False Positive?


JSntgRvr

-Log Details-
Scan Date: 15/04/2024
Scan Time: 11:36 pm
Log File: 703608f8-fb1c-11ee-ac20-b42e998b91bb.json

-Software Information-
Version: 5.1.2.109
Components Version: 1.0.1214
Update Package Version: 1.0.83471
License: Free

-System Information-
OS: Windows 10 (Build 19045.4291)
CPU: x64
File System: NTFS
User: TigerPC\Rapto

-Scan Summary-

Registry Key: 3
Trojan.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microsoft\Windows\NetFramework\Microsoft .NET Framework, No Action By User, 491, 1221292, 1.0.83471, , ame, , , 
Trojan.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TASKS\{2C334533-126D-4677-9AD5-CD8F7DBED8C6}, No Action By User, 491, 1221292, 1.0.83471, , ame, , , 
Trojan.BitCoinMiner, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\LOGON\{2C334533-126D-4677-9AD5-CD8F7DBED8C6}, No Action By User, 491, 1221292, 1.0.83471, , ame, , , 

File: 1
Trojan.BitCoinMiner, C:\WINDOWS\SYSTEM32\TASKS\Microsoft\Windows\NetFramework\Microsoft .NET Framework, No Action By User, 491, 1221292, 1.0.83471, , ame, , 40978B8211B8AA6FAC56163D5227FEE0, A8D9EAD432F952FB686324E764E9568A50DF6C24469B27252F50ADEE01C1BA72

Link: https://forums.malwarebytes.com/topic/310804-microsoftnet-framework-and-other-microsoft-files-listed-as-trojan-viruses/

  • Staff

This one doesn't seem to be a false positive. The rule is detecting a scheduled task which calls an executable with a coinmining domain as argument. I'll ask the user to upload the executable that the scheduled task is calling.

  • Staff

I asked for that file since the hash of the scheduled task on VT seemed to call that executable https://www.virustotal.com/gui/file/a8d9ead432f952fb686324e764e9568a50df6c24469b27252f50adee01c1ba72 

<Command>C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe</Command>
<WorkingDirectory>C:\Windows\Microsoft.NET\Framework\v3.5</WorkingDirectory>
<Arguments>-pool us1.ethermine.org:4444 -pool2 us2.ethermine.org:4444 -wal 0x4F0e95dC520AA6d96B20c594e87285994C94A82B.MyRig -proto 3</Arguments>


It would be nice for us to have the file that the scheduled task is calling.

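A defender-side illustration of the point the staff post makes, added here and not Malwarebytes' rule or code: parse a Task Scheduler XML definition and flag Exec actions whose Arguments carry miner-pool indicators even when the Command points at a legitimate Microsoft path. The task XML is constructed from the Command and Arguments quoted above; the flag list, the host and wallet patterns, and the benign comparison task are assumptions for this example.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML definitions (files under C:\Windows\System32\Tasks).
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Indicators drawn from the quoted <Arguments>; the exact set is an assumption
# for this example, not a vendor detection rule.
MINER_FLAGS = {"-pool", "-pool2", "-wal"}
POOL_HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.ethermine\.org:\d+\b", re.I)
WALLET_RE = re.compile(r"\b0x[0-9a-f]{40}\b", re.I)  # Ethereum-style address

def exec_actions(task_xml):
    """Yield (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    for ex in root.iter(TASK_NS + "Exec"):
        cmd = (ex.findtext(TASK_NS + "Command") or "").strip()
        args = (ex.findtext(TASK_NS + "Arguments") or "").strip()
        yield cmd, args

def miner_indicators(args):
    """Return the miner-pool indicators found in an argument string (empty list = clean)."""
    found = ["flag:" + tok.lower() for tok in args.split() if tok.lower() in MINER_FLAGS]
    found += ["pool:" + host for host in POOL_HOST_RE.findall(args)]
    found += ["wallet:" + addr for addr in WALLET_RE.findall(args)]
    return found

def suspicious_exec_actions(task_xml):
    """Return [(command, indicators)] for actions whose arguments look like miner options."""
    results = []
    for cmd, args in exec_actions(task_xml):
        hits = miner_indicators(args)
        if hits:
            results.append((cmd, hits))
    return results

# Constructed sample built from the task quoted in the thread (no XML declaration needed).
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe</Command>
    <WorkingDirectory>C:\Windows\Microsoft.NET\Framework\v3.5</WorkingDirectory>
    <Arguments>-pool us1.ethermine.org:4444 -pool2 us2.ethermine.org:4444 -wal 0x4F0e95dC520AA6d96B20c594e87285994C94A82B.MyRig -proto 3</Arguments>
  </Exec></Actions></Task>"""

# Constructed benign comparison: same Microsoft binary path, ordinary arguments.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\Microsoft.NET\Framework\v3.5\mscorsvw.exe</Command>
    <Arguments>/quiet</Arguments>
  </Exec></Actions></Task>"""

if __name__ == "__main__":
    for cmd, hits in suspicious_exec_actions(SAMPLE_TASK):
        print(cmd, "->", ", ".join(hits))
```

Only the argument string is judged, so a task whose Command is a trusted Microsoft path is still flagged when its Arguments name a pool host or wallet.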
