I know it's only optional and you don't have to use it, but even so, DP really outdid themselves :]
The "assistant" mentioned in the topic title is treated by AV software as malware. That's nothing new. Recently I dropped it into a sandbox to check what exactly it does, and here is what I found.
Oh, and this was the installation of the pdfxchange-viewer application, but it probably applies to any other app too.
The file was downloaded from this source, DP does a redirect:
://www.takaser-varete.com/lvlrfhrotzvzhi43fquk1zbhjh0wficn4thyxo7d6umdpojq1mprcorx+gp6okneoetcpuhjlc7c7uv2ti8rgm4iiycc25ougjjjimrwjarirpvytexpdfgdogzf2g_tbjyab9+1vtysehargkwtj9h4whiz6uhnkfanbkop9+gqnp_wcmzyezfzw5kojjscshtwuut4ugzhok4ehkhubetgvfuc4gpad1tv16ogpb6wmef54mjiyyt7iepo+desuwyivxp0rxu3szhhxlj3jqpiwf_wy+nr6rjole3ryxf0k_gbop1aiurfdt8hj6bh0wcaslhymgsxgmjvyio9safbumjsplasosmdqhuykm4f6h2yrnrt5paykmqqdwt4lcbwsjdn4apfjvpvsdcm_fmwqmgsu8gw+18czaofndcy_tw4oozkkn5n7humg0ry9u38bz080yjdteadd4dnildv4gbop7eldc0+u4sd15bsbhw9o1bc0zdlhno8tjbenjw44yoc+rc9kbf8ytxbzpwdksh3w7ltyl3dops+h9vel3mzefkxd2ah3h21wo5nhokt1sl35dyyr4c4wcahiy086jd7fnkwlk70e+dtfrce0fjic+hhmpfkht1bgelq4esaarx6-g0iaags3ywwdp0y7orhtiptblkwewsehdl9cyriitmahd4gg7zklnz5s0flwccybzppesacvrys5pk45vkvo0_ljwbod
52.18.157.126
Connections made and DNS queries:
support.neruculezredo.com
login.live.com
ocsp.digicert.com
wp.hit.gemius.pl
ocsp.msocsp.com
crl.microsoft.com
13.92.82.125
52.30.18.103
88.221.88.48
131.253.61.102
93.184.220.29
212.77.101.100
104.18.24.243
72.247.176.88
239.255.255.250
://crl.microsoft.com/pki/crl/products/tspca.crl
://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D
://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAACKeWuj3CySHT1IAAAAAIp4%3D
://support.neruculezredo.com/
://wp.hit.gemius.pl/dot.gif?id=zIs65ffw72Ioeiz1KpQzu5eADmaU8ObYzjn5j8wauxX.T7
wp.hit.gemius.pl/dot.gif?id=zis65ffw72ioeiz1kpqzu5eadmau8obyzjn5j8wauxx.t7
Changes made to the system after running it. About 272 events in total; below only the suspicious and malicious ones.
| Severity | Type | Description | PID |
|---|---|---|---|
| Malicious | Process opened the file corresponding to its own image | File Path: c:\30b549d3-c4f1-44c3-97ee-d60e3833ea78 | 2732 |
| Malicious | Read from another process's memory | Process: 2732 | 2732 |
| Malicious | Checked for the presence of a debugger | — | 2732 |
| Malicious | A disk drive was opened for direct access (raw IO) | File Path: \\.\pipe\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I | 2732 |
| Malicious | A disk drive was opened for direct access (raw IO) | File Path: \\.\pipe\1Q1F1S1C1P1E1C1F1N1C1T1H2UtF1E1I_TEST | 2732 |
| Malicious | A disk drive was opened for direct access (raw IO) | File Path: \\.\Nsi | 2732 |
| Malicious | Installed a Windows hook | Hook Id: 7 | 2732 |
| Malicious | Installed a Windows hook | Hook Id: 2 | 2732 |
| Malicious | Enumerated running processes | — | 2732 |
| Malicious | Changed Internet Explorer settings | Reg Path: S-1-5-21-1070138653-2631224532-3904989754-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A4EA0B3-A05C-4817-88A6-02015EF9FFC4}\WpadDecisionReason. Data: 1 | 2732 |
| Malicious | Changed Internet Explorer settings | Reg Path: S-1-5-21-1070138653-2631224532-3904989754-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A4EA0B3-A05C-4817-88A6-02015EF9FFC4}\WpadDecision. Data: 0 | 2732 |
| Malicious | Changed Internet Explorer settings | Reg Path: S-1-5-21-1070138653-2631224532-3904989754-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A4EA0B3-A05C-4817-88A6-02015EF9FFC4}\WpadNetworkName. Data: Network | 2732 |
| Malicious | Changed Internet Explorer settings | Reg Path: S-1-5-21-1070138653-2631224532-3904989754-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-12-35-02\WpadDecisionReason. Data: 1 | 2732 |
| Malicious | Changed Internet Explorer settings | Reg Path: S-1-5-21-1070138653-2631224532-3904989754-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-54-00-12-35-02\WpadDecision. Data: 0 | 2732 |
| Malicious | Uploaded file | URL: wp.hit.gemius.pl/dot.gif?id=zIs65ffw72Ioeiz1KpQzu5eADmaU8ObYzjn5j8wauxX.T7 | 2732 |
| Malicious | Process opened the file corresponding to its own image | File Path: c:\30b549d3-c4f1-44c3-97ee-d60e3833ea78 | 2604 |
| Malicious | Read from another process's memory | Process: 2604 | 2604 |
| Malicious | Checked for the presence of a debugger | — | 2604 |
| Malicious | Enumerated running processes | — | 2604 |
And that's it. Probably nothing on your computer will blow up after using the "assistant", but nowhere does it say what it does once you've used it...
cheers
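The two OCSP request URLs in the connection list above (ocsp.digicert.com and ocsp.msocsp.com) carry a base64-encoded DER OCSPRequest in the URL path, as specified in RFC 6960, Appendix A.1. The script below is an added example and is not part of the original post; it decodes both captured requests with a minimal DER reader and pulls out the hash algorithm, the issuer name and key hashes, and the serial number of the certificate whose revocation status was being queried. This is the check a practitioner runs to see what those two requests actually are instead of taking the sandbox's host list at face value. The only inputs are the two paths copied from the list above; nothing else is assumed.

```python
"""Decode OCSP GET requests (RFC 6960, Appendix A.1) captured in a sandbox report.

The request is a base64-encoded DER OCSPRequest placed in the URL path.
Only the standard library is used; the DER reader handles exactly the
tags an unsigned OCSPRequest needs (SEQUENCE, OID, OCTET STRING, INTEGER).
"""
import base64
from urllib.parse import unquote

# Constructed sample input: the two OCSP paths from the sandbox connection
# list above, with the scheme omitted exactly as they were listed.
CAPTURED_REQUESTS = [
    "ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAi4elAbvpzaLRZNPjlRv1U%3D",
    "ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAACKeWuj3CySHT1IAAAAAIp4%3D",
]

# Hash algorithm OIDs that appear in OCSP CertID structures.
HASH_OIDS = {
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
}

SEQUENCE, OCTET_STRING, INTEGER, OID = 0x30, 0x04, 0x02, 0x06


def read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the content of a constructed element into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """DER OBJECT IDENTIFIER content bytes -> dotted string."""
    arcs = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)       # base-128 with continuation bit
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_ocsp_get(url):
    """Parse 'host/<base64 OCSPRequest>' and return the CertIDs it asks about."""
    host, _, b64 = url.partition("/")
    raw = base64.b64decode(unquote(b64))    # %2F, %2B, %3D -> / + =
    tag, body, end = read_tlv(raw, 0)       # OCSPRequest ::= SEQUENCE { tbsRequest, ... }
    if tag != SEQUENCE or end != len(raw):
        raise ValueError("not a DER OCSPRequest")
    tbs_tag, tbs = children(body)[0]        # tbsRequest (an optionalSignature would follow)
    if tbs_tag != SEQUENCE:
        raise ValueError("missing tbsRequest")
    # tbsRequest may start with [0] version / [1] requestorName (context tags);
    # requestList is its first universal SEQUENCE.
    request_list = next(v for t, v in children(tbs) if t == SEQUENCE)
    cert_ids = []
    for _, request in children(request_list):
        cert_id = children(request)[0][1]   # Request ::= SEQUENCE { reqCert CertID, ... }
        (alg_tag, alg), (_, name_hash), (_, key_hash), (int_tag, serial) = children(cert_id)[:4]
        if alg_tag != SEQUENCE or int_tag != INTEGER:
            raise ValueError("malformed CertID")
        oid = decode_oid(children(alg)[0][1])   # AlgorithmIdentifier.algorithm
        if len(serial) > 1 and serial[0] == 0 and serial[1] & 0x80:
            serial = serial[1:]             # drop the DER sign-padding byte
        cert_ids.append({
            "responder": host,
            "hash_alg": HASH_OIDS.get(oid, oid),
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial": serial.hex(),
        })
    return cert_ids


if __name__ == "__main__":
    for url in CAPTURED_REQUESTS:
        for cid in decode_ocsp_get(url):
            print(cid)
```

Both requests use SHA-1 (OID 1.3.14.3.2.26) for the CertID hashes, which is the conventional choice in OCSP regardless of the certificate's own signature algorithm. The issuerKeyHash identifies the issuing CA and the serial the end-entity certificate, so the pair can be matched against the certificate chain of the downloaded binary, or of the TLS endpoints contacted, to see which signature the Windows crypto stack was validating when it made these two requests.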