SharpEDRChecker.log

1. ##################################################################
2. [!][!][!] Welcome to SharpEDRChecker by @PwnDexter [!][!][!]
3. [+][+][+] Running as admin, all checks will be performed [+][+][+]
4. ##################################################################
5.  
6. ######################################
7. [!][!][!] Checking processes [!][!][!]
8. ######################################
9.  
10. [-] Suspicious process found:
11. Name: MsMpEng.exe
12. Description: MsMpEng.exe
13. Caption: MsMpEng.exe
14. Binary:
15. Process ID: 6184
16. Parent Process: 1140
17. Process CmdLine:
18. File Metadata:
19. [!] Matched on: msmpeng
20.  
21. [-] Suspicious process found:
22. Name: SecurityHealthService.exe
23. Description: SecurityHealthService.exe
24. Caption: SecurityHealthService.exe
25. Binary:
26. Process ID: 9352
27. Parent Process: 1140
28. Process CmdLine:
29. File Metadata:
30. [!] Matched on: securityhealthservice
31.  
32. ###################################################################
33. [!][!][!] Checking modules loaded in your current process [!][!][!]
34. ###################################################################
35.  
36. [-] Suspicious modload found in your process:
37. Suspicious Module: C:\Windows\SYSTEM32\amsi.dll
38. File Metadata:
39. Product Name: Microsoft® Windows® Operating System
40. Filename: C:\Windows\SYSTEM32\amsi.dll
41. Original Filename: amsi.dll
42. Internal Name: amsi.dll
43. Company Name: Microsoft Corporation
44. File Description: Anti-Malware Scan Interface
45. Product Version: 10.0.19041.746
46. Comments:
47. Legal Copyright: ┬® Microsoft Corporation. All rights reserved.
48. Legal Trademarks:
49. [!] Matched on: amsi.dll, anti-malware, malware
50.  
51. [-] Suspicious modload found in your process:
52. Suspicious Module: C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2011.6-0\MpOav.dll
53. File Metadata:
54. Product Name: Microsoft® Windows® Operating System
55. Filename: C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2011.6-0\MpOav.dll
56. Original Filename: MpOAV.dll
57. Internal Name: MpOAV
58. Company Name: Microsoft Corporation
59. File Description: IOfficeAntiVirus Module
60. Product Version: 4.18.2011.6
61. Comments:
62. Legal Copyright: ┬® Microsoft Corporation. All rights reserved.
63. Legal Trademarks:
64. [!] Matched on: antivirus, defender
65.  
66. ########################################
67. [!][!][!] Checking Directories [!][!][!]
68. ########################################
69.  
70. [-] Suspicious directory found: C:\Program Files\Windows Defender
71. [!] Matched on: defender
72.  
73. [-] Suspicious directory found: C:\Program Files\Wireshark
74. [!] Matched on: wireshark
75.  
76. [-] Suspicious directory found: C:\Program Files (x86)\Windows Defender
77. [!] Matched on: defender
78.  
79. [-] Suspicious directory found: C:\ProgramData\Malwarebytes
80. [!] Matched on: malware
81.  
82. [-] Suspicious directory found: C:\ProgramData\McAfee
83. [!] Matched on: mcafee
84.  
85. #####################################
86. [!][!][!] Checking Services [!][!][!]
87. #####################################
88.  
89. [-] Suspicious service found:
90. Name: mpssvc
91. DisplayName: Windows Defender Firewall
92. Description: Die Windows Defender Firewall trägt zum Schutz des Computers bei, indem der Zugriff durch nicht autorisierte Benutzer auf den Computer über das Internet bzw. ein Netzwerk verhindert wird.
93. Caption: Windows Defender Firewall
94. Binary: C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
95. Status: Running
96. Process ID: 2072
97. File Metadata:
98. Product Name: Betriebssystem Microsoft® Windows®
99. Filename: C:\Windows\system32\svchost.exe
100. Original Filename: svchost.exe.mui
101. Internal Name: svchost.exe
102. Company Name: Microsoft Corporation
103. File Description: Hostprozess f├╝r Windows-Dienste
104. Product Version: 10.0.19041.561
105. Comments:
106. Legal Copyright: ┬® Microsoft Corporation. Alle Rechte vorbehalten.
107. Legal Trademarks:
108. [!] Matched on: defender
109.  
110. [-] Suspicious service found:
111. Name: PolicyAgent
112. DisplayName: IPsec-Richtlinien-Agent
113. Description: IPsec (Internet Protocol Security) unterst├╝tzt die Peerauthentifizierung auf Netzwerkebene, Datenursprungsauthentifizierung, Datenvertraulichkeit (Verschl├╝sselung) und Schutz vor Wiedergabeangriffen. Dieser Dienst erzwingt die IPsec-Richtlinien, die mit dem Snap-In "IP-Sicherheitsrichtlinien" oder mit dem Befehlszeilentool "netsh ipsec" erstellt wurden. Wenn Sie diesen Dienst beenden, k├Ânnen Probleme mit der Netzwerkkonnektivit├ñt auftreten, wenn die Richtlinie IPsec-Verbindungen erfordert. Zudem ist die Remoteverwaltung der Windows Defender Firewall nicht verf├╝gbar, wenn dieser Dienst beendet wird.
114. Caption: IPsec-Richtlinien-Agent
115. Binary: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p
116. Status: Running
117. Process ID: 4284
118. File Metadata:
119. Product Name: Betriebssystem Microsoft® Windows®
120. Filename: C:\Windows\system32\svchost.exe
121. Original Filename: svchost.exe.mui
122. Internal Name: svchost.exe
123. Company Name: Microsoft Corporation
124. File Description: Hostprozess f├╝r Windows-Dienste
125. Product Version: 10.0.19041.561
126. Comments:
127. Legal Copyright: ┬® Microsoft Corporation. Alle Rechte vorbehalten.
128. Legal Trademarks:
129. [!] Matched on: defender
130.  
131. [-] Suspicious service found:
132. Name: SecurityHealthService
133. DisplayName: Windows-Sicherheitsdienst
134. Description: Der Windows-Sicherheitsdienst sorgt für den einheitlichen Geräteschutz und für Integritätsinformationen
135. Caption: Windows-Sicherheitsdienst
136. Binary: C:\Windows\system32\SecurityHealthService.exe
137. Status: Running
138. Process ID: 9352
139. File Metadata:
140. Product Name: Microsoft® Windows® Operating System
141. Filename: C:\Windows\system32\SecurityHealthService.exe
142. Original Filename: SecurityHealthService.exe
143. Internal Name: SecurityHealthService
144. Company Name: Microsoft Corporation
145. File Description: Windows Security Health Service
146. Product Version: 4.18.1907.16384
147. Comments:
148. Legal Copyright: ┬® Microsoft Corporation. All rights reserved.
149. Legal Trademarks:
150. [!] Matched on: securityhealthservice
151.  
152. [-] Suspicious service found:
153. Name: WdNisSvc
154. DisplayName: Microsoft Defender Antivirus-Netzwerkinspektionsdienst
155. Description: Sch├╝tzt gegen Eindringversuche bei bekannten und neu erkannten Sicherheitsrisiken von Netzwerkprotokollen.
156. Caption: Microsoft Defender Antivirus-Netzwerkinspektionsdienst
157. Binary: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2011.6-0\NisSrv.exe"
158. Status: Stopped
159. Process ID: 0
160. File Metadata:
161. Product Name: Microsoft® Windows® Operating System
162. Filename: C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2011.6-0\NisSrv.exe
163. Original Filename: NisSrv.exe
164. Internal Name: NisSrv.exe
165. Company Name: Microsoft Corporation
166. File Description: Microsoft Network Realtime Inspection Service
167. Product Version: 4.18.2011.6
168. Comments:
169. Legal Copyright: ┬® Microsoft Corporation. All rights reserved.
170. Legal Trademarks:
171. [!] Matched on: antivirus, defender, nissrv
172.  
173. [-] Suspicious service found:
174. Name: WinDefend
175. DisplayName: Microsoft Defender Antivirus-Dienst
176. Description: Sch├╝tzt Benutzer vor Schadsoftware und weiterer potenziell unerw├╝nschter Software.
177. Caption: Microsoft Defender Antivirus-Dienst
178. Binary: "C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2011.6-0\MsMpEng.exe"
179. Status: Running
180. Process ID: 6184
181. File Metadata:
182. Product Name: Microsoft® Windows® Operating System
183. Filename: C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2011.6-0\MsMpEng.exe
184. Original Filename: MsMpEng.exe
185. Internal Name: MsMpEng.exe
186. Company Name: Microsoft Corporation
187. File Description: Antimalware Service Executable
188. Product Version: 4.18.2011.6
189. Comments:
190. Legal Copyright: ┬® Microsoft Corporation. All rights reserved.
191. Legal Trademarks:
192. [!] Matched on: antimalware, antivirus, defender, malware, msmpeng
193.  
194. [!] Could not get file info for: C:
195.  
196. [-] Suspicious service found:
197. Name: SDScannerService
198. DisplayName: Spybot-S&D 2 Scanner Service
199. Description: Offers malware scanning services to Spybot-S&D modules
200. Caption: Spybot-S&D 2 Scanner Service
201. Binary: "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe"
202. Status: Running
203. Process ID: 6696
204. File Metadata:
205. Product Name: Spybot - Search & Destroy
206. Filename: C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
207. Original Filename: SDFSSvc.exe
208. Internal Name:
209. Company Name: Safer-Networking Ltd.
210. File Description: Spybot-S&D 2 Scanner Service
211. Product Version: 2.7.64.0
212. Comments:
213. Legal Copyright: ┬® 2009-2018 Safer-Networking Ltd. All rights reserved.
214. Legal Trademarks: Spybot® and Spybot - Search & Destroy® are registered trademarks.
215. [!] Matched on: malware
216.  
217. ####################################
218. [!][!][!] Checking drivers [!][!][!]
219. ####################################
220.  
221. [-] Suspicious driver found:
222. Suspicious Module: WdFilter.sys
223. File Metadata:
224. Product Name: Microsoft® Windows® Operating System
225. Filename: c:\windows\system32\drivers\wd\wdfilter.sys
226. Original Filename: WdFilter.sys
227. Internal Name: WdFilter
228. Company Name: Microsoft Corporation
229. File Description: Microsoft antimalware file system filter driver
230. Product Version: 4.18.2011.6
231. Comments:
232. Legal Copyright: ┬® Microsoft Corporation. All rights reserved.
233. Legal Trademarks:
234. [!] Matched on: antimalware, malware
235.  
236. [!] Could not get file info for: c:\Windows\Sysnative\drivers\dump_diskdump.sys
237.  
238. [!] Could not get file info for: c:\Windows\Sysnative\drivers\dump_iastorac.sys
239.  
240. [!] Could not get file info for: c:\Windows\Sysnative\drivers\dump_dumpfve.sys
241.  
242. ################################
243. [!][!][!] TLDR Summary [!][!][!]
244. ################################
245.  
246. [!] Process Summary:
247. [-] MsMpEng.exe : msmpeng
248. [-] SecurityHealthService.exe : securityhealthservice
249.  
250.  
251. [!] Modload Summary:
252. [-] C:\Windows\SYSTEM32\amsi.dll : amsi.dll, anti-malware, malware
253. [-] C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2011.6-0\MpOav.dll : antivirus, defender
254.  
255.  
256. [!] Directory Summary:
257. [-] C:\Program Files\Windows Defender : defender
258. [-] C:\Program Files\Wireshark : wireshark
259. [-] C:\Program Files (x86)\Windows Defender : defender
260. [-] C:\ProgramData\Malwarebytes : malware
261. [-] C:\ProgramData\McAfee : mcafee
262.  
263.  
264. [!] Service Summary:
265. [-] mpssvc : defender
266. [-] PolicyAgent : defender
267. [-] SecurityHealthService : securityhealthservice
268. [-] WdNisSvc : antivirus, defender, nissrv
269. [-] WinDefend : antimalware, antivirus, defender, malware, msmpeng
270. [-] SDScannerService : malware
271.  
272.  
273. [!] Driver Summary:
274. [-] WdFilter.sys : antimalware, malware
275.  
276. #######################################
277. [!][!][!] EDR Checks Complete [!][!][!]
278. #######################################