May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Queries disk information (often used to detect virtual machines)
Process information set: NOOPENFILEERRORBOX
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\DeviceTicket
Disables application error messages (SetErrorMode)
Process created: C:\Users\user\Desktop\7z.exe 'C:\Users\user\Desktop\7z.exe'
Binary string: wkernel32.
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
File read: C:\Windows\System32\drivers\etc\hosts
.text section: IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Only a text section and no other executable section
Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess632
File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WERFDF.tmp dll
Classification label: mal48.winE mutexes
Section loaded: ext-ms-win-xblauth-console-l1.
Source: C:\Windows\SysWOW64\WerFault.exe
Static PE information: No import functions for PE file found
Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 632 -s 212