s.exe and Chinese characters in sysmon log

JT 1 Reputation point
2020-12-13T06:10:47.743+00:00

We came across a puzzling process called s.exe and Chinese characters in the logs, as seen below, which we have never seen before across any system. We use sysmon version 8.4.0.0.

Is this a case of the sysmon driver causing trimming of data, or a bug, or an actual malicious process?

Tracing SourceProcessGUID: {C685F637-CD85-5FCF-0300-00109D53EFEB} and SourceProcessId: 1556, I can narrow down sourceImage as "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\Antivirus.OutprocScanner.exe"

Information 12/8/2020 11:18:37 PM Microsoft-Windows-Sysmon 10 Process accessed (rule: ProcessAccess) "Process accessed:
RuleName:
UtcTime: 2020-12-08 19:18:37.051
SourceProcessGUID: {C685F637-CD85-5FCF-0300-00109D53EFEB}
SourceProcessId: 1556
SourceThreadId: 13328
SourceImage: ›႑㰮贅涊吤ῧ园莭傴ᖜឥ衴⁙ࣼ蓅퍶푨⡯칸로僳䒐彣ꆾⲚᖖ현︇萞ㅂ쐑㘨쾔ꑐ鹢훉熫눀౛雦૔阤헆᮷쯗↷꽢�ity for Microsoft Exchange Servers\Antivirus.OutprocScanner.exe
TargetProcessGUID: {C685F637-8001-5FB3-0000-0010E19C0200}
TargetProcessId: 608
TargetImage: C:\Windows\system32\winlogon.exe
GrantedAccess: 0x1F1FFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+364a|C:\Windows\SYSTEM32\wow64.dll+14ac0|C:\Windows\SYSTEM32\wow64.dll+c363|C:\Windows\system32\wow64cpu.dll+25a7|C:\Windows\SYSTEM32\wow64.dll+c4f6|C:\Windows\SYSTEM32\wow64.dll+b8f5|C:\Windows\SYSTEM32\ntdll.dll+5bd5f|C:\Windows\SYSTEM32\ntdll.dll+5bc96|C:\Windows\SYSTEM32\ntdll.dll+30524(wow64)|C:\Program Files\SentinelOne\Sentinel Agent 3.7.2.45\InProcessClient32.dll+32fb8(wow64)|C:\Windows\SYSTEM32\KERNELBASE.dll+116dc(wow64)|UNKNOWN(0000000011007F2C)|UNKNOWN(000000001103097B)|UNKNOWN(0000000011030C5E)|UNKNOWN(00000000102E980C)|UNKNOWN(00000000102DF728)|UNKNOWN(00000000102EEF4E)|C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\av\cache\4fbugcog.41w\kavbase.kdl.cde371b4f87bb411cb11c31a84d13e9f+f4023def(wow64)|C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\av\cache\4fbugcog.41w\kavbase.kdl.cde371b4f87bb411cb11c31a84d13e9f+f4023def(wow64)|C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\av\cache\4fbugcog.41w\kavbase.kdl.cde371b4f87bb411cb11c31a84d13e9f+f4023def(wow64)|C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\av\cache\4fbugcog.41w\kavbase.kdl.cde371b4f87bb411cb11c31a84d13e9f+f4023def(wow64)|C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\av\cache\4fbugcog.41w\kavbase.kdl.cde371b4f87bb411cb11c31a84d13e9f+f4023def(wow64)|C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\av\cache\4fbugcog.41w\kavbase.kdl.cde371b4f87bb411cb11c31a84d13e9f+f4023def(wow64)|C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\av\cache\4fbugcog.41w\kavbase.kdl.cde371b4f87bb411cb11c31a84d13e9f+f4023def(wow64)"

and for SourceImage: s.exe

Information 12/8/2020 11:21:03 PM Microsoft-Windows-Sysmon 10 Process accessed (rule: ProcessAccess) "Process accessed:
RuleName:
UtcTime: 2020-12-08 19:21:03.512
SourceProcessGUID: {C685F637-CD85-5FCF-0300-00109D53EFEB}
SourceProcessId: 1556
SourceThreadId: 13328
SourceImage: s.exe
TargetProcessGUID: {C685F637-8008-5FB3-0000-00103DB10200}
TargetProcessId: 660
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1F1FFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+364a|C:\Windows\SYSTEM32\wow64.dll+14ac0|C:\Windows\SYSTEM32\wow64.dll+c363|C:\Windows\system32\wow64cpu.dll+25a7|C:\Windows\SYSTEM32\wow64.dll+c4f6|C:\Windows\SYSTEM32\wow64.dll+b8f5|C:\Windows\SYSTEM32\ntdll.dll+5bd5f|C:\Windows\SYSTEM32\ntdll.dll+5bc96|C:\Windows\SYSTEM32\ntdll.dll+30524(wow64)|C:\Program Files\SentinelOne\Sentinel Agent 3.7.2.45\InProcessClient32.dll+32fb8(wow64)|C:\Windows\SYSTEM32\KERNELBASE.dll+116dc(wow64)|UNKNOWN(0000000011007F2C)|UNKNOWN(0000000011030A1E)|UNKNOWN(0000000010F92E55)|UNKNOWN(0000000010F920F1)|UNKNOWN(000000001102B34D)|UNKNOWN(0000000010F91B26)|UNKNOWN(0000000010F51D81)|UNKNOWN(00000000102FC086)|UNKNOWN(00000000102EAF68)|UNKNOWN(00000000102EEF4E)|C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\av\cache\4fbugcog.41w\kavbase.kdl.cde371b4f87bb411cb11c31a84d13e9f+fffffff3(wow64)|C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\av\cache\4fbugcog.41w\kavbase.kdl.cde371b4f87bb411cb11c31a84d13e9f+fffffff3(wow64)|C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\data\bases\av\cache\4fbugcog.41w\kavbase.kdl.cde371b4f87bb411cb11c31a84d13e9f+fffffff3(wow64)"

There are no process termination events.

There is a possibility of the Process ID being recycled, but with a consistent SourceProcessGUID, my guess is that Sysmon reporting may be inaccurate, as SourceImage is not expected to change randomly.

It would be interesting to know what s.exe is. Is it part of the Kaspersky suite?
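The triage the question describes (group Event ID 10 records by SourceProcessGUID, notice that the SourceImage changes while the GUID and PID stay the same, and recover the real image from a sibling event) can be scripted. The following is an added example, not code from the original post or from Sysinternals. The sample messages are constructed from the two events quoted above (CallTrace shortened) plus two hypothetical events added for contrast; the path-plausibility rules and the list of high-value targets are this example's own assumptions, and a flagged SourceImage is a review item, not a verdict.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) messages by SourceProcessGUID.

Flags: a SourceImage that does not look like a real image path (garbled text
or a bare file name such as "s.exe"), a SourceImage that varies across events
that share one SourceProcessGUID, and PROCESS_ALL_ACCESS handles opened to
high-value targets such as lsass.exe or winlogon.exe.
"""
import re
import unicodedata
from collections import defaultdict

PROCESS_ALL_ACCESS = 0x1F1FFF
HIGH_VALUE_TARGETS = {"lsass.exe", "winlogon.exe", "csrss.exe"}  # assumption
FIELD_RE = re.compile(r"^(\w+):\s?(.*)$")
ROOTED_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")  # drive letter or UNC root

# Constructed sample messages: events 1 and 2 are trimmed from the post,
# event 3 (same GUID, clean image) and event 4 (unrelated process) are
# hypothetical, added so the grouping has something to resolve against.
SAMPLE_EVENTS = [
    r"""Process accessed:
RuleName:
UtcTime: 2020-12-08 19:18:37.051
SourceProcessGUID: {C685F637-CD85-5FCF-0300-00109D53EFEB}
SourceProcessId: 1556
SourceImage: ›႑㰮贅涊吤ῧ园莭傴ᖜ�ity for Microsoft Exchange Servers\Antivirus.OutprocScanner.exe
TargetImage: C:\Windows\system32\winlogon.exe
GrantedAccess: 0x1F1FFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+364a|C:\Windows\SYSTEM32\wow64.dll+14ac0""",
    r"""Process accessed:
RuleName:
UtcTime: 2020-12-08 19:21:03.512
SourceProcessGUID: {C685F637-CD85-5FCF-0300-00109D53EFEB}
SourceProcessId: 1556
SourceImage: s.exe
TargetImage: C:\Windows\system32\lsass.exe
GrantedAccess: 0x1F1FFF
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+364a|C:\Windows\SYSTEM32\wow64.dll+14ac0""",
    r"""Process accessed:
RuleName:
UtcTime: 2020-12-08 19:25:10.000
SourceProcessGUID: {C685F637-CD85-5FCF-0300-00109D53EFEB}
SourceProcessId: 1556
SourceImage: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security for Microsoft Exchange Servers\Antivirus.OutprocScanner.exe
TargetImage: C:\Windows\system32\svchost.exe
GrantedAccess: 0x1410
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+364a""",
    r"""Process accessed:
RuleName:
UtcTime: 2020-12-08 19:30:00.000
SourceProcessGUID: {C685F637-0000-0000-0000-000000000001}
SourceProcessId: 4242
SourceImage: C:\Windows\system32\svchost.exe
TargetImage: C:\Windows\system32\svchost.exe
GrantedAccess: 0x1000
CallTrace: C:\Windows\SYSTEM32\ntdll.dll+364a""",
]


def parse_event(message):
    """Turn the multi-line Sysmon message body into a {field: value} dict."""
    fields = {}
    for line in message.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def image_anomaly(image):
    """Return why an image path looks like a reporting artefact, or None if it looks sane."""
    if not image:
        return "empty"
    # U+FFFD or control / unassigned / private-use code points mean the
    # string was not a valid path to begin with.
    if "\ufffd" in image or any(
        unicodedata.category(c) in ("Cc", "Cn", "Co", "Cs") for c in image
    ):
        return "garbled"
    if not ROOTED_RE.match(image):
        return "not a rooted path"
    return None


def triage(messages):
    """Group events by SourceProcessGUID and collect findings per GUID."""
    by_guid = defaultdict(list)
    for msg in messages:
        ev = parse_event(msg)
        by_guid[ev["SourceProcessGUID"]].append(ev)
    report = {}
    for guid, events in by_guid.items():
        images = sorted({e["SourceImage"] for e in events})
        findings = []
        if len(images) > 1:
            findings.append("SourceImage varies for one SourceProcessGUID")
        for img in images:
            reason = image_anomaly(img)
            if reason:
                findings.append(f"SourceImage {img!r}: {reason}")
        for e in events:
            target = e["TargetImage"].rsplit("\\", 1)[-1].lower()
            access = int(e["GrantedAccess"], 16)
            if target in HIGH_VALUE_TARGETS and (access & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
                findings.append(f"PROCESS_ALL_ACCESS handle to {target} at {e['UtcTime']}")
        # The first plausible image seen for this GUID is the best guess at
        # the real source process, which is how the post narrowed it down.
        resolved = next((i for i in images if image_anomaly(i) is None), None)
        report[guid] = {
            "pid": events[0]["SourceProcessId"],
            "images": images,
            "resolved_image": resolved,
            "findings": findings,
        }
    return report


if __name__ == "__main__":
    for guid, entry in triage(SAMPLE_EVENTS).items():
        print(guid, entry["pid"], entry["resolved_image"])
        for f in entry["findings"]:
            print("   -", f)
```

Running this over exported event messages (for example the text of each Event ID 10 record pulled with `Get-WinEvent` and fed into `triage`) produces one entry per source process; a GUID whose findings include both "varies" and "garbled" or "not a rooted path" is the pattern in the question, and the resolved image is the candidate to confirm against the Event ID 1 (ProcessCreate) record for that GUID.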
