From 9ee844dc8aa8aed6c50feeff0a31997a382184cf Mon Sep 17 00:00:00 2001 From: wesmar Date: Mon, 20 Oct 2025 02:33:16 +0200 Subject: [PATCH] Aktualizacja: 2025-10-20 02:33:16 --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 376f30b..a229274 100644 --- a/README.md +++ b/README.md @@ -1484,7 +1484,7 @@ While KVC employs evasion techniques, its operations can still leave forensic ar * **Event ID 4624:** Logon - shows logons associated with Sticky Keys backdoor (`SYSTEM` logon from `winlogon.exe` context). * **File System Artifacts:** * **`kvc.exe`, `kvc_pass.exe`:** The executables themselves. - * **Temporary Driver:** `kvc.sys` briefly present in a system location (likely DriverStore FileRepository or System32\\drivers) during atomic operations. + * **Temporary Driver:** `kvc.sys` is briefly present in `C:\Windows\System32\DriverStore\FileRepository\avc.inf_amd64_XXXXXXXXXXXX\` during atomic operations. This location is dynamically resolved at runtime by querying the actual subdirectory name (e.g., `avc.inf_amd64_12ca23d60da30d59`), which varies per system. Importantly, this directory is protected by ACLs that grant write access only to **TrustedInstaller**, not to standard administrators - KVC must elevate to TI privileges before placing the driver here. * **Hijacked DLL:** `ExplorerFrame.dll` in `C:\Windows\System32` when watermark removal is active. * **Memory Dumps:** `.dmp` files created by `kvc dump` in the specified or default (`Downloads`) location. * **Credential Reports:** `.html`, `.txt`, `.json` files generated by `kvc export secrets` or `kvc bp` in the specified or default (`Downloads`) location.
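Review bot: in the rewritten Temporary Driver bullet the placeholder path `avc.inf_amd64_XXXXXXXXXXXX` has twelve `X` characters while the example that follows it, `avc.inf_amd64_12ca23d60da30d59`, has sixteen hex digits; since the bullet is in a forensic-artifacts list, make the placeholder match the real suffix length (or just say the suffix is a per-system hex string) and state that any file-creation monitoring or IOC must match on `DriverStore\FileRepository\avc.inf_amd64_*\kvc.sys` rather than the literal example. The sentence "KVC must elevate to TI privileges before placing the driver here" also overstates the requirement: the DACL does grant write only to TrustedInstaller, but a principal holding SeRestorePrivilege (members of Administrators by default) can write past the DACL without impersonating TI, so phrase it as what KVC does, not as the only way in. Finally, "briefly present" leaves out how the file disappears; saying whether `kvc.sys` is deleted after the driver loads tells a responder whether to expect it on disk or only in file-creation logs (Sysmon Event ID 11) and the USN journal.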