Source: | Binary string: wkernel32.pdb source: Iuv2tI4JHh.exe, 00000000.00000003.2044565028.0000000003B80000.00000004.00000001.00020000.00000000.sdmp, Iuv2tI4JHh.exe, 00000000.00000003.2044452857.0000000001570000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2049279804.0000000005120000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2049339606.0000000005240000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: wkernelbase.pdb source: Iuv2tI4JHh.exe, 00000000.00000003.2044880063.0000000003D20000.00000004.00000001.00020000.00000000.sdmp, Iuv2tI4JHh.exe, 00000000.00000003.2044740464.0000000003B00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2049469794.0000000005120000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2049729536.0000000005340000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: ntdll.pdb source: Iuv2tI4JHh.exe, 00000000.00000003.2043293984.0000000003B00000.00000004.00000001.00020000.00000000.sdmp, Iuv2tI4JHh.exe, 00000000.00000003.2043886158.0000000003CF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2048481663.0000000005120000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2048670680.0000000005310000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: wntdll.pdbUGP source: Iuv2tI4JHh.exe, 00000000.00000003.2044130231.0000000003B00000.00000004.00000001.00020000.00000000.sdmp, Iuv2tI4JHh.exe, 00000000.00000003.2044274415.0000000003CA0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2048898810.0000000005120000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2049044744.00000000052C0000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: ntdll.pdbUGP source: Iuv2tI4JHh.exe, 00000000.00000003.2043293984.0000000003B00000.00000004.00000001.00020000.00000000.sdmp, Iuv2tI4JHh.exe, 00000000.00000003.2043886158.0000000003CF0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2048481663.0000000005120000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2048670680.0000000005310000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: wntdll.pdb source: Iuv2tI4JHh.exe, 00000000.00000003.2044130231.0000000003B00000.00000004.00000001.00020000.00000000.sdmp, Iuv2tI4JHh.exe, 00000000.00000003.2044274415.0000000003CA0000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2048898810.0000000005120000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2049044744.00000000052C0000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: wkernel32.pdbUGP source: Iuv2tI4JHh.exe, 00000000.00000003.2044565028.0000000003B80000.00000004.00000001.00020000.00000000.sdmp, Iuv2tI4JHh.exe, 00000000.00000003.2044452857.0000000001570000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2049279804.0000000005120000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2049339606.0000000005240000.00000004.00000001.00020000.00000000.sdmp |
Source: | Binary string: wkernelbase.pdbUGP source: Iuv2tI4JHh.exe, 00000000.00000003.2044880063.0000000003D20000.00000004.00000001.00020000.00000000.sdmp, Iuv2tI4JHh.exe, 00000000.00000003.2044740464.0000000003B00000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2049469794.0000000005120000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2049729536.0000000005340000.00000004.00000001.00020000.00000000.sdmp |
Source: unknown | TCP traffic detected without corresponding DNS query: 154.216.18.146 |
Source: Amcache.hve.7.dr | String found in binary or memory: http://upx.sf.net |
Source: svchost.exe, 00000002.00000002.2155134707.000000000095C000.00000004.00000010.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2155507884.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2155507884.000000000310C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, fontdrvhost.exe, 00000003.00000002.2514249459.00000208889E0000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: https://154.216.18.146:2369/3d58f2f6993b6922/5315d9af.xxavk |
Source: svchost.exe, 00000002.00000002.2155507884.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2155507884.000000000310C000.00000004.00000020.00020000.00000000.sdmp, fontdrvhost.exe, 00000003.00000002.2514249459.00000208889E0000.00000040.00000001.00020000.00000000.sdmp | String found in binary or memory: https://154.216.18.146:2369/3d58f2f6993b6922/5315d9af.xxavkkernelbasentdllkernel32GetProcessMitigati |
Source: svchost.exe, 00000002.00000002.2155134707.000000000095C000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: https://154.216.18.146:2369/3d58f2f6993b6922/5315d9af.xxavkx |
Source: svchost.exe, 00000002.00000003.2084690208.00000000031A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cloudflare-dns.com/dns-query |
Source: svchost.exe, 00000002.00000003.2084690208.00000000031A3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cloudflare-dns.com/dns-queryPOSTContent-TypeContent-LengthHostapplication/dns-message%dMachi |
Source: Yara match | File source: 2.3.svchost.exe.5340000.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.Iuv2tI4JHh.exe.3d20000.7.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.Iuv2tI4JHh.exe.3b00000.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 2.3.svchost.exe.5120000.6.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.3.Iuv2tI4JHh.exe.3d20000.7.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000002.00000003.2049469794.0000000005120000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.2044880063.0000000003D20000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000003.2044740464.0000000003B00000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000002.00000003.2049729536.0000000005340000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: Iuv2tI4JHh.exe PID: 1088, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5628, type: MEMORYSTR |
Source: Iuv2tI4JHh.exe | Static PE information: section name: |
Source: Iuv2tI4JHh.exe | Static PE information: section name: |
Source: Iuv2tI4JHh.exe | Static PE information: section name: |
Source: Iuv2tI4JHh.exe | Static PE information: section name: |
Source: C:\Windows\System32\fontdrvhost.exe | Code function: 3_2_00000208889E1AA4 NtAcceptConnectPort,NtAcceptConnectPort, | 3_2_00000208889E1AA4 |
Source: C:\Windows\System32\fontdrvhost.exe | Code function: 3_2_00000208889E0AC8 NtAcceptConnectPort,NtAcceptConnectPort, | 3_2_00000208889E0AC8 |
Source: C:\Windows\System32\fontdrvhost.exe | Code function: 3_2_00000208889E15C0 NtAcceptConnectPort, | 3_2_00000208889E15C0 |
Source: C:\Windows\System32\fontdrvhost.exe | Code function: 3_2_00000208889E1CF4 NtAcceptConnectPort,CloseHandle, | 3_2_00000208889E1CF4 |
Source: Iuv2tI4JHh.exe | Binary or memory string: OriginalFilename vs Iuv2tI4JHh.exe |
Source: Iuv2tI4JHh.exe, 00000000.00000003.2043293984.0000000003C78000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Iuv2tI4JHh.exe |
Source: Iuv2tI4JHh.exe, 00000000.00000003.2044452857.0000000001602000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs Iuv2tI4JHh.exe |
Source: Iuv2tI4JHh.exe, 00000000.00000003.2044880063.0000000003F01000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKernelbase.dllj% vs Iuv2tI4JHh.exe |
Source: Iuv2tI4JHh.exe, 00000000.00000003.2044565028.0000000003B80000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs Iuv2tI4JHh.exe |
Source: Iuv2tI4JHh.exe, 00000000.00000000.2016538182.000000000099C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCFF Explorer.exe: vs Iuv2tI4JHh.exe |
Source: Iuv2tI4JHh.exe, 00000000.00000003.2044130231.0000000003C23000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Iuv2tI4JHh.exe |
Source: Iuv2tI4JHh.exe, 00000000.00000003.2044274415.0000000003DCD000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Iuv2tI4JHh.exe |
Source: Iuv2tI4JHh.exe, 00000000.00000003.2044740464.0000000003B00000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameKernelbase.dllj% vs Iuv2tI4JHh.exe |
Source: Iuv2tI4JHh.exe, 00000000.00000002.2046491688.000000000099C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameCFF Explorer.exe: vs Iuv2tI4JHh.exe |
Source: Iuv2tI4JHh.exe, 00000000.00000003.2044452857.0000000001570000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \[FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs Iuv2tI4JHh.exe |
Source: Iuv2tI4JHh.exe, 00000000.00000003.2044565028.0000000003BD0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekernel32j% vs Iuv2tI4JHh.exe |
Source: Iuv2tI4JHh.exe, 00000000.00000003.2043886158.0000000003E76000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Iuv2tI4JHh.exe |
Source: Iuv2tI4JHh.exe | Binary or memory string: OriginalFilenameCFF Explorer.exe: vs Iuv2tI4JHh.exe |
Source: C:\Windows\SysWOW64\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-f7a89210-57dd-cf90e0-aa1194fe432f} |
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4256 |
Source: C:\Windows\SysWOW64\svchost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor |
Source: unknown | Process created: C:\Users\user\Desktop\Iuv2tI4JHh.exe "C:\Users\user\Desktop\Iuv2tI4JHh.exe" | |
Source: C:\Users\user\Desktop\Iuv2tI4JHh.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe" | |
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe" | |
Source: C:\Windows\System32\fontdrvhost.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 4256 -s 136 | |
Source: C:\Users\user\Desktop\Iuv2tI4JHh.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Windows\System32\svchost.exe" | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\System32\fontdrvhost.exe "C:\Windows\System32\fontdrvhost.exe" | Jump to behavior |
Source: C:\Users\user\Desktop\Iuv2tI4JHh.exe | Section loaded: apphelp.dll | Jump to behavior |
Source: C:\Users\user\Desktop\Iuv2tI4JHh.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: kernel.appcore.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wbemcomn.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: amsi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: userenv.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: profapi.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: version.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: uxtheme.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: windows.storage.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wldp.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: sspicli.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mpr.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: powrprof.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: umpdc.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: devobj.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: msasn1.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wbemcomn.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: drprov.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: winsta.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: ntlanman.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: davclnt.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: davhlpr.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: wbemcomn.dll | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: mswsock.dll | Jump to behavior |
Source: Iuv2tI4JHh.exe | Static PE information: section name: |
Source: Iuv2tI4JHh.exe | Static PE information: section name: .textbss |
Source: Iuv2tI4JHh.exe | Static PE information: section name: |
Source: Iuv2tI4JHh.exe | Static PE information: section name: |
Source: Iuv2tI4JHh.exe | Static PE information: section name: |
Source: Iuv2tI4JHh.exe | Static PE information: section name: .themida |
Source: Iuv2tI4JHh.exe | Static PE information: section name: .boot |
Source: C:\Users\user\Desktop\Iuv2tI4JHh.exe | Code function: 0_3_0095FE8F push esi; ret | 0_3_0095FEA1 |
Source: C:\Users\user\Desktop\Iuv2tI4JHh.exe | Code function: 0_3_0095A0F9 push FFFFFF82h; iretd | 0_3_0095A0FB |
Source: C:\Users\user\Desktop\Iuv2tI4JHh.exe | Code function: 0_3_0095D2FB push edi; ret | 0_3_0095D2CC |
Source: C:\Users\user\Desktop\Iuv2tI4JHh.exe | Code function: 0_3_0095B8EC push edi; ret | 0_3_0095B8F8 |
Source: C:\Users\user\Desktop\Iuv2tI4JHh.exe | Code function: 0_3_0095BC39 push ecx; ret | 0_3_0095BC59 |
Source: C:\Users\user\Desktop\Iuv2tI4JHh.exe | Code function: 0_3_0095B1DC push eax; ret | 0_3_0095B1DD |
Source: C:\Users\user\Desktop\Iuv2tI4JHh.exe | Code function: 0_3_0095DD01 push esi; ret | 0_3_0095DD6A |
Source: C:\Users\user\Desktop\Iuv2tI4JHh.exe | Code function: 0_3_00959F6A push eax; ret | 0_3_00959F75 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_3_00992CB9 push ecx; ret | 2_3_00992CD9 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_3_0099225C push eax; ret | 2_3_0099225D |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_3_00994D81 push esi; ret | 2_3_00994DEA |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_3_00990FEA push eax; ret | 2_3_00990FF5 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_3_00996F0F push esi; ret | 2_3_00996F21 |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_3_00991179 push FFFFFF82h; iretd | 2_3_0099117B |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_3_0099437B push edi; ret | 2_3_0099434C |
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_3_0099296C push edi; ret | 2_3_00992978 |
Source: C:\Users\user\Desktop\Iuv2tI4JHh.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX | Jump to behavior |
Source: C:\Windows\System32\WerFault.exe | Process information set: NOOPENFILEERRORBOX | Jump to behavior |
Source: C:\Windows\SysWOW64\svchost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PnPEntity |
Source: C:\Users\user\Desktop\Iuv2tI4JHh.exe | System information queried: FirmwareTableInformation |
Source: C:\Windows\SysWOW64\svchost.exe | System information queried: FirmwareTableInformation |
Source: C:\Users\user\Desktop\Iuv2tI4JHh.exe | API/Special instruction interceptor: Address: 7FF8C88ED044 |
Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 7FF8C88ED044 |
Source: C:\Windows\SysWOW64\svchost.exe | API/Special instruction interceptor: Address: 53EB83A |
Source: svchost.exe, 00000002.00000002.2155507884.0000000003100000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HOOKEXPLORER.EXE |
Source: svchost.exe, 00000002.00000002.2155507884.0000000003100000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OLLYDBG.EXE |
Source: Iuv2tI4JHh.exe | Binary or memory string: ORIGINALFILENAMECFF EXPLORER.EXE: |
Source: svchost.exe, 00000002.00000002.2155507884.0000000003100000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EXEAUTORUNS.EXEDUMPCAP.EXEDE4DOT.EXEHOOKEXPLORER.EXEILSPY.EXELORDPE.EXEDNSPY.EXEPETOOLS.EXEAUTORUNSC.EX |
Source: svchost.exe, 00000002.00000002.2155507884.0000000003100000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: X64DBG.EXE |
Source: Iuv2tI4JHh.exe | Binary or memory string: CFF EXPLORER.EXE |
Source: Iuv2tI4JHh.exe | Binary or memory string: INTERNALNAMECFF EXPLORER.EXE |
Source: svchost.exe, 00000002.00000002.2155507884.0000000003100000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AUTORUNS.EXE |
Source: svchost.exe, 00000002.00000002.2155507884.0000000003100000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PETOOLS.EXE |
Source: svchost.exe, 00000002.00000002.2155507884.0000000003100000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WINDUMP.EXE |
Source: svchost.exe, 00000002.00000002.2155507884.0000000003100000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DUMPCAP.EXE |
Source: svchost.exe, 00000002.00000002.2155507884.0000000003100000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DDLER.EXEIDA.EXEIDA64.EXEIMMUNITYDEBUGGER.EXEWINDUMP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEP |
Source: C:\Windows\SysWOW64\svchost.exe | File opened / queried: VBoxGuest |
Source: C:\Windows\SysWOW64\svchost.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier |
Source: C:\Windows\SysWOW64\svchost.exe | File opened / queried: C:\Windows\SysWOW64\vboxservice.exe |
Source: C:\Windows\SysWOW64\svchost.exe | File opened / queried: C:\Windows\SysWOW64\vboxtray.exe |
Source: C:\Windows\SysWOW64\svchost.exe | File opened / queried: C:\Windows\SysWOW64\drivers\VBoxMouse.sys |
Source: C:\Windows\SysWOW64\svchost.exe | File opened / queried: VBoxTrayIPC |
Source: C:\Windows\SysWOW64\svchost.exe | File opened / queried: C:\Windows\SysWOW64\drivers\VBoxSF.sys |
Source: C:\Windows\SysWOW64\svchost.exe | File opened / queried: C:\Windows\SysWOW64\vboxhook.dll |
Source: C:\Windows\SysWOW64\svchost.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosDate |
Source: C:\Windows\SysWOW64\svchost.exe | File opened / queried: \pipe\VBoxTrayIPC |
Source: C:\Users\user\Desktop\Iuv2tI4JHh.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc |
Source: C:\Windows\SysWOW64\svchost.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion |
Source: C:\Windows\SysWOW64\svchost.exe | File opened / queried: C:\Windows\SysWOW64\drivers\VBoxVideo.sys |
Source: C:\Windows\SysWOW64\svchost.exe | File opened / queried: VBoxMiniRdrDN |
Source: C:\Windows\SysWOW64\svchost.exe | File opened / queried: C:\Windows\SysWOW64\drivers\VBoxGuest.sys |
Source: C:\Windows\SysWOW64\svchost.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion |
Source: C:\Windows\SysWOW64\svchost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS |
Source: C:\Windows\SysWOW64\svchost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard |
Source: C:\Windows\SysWOW64\svchost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem |
Source: C:\Windows\SysWOW64\svchost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor |
Source: Iuv2tI4JHh.exe, 00000000.00000002.2047373822.000000000163E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__ |
Source: Amcache.hve.7.dr | Binary or memory string: VMware |
Source: Amcache.hve.7.dr | Binary or memory string: VMware Virtual USB Mouse |
Source: svchost.exe, 00000002.00000002.2155489840.0000000003085000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @Microsoft-Windows-DistributedCOM@Microsoft-Windows-WMPNSS-ServiceHMicrosoft-Windows-Devices-BackgroundJMicrosoft-Windows-Fault-Tolerant-HeapJMicrosoft-Windows-GPIO-ClassExtension@Microsoft-Windows-EventCollector>Microsoft-Windows-FilterManagerHMicrosoft-Windows-Hyper-V-Hypervisor@Microsoft-Windows-DiskDiagnosticFApplication Management Group PolicyDMicrosoft-Windows-IsolatedUserModeDMicrosoft-Windows-BitLocker-Driver>Microsoft-Windows-DHCPv6-ClientBMicrosoft-Windows-WLAN-AutoConfigHMicrosoft-Antimalware-ShieldProvider>Microsoft-Windows-BitLocker-APIFMicrosoft-Windows-LanguagePackSetupJMicrosoft-Windows-ResourcePublication>Microsoft-Windows-OverlayFilter@Microsoft-Windows-Kernel-GeneralHMicrosoft-Windows-SPB-ClassExtension@Microsoft-Windows-Spell-Checking>Microsoft-Windows-StartupRepair>Microsoft-Windows-USB-MAUSBHOST<Microsoft-Windows-OfflineFiles>Microsoft-Windows-TaskSchedulerJMicrosoft-Windows-Power-Meter-Polling<Microsoft-Windows-Kernel-Power>Microsoft-Windows-NetworkBridge>Microsoft-Windows-SetupPlatform<Microsoft-Windows-SpellChecker<Microsoft-Windows-Time-ServiceBMicrosoft-Windows-WLAN-AutoConfigJMicrosoft-Windows-WindowsUpdateClient |
Source: svchost.exe, 00000002.00000002.2155405832.0000000003012000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CFKSZD8B VMCI Bus Device |
Source: Amcache.hve.7.dr | Binary or memory string: vmci.syshbin |
Source: Amcache.hve.7.dr | Binary or memory string: VMware, Inc. |
Source: svchost.exe, 00000002.00000002.2155405832.0000000003012000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_PnPEntityCFKSZD8B VMCI Bus Device{4d36e97d-e325-11ce-bfc1-08002be10318}System.String[]Win32_PnPEntityATG8WX1S VMCI Bus DevicePCI\_NHKVPOB&DEV_0740&SUBSYS_074015AD&REV_10\3&61AAA01&0&3FSystem.String[]VMware, Inc.LG_713SL VMCI Bus DeviceSystemPCI\TB34OKE5&DEV_0740&SUBSYS_074015AD&REV_10\3&61AAA01&0&3FvmciOKWin32_ComputerSystemuser-PC |
Source: Amcache.hve.7.dr | Binary or memory string: VMware20,1hbin@ |
Source: Amcache.hve.7.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563 |
Source: svchost.exe, 00000002.00000002.2155405832.0000000003012000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ATG8WX1S VMCI Bus Device |
Source: Amcache.hve.7.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: Amcache.hve.7.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys |
Source: svchost.exe, 00000002.00000002.2155379797.0000000003000000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW |
Source: Amcache.hve.7.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: svchost.exe, 00000002.00000002.2155405832.0000000003012000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: LG_713SL VMCI Bus Device |
Source: Amcache.hve.7.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev |
Source: Amcache.hve.7.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys |
Source: Amcache.hve.7.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000 |
Source: svchost.exe, 00000002.00000002.2155446471.000000000305C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: JMicrosoft-Windows-GPIO-ClassExtensionHMicrosoft-Windows-Hyper-V-HypervisorHMicrosoft-Windows-Devices-BackgroundHMicrosoft-Antimalware-ShieldProvider |
Source: Amcache.hve.7.dr | Binary or memory string: vmci.sys |
Source: Amcache.hve.7.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0 |
Source: Amcache.hve.7.dr | Binary or memory string: vmci.syshbin` |
Source: Amcache.hve.7.dr | Binary or memory string: \driver\vmci,\driver\pci |
Source: svchost.exe, 00000002.00000002.2155446471.000000000305C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NSHyper-V RAW |
Source: svchost.exe, 00000002.00000002.2155405832.0000000003012000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW(@ |
Source: svchost.exe, 00000002.00000002.2155446471.0000000003077000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Microsoft-Windows-Hyper-V-Hypervisor |
Source: Amcache.hve.7.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000 |
Source: svchost.exe, 00000002.00000003.2049729536.0000000005340000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: DisableGuestVmNetworkConnectivity |
Source: svchost.exe, 00000002.00000002.2155446471.000000000305C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rosoft-Windows-PersistentMemory-PmemDiskMicrosoft-Windows-Power-Meter-PollingMicrosoft-Windows-Power-TroubleshooterMicrosoft-Windows-ReFSMicrosoft-Windows-ReFS-v1Microsoft-Windows-ResetEngMicrosoft-Windows-Resource-Exhaustion-DetectorMicrosoft-Windows-ResourcePublicationMicrosoft-Windows-SCPNPMicrosoft-Windows-Serial-ClassExtensionMicrosoft-Windows-Serial-ClassExtension-V2Microsoft-Windows-ServicingMicrosoft-Windows-SetupMicrosoft-Windows-SetupPlatformMicrosoft-Windows-SPB-ClassExtensionMicrosoft-Windows-SPB-HIDI2CMicrosoft-Windows-Spell-CheckingMicrosoft-Windows-SpellCheckerMicrosoft-Windows-StartupRepairMicrosoft-Windows-Subsys-SMSSMicrosoft-Windows-TaskSchedulerMicrosoft-Windows-TerminalServices-LocalSessionManagerMicrosoft-Windows-TerminalServices-RemoteConnectionManagerMicrosoft-Windows-Time-ServiceMicrosoft-Windows-TPM-WMIMicrosoft-Windows-USB-CCIDMicrosoft-Windows-USB-MAUSBHOSTMicrosoft-Windows-USB-USBHUB3Microsoft-Windows-USB-USBXHCIMicrosoft-Windows-UserModePowerServiceMicrosoft-Windows-UserPnpMicrosoft-Windows-WHEA-LoggerMicrosoft-Windows-Windows Firewall With Advanced SecurityMicrosoft-Windows-WindowsToGo-StartupOptionsMicrosoft-Windows-WindowsUpdateClientMicrosoft-Windows-WininitMicrosoft-Windows-WinlogonMicrosoft-Windows-WLAN-AutoConfigMicrosoft-Windows-WMPNSS-Servicemlx4_busmouclassmouhidmrxsmbMsBridgeMSDTC GatewayMSDTC WS-AT ProtocolmshidumdfMSiSCSIMTConfigMupmvumisNdisImPlatformNdisImPlatformSysEvtProviderNdisWanndiswanlegacyNetBIOSNetBTNetJoinNetlogonNtfsnvdimmnvstorP2PIMSvcParportpartmgrpcmciapercsas2ipercsas3ipmemPNPMEMPNRPSvcPowerPptpMiniportPrintPrintFilterPipelineSvcProcessorRasAutoRasCfgRasmanRasSstprdbssRemoteAccessRetailDemoRFCOMMrhproxyrspndrSAMsbp2portSCardSvrSchannelscmbussercxsercx2SerialsermouseServerService Control ManagerSiSRaid2SiSRaid4SmartSAMDSMSvcHost 3.0.0.0SMSvcHost 4.0.0.0SNMPTRAPspaceportspbcxSrvstexstorStillImagestorahcistornvmeTcpipTcpip6TCPMonTermServiceTPMtsusbflttsusbhubtunnelUASPStorUmRdpServiceusbaudio2usbehciusbserUser32VDS Basic ProviderVDS Dynamic ProviderVDS Virtual Disk ProviderVirtual Disk ServicevmcivolmgrVolsnapvpcivsmraidVSTXRAIDW32TimeWacomPenWalletServicewdf01000wecsvcWin32kWinDefendWindows Disk DiagnosticWindows Script HostWinHttpAutoProxySvcWinNatWinRMWMIxWDMWMPNetworkSvcWorkstationWPDClassInstallerC:\Windows\System32\Winevt\Logs\System.evtx20231003095556.787652+120user-PCC:\Windows\System32\Winevt\Logs\System.evtxc:c:\windows\system32\winevt\logs\system~1.evtevtxSyst |