Source: | Binary string: wkernel32.pdb source: svchost015.exe, 00000001.00000003.961922184.0000000000670000.00000004.00000001.00020000.00000000.sdmp, svchost015.exe, 00000001.00000003.962383999.0000000002E11000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.969597198.0000000005600000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.969663426.0000000005720000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: wkernelbase.pdb source: svchost015.exe, 00000001.00000003.963014386.0000000002D80000.00000004.00000001.00020000.00000000.sdmp, svchost015.exe, 00000001.00000003.964692172.0000000002FA0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.969827329.0000000005600000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.969991209.0000000005820000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: ntdll.pdb source: svchost015.exe, 00000001.00000003.958504876.0000000002F70000.00000004.00000001.00020000.00000000.sdmp, svchost015.exe, 00000001.00000003.957439978.0000000002D80000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.968846564.0000000005600000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.969046386.00000000057F0000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: wntdll.pdbUGP source: svchost015.exe, 00000001.00000003.959826782.0000000002D80000.00000004.00000001.00020000.00000000.sdmp, svchost015.exe, 00000001.00000003.961048876.0000000002F20000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.969442718.00000000057A0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.969300942.0000000005600000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: ntdll.pdbUGP source: svchost015.exe, 00000001.00000003.958504876.0000000002F70000.00000004.00000001.00020000.00000000.sdmp, svchost015.exe, 00000001.00000003.957439978.0000000002D80000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.968846564.0000000005600000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.969046386.00000000057F0000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: wntdll.pdb source: svchost015.exe, 00000001.00000003.959826782.0000000002D80000.00000004.00000001.00020000.00000000.sdmp, svchost015.exe, 00000001.00000003.961048876.0000000002F20000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.969442718.00000000057A0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.969300942.0000000005600000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: wkernelbase.pdbUGP source: svchost015.exe, 00000001.00000003.963014386.0000000002D80000.00000004.00000001.00020000.00000000.sdmp, svchost015.exe, 00000001.00000003.964692172.0000000002FA0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.969827329.0000000005600000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.969991209.0000000005820000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: wkernel32.pdbUGP source: svchost015.exe, 00000001.00000003.961922184.0000000000670000.00000004.00000001.00020000.00000000.sdmp, svchost015.exe, 00000001.00000003.962383999.0000000002E11000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.969597198.0000000005600000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.969663426.0000000005720000.00000004.00000001.00020000.00000000.sdmp |
Source: unknown | TCP traffic detected without corresponding DNS query: 83.217.208.90 |
Source: tlses(x86).exe, 00000000.00000002.953576894.00000000031E0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.cer0Q |
Source: tlses(x86).exe, 00000000.00000002.953576894.00000000031E0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t |
Source: tlses(x86).exe, 00000000.00000002.953576894.00000000031E0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-CodeSigning-RSA-4096-R1.crl0 |
Source: tlses(x86).exe, 00000000.00000002.953576894.00000000031E0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0 |
Source: tlses(x86).exe, 00000000.00000002.953576894.00000000031E0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# |
Source: tlses(x86).exe, 00000000.00000002.953576894.00000000031E0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.sectigo.com0 |
Source: tlses(x86).exe, 00000000.00000002.953576894.00000000031E0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: http://ocsps.ssl.com0 |
Source: Amcache.hve.9.dr | String found in binary or memory: http://upx.sf.net |
Source: tlses(x86).exe, tlses(x86).exe, 00000000.00000002.953576894.00000000031E0000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.944663254.0000000000401000.00000020.00000001.01000000.00000004.sdmp | String found in binary or memory: http://www.x-ways.net/order |
Source: tlses(x86).exe, 00000000.00000002.953576894.00000000031E0000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.944663254.0000000000401000.00000020.00000001.01000000.00000004.sdmp | String found in binary or memory: http://www.x-ways.net/order.html-d.htmlS |
Source: tlses(x86).exe, tlses(x86).exe, 00000000.00000002.953576894.00000000031E0000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.944663254.0000000000401000.00000020.00000001.01000000.00000004.sdmp | String found in binary or memory: http://www.x-ways.net/winhex/license |
Source: tlses(x86).exe, 00000000.00000002.953576894.00000000031E0000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.944663254.0000000000401000.00000020.00000001.01000000.00000004.sdmp | String found in binary or memory: http://www.x-ways.net/winhex/license-d-f.htmlS |
Source: tlses(x86).exe, tlses(x86).exe, 00000000.00000002.953576894.00000000031E0000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.944663254.0000000000401000.00000020.00000001.01000000.00000004.sdmp | String found in binary or memory: http://www.x-ways.net/winhex/subscribe |
Source: tlses(x86).exe, 00000000.00000002.953576894.00000000031E0000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.944663254.0000000000401000.00000020.00000001.01000000.00000004.sdmp | String found in binary or memory: http://www.x-ways.net/winhex/subscribe-d.htmlU |
Source: svchost.exe, 00000002.00000002.1026913008.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1026913008.000000000350C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1025748194.0000000002E8C000.00000004.00000010.00020000.00000000.sdmp, fontdrvhost.exe, fontdrvhost.exe, 00000007.00000002.1156407150.0000025415F40000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: https://83.217.208.90:8165/4eaee7bb9ded9b9d0e847/kua05kos.r6e74 |
Source: svchost.exe, 00000002.00000002.1026913008.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1026913008.000000000350C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000007.00000002.1156407150.0000025415F40000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: https://83.217.208.90:8165/4eaee7bb9ded9b9d0e847/kua05kos.r6e74kernelbasentdllkernel32GetProcessMiti |
Source: svchost.exe, 00000002.00000002.1025748194.0000000002E8C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://83.217.208.90:8165/4eaee7bb9ded9b9d0e847/kua05kos.r6e74x |
Source: svchost.exe, 00000002.00000003.990359897.00000000035A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cloudflare-dns.com/dns-query |
Source: svchost.exe, 00000002.00000003.990359897.00000000035A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi |
Source: tlses(x86).exe, tlses(x86).exe, 00000000.00000002.953576894.00000000031E0000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.944663254.0000000000401000.00000020.00000001.01000000.00000004.sdmp | String found in binary or memory: https://github.com/tesseract-ocr/tessdata/ |
Source: tlses(x86).exe, 00000000.00000002.953576894.00000000031E0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0 |
Source: tlses(x86).exe, 00000000.00000002.953576894.00000000031E0000.00000040.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.ssl.com/repository0 |
Source: tlses(x86).exe, tlses(x86).exe, 00000000.00000002.953576894.00000000031E0000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.944663254.0000000000401000.00000020.00000001.01000000.00000004.sdmp | String found in binary or memory: https://www.x-ways.net/forensics/x-tensions.html |
Source: tlses(x86).exe, 00000000.00000002.953576894.00000000031E0000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.944663254.0000000000401000.00000020.00000001.01000000.00000004.sdmp | String found in binary or memory: https://www.x-ways.net/forensics/x-tensions.htmlf |
Source: tlses(x86).exe, tlses(x86).exe, 00000000.00000002.953576894.00000000031E0000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.944663254.0000000000401000.00000020.00000001.01000000.00000004.sdmp | String found in binary or memory: https://www.x-ways.net/winhex/forum/ |
Source: tlses(x86).exe, 00000000.00000002.953576894.00000000031E0000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.944663254.0000000000401000.00000020.00000001.01000000.00000004.sdmp | String found in binary or memory: https://www.x-ways.net/winhex/forum/www.x-ways.net/winhex/templates/www.x-ways.net/dongle_protection |
Source: Yara match | File source: 1.3.svchost015.exe.2d80000.5.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.3.svchost.exe.5820000.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.3.svchost015.exe.2fa0000.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.3.svchost.exe.5600000.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.3.svchost015.exe.2d80000.5.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.0.svchost015.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 1.3.svchost015.exe.2d80000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000001.00000003.964692172.0000000002FA0000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000001.00000003.963014386.0000000002D80000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.969827329.0000000005600000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.969991209.0000000005820000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000002.953576894.00000000031E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: tlses(x86).exe PID: 7140, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: svchost015.exe PID: 6240, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6308, type: MEMORYSTR |
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\svchost015.exe, type: DROPPED |
Source: tlses(x86).exe | Binary or memory string: OriginalFilename vs tlses(x86).exe |
Source: tlses(x86).exe, 00000000.00000002.947126020.0000000002770000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFlashDevelop.exer) vs tlses(x86).exe |
Source: tlses(x86).exe, 00000000.00000002.955347442.0000000003939000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFlashDevelop.exer) vs tlses(x86).exe |
Source: tlses(x86).exe, 00000000.00000002.953576894.00000000031E0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWINHEX.EXE0 vs tlses(x86).exe |
Source: tlses(x86).exe, 00000000.00000002.953576894.00000000031E0000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFlashDevelop.exer) vs tlses(x86).exe |
Source: svchost015.exe.0.dr | Binary string: ol, por favorI&taliano, per favore&Portugues, por favorPo&lski*.*.prj.xfcwhxvmem.pos.settings.zip.e01.dd001.ctr.txt.png.mem.memservice_workeredgetmp.tmpemlmsg.jpgheic*.pdf;*.ps;*.tif;*.jpg;*.png;*.gif;*.bmp.htmlhtmlxmlsqlitesqlitedbregistryolk14messageedbsnssevtevtxplistbplist*.xhdTesseractOCRExcireExcire ForensicsExcire.exe.\!imagespst,ost,edb,dbx,pfc,mbox,eml,emlx,mht,mim,msg,olk14msgsource,olk14message,olk14msgattach,olk15msgattach,olk15msgsource,olk15message,oft,mbs,tnefzip,zipx,7z,rar,tar,gz,tgz,bzip,bz2docx,xlsx,pptx,ppsx,odt,ods,odb,odg,odf,odp,key,numbers,pages,xps,oxps,opendoc,sxw,sxg,sxc,stc,sxm,sxi,sxd,std,stw,sxm,hwpxufdr,ova,gbp,odm,a2w,kmz,kpr,pxl2,bbb,idml,cdr,sbb,notebook,mmap,spd,cdmz,mwb,nbak,pez,artx,cmap,sh3d,dpp,snb,dbk,sps,spv,wpp,jnxthmx,war,otp,xap,dwfx,epub,btapp,u3p,nth,ibooks,3dxml,htmlz,cbz,ear,potx,ppam,xltx,xlsm,dotx,docm,dotx,vsdx,gadget,rbf,eftx,gg,ottjar,apk,ipa,appx,crx,cabzxp,ots,wmz,air,accft,vssx,ipcc,ipsw,xpi;*.docx;*.pptx;*.xlsx;*.vsdx;*.vsdm;*.odt;*.odp;*.ods*.xls;*.xlsx;*.odsNEARNTNRFlexFilterANDOR (=offline)XWF_MTX_Alt Gr +Ctrl +Shift +Space +Ctrl+Alt +HeaderBlank line(s) found.Power down after x minutesFallback code page for plain text*\\\\?\\\.\\\?\Volume{\Device\HarddiskVolume\Device\CdRom... .. 
FILEBAAD($MFT) WofCompressedDataIndex Record$EFS.PFILENTFS: EA(EA)NO NAME > 0x100x10 < 0x30Unable to terminate worker thread.X-Ways Decompressed [block hash values] [PhotoDNA] [FuzZyDoc]PhotoDNAFuzZyDoc_newTeamsMessagesDataTeamsMeetingsRecoverable Items\DeletionsTop of Personal FoldersSenRec.dirPasswords.txtSearch Terms.txtNewUsers.dirKeywordsLockSpecial Interest.sectorX-Ways SessionSleep(0) Frequency (0..100)non-existent sector debug info123123|123|1234|12345|123456|1234567|12345678|123456789|987654321|abc123|123abc|121212|000000|666666|qwerty|password|password1|iloveyou|monkey|dragon|qwertyuiop-------- *** ---*** ***nLicID& --> --> .journal.exclude.badblocksFile mode:Sequential #TOCBLOCKVMDBVBLKContainerFILETIMEZone.Identifier[ZoneTransfer]System Volume InformationNot enough space for metadata at offset<html> |
Source: tlses(x86).exe | String found in binary or memory: If you think that might be the case, please hold the Shift key when interpreting/adding the image again. |
Source: tlses(x86).exe | String found in binary or memory: remember that you can easily specify the sector size to assume for an image (hold the Shift key while interpreting/adding it). |
Source: tlses(x86).exe | String found in binary or memory: You can try holding the Shift key when interpreting the image/adding it to the case. |
Source: tlses(x86).exe | String found in binary or memory: 83ADC/ADD/AND/CMP/OR/SBB/SUB/XOR |
Source: tlses(x86).exe | String found in binary or memory: 80ADC/ADD/AND/CMP/OR/SBB/SUB/XOR |
Source: tlses(x86).exe | String found in binary or memory: 81ADC/ADD/AND/CMP/OR/SBB/SUB/XOR |
Source: tlses(x86).exe | String found in binary or memory: Cannot load driver. Please re-install it by executing Dokan.exe. |
Source: unknown | Process created: C:\Users\user\Desktop\tlses(x86).exe "C:\Users\user\Desktop\tlses(x86).exe" | |
Source: C:\Users\user\Desktop\tlses(x86).exe | Process created: C:\Users\user\AppData\Local\Temp\svchost015.exe C:\Users\user~1\AppData\Local\Temp\svchost015.exe | |
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe" | |
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6240 -s 576 | |
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe" | |
Source: C:\Windows\System32\fontdrvhost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6088 -s 136 | |
Source: C:\Users\user\Desktop\tlses(x86).exe | Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\tlses(x86).exe | Section loaded: version.dll |
Source: C:\Users\user\Desktop\tlses(x86).exe | Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\tlses(x86).exe | Section loaded: kernel.appcore.dll |
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Section loaded: apphelp.dll |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: kernel.appcore.dll |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wbemcomn.dll |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: amsi.dll |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: userenv.dll |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: profapi.dll |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: version.dll |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: uxtheme.dll |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: windows.storage.dll |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wldp.dll |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: sspicli.dll |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mpr.dll |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: powrprof.dll |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: umpdc.dll |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\tlses(x86).exe | Code function: 0_2_031E635A push 00406C68h; ret | 0_2_031E6380 |
Source: C:\Users\user\Desktop\tlses(x86).exe | Code function: 0_2_031E523C push 00405B48h; ret | 0_2_031E5260 |
Source: C:\Users\user\Desktop\tlses(x86).exe | Code function: 0_2_031E7234 push 00407B40h; ret | 0_2_031E7258 |
Source: C:\Users\user\Desktop\tlses(x86).exe | Code function: 0_2_031F2244 push 00412B50h; ret | 0_2_031F2268 |
Source: C:\Users\user\Desktop\tlses(x86).exe | Code function: 0_2_031E5274 push 00405B80h; ret | 0_2_031E5298 |
Source: C:\Users\user\Desktop\tlses(x86).exe | Code function: 0_2_031E6294 push 00406BA0h; ret | 0_2_031E62B8 |
Source: C:\Users\user\Desktop\tlses(x86).exe | Code function: 0_2_031E62CC push 00406BD8h; ret | 0_2_031E62F0 |
Source: C:\Users\user\Desktop\tlses(x86).exe | Code function: 0_2_031F2100 push ecx; mov dword ptr [esp], ecx | 0_2_031F2105 |
Source: C:\Users\user\Desktop\tlses(x86).exe | Code function: 0_2_031F516C push 00415A78h; ret | 0_2_031F5190 |
Source: C:\Users\user\Desktop\tlses(x86).exe | Code function: 0_2_031E506C push 0040599Dh; ret | 0_2_031E50B5 |
Source: C:\Users\user\Desktop\tlses(x86).exe | Code function: 0_2_031EA45C push ecx; mov dword ptr [esp], eax | 0_2_031EA460 |
Source: C:\Users\user\Desktop\tlses(x86).exe | Code function: 0_2_031F0B04 push 00411410h; ret | 0_2_031F0B28 |
Source: C:\Users\user\Desktop\tlses(x86).exe | Code function: 0_2_031F1A30 push 0041233Ch; ret | 0_2_031F1A54 |
Source: C:\Users\user\Desktop\tlses(x86).exe | Code function: 0_2_031F0ACC push 004113D8h; ret | 0_2_031F0AF0 |
Source: C:\Users\user\Desktop\tlses(x86).exe | Code function: 0_2_031ECAEC push 0040D3FCh; ret | 0_2_031ECB14 |
Source: C:\Users\user\Desktop\tlses(x86).exe | Code function: 0_2_031F0838 push 00411144h; ret | 0_2_031F085C |
Source: C:\Users\user\Desktop\tlses(x86).exe | Code function: 0_2_031F0870 push 0041117Ch; ret | 0_2_031F0894 |
Source: C:\Users\user\Desktop\tlses(x86).exe | Code function: 0_2_031F28FC push ecx; mov dword ptr [esp], ecx | 0_2_031F28FF |
Source: C:\Users\user\Desktop\tlses(x86).exe | Code function: 0_2_031F6FA0 push 004178ACh; ret | 0_2_031F6FC4 |
Source: C:\Users\user\Desktop\tlses(x86).exe | Code function: 0_2_031E7E36 push 00408744h; ret | 0_2_031E7E5C |
Source: C:\Users\user\Desktop\tlses(x86).exe | Code function: 0_2_031E2D2C push eax; ret | 0_2_031E2D68 |
Source: C:\Users\user\Desktop\tlses(x86).exe | Code function: 0_2_031F5D7E push 0041668Ch; ret | 0_2_031F5DA4 |
Source: C:\Users\user\Desktop\tlses(x86).exe | Code function: 0_2_031F2C7E push 0041358Ch; ret | 0_2_031F2CA4 |
Source: C:\Users\user\Desktop\tlses(x86).exe | Code function: 0_2_031F1C74 push 00412580h; ret | 0_2_031F1C98 |
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Code function: 1_3_0063525D push es; ret | 1_3_00635264 |
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Code function: 1_3_00632C39 push ecx; ret | 1_3_00632C59 |
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Code function: 1_3_006328EC push edi; ret | 1_3_006328F8 |
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Code function: 1_3_006310F9 push FFFFFF82h; iretd | 1_3_006310FB |
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Code function: 1_3_006344F9 push edx; retf | 1_3_006344FC |
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Code function: 1_3_00630F6A push eax; ret | 1_3_00630F75 |
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Code function: 1_3_00634D5E push esi; ret | 1_3_00634D69 |
Source: C:\Users\user\Desktop\tlses(x86).exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Users\user\AppData\Local\Temp\svchost015.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: Amcache.hve.9.dr | Binary or memory string: VMware |
Source: tlses(x86).exe, tlses(x86).exe, 00000000.00000002.953576894.00000000031E0000.00000040.00001000.00020000.00000000.sdmp, svchost015.exe, 00000001.00000000.944663254.0000000000401000.00000020.00000001.01000000.00000004.sdmp | Binary or memory string: ParallelsVirtualMachine |
Source: Amcache.hve.9.dr | Binary or memory string: VMware Virtual USB Mouse |
Source: Amcache.hve.9.dr | Binary or memory string: vmci.syshbin |
Source: Amcache.hve.9.dr | Binary or memory string: VMware, Inc. |
Source: Amcache.hve.9.dr | Binary or memory string: VMware20,1hbin@ |
Source: Amcache.hve.9.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
Source: Amcache.hve.9.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.9.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
Source: svchost.exe, 00000002.00000002.1026273949.0000000003400000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW |
Source: Amcache.hve.9.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: svchost.exe, 00000002.00000002.1026309096.0000000003412000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW( |
Source: Amcache.hve.9.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
Source: Amcache.hve.9.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.9.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: svchost.exe, 00000002.00000002.1026559029.000000000345C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWMSAFD L2CAP [Bluetooth] |
Source: Amcache.hve.9.dr | Binary or memory string: vmci.sys |
Source: Amcache.hve.9.dr | Binary or memory string: vmci.syshbin` |
Source: Amcache.hve.9.dr | Binary or memory string: \driver\vmci,\driver\pci |