Curious about a Reg Key set by a plugin

Discussion in 'Software' started by rage, Nov 10, 2022.

  1. rage

    rage Kapellmeister

    Joined:
    Oct 11, 2021
    Messages:
    120
    Likes Received:
    68
    I downloaded a plugin from sanet, and Im curious if anyone knows what this Reg Key it shows in VirusTotal?

    HKLM\SYSTEM\ControlSet001\Control\WMI\AutoLogger\Circular Kernel Context Logger\Status

    It caught my eye, and I don't know enough about that to know if it's something malicious.

    Thanks.
     
  2.  
  3. clone

    clone Audiosexual

    Joined:
    Feb 5, 2021
    Messages:
    7,540
    Likes Received:
    3,323
    It might help for you to include what plugin this happened after installing.
     
  4. rage

    rage Kapellmeister

    Joined:
    Oct 11, 2021
    Messages:
    120
    Likes Received:
    68
    I didn't install yet. It came up when I ran it through VirusTotal.

    It's Cableguys ShaperBox 3
     
  5. clone

    clone Audiosexual

    Joined:
    Feb 5, 2021
    Messages:
    7,540
    Likes Received:
    3,323
    You could always wait a few days and see if there is a different release to compare it to. People always report problems and it does not always make them valid. I can only read user comments about windows programs to see what people say about them after they get deleted here. Websites like VT will flag lots of false positives. or true ones. ;]
     
    Last edited: Nov 10, 2022
  6. rage

    rage Kapellmeister

    Joined:
    Oct 11, 2021
    Messages:
    120
    Likes Received:
    68
    Yeah Im slightly paranoid about grabbing anything from sites other than the sister site. Even softarchive Im iffy on some stuff. Sister site is like like getting medicine from a slightly sketchy pharmacy, and everywhere else is like hoping whatever you are buying off the guy in an alley isn't really rat poison.
     
  7. soundgen

    soundgen Member

    Joined:
    Aug 11, 2021
    Messages:
    27
    Likes Received:
    9
    I downloaded it before it went offline from sister site.

    You can compare the hashes to see if they are identical.

    CRC32: 841eed9c

    Sha256: 5c1dcf3cc399e0beaec2a529d8c7ae0dad0346515cdbe7787622b50bdba37469

    Sha512: d9c7bdf5d1c00df081ba51dbed57f10f39374ac8bf2a7fa04d53617783e202fccb5441e4ccc26b4d573bba58f6b1620cee2a66f0f07c1b2092559e55a7311314

    Free hash checksum software:

    https://www.nirsoft.net/utils/hash_my_files.html

    Start the software and select the installer .EXE file to calculate the checksum and compare the result with i posted here.
    If the checksums are identical it is the same as posted on sister site.
    If not the installer is tempered (something added/removed).
     
  8. Sylenth.Will.Fall

    Sylenth.Will.Fall Audiosexual

    Joined:
    Aug 21, 2015
    Messages:
    2,668
    Likes Received:
    1,846
    First off, auto loggers track triggered events at boot-up so that would certainly start the alarm bells ringing.

    If you can isolate the potentially offending file (probably will look like a .txt document) upload it here:-

    https://virusscan.jotti.org/


    That site will run several antiviruses. If more than 3 or 4 report a problem then I would say delete it, otherwise treat it as something to keep an eye on.
     
    • Like Like x 1
    • Agree Agree x 1
    • List
  9. rage

    rage Kapellmeister

    Joined:
    Oct 11, 2021
    Messages:
    120
    Likes Received:
    68
    I checked the hash against the hash that soundgen posted in the comment above yours, and it matched, so I decided to chance it. Now you have me second guessing the decision. If its malicious, Im likely already fucked, right? Any idea what I should possibly be looking for to find something off?
     
  10. rage

    rage Kapellmeister

    Joined:
    Oct 11, 2021
    Messages:
    120
    Likes Received:
    68
    And ironically, that jotti site is blacklisted by my antivirus. lol
     
  11. thomas78

    thomas78 Kapellmeister

    Joined:
    Apr 15, 2020
    Messages:
    199
    Likes Received:
    67
    and now you know what your "antivirus" is really good at: fighting the competion! maybe youve bet at the wrong horse?
     
    Last edited: Nov 11, 2022
  12. Sylenth.Will.Fall

    Sylenth.Will.Fall Audiosexual

    Joined:
    Aug 21, 2015
    Messages:
    2,668
    Likes Received:
    1,846
    Not necessarily. I don't know if you've heard of Malwarebytes, but they are a trusted company in the computer security world and they offer a free scanner to detect rookits/ backdoor trojans etc..

    IF your a/v allows it, go here and d/l the free scanner

    https://www.malwarebytes.com/solutions/rootkit-scanner

    AND IF you have indeed installed something vindictive on your machine, this scanner should remove it.

    BUT, as with everything, there are such things as false positives, meaning that even if it does show as a 'nasty' it may not be. That will then become a decision you have to make whether the software is worth the risk. I do however put a lot of trust in the software available on the sister site (and by definition, Sanet in this instance as the hash matches)


    UPDATE:- I forgot to mention.. after the 14 day free trial you no longer have real time protection, but you will still have the free scanner to detect and remove offending software.. You can of course decide you wish to purchase the real time protection from there too.
     
    Last edited: Nov 11, 2022
  13. JMOUTTON

    JMOUTTON Audiosexual

    Joined:
    Jan 10, 2016
    Messages:
    1,099
    Likes Received:
    909
    Location:
    Virginia
    https://learn.microsoft.com/en-us/o...b2-4805-b2ea-e1540d8b0533?redirectedfrom=MSDN

    The logger itself is not malware it is a service that is part of windows. What you need to find is the XML file that defines what the logger is looking for. It's kind of strange that a plugin needs sysinfo especially that early in the OS loading. Could be part of the original DRM, could be anything TBH.

    If you are curious make a sandbox and see what autologer is capturing, could be anything from banal system setting to all keystrokes. Regardless, if it is being used for malevolent reasons that reg key isn't the entire story.
     
    • Agree Agree x 1
    • Interesting Interesting x 1
    • List
  14. illinoise

    illinoise Guest

    i downloaded shaperbox 3 (MOCHA) from sister site installed it but there is no license file in this release also the regged flare releases don't work properly the vst's still asking for license or registration
    im on a user account and installed as administrator maybe thats the problem
    i had the same problem with t-racks and tone2 stuff asking for registration
    the only thing i had to do is run registry as an admin export the local user software t-racks or tone2 registry settings then run the registry as user import the the key under local user account software and that worked
     
  15. Xupito

    Xupito Audiosexual

    Joined:
    Jan 21, 2012
    Messages:
    7,291
    Likes Received:
    4,027
    Location:
    Europe
    What he said, all below WMI is Windows internal stuff.
    FWIW, I checked my Win10 and I have that entry with "Status" set to 0. Kaspersky doesn't detect anything malware.
     
  16. rage

    rage Kapellmeister

    Joined:
    Oct 11, 2021
    Messages:
    120
    Likes Received:
    68
    Where would I even look for that XML? I sandboxed it before I installed it to see if I saw anything funny, but I barely know what Im looking for, so I don't know how much help that was. I didn't see any XML anywhere in Sandboxie though. Would a Boot-time scan with my antivirus possibly find anything malicious that is happening in this case?
     
  17. JMOUTTON

    JMOUTTON Audiosexual

    Joined:
    Jan 10, 2016
    Messages:
    1,099
    Likes Received:
    909
    Location:
    Virginia
    It's been a while since I messed with Windows on that level but the Event Viewer will let you list all logs and should trace back to the requesting file. For a more granular and real-time deep dive TraceView along with EnableTraceEx2 ( >win8) or EntableTraceEx (Win7-NT) will give you more info. The trace target is going to be pointed to by either regkey or requested by service or app on run but it will be enumerated none the less in a regkey. Event Viewer is a useful tool for when a system takes a dump or drivers misbehave as a trouble shooting tool. Windows might deny access and if it does then you'll have to check it from the console/shell with TraceView or setup an RT Trace with EnableTraceEx(Y).

    Default size I think is 100MB so if there a logger going and it is banal the worst thing that can happen is wastes space on your drive. This can be increased though so if the cracker is trying to enforce a buy it if you like it model and you run that plugin for years they might be wasting you diskspace as punishment. It's that kind of world.

    Office365 sets an autologger key as well but as it integrates with services like MS_Account & OneDrive and has call home DRM that is trying to check net status and availably as soon as the driver loads and before a DRM Server EMUs are loaded. The problem is this leads to a who can load first war.

    It doesn't look too malicious to me but I just don't understand why it's necessary for a plugin outside of making a syscall part of a DRM stack. Some applications do some strange rootkit type stuff for DRM reasons and MS lets it happen, they even do it themselves in Office365.

    I am sure there is stuff on MSDN and the Googles about how to use those commands and the Event Viewer can opened from the Windows prompt by searching for it or started with the run command < eventvwr >.
     
    Last edited: Nov 11, 2022
    • Like Like x 1
    • Interesting Interesting x 1
    • List
  18. rage

    rage Kapellmeister

    Joined:
    Oct 11, 2021
    Messages:
    120
    Likes Received:
    68
    Thats really helpful, thank you. On the plus side of all this, Im learning shit about Windows I had no idea about.
     
  19. Lois Lane

    Lois Lane Audiosexual

    Joined:
    Jan 16, 2019
    Messages:
    4,850
    Likes Received:
    4,768
    Location:
    Somewhere Over The Rainbow
    It's literally rage against the machine.
     
  20. nopenopeaudio

    nopenopeaudio Ultrasonic

    Joined:
    Oct 15, 2022
    Messages:
    62
    Likes Received:
    30
    Windows Defender Offline Scan also attempts to detect rootkits
     
Loading...
Loading...