System information queried: FirmwareTableInformation
Query firmware table information (likely to detect VMs)
Source: C:\Windows\System32\CompatTelRunner.exe
Process created: C:\Windows\System32\CompatTelRunner.exe C:\Windows\system32\compattelrunner.exe -m:GeneralTel.dll -f:RunGeneralTelemetry -cV 5tRGbHj7bEWYDfOa.1.3 -SendFullTelemetry -ThrottleUtc -FullSync
Source: C:\Windows\System32\CompatTelRunner.exe
Process created: C:\Windows\System32\CompatTelRunner.exe C:\Windows\system32\CompatTelRunner.exe -m:appraiser.dll -f:DoScheduledTelemetryRun -cv:5tRGbHj7bEWYDfOa.1
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.
Process created: C:\Users\user\Desktop\CompatTelRunner.exe "C:\Users\user\Desktop\CompatTelRunner.
Source: C:\Users\user\Desktop\CompatTelRunner.exe
Contains functionality to call native functions
Source: C:\Users\user\Desktop\CompatTelRunner.exe
Code function: 1_2_00007FF7E500A634 NtQueryValueKey,
Code function: 1_2_00007FF7E500BA40 NtClose,ZwClose,
Code function: 1_2_00007FF7E5004644 Sleep,LoadLibraryExW,GetLastError,GetProcAddress,GetProcAddress,GetProcAddress,NtCreateEvent,WaitForSingleObject,CloseHandle,FreeLibrary,
Code function: 1_2_00007FF7E500E68C RtlAllocateHeap,memset,RtlAllocateHeap,memset,RtlReAllocateHeap,memcpy,RtlAllocateHeap,memset,RtlReAllocateHeap,RtlAllocateHeap,memset,RtlReAllocateHeap,RtlAllocateHeap,memset,RtlReAllocateHeap,RtlAllocateHeap,memset,RtlReAllocateHeap,RtlAllocateHeap,memset,RtlReAllocateHeap,RtlAllocateHeap,memset,RtlReAllocateHeap,memcpy,RtlAllocateHeap,memset,RtlReAllocateHeap,RtlAllocateHeap,memset,RtlReAllocateHeap,memcpy,RtlAllocateHeap,memset,RtlReAllocateHeap,RtlAllocateHeap,memset,RtlReAllocateHeap,memcpy,RtlFreeHeap,RtlAllocateHeap,memset,RtlReAllocateHeap,ZwClose,RtlAllocateHeap,memcpy,RtlAllocateHeap,memset,RtlReAllocateHeap,memcpy,RtlAllocateHeap,memset,RtlReAllocateHeap,RtlAllocateHeap,memset,RtlReAllocateHeap,memcpy,RtlFreeHeap,RtlAllocateHeap,memset,RtlReAllocateHeap,RtlFreeHeap,RtlAllocateHeap,memcpy,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,ZwClose,
Code function: 1_2_00007FF7E500A4D0 RtlInitUnicodeStringEx,ZwOpenKey,
Code function: 1_2_00007FF7E50144F4 NtQueryLicenseValue,
Code function: 1_2_00007FF7E500CB0C RtlAllocateHeap,RtlAllocateHeap,ZwClose,RtlFreeHeap,memset,memset,ZwEnumerateKey,_wcsicmp,_wcslwr,wcsrchr,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,ZwClose,ZwClose,
Code function: 1_2_00007FF7E5013F50 GetModuleHandleW,GetProcAddress,NtQueryLicenseValue,
Code function: 1_2_00007FF7E5011B94 RtlInitUnicodeStringEx,RtlDosPathNameToRelativeNtPathName_U,NtLoadKeyEx,RtlReleaseRelativeName,RtlNtStatusToDosError,RtlFreeHeap,RtlFreeHeap,
Code function: 1_2_00007FF7E500A580 RtlInitUnicodeStringEx,ZwOpenKey,
Code function: 1_2_00007FF7E500A7A0 RtlInitUnicodeString,ZwQueryValueKey,RtlAllocateHeap,ZwQueryValueKey,RtlFreeHeap,
Code function: 1_2_00007FF7E50143B8 NtQueryLicenseValue,
Code function: 1_2_00007FF7E500F9B8 ZwQuerySystemInformation,ZwQuerySystemInformation,
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\ \TreatAs
Detected potential crypto function
Source: C:\Users\user\Desktop\CompatTelRunner.exe
Creates COM task schedule object (often to register a task for autostart)
Source: C:\Users\user\Desktop\CompatTelRunner.exe