[-] Suspicious service found:
Name: SDScannerService
DisplayName: Spybot-S&D 2 Scanner Service
Description: Offers malware scanning services to Spybot-S&D modules
Caption: Spybot-S&D 2 Scanner Service
Binary: "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe"
Status: Running
Process ID: 6696
File Metadata:
Product Name: Spybot - Search & Destroy
Filename: C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
Original Filename: SDFSSvc.exe
Internal Name:
Company Name: Safer-Networking Ltd.
File Description: Spybot-S&D 2 Scanner Service
Product Version: 2.7.64.0
Comments:
Legal Copyright: © 2009-2018 Safer-Networking Ltd. All rights reserved.
Legal Trademarks: Spybot® and Spybot - Search & Destroy® are registered trademarks.
[!] Matched on: malware

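The service hits above show the two kinds of match the tool reports: WinDefend and WdNisSvc match on their own binary names (msmpeng, nissrv) and paths, while mpssvc and PolicyAgent match on "defender" only because their display name or description mentions Windows Defender Firewall, and SDScannerService matches on "malware" only through its description. The following Python is an added example by the editor, not code from SharpEDRChecker or @PwnDexter: it reproduces case-insensitive substring matching of the kind visible in the "Matched on:" lines and adds a triage step that separates a hit in an identity field (service name, binary path, original filename) from a hit that occurs only in free text. Assumptions: KEYWORDS is reconstructed from this log's "Matched on:" output and is only a subset of the tool's real list; the records are constructed to mirror services in this log rather than enumerated from a live host; the "strong"/"weak" labels are the editor's heuristic.

```python
"""Keyword matching over service records with strong/weak triage (added example)."""
from dataclasses import dataclass

# Reconstructed from the "Matched on:" lines in this log; assumed to be a subset
# of SharpEDRChecker's real keyword list.
KEYWORDS = [
    "amsi.dll", "anti-malware", "antimalware", "antivirus", "defender",
    "malware", "mcafee", "msmpeng", "nissrv", "securityhealthservice", "wireshark",
]

# A keyword in one of these fields names the product's own binary: strong evidence.
IDENTITY_FIELDS = ("name", "binary", "original_filename")
# A keyword only in these fields means the text merely mentions a product
# (e.g. a firewall description that mentions Windows Defender): weak evidence.
TEXT_FIELDS = ("display_name", "description", "file_description")


@dataclass
class ServiceRecord:
    name: str
    binary: str
    original_filename: str = ""
    display_name: str = ""
    description: str = ""
    file_description: str = ""


def match_keywords(rec: ServiceRecord) -> dict:
    """Case-insensitive substring match; returns {keyword: [fields it appeared in]}."""
    hits = {}
    for fld in IDENTITY_FIELDS + TEXT_FIELDS:
        value = getattr(rec, fld).lower()
        for kw in KEYWORDS:
            if kw in value:
                hits.setdefault(kw, []).append(fld)
    return hits


def classify(rec: ServiceRecord) -> tuple:
    """Return ('strong' | 'weak' | 'none', hits); 'strong' needs an identity-field hit."""
    hits = match_keywords(rec)
    if not hits:
        return "none", hits
    strong = any(f in IDENTITY_FIELDS for fields in hits.values() for f in fields)
    return ("strong" if strong else "weak"), hits


# Constructed records mirroring services in the log above, plus one control
# record (Task Scheduler) that should not match anything.
RECORDS = [
    ServiceRecord(
        name="mpssvc",
        binary=r"C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p",
        original_filename="svchost.exe.mui",
        display_name="Windows Defender Firewall",
        description="Windows Defender Firewall helps protect your computer.",
        file_description="Host Process for Windows Services",
    ),
    ServiceRecord(
        name="WinDefend",
        binary=r"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2011.6-0\MsMpEng.exe",
        original_filename="MsMpEng.exe",
        display_name="Microsoft Defender Antivirus Service",
        description="Helps protect users from malware and other potentially unwanted software.",
        file_description="Antimalware Service Executable",
    ),
    ServiceRecord(
        name="SDScannerService",
        binary=r"C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe",
        original_filename="SDFSSvc.exe",
        display_name="Spybot-S&D 2 Scanner Service",
        description="Offers malware scanning services to Spybot-S&D modules",
        file_description="Spybot-S&D 2 Scanner Service",
    ),
    ServiceRecord(
        name="Schedule",
        binary=r"C:\Windows\system32\svchost.exe -k netsvcs -p",
        original_filename="svchost.exe",
        display_name="Task Scheduler",
        description="Enables a user to configure and schedule automated tasks on this computer.",
        file_description="Host Process for Windows Services",
    ),
]


def triage(records) -> dict:
    """Service name -> (confidence, sorted matched keywords), TLDR-summary style."""
    out = {}
    for rec in records:
        conf, hits = classify(rec)
        if conf != "none":
            out[rec.name] = (conf, sorted(hits))
    return out


if __name__ == "__main__":
    for name, (conf, kws) in triage(RECORDS).items():
        print(f"[-] {name} : {', '.join(kws)}  ({conf})")
```

On the constructed WinDefend record the sorted keyword set comes out as antimalware, antivirus, defender, malware, msmpeng, the same five the log reports, while mpssvc and SDScannerService are flagged "weak" because their only hits are in display name or description text.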
####################################
[!][!][!] Checking drivers [!][!][!]
####################################

[-] Suspicious driver found:
Suspicious Module: WdFilter.sys
File Metadata:
Product Name: Microsoft® Windows® Operating System
Filename: c:\windows\system32\drivers\wd\wdfilter.sys
Original Filename: WdFilter.sys
Internal Name: WdFilter
Company Name: Microsoft Corporation
File Description: Microsoft antimalware file system filter driver
Product Version: 4.18.2011.6
Comments:
Legal Copyright: © Microsoft Corporation. All rights reserved.
Legal Trademarks:
[!] Matched on: antimalware, malware

[!] Could not get file info for: c:\Windows\Sysnative\drivers\dump_diskdump.sys

[!] Could not get file info for: c:\Windows\Sysnative\drivers\dump_iastorac.sys

[!] Could not get file info for: c:\Windows\Sysnative\drivers\dump_dumpfve.sys

################################
[!][!][!] TLDR Summary [!][!][!]
################################

[!] Process Summary:
[-] MsMpEng.exe : msmpeng
[-] SecurityHealthService.exe : securityhealthservice


[!] Modload Summary:
[-] C:\Windows\SYSTEM32\amsi.dll : amsi.dll, anti-malware, malware
[-] C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2011.6-0\MpOav.dll : antivirus, defender


[!] Directory Summary:
[-] C:\Program Files\Windows Defender : defender
[-] C:\Program Files\Wireshark : wireshark
[-] C:\Program Files (x86)\Windows Defender : defender
[-] C:\ProgramData\Malwarebytes : malware
[-] C:\ProgramData\McAfee : mcafee


[!] Service Summary:
[-] mpssvc : defender
[-] PolicyAgent : defender
[-] SecurityHealthService : securityhealthservice
[-] WdNisSvc : antivirus, defender, nissrv
[-] WinDefend : antimalware, antivirus, defender, malware, msmpeng
[-] SDScannerService : malware


[!] Driver Summary:
[-] WdFilter.sys : antimalware, malware

#######################################
[!][!][!] EDR Checks Complete [!][!][!]
#######################################
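The TLDR summary lists hits per section but leaves the cross-section reading to the operator: in this log Defender is present as a process (MsMpEng.exe, PID 6184), as the WinDefend service with the same PID, as a loaded module, as directories and as the WdFilter.sys driver, whereas Wireshark, Malwarebytes and McAfee appear only as directories with no running process, service or driver behind them. The following Python is an added example by the editor, not code from SharpEDRChecker or @PwnDexter: it parses the tool's text output into records and then correlates evidence across sections, reporting which keywords are backed only by a directory and joining services to processes on "Process ID". Assumption: SAMPLE_LOG is a constructed excerpt in the format of the log above (wording abbreviated, a few entries only); the section and entry line shapes are taken from that log.

```python
"""Parse SharpEDRChecker-style output and correlate evidence across sections (added example)."""
import re

# Constructed excerpt in the format of the log above (abbreviated).
SAMPLE_LOG = r"""
######################################
[!][!][!] Checking processes [!][!][!]
######################################

[-] Suspicious process found:
Name: MsMpEng.exe
Process ID: 6184
Parent Process: 1140
[!] Matched on: msmpeng

###################################################################
[!][!][!] Checking modules loaded in your current process [!][!][!]
###################################################################

[-] Suspicious modload found in your process:
Suspicious Module: C:\Windows\SYSTEM32\amsi.dll
File Description: Anti-Malware Scan Interface
[!] Matched on: amsi.dll, anti-malware, malware

########################################
[!][!][!] Checking Directories [!][!][!]
########################################

[-] Suspicious directory found: C:\Program Files\Wireshark
[!] Matched on: wireshark

[-] Suspicious directory found: C:\ProgramData\McAfee
[!] Matched on: mcafee

#####################################
[!][!][!] Checking Services [!][!][!]
#####################################

[-] Suspicious service found:
Name: mpssvc
DisplayName: Windows Defender Firewall
Binary: C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
Status: Running
Process ID: 2072
[!] Matched on: defender

[-] Suspicious service found:
Name: WinDefend
Binary: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2011.6-0\MsMpEng.exe"
Status: Running
Process ID: 6184
Comments:
[!] Matched on: antimalware, antivirus, defender, malware, msmpeng

[!] Could not get file info for: C:

####################################
[!][!][!] Checking drivers [!][!][!]
####################################

[-] Suspicious driver found:
Suspicious Module: WdFilter.sys
File Description: Microsoft antimalware file system filter driver
[!] Matched on: antimalware, malware
"""

SECTION_RE = re.compile(r"^\[!\]\[!\]\[!\] Checking (\w+)")
ENTRY_RE = re.compile(r"^\[-\] Suspicious \w+ found(?: in your process)?:?(?: (.*))?$")
MATCH_RE = re.compile(r"^\[!\] Matched on: (.*)$")


def parse_log(text):
    """One {'section', 'fields', 'keywords'} dict per '[-] Suspicious ... found' entry."""
    entries, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            section = m.group(1).lower()      # processes, modules, directories, services, drivers
        elif (m := ENTRY_RE.match(line)):
            cur = {"section": section, "fields": {}, "keywords": []}
            if m.group(1):                     # directory entries carry the path inline
                cur["fields"]["Path"] = m.group(1)
            entries.append(cur)
        elif (m := MATCH_RE.match(line)) and cur is not None:
            cur["keywords"] = [k.strip() for k in m.group(1).split(",")]
            cur = None                         # the 'Matched on' line closes the entry
        elif cur is not None and not line.startswith(("[", "#")) and ":" in line:
            key, _, value = line.partition(":")   # 'Key: Value' metadata lines
            cur["fields"][key.strip()] = value.strip()
    return entries


def evidence_by_keyword(entries):
    """keyword -> set of sections in which it was reported."""
    seen = {}
    for e in entries:
        for kw in e["keywords"]:
            seen.setdefault(kw, set()).add(e["section"])
    return seen


def directory_only(entries):
    """Keywords whose only evidence is a directory: nothing running, loaded or registered."""
    return sorted(kw for kw, secs in evidence_by_keyword(entries).items()
                  if secs == {"directories"})


def service_to_process(entries):
    """Service name -> process name, joined on 'Process ID' across the two sections."""
    procs = {e["fields"].get("Process ID"): e["fields"].get("Name")
             for e in entries if e["section"] == "processes"}
    links = {}
    for e in entries:
        if e["section"] == "services" and e["fields"].get("Process ID") in procs:
            links[e["fields"]["Name"]] = procs[e["fields"]["Process ID"]]
    return links


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("directory-only:", directory_only(parsed))
    print("service -> process:", service_to_process(parsed))
```

Run against the full log, the directory-only list is the cheap way to separate installed-but-idle products from ones that are actually hooked in; a stopped service (WdNisSvc reports "Process ID: 0") will not join to any process and should be read the same way.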