Emotet: Variants...Has anyone dealt with any strange stuff?


  1. Posts : 3
    Win10
       #1

    Emotet: Variants...Has anyone dealt with any strange stuff?


    Hey guys, I am new here, I have joined a couple forums over the last few days, trying to get some information.
    I just cleaned out a crazy persistent emotet infection, and I am having some trouble figuring out a baseline now. I need to know if you guys have named pipes set to allow anonymous shares configured by svchost with scTbePrivelege normally, ideally immediately following clean install. The information can be found in event viewer under Application and service logs/microsoft/windows/smb server and also SMB client path. That was the ingress point and after cleaning the infection with nuke and pave the pipes are set back to that same setting with activity from untrackable processes. So I bought a new laptop just to check it out, and strangely, there was one entry in event logs from last year, where a pipe was set to allow anonymous users and then configured as a netBT endpoint. Terminal server logs show the pipe used in + out once . To me, this is very odd. Can anyone enlighten me? Win10 19042, also saw behavior on 20h
      My Computer

  2. Jacee's Avatar
    Posts : 1,605
    Win 10 home 20H2 19042.1110
       #2

    Is this report useful?: Emotet Malware | CISA
      My Computers


 

  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd
All times are GMT -5. The time now is 20:14.
Find Us




Windows 10 Forums