Edit tour

Windows Analysis Report
w6ZM6tS22n.exe

Overview

General Information

Sample Name:	w6ZM6tS22n.exe
Original Sample Name:	25654_71745077_c4471ac3272ce62f341bec8b18819c7320538563acce29f2c44e9d2c0aa5d47d_repmgr.exe
Analysis ID:	1310728
MD5:	3327d9e161d54f8f48b3125055f91040
SHA1:	d0765df58aaed552dbbca44f55ebc2b0c3a323ce
SHA256:	c4471ac3272ce62f341bec8b18819c7320538563acce29f2c44e9d2c0aa5d47d
Infos:

Detection

Score:	18
Range:	0 - 100
Whitelisted:	false
Confidence:	20%

Signatures

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Creates a DirectInput object (often for capturing keystrokes)

AV process strings found (often used to terminate AV products)

Installs a raw input device (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains sections with non-standard names

Sample execution stops while process was sleeping (likely an evasion)

Creates or modifies windows services

Creates a process in suspended mode (likely to inject code)

Classification

Analysis Advice

Initial sample is implementing a service and should be registered / started as service

Sample may be VM or Sandbox-aware, try analysis on a native machine

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook

Process Tree

System is w10x64

cmd.exe (PID: 6184 cmdline: cmd /c sc create FhZxY binpath= "C:\Users\user\Desktop\w6ZM6tS22n.exe" >> C:\servicereg.log 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 6280 cmdline: sc create FhZxY binpath= "C:\Users\user\Desktop\w6ZM6tS22n.exe" MD5: 24A3E2603E63BCB9695A2935D3B24695)

cmd.exe (PID: 6468 cmdline: cmd /c sc start FhZxY >> C:\servicestart.log 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6488 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

sc.exe (PID: 6588 cmdline: sc start FhZxY MD5: 24A3E2603E63BCB9695A2935D3B24695)

w6ZM6tS22n.exe (PID: 6636 cmdline: C:\Users\user\Desktop\w6ZM6tS22n.exe MD5: 3327D9E161D54F8F48B3125055F91040)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74EA39000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_941f3713-a

Source: w6ZM6tS22n.exe

Static PE information: certificate valid

Source: w6ZM6tS22n.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: netutils.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: kernelbase.pdbRSDS5V source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: iphlpapi.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: userenv.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: bcrypt.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: ucrtbase.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: ucrtbase.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wldap32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: msvcrt.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Age does not matchThe module age and .pdb age do not match. source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: gdi32full.pdbRSDSd source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: mintdh.pdbRSDS! source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: shlwapi.pdbRc source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wtsapi32.pdb+d source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: winhttp.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: advapi32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: ucrtbase.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: msvcp_win.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wintrust.pdbXc source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: msi.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Kernel.Appcore.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dbghelp.pdbRSDSVY source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: crypt32.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dbgcore.pdbGCTL source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: profapi.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: ^.pdbThe path is not availableThe debugger SYMSRV client could not find a UNC store specified source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: sspicli.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wevtapi.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: msasn1.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: shcore.pdb@c source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: shlwapi.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: crypt32.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: msvcrt.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msasn1.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wkscli.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: win32u.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: shell32.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dbghelp.pdb,d source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: secur32.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dsrole.pdbRSDSk source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Signature does not matchThe module signature does not match with .pdb signature source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: fltLib.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fltLib.pdbGCTL source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: tdh.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: mintdh.pdbGCTL source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: ws2_32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: netapi32.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: iphlpapi.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: iphlpapi.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: kernelbase.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ole32.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: msvcrt.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: powrprof.pdbRSDS# source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dpapi.pdbRSDS" source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: advapi32.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: winhttp.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dsrole.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: powrprof.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: powrprof.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: ole32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Downloading symbols for [%s] %ssrvsymsrvhttp://https://_bad_pdb_file.pdb source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: version.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: version.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: setupapi.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: msasn1.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: advapi32.pdbRSDSGR& source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: msvcp_win.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Unable to locate the .pdb file in this location source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: cfgmgr32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: d:\JenkinsNew\workspace\CbD_Build_Windows_Agent_3.9\2698\windows\repmgr\x64\Release\RepMgr.pdb source: w6ZM6tS22n.exe, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: combase.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Windows.Storage.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F790000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: profapi.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: netapi32.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: psapi.pdbRSDS\ source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: kernel32.pdbRSDS8 source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: .pdberror out of memory loading %ls source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: or you do not have access permission to the .pdb location. source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: secur32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dpapi.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wldap32.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: kernel32.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sechost.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: bcryptprimitives.pdbRSDS0p source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dsrole.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: netutils.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: kernelbase.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wevtapi.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: msasn1.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wkscli.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dpapi.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: win32u.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: msi.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: rpcrt4.pdbRSDSD source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: shcore.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: bcrypt.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: crypt32.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: *.pdb.dbg.rdatantdll.dbg.mpd source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: fltLib.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wevtapi.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: normaliz.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: fltLib.pdbRSDS]\| source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wintrust.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: shell32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: sspicli.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: StorageFileStartExperience_GetUserFileStreamForReadAsUserAsyncWindows.UI.Xaml.Interop.Marshal.IMarshalPropertyChangedEventArgsWindows.UI.Xaml.Interop.Marshal.IMarshalCustomPropertyProviderWindows.UI.Xaml.Interop.Marshal.IMarshalCustomPropertyinternal\sdk\inc\usermodelptc.hinternal\onecoreuapshell\private\inc\sharedstoragesources\syncrootcommon.honecoreuap\shell\inc\storagetelemetry.hData\Program Files\Data\Program Files (x86)\Data\ProgramData\Data\Windows\Program Files\Program Files (x86)\ProgramData\Windows\$Windows.~BT\Windows.old\.appx.appxbundle.appxpackage.automaticdestinations-ms.cat.cdxml.cer.cookie.customdestinations-ms.dmp.dsft.efi.etl.fon.ini.iso.mp.mpb.msip.msm.mui.nst.ocx.olb.ost.otf.p10.p12.p7b.p7c.p7m.p7r.p7s.p7x.partial.pdb.pem.pfm.pfx.psd1.psf.rll.sft.spc.spkg.sst.ttc.ttf.vmcx.vmrs.vsi.vsix.wfs.wim.winmd.xapFTSearched0000000000000000000 source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: oleaut32.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: userenv.pdbQc source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: msvcp_win.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: sechost.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: cfgmgr32.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wldap32.pdbKc source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: rpcrt4.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: normaliz.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: setupapi.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: ws2_32.pdbRSDSml source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: tdh.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: winhttp.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: psapi.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gdi32full.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F790000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: combase.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: sspicli.pdb d source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: user32.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: userenv.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: mintdh.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Windows.Storage.pdbRSDSw source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wkscli.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: cfgmgr32.pdbWc source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wtsapi32.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: bcrypt.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dbghelp.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: gdi32full.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: gdi32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F790000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: profapi.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: netutils.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: sechost.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: shcore.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: shlwapi.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: ntdll.pdbRSDSCb source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: win32u.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdbLc source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: secur32.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: version.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Windows.Storage.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dbgcore.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wtsapi32.pdbRSDSq source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wintrust.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Kernel.Appcore.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: msi.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: d:\JenkinsNew\workspace\CbD_Build_Windows_Agent_3.9\2698\windows\repmgr\x64\Release\RepMgr.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: user32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dbghelp.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Kernel.Appcore.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Drive not readyThis error indicates a .pdb file related failure. source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: user32.pdbRSDS=; source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: d:\JenkinsNew\workspace\CbD_Build_Windows_Agent_3.9\2698\windows\repmgr\x64\Release\RepMgr.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: psapi.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: netapi32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: shell32.pdbFc source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: The module signature does not match with .pdb signature. source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: bcryptprimitives.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F790000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: ntdll.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: tdh.pdbEc source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wtsapi32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: oleaut32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wintrust.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: tdh.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: ws2_32.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dbgcore.pdb&d source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: crypt32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr

Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://169.254.169.254/latest/meta-data/instance-id
Source: w6ZM6tS22n.exe, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://169.254.169.254/latest/meta-data/instance-id/services/registration//services/vdiregistration/
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://ac.economia.gob.mx/cps.html0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://ac.economia.gob.mx/last.crl0G
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv1.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraizv2.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://ca.mtin.es/mtin/DPCyPoliticas0g
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://ca.mtin.es/mtin/crl/MTINAutoridadRaiz03
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://ca.mtin.es/mtin/ocsp0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://certificates.starfieldtech.com/repository/1604
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://certs.oati.net/repository/OATICA2.crt0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crl
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://certs.oaticerts.com/repository/OATICA2.crt08
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://cps.siths.se/sithsrootcav1.html0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://crl.certigna.fr/certignarootca.crl01
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://crl.defence.gov.au/pki0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://crl.dhimyotis.com/certignarootca.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://crl.oces.trust2408.com/oces.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://crl.pki.wellsfargo.com/wsprca.crl0
Source: w6ZM6tS22n.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA2.crl0t
Source: w6ZM6tS22n.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://crl.ssc.lt/root-a/cacrl.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://crl.ssc.lt/root-c/cacrl.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
Source: w6ZM6tS22n.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA2.crt0#
Source: w6ZM6tS22n.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enRootDirUrlSoftware
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://eca.hinet.net/repository/CRL2/CA.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://http.fpki.gov/fcpca/caCertsIssuedByfcpca.p7c0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://https://_bad_pdb_file.pdb
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://json-schema.org/schema#
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://ocsp.accv.es0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://ocsp.eca.hinet.net/OCSP/ocspG2sha20
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://ocsp.ncdc.gov.sa0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://ocsp.pki.gva.es0
Source: w6ZM6tS22n.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://ocsp.suscerte.gob.ve0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://pki.digidentity.eu/validatie0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://pki.registradores.org/normativa/index.htm0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://policy.camerfirma.com0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://postsignum.ttc.cz/crl/psrootqca2.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://repository.swisssign.com/0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcacomb1.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://web.ncdc.gov.sa/crl/nrcaparta1.crl
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.acabogacia.org/doc0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.acabogacia.org0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.accv.es/legislacion_c.htm0U
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.accv.es00
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.agesic.gub.uy/acrn/acrn.crl0)
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.agesic.gub.uy/acrn/cps_acrn.pdf0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.ancert.com/cps0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.anf.es
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.anf.es/es/address-direccion.html
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
Source: w6ZM6tS22n.exe	String found in binary or memory: http://www.carbonblack.com0/
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.cert.fnmt.es/dpcs/0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.certeurope.fr/reference/pc-root2.pdf0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.certeurope.fr/reference/root2.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.certplus.com/CRL/class1.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.certplus.com/CRL/class3.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.chambersign.org1
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.comsign.co.il/cps0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.correo.com.uy/correocert/cps.pdf0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.datev.de/zertifikat-policy-int0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.datev.de/zertifikat-policy-std0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.defence.gov.au/pki0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.disig.sk/ca0f
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.dnie.es/dpc0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.e-me.lv/repository0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.e-szigno.hu/RootCA.crl
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.e-szigno.hu/RootCA.crt0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.e-szigno.hu/SZSZ/0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.ecee.gov.pt/dpc0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.eme.lv/repository0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.firmaprofesional.com/cps0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.globaltrust.info0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.globaltrust.info0=
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.oaticerts.com/repository.
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_21_1.pdf0:
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.pki.gva.es/cps0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.pki.gva.es/cps0%
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy-G20
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.postsignum.cz/crl/psrootqca2.crl02
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.quovadis.bm0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.rcsc.lt/repository0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.sk.ee/cps/0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.ssc.lt/cps03
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.suscerte.gob.ve/dpc0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.suscerte.gob.ve/lcr0#
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.uce.gub.uy/acrn/acrn.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: http://www2.postsignum.cz/crl/psrootqca2.crl01
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://%s.pinrules.crt/%sendTraceLogca1.3.6.1.4.1.311.10.8.11.3.6.1.4.1.311.10.11.1.3.6.1.4.1.311.1
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://%s:%hu%s:%huhttp:https:Passport1.4Negotiate2SupportedIfbasicdigestrealm
Source: w6ZM6tS22n.exe, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://attack.mitre.org/techniques/T1218/010/
Source: w6ZM6tS22n.exe, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://bugzilla.eng.vmware.com/show_bug.cgi?id=2962550:
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://confluence.eng.vmware.com/pages/viewpage.action?spaceKey=NSBU&title=microIDS
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
Source: w6ZM6tS22n.exe, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: w6ZM6tS22n.exe, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://curl.se/docs/hsts.html
Source: w6ZM6tS22n.exe, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: w6ZM6tS22n.exe, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://deploymentresearch.com/psscriptpolicytest-script-gets-blocked-by-applocker-in-the-event-log-
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://eca.hinet.net/repository0
Source: w6ZM6tS22n.exe, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1170/T1170.md
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://gitlab.bit9.local/cb-defense/analytics/-/blob/develop/src/main/java/com/cb/analytics/java/co
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://gitlab.bit9.local/cb-defense/analytics/-/blob/develop/src/main/java/com/cb/analytics/java/do
Source: w6ZM6tS22n.exe, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://gitlab.bit9.local/cbprotection/appcontrol-rules/-/merge_requests/4/diffs
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://http://FileAssociationKillListSearchProtocolHost.exeAlwaysShowExtNeverShowExtNoStaticDefault
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://rca.e-szigno.hu/ocsp0-
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://repository.luxtrust.lu0
Source: w6ZM6tS22n.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://web.certicamara.com/marco-legal0Z
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://www.anf.es/AC/ACTAS/789230
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://www.anf.es/address/)1(0&
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://www.catcert.net/verarrel
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://www.catcert.net/verarrel05
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://www.netlock.hu/docs/
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://www.netlock.net/docs
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	String found in binary or memory: https://wwww.certigna.fr/autorites/0m

Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr

Binary or memory string: DirectInput8Create

memstr_e16f998d-e

Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr

Binary or memory string: GetRawInputData

memstr_c01238d0-6

Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74EA39000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: NtRenameKeyCompanyNameFileDescriptionLegalCopyrightLegalTrademarksOriginalFilenameOLESelfRegisterx vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74EA39000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: version_info["OriginalFilename"] vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74EA39000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: version_info["CompanyName"]version_info["ProductName"]version_info["InternalName"]version_info["LegalCopyright"]version_info["LegalTrademarks"]version_info["FileDescription"]version_info["FileVersion"]version_info["Comments"]version_info["OriginalFilename"]version_info["ProductDescription"]version_info["PrivateBuild"]version_info["SpecialBuild"]version_info["ProductVersion"]version_info_lang_idversion_info_charset_idmachine8 vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000002.363409700.000001B01EED8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDBGCORE.DLLj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000000.354762318.00007FF74F858000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRepMgr.exeT vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDBGCORE.DLLj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: FileResourceOriginalFilename vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: "AttributeId": "FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: "ExternalModuleCallArguments":"pe.version_info[\"OriginalFilename\"]", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: "AttributeId":"FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: { "Actor": "Initiator", "AttributeId": "FileResourceOriginalFilename" }, vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: "ExternalModuleCallArguments": "pe.version_info[\"OriginalFilename\"]", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: "AttributeId":"FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: "AttributeId": "FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: { "Actor": "Initiator", "AttributeId": "FileResourceOriginalFilename" }, vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: { "Actor": "Parent", "AttributeId": "FileResourceOriginalFilename" }, vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: { "Actor": "TargetParent", "AttributeId": "FileResourceOriginalFilename" }, vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: { "Actor": "Target", "AttributeId": "FileResourceOriginalFilename" }, vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: "Description": "Tag process as script host based on FileResourceOriginalFilename (yara)", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: "AttributeId": "FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: "Description": "Tag process as PDF readers based on FileResourceOriginalFilename (yara)", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: "Description": "Tag process as Lua based on FileResourceOriginalFilename (yara)", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: "AttributeId": "FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: "AttributeId": "FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000002.363449879.000001B01EF45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: version_info["OriginalFilename"] vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000003.363277358.000001B01EF44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: version_info["OriginalFilename"] vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000003.363219395.000001B01EF43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: version_info["OriginalFilename"] vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000002.363858104.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: FileResourceOriginalFilename vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000002.363858104.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: "AttributeId": "FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000002.363858104.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: "ExternalModuleCallArguments":"pe.version_info[\"OriginalFilename\"]", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000002.363858104.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: "AttributeId":"FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000002.363858104.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: { "Actor": "Initiator", "AttributeId": "FileResourceOriginalFilename" }, vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000002.363858104.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: "ExternalModuleCallArguments": "pe.version_info[\"OriginalFilename\"]", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000002.363858104.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: "AttributeId":"FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000002.363858104.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: "AttributeId": "FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000002.363858104.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: { "Actor": "Initiator", "AttributeId": "FileResourceOriginalFilename" }, vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000002.363858104.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: { "Actor": "Parent", "AttributeId": "FileResourceOriginalFilename" }, vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000002.363858104.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: { "Actor": "TargetParent", "AttributeId": "FileResourceOriginalFilename" }, vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000002.363858104.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: { "Actor": "Target", "AttributeId": "FileResourceOriginalFilename" }, vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000002.363858104.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: "Description": "Tag process as script host based on FileResourceOriginalFilename (yara)", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000002.363858104.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: "AttributeId": "FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000002.363858104.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: "Description": "Tag process as PDF readers based on FileResourceOriginalFilename (yara)", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000002.363858104.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: "Description": "Tag process as Lua based on FileResourceOriginalFilename (yara)", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000002.363858104.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: "AttributeId": "FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000002.363858104.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: "AttributeId": "FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDBGCORE.DLLj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000003.363332234.000001B01EF45000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: version_info["OriginalFilename"] vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe, 00000006.00000003.363263527.000001B01EF43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: version_info["OriginalFilename"] vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe	Binary or memory string: FileResourceOriginalFilename vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe	Binary or memory string: "AttributeId": "FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe	Binary or memory string: "ExternalModuleCallArguments":"pe.version_info[\"OriginalFilename\"]", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe	Binary or memory string: "AttributeId":"FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe	Binary or memory string: { "Actor": "Initiator", "AttributeId": "FileResourceOriginalFilename" }, vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe	Binary or memory string: "ExternalModuleCallArguments": "pe.version_info[\"OriginalFilename\"]", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe	Binary or memory string: "AttributeId":"FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe	Binary or memory string: "AttributeId": "FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe	Binary or memory string: { "Actor": "Initiator", "AttributeId": "FileResourceOriginalFilename" }, vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe	Binary or memory string: { "Actor": "Parent", "AttributeId": "FileResourceOriginalFilename" }, vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe	Binary or memory string: { "Actor": "TargetParent", "AttributeId": "FileResourceOriginalFilename" }, vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe	Binary or memory string: { "Actor": "Target", "AttributeId": "FileResourceOriginalFilename" }, vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe	Binary or memory string: "Description": "Tag process as script host based on FileResourceOriginalFilename (yara)", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe	Binary or memory string: "AttributeId": "FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe	Binary or memory string: "Description": "Tag process as PDF readers based on FileResourceOriginalFilename (yara)", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe	Binary or memory string: "Description": "Tag process as Lua based on FileResourceOriginalFilename (yara)", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe	Binary or memory string: "AttributeId": "FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe	Binary or memory string: "AttributeId": "FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe	Binary or memory string: NtRenameKeyCompanyNameFileDescriptionLegalCopyrightLegalTrademarksOriginalFilenameOLESelfRegisterx vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe	Binary or memory string: version_info["OriginalFilename"] vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe	Binary or memory string: version_info["CompanyName"]version_info["ProductName"]version_info["InternalName"]version_info["LegalCopyright"]version_info["LegalTrademarks"]version_info["FileDescription"]version_info["FileVersion"]version_info["Comments"]version_info["OriginalFilename"]version_info["ProductDescription"]version_info["PrivateBuild"]version_info["SpecialBuild"]version_info["ProductVersion"]version_info_lang_idversion_info_charset_idmachine8 vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe	Binary or memory string: OriginalFilenameRepMgr.exeT vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameDBGCORE.DLLj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: version_info["OriginalFilename"] vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamefilterLib.dll.muij% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamerpcrt4.dll.muij% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamentdll.dll.muij% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamews2_32.dll.muij% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameadvapi32.dll.muij% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamesechost.dll.muij% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameuser32j% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamekernel32j% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameSHELL32.DLL.MUIj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameSHCORE.dll.muij% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameCOMBASE.DLL.MUIj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameWindows.Storage.dll.MUIj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameSHLWAPI.DLL.MUIj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameuserenv.dll.muij% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamePOWRPROF.DLL.MUIj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameOLE32.DLL.MUIj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamebcrypt.dll.muij% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamewevtapi.dll.muij% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenametdh.dll.muij% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameWLDAP32.DLL.MUIj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameiphlpapi.dll.muij% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameSETUPAPI.DLL.MUIj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamewinhttp.dll.muij% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamemintdh.dll.muij% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: FileResourceOriginalFilename vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: "AttributeId": "FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: "ExternalModuleCallArguments":"pe.version_info[\"OriginalFilename\"]", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: "AttributeId":"FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: { "Actor": "Initiator", "AttributeId": "FileResourceOriginalFilename" }, vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: "ExternalModuleCallArguments": "pe.version_info[\"OriginalFilename\"]", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: "AttributeId":"FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: "AttributeId": "FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: { "Actor": "Initiator", "AttributeId": "FileResourceOriginalFilename" }, vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: { "Actor": "Parent", "AttributeId": "FileResourceOriginalFilename" }, vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: { "Actor": "TargetParent", "AttributeId": "FileResourceOriginalFilename" }, vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: { "Actor": "Target", "AttributeId": "FileResourceOriginalFilename" }, vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: "Description": "Tag process as script host based on FileResourceOriginalFilename (yara)", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: "AttributeId": "FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: "Description": "Tag process as PDF readers based on FileResourceOriginalFilename (yara)", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: "Description": "Tag process as Lua based on FileResourceOriginalFilename (yara)", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: "AttributeId": "FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: "AttributeId": "FileResourceOriginalFilename", vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: NtRenameKeyCompanyNameFileDescriptionLegalCopyrightLegalTrademarksOriginalFilenameOLESelfRegisterx vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: version_info["CompanyName"]version_info["ProductName"]version_info["InternalName"]version_info["LegalCopyright"]version_info["LegalTrademarks"]version_info["FileDescription"]version_info["FileVersion"]version_info["Comments"]version_info["OriginalFilename"]version_info["ProductDescription"]version_info["PrivateBuild"]version_info["SpecialBuild"]version_info["ProductVersion"]version_info_lang_idversion_info_charset_idmachine8 vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameRepMgr.exeT vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameDBGHELP.DLLj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamemsi.dllX vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: Triage dumps cannot contain PII. 0x%xDump type requires streaming but output provider does not support streamingWrite.Start failed, 0x%08xkernel32.dllOpenThreadThread32FirstThread32NextModule32FirstModule32NextModule32FirstWModule32NextWCreateToolhelp32SnapshotGetLongPathNameAGetLongPathNameWGetProcessTimesGetTimeZoneInformationGetThreadSelectorEntryGetThreadTimesIsProcessorFeaturePresentFindResourceAGetCachedSigningLevelSetCachedSigningLevelGetEnabledXStateFeaturesInitializeContextkernelbase.dllapi-ms-win-core-processthreads-l1-1-0.dllapi-ms-win-core-file-l1-1-0api-ms-win-core-timezone-l1-1-0.dllapi-ms-win-core-kernel32-legacy-l1-1-0.dllapi-ms-win-security-base-l1-2-0.dllapi-ms-win-security-base-l1-1-0.dllapi-ms-win-core-processsecurity-l1.dllapi-ms-win-core-versionansi-l1-1-0.dllapi-ms-win-core-version-l1-1-0.dllapi-ms-win-core-xstate-l2-1-0.dllapi-ms-win-core-toolhelp-l1-1-0.dllapi-ms-win-core-kernel32-private-l1-1-0.dllBaseSetLastNTErrorapi-ms-win-downlevel-kernel32-l2-1-0.dllapi-ms-win-core-processthreads-l1-1-2.dllSoftware\Microsoft\Windows NT\CurrentVersionBuildLabExSoftware\Microsoft\Windows NT\CurrentVersionCurrentTypechecked\syswow64sysarm32sychpe32system32MINIDUMP_AUXILIARY_PROVIDER\StringFileInfo\040904b0\OriginalFilenameSoftware\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDllsSoftware\Microsoft\Windows NT\CurrentVersion\KnownManagedDebuggingDllsCLRDataCreateInstancepowrprof.dllCallNtPowerInformationverifier.dllVerifierEnumerateResourcepsapi.dllapi-ms-win-core-psapi-obsolete-l1-1-0.dllK32EnumProcessModulesK32GetModuleFileNameExWK32GetProcessMemoryInfoEnumProcessModulesGetModuleFileNameExWGetProcessMemoryInfoversion.dllGetFileVersionInfoSizeExAGetFileVersionInfoExAVerQueryValueAGetFileVersionInfoSizeAGetFileVersionInfoSizeWGetFileVersionInfoAGetFileVersionInfoW vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamesecur32.dllj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameVERSION.DLLj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamewinhttp.dllj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameNetApi32.DLLj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamewevtapi.dllj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameWKSCLI.DLLj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameDSROLE.DLLj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamewtsapi32.dllj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamemintdh.dllj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenametdh.dllj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamedpapi.dllj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameiphlpapi.dllj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameNETUTILS.DLLj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamebcrypt.dllj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameuserenv.dllj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamesspicli.dllj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamePOWRPROF.DLLj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamefilterLib.dllj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamekernel.appcore.dllj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamemsasn1.dllj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamePROFAPI.DLLj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameWindows.Storage.dllj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamegdi32j% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameCRYPT32.DLLj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenamemsvcp_win.dllj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: .DefaultHashDigestLength*SiSiPolicyVersionSiPolicyUpdateSignersSystem32\CodeIntegrity\SiPolicy.p7bSiPolicy.p7bKernel_SiStatusRvkSiRvkSiPolicyVersionRvkSiPolicyUpdateSignersSystem32\CodeIntegrity\RvkSiPolicy.p7bRvkSiPolicy.p7bKernel_RvkSiStatusSkuSiSkuSiPolicyVersionSkuSiPolicyUpdateSigners\Boot\SkuSiPolicy.p7bSkuSiPolicy.p7bKernel_SkuSiStatusSystem32\CodeIntegrity\UpdateSiPolicy.p7bUpdateSiPolicy.p7bSystem32\CodeIntegrity\UpdateRvkSiPolicy.p7bUpdateRvkSiPolicy.p7b\Boot\UpdateSkuSiPolicy.p7bUpdateSkuSiPolicy.p7bWinSiWinSiPolicyVersionWinSiPolicyUpdateSignersBoot\EFI\WinSiPolicy.p7bWinSiPolicy.p7bKernel_WinSiStatusBoot\EFI\UpdateWinSiPolicy.p7bUpdateWinSiPolicy.p7bATPSiATPSiPolicyVersionATPSiPolicyUpdateSignersSystem32\CodeIntegrity\ATPSiPolicy.p7bATPSiPolicy.p7bKernel_ATPSiStatusSystem32\CodeIntegrity\UpdateATPSiPolicy.p7bUpdateATPSiPolicy.p7bEntRevokeSiEntRevokeSiPolicyVersionEntRevokeSiPolicyUpdateSignersSystem32\CodeIntegrity\EntRevokeSiPolicy.p7bEntRevokeSiPolicy.p7bKernel_EntRevokeSiStatusSystem32\CodeIntegrity\UpdateEntRevokeSiPolicy.p7bUpdateEntRevokeSiPolicy.p7bInternalNameProductNameOriginalFileName\StringFileInfo\%04x%04x\ vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: OriginalFilenameWINTRUST.DLLj% vs w6ZM6tS22n.exe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: StridableBroadcastIs_ProtectedIs_TrustedSignature_NameHasAudioHasImageHasScriptHasVideoCurrentBitrateOptimalBitrateHasAttachedImagesCan_Skip_BackwardCan_Skip_ForwardNumberOfFramesFileSizeHasArbitraryDataStreamHasFileTransferStreamWM/ContainerFormatTitleTitleSortAuthorAuthorSortDescriptionRatingCopyrightUse_DRMDRM_FlagsDRM_LevelUse_Advanced_DRMDRM_KeySeedDRM_KeyIDDRM_ContentIDDRM_SourceIDDRM_IndividualizedVersionDRM_LicenseAcqURLDRM_V1LicenseAcqURLDRM_HeaderSignPrivKeyDRM_LASignaturePrivKeyDRM_LASignatureCertDRM_LASignatureLicSrvCertDRM_LASignatureRootCertWM/AlbumTitleWM/AlbumTitleSortWM/TrackWM/PromotionURLWM/AlbumCoverURLWM/GenreWM/YearWM/GenreIDWM/MCDIWM/ComposerWM/ComposerSortWM/LyricsWM/TrackNumberWM/ToolNameWM/ToolVersionIsVBRWM/AlbumArtistWM/AlbumArtistSortBannerImageTypeBannerImageDataBannerImageURLCopyrightURLAspectRatioXAspectRatioYASFLeakyBucketPairsNSC_NameNSC_AddressNSC_PhoneNSC_EmailNSC_DescriptionWM/WriterWM/ConductorWM/ProducerWM/DirectorWM/ContentGroupDescriptionWM/SubTitleWM/PartOfSetWM/ProtectionTypeWM/VideoHeightWM/VideoWidthWM/VideoFrameRateWM/MediaClassPrimaryIDWM/MediaClassSecondaryIDWM/PeriodWM/CategoryWM/PictureWM/Lyrics_SynchronisedWM/OriginalLyricistWM/OriginalArtistWM/OriginalAlbumTitleWM/OriginalReleaseYearWM/OriginalFilenameWM/PublisherWM/EncodedByWM/EncodingSettingsWM/EncodingTimeWM/AuthorURLWM/UserWebURLWM/AudioFileURLWM/AudioSourceURLWM/LanguageWM/ParentalRatingWM/BeatsPerMinuteWM/InitialKeyWM/MoodWM/TextWM/DVDIDWM/WMContentIDWM/WMCollectionIDWM/WMCollectionGroupIDWM/UniqueFileIdentifierWM/ModifiedByWM/RadioStationNameWM/RadioStationOwnerWM/PlaylistDelayWM/CodecWM/DRMWM/ISRCWM/ProviderWM/ProviderRatingWM/ProviderStyleWM/ContentDistributorWM/SubscriptionContentIDWM/WMADRCPeakReferenceWM/WMADRCPeakTargetWM/WMADRCAverageReferenceWM/WMADRCAverageTargetWM/StreamTypeInfoWM/PeakBitrateWM/ASFPacketCountWM/ASFSecurityObjectsSizeWM/SharedUserRatingWM/SubTitleDescriptionWM/MediaCreditsWM/ParentalRatingReasonWM/OriginalReleaseTimeWM/MediaStationCallSignWM/MediaStationNameWM/MediaNetworkAffiliationWM/MediaOriginalChannelWM/MediaOriginalBroadcastDateTimeWM/MediaIsStereoWM/VideoClosedCaptioningWM/MediaIsRepeatWM/MediaIsLiveWM/MediaIsTapeWM/MediaIsDelayWM/MediaIsSubtitledWM/MediaIsPremiereWM/MediaIsFinaleWM/MediaIsSAPWM/ProviderCopyrightWM/ISANWM/ADIDWM/WMShadowFileSourceFileTypeWM/WMShadowFileSourceDRMTypeWM/WMCPDistributorWM/WMCPDistributorIDWM/SeasonNumberWM/EpisodeNumberEarlyDataDeliveryJustInTimeDecodeSingleOutputBufferSoftwareScalingDeliverOnReceiveScrambledAudioDedicatedDeliveryThreadEnableDiscreteOutputSpeakerConfigDynamicRangeControlAllowInterlacedOutputVideoSampleDurationsStreamLanguageEnableWMAProSPDIFOutputDeinterlaceModeInitialPatternForInverseTelecineJPEGCompressionQualityWatermarkCLSIDWatermarkConfigInterlacedCodingFixedFrameRate_SOURCEFORMATTAG_ORIGINALWAVEFORMAT_EDL_COMPLEXITYEX_DECODERCOMPLEXITYPROFILEReloadIndexOnSeekStreamNumIndexObjectsFailSeekOnErrorPermitSeeksBeyondEndOfStreamUsePacketAtSeekPointSourceBuffer

Source: w6ZM6tS22n.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\sc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc create FhZxY binpath= "C:\Users\user\Desktop\w6ZM6tS22n.exe" >> C:\servicereg.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create FhZxY binpath= "C:\Users\user\Desktop\w6ZM6tS22n.exe"
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c sc start FhZxY >> C:\servicestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start FhZxY
Source: unknown	Process created: C:\Users\user\Desktop\w6ZM6tS22n.exe C:\Users\user\Desktop\w6ZM6tS22n.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create FhZxY binpath= "C:\Users\user\Desktop\w6ZM6tS22n.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start FhZxY	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5352:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6488:120:WilError_01

Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr

Binary or memory string: AppExplorer.AssocActionId.BurnSelectionJscriptLDAPResrloginFileIehistoryIerssJavascriptExplorer.BurnSelectionExplorer.CloseSessionExplorer.EraseDiscExplorer.ZipSelectionExplorer.AssocActionId.CloseSessionExplorer.AssocActionId.EraseDiscExplorer.AssocActionId.ZipSelectionExplorer.AssocProtocol.search-ms.appref-ms.asp.bas.cnt.ade.adp.app.applicationwindowsmediacenterappwindowsmediacentersslwindowsmediacenterwebWMP11.AssocProtocol.MMSStickyNotestelnettn3270Vbscript.ins.isp.its.jse.hlp.hme.hpj.hta.csh.fxp.gadget.grp.cpf.crd.crds.crt.mcf.mda.mde.mdt.mat.mau.mav.maw.mam.maq.mar.mas.ksh.mad.maf.mag.pl.plg.prf.prg.mshxml.mst.ops.pcd.msh1.msh1xml.msh2.msh2xml.mdw.mdz.msc.msh.rdp.rgu.scf.scr.pvw.plsc.rb.rbw.psc2.py.pyc.pyo.printerexport.provxml.ps2.ps2xml.wsh.xaml.xdp.xip.vsw.webpnp.ws.wsc.vb.vbe.vbp.vsmacros.shb.shs.theme.tsk.xnkENDEJAKOPLRUCSPTFIHUNOELITNLSVDATWCNFRBRsr-BA-Latnsr-Cyrl-BAsr-BA-Cyrliu-Latn-CAsr-SP-Latnsr-Cyrl-CSsr-SP-Cyrlsr-Latn-BAHEEUISsr-Latn-CSTRSKSLARzh-CHSbs-BA-Latnzh-Hantzh-CHTzh-Hansiu-CA-Latnbs-Cyrl-BAbs-BA-Cyrlbs-Latn-BAbgcacsdaarnlplptrmisitjakofifrhehudeelenesetlvlttgurukbeslsqsvthtrroruhrskzuafkafotstnvexheuhsbmkstfavihyazbnpaguorswtkuzttyimskkkyhimtsegamyglkokmnibocykmloasmrsamntateknmldvbinffhanefypsfiliuamtzmkssdsyrsichrhawlasoiikromtignbalbkligibbyoquznsowoprsgdkugswsahqucrwugmioccopaparnmohbrhe-ILhu-HUis-ISit-ITen-USes-ES_tradnlfi-FIfr-FRcs-CZda-DKde-DEel-GRar-SAbg-BGca-ESzh-TWsv-SEth-THtr-TRur-PKru-RUhr-HRsk-SKsq-ALpl-PLpt-BRrm-CHro-ROja-JPko-KRnl-NLnb-NOeu-EShsb-DEmk-MKst-ZAfa-IRvi-VNhy-AMaz-Latn-AZet-EElv-LVlt-LTtg-Cyrl-TJid-IDuk-UAbe-BYsl-SIms-MYkk-KZky-KGsw-KEhi-INmt-MTse-NOyi-001zu-ZAaf-ZAka-GEfo-FOts-ZAtn-ZAve-ZAxh-ZAmr-INsa-INmn-MNbo-CNte-INkn-INml-INas-INpa-INgu-INor-INta-INtk-TMuz-Latn-UZtt-RUbn-INam-ETtzm-Arab-MAks-Arabne-NPsyr-SYsi-LKchr-Cher-USiu-Cans-CAgl-ESkok-INmni-INsd-Deva-INcy-GBkm-KHlo-LAmy-MMlb-LUkl-GLig-NGkr-NGyo-NGquz-BOnso-ZAba-RUbin-NGff-NGha-Latn-NGibb-NGfy-NLps-AFfil-PHdv-MVmi-NZoc-FRco-FRgsw-FRarn-CLmoh-CAbr-FRug-CNla-001so-SOii-CNpap-029om-ETti-ETgn-PYhaw-USde-CHen-GBes-MXfr-BEqps-plocaar-IQca-ES-valenciazh-CNprs-AFgd-GBku-Arab-IQqps-plocsah-RUquc-Latn-GTrw-RWwo-SNga-IEms-BNuz-Cyrl-UZbn-BDaz-Cyrl-AZdsb-DEtn-BWse-SEro-MDru-MDsv-FIur-INit-CHnl-BEnn-NOpt-PTar-EGzh-HKde-ATen-AUquz-ECti-ERqps-Latn-x-shqps-plocmtzm-Latn-DZks-Deva-INne-INff-Latn-SNpa-Arab-PKta-LKmn-Mong-CNsd-Arab-PKhr-BAsmj-NOtzm-Tfng-MAar-DZde-LUen-CAes-GTfr-CHdz-BTquz-PEar-LYzh-SGes-ESfr-CAse-FImn-Mong-MNen-ZAes-DOfr-029sma-SEes-PAfr-MCsma-NOar-TNfr-LUsmj-SEar-MAen-IEzh-MOde-LIen-NZes-CRen-BZes-PEfr-SNsr-Cyrl-RSfr-CDsr-Latn-RSsmn-FIar-SYsms-FIar-YEen-029es-COar-OMen-JMes-VEfr-REes-CLfr-MLar-AEen-IDfr-CIsr-Cyrl-MEar-KWen-PHsr-Latn-MEar-LBen-ZWes-ECar-JOen-TTes-ARfr-CMes-HNes-NIes-PRes-USes-BOen-MYes-SVen-SGes-PYfr-HTar-QAen-INes-UYfr-MAar-BHen-HKaz-Latnsmauz-Cyrlmn-Cyrlsmszhnnbssr-Cyrlsr-Latnsmnaz-Cyrles-419es-CUbs-Cyrlbs-Latniu-Latntzm-Latnff-Latnha-Latnpa-Arabmn-Mongsd-Arabchr-Chertg-Cyrldsbsmjuz-Latniu-Canstzm-Tfngnbsrquc-Latnku-A

Source: w6ZM6tS22n.exe	String found in binary or memory: HashObjectMap::PrimeHashLoadDuration(ms)HashObjectMap::PruneHashObjectsDuration(ms)HashObjectMap::PruneHashObjectsFilesPrunedHashObjectMap::NumHashObjectsHashObjectMap::HashObjectsAllFileNamesCountHashObjectMap::HashObjectsAllFileNamesMemUsageBytesd:\JenkinsNew\workspace\CbD_Build_Windows_Agent_3.9\2698\common\repmgr\HashObjectMap.cppCHashObjectMap::GetOrCreateHashObjectCHashObjectMap::GetOrCreateHashObject: Empty hash for filename[%ls]CHashObjectMap::GetOrCreateHashObject: New hash already in cache for hash[0x%02x%02x%02x%02x] filename[%ls] siErr[%d]CHashObjectMap::GetOrCreateHashObject: unable to alloc new hash object for hash [0x%02x%02x%02x%02x], filename %lsCHashObjectMap::GetOrCreateHashObject: forcing signer details to be queried for hash[0x%02x%02x%02x%02x] filename [%ls].CHashObjectMap::GetOrCreateHashObject: unable to retrieve or create hash object for hash [0x%02x%02x%02x%02x], filename %lspContext != NULLFindPrimingCandidateFindPrimingCandidate: Reached max priming capacity[%u]CHashObjectMap::SaveHashesForPriming: Searching for hashes to mark for priming!AlreadySavedHashesForPriming()CHashObjectMap::SaveHashesForPrimingCHashObjectMap::SaveHashesForPriming: Found %u priming candidatesCHashObjectMap::SaveHashesForPriming: Successfully marked %u hashes for primingCHashObjectMap::SaveHashesForPriming: Failed to mark %u hashes for priming: %uCHashObjectMap::PrimeHashesThread: BeginRepGlobals::s_pHashObjectMap != NULLCHashObjectMap::PrimeHashesThreadhashes.size() <= RepGlobals::s_pHashObjectMap->GetMaxSize()hashes.size() <= RepGlobals::s_Config.GetIniFile().GetMaxHashesToPrime()CHashObjectMap::PrimeHashesThread: No records to primeCHashObjectMap::PrimeHashesThread: Failed to load primed hashes: %uCHashObjectMap::PrimeHashesThread: Primed[%u of %u hashes] AlreadyPrimed[%u] Elapsed[%u ms]CHashObjectMap::PrimeHashesThread: Failed to prime Hash[0x%02x%02x%02x%02x] Error[%u]CHashObjectMap::PrimeHashesThread: Shutdown detectedCHashObjectMap::PrimeHashesThread: Priming Complete Primed[%u of %u hashes] AlreadyPrimed[%u] Result[%u] Duration[%u ms]0 == (apHo->GetInternalFlags() & HO_INTERNAL_FLAGS_IN_MEMORY_CACHE)CHashObjectMap::InsertCHashObjectMap::AddFilenameToHash: Started PruneFilenamesUnsafe() for hash 0x%02x%02x%02x%02x, filename [%ls]CHashObjectMap::AddFilenameToHash: Another thread re-added hash 0x%02x%02x%02x%02x, filename %lsCHashObjectMap::AddFilenameToHashHashObjectOneMinuteTimer: HashObjectMap max size %d, size %d (%u total), inserts %d, deletes %d, purges %d
Source: w6ZM6tS22n.exe	String found in binary or memory: "GUID": "56695A16-7F4A-4B32-ADD8-4489C04830BD",
Source: w6ZM6tS22n.exe	String found in binary or memory: "Description": "Tamper protect against altering sensor related keys under HKLM using restore/replace/load key registry ops",
Source: w6ZM6tS22n.exe	String found in binary or memory: "GUID": "8163573F-7E1C-4227-ADD8-9C030D2A7CEA",
Source: w6ZM6tS22n.exe	String found in binary or memory: mType == TypeFileZipItem::GetOnDiskFilepath%hs: Disabling elevated-memory-usage alarming.%hs : Re-enabled elevated-memory-usage alarmingDiagUtil::SetupKernelTracing: Level[%u] Flags[%016llX] MaxFileSizeMb[%u] FilePath[%ls]DiagUtil::SetupKernelTracing: Failed to setup kernel tracing. Level[%u] Flags[%016llX] MaxFileSizeMb[%u] FilePath[%ls]DiagUtil::ListDirectories: FindFirstFileW() failed for directory %ls - Error Code 0x%08XDiagUtil::CreateZipList: Including File[%ls] in ziplistDiagUtil::CreateZipList: Unable to locate File[%ls]RepUx.exe.dmpRepWAV.exe.dmp.dmpDiagUtil::CollectDumpFiles: Sensor dump: file detected : [%ls] DiagUtil::CollectDumpFiles: Searching for dump files in SystemProfile[%ls]\scannerBlades\LiveQuery\Blades\LiveQuery\Exts\DiagUtil::CollectDumpFiles: Looking to see if any of the %u dump files found are for any of the %u CB executablesDiagUtil::CollectDumpFiles: Dump file[%ls]Windows\ServiceProfiles\LocalService\AppData\Local\Temp\DiagUtil::CollectDumpFiles: skip %ls, opted out of capturing system dump.DiagUtil::CollectDumpFiles: skip %ls, minimal reportingDiagUtil::CollectDumpFiles: skip %ls, failed to get file size - WinErr[%lu]DiagUtil::CollectDumpFiles: skip %ls, file size exceeds max - size[%u MB] max[%u MB]memory.dmpDiagUtil::CollectAndZipDumpFiles: No memory dumps found.DiagUtil::CollectAndZipDumpFiles: %u crash dump file(s) discovered. Compressing...DiagUtil::CollectAndZipDumpFiles: Created crash dump Zip[%ls] Success[%ls] (%d) Name[%ls] Value[%ls] Default[%ls]Current Usermode ConfigProps:Current Kernel ConfigProps:Unknown Error[%d].backupDiagUtil::CollectSpecifiedLogsDeleteAlways: CopyFileW failed. Error[%d] Src[%ls] Dest[%ls]w+bFile[%ls] OpenError[%d]File[%ls] WriteError[%u-%u]cb-installerconfer-temp.log\Events\psc_minibatch_psc_eventbatch_*archives\cblr.logconfer.logNetTrace.logPerfStats.logAmsiEvents.logHbfwEvents.logSensorAlarms.logLiveQuery.logCbOsqExt.logLiveResponse.logscanhost.logvhostcomms.logupd.logscanner\scanner.iniReputation.csvWebRequest.logmsi.logmsi-FromConferDir.logWebRequest.etlContent\manifestContent\manifestDiagUtil::CollectSensorLogs: could not retrieve content paths, segments will be excluded from capture for file %lsd:\JenkinsNew\workspace\CbD_Build_Windows_Agent_3.9\2698\windows\repmgr\DiagnosticCaptureUtils.cppDiagUtil::CollectSensorLogsCbRepWSC.logdb_msg.changeui\db_msg.backupDiagUtil::CollectSensorLogs: Error backing up DB %lsdb_msgBlades\LiveQuery\LiveQueryExtensions.loadLiveQueryExtensions.loaddb_rep.backupdb_repdb_eve.backupdb_evedb_cfg.backupdb_cfgdb_diag.backupdb_diagHyperscanGenerator.loguser\CbRepWAV.loguser\CbRepWAV.logRepUx.logRepUx.log.backupuser\RepUx.logWindows\ServiceProfiles\LocalService\AppData\Local\Temp\CbRepWAV.logCbRepWAV.log.backupCbDefenseevtxWindowsEventLogs\logonSessions.txtwfpfilters.xmlC:\windows\system32\:\windows\system32\DiagUtil::SaveWfpFilterInfo: Failed gettng system directory, constructed path:[%ls]netsh.exenetsh.exe wfp show filters verbose=on DiagUtil::SaveWfp
Source: w6ZM6tS22n.exe	String found in binary or memory: d:\JenkinsNew\workspace\CbD_Build_Windows_Agent_3.9\2698\windows\repmgr\EtwSession.cppCbEtwSession::AllocateTracePropertiesCbEtwSession::AllocateTraceProperties: Min buffer size for session [%ls] is [%lu] bytes. This exceeds expected maximum of [%lu] bytes. Allocating the minimum required.CbEtwSession::CheckIfSessionExists: Session [%ls] is not yet runningCbEtwSession::CheckIfSessionExists: ControlTrace(query) failed with [%lu] on session [%ls]NULL == m_StartSessionHandle && NULL != m_pTracePropertiesCbEtwSession::StartSessionCbEtwSession::StartSession: Started ETW Trace Session[%ls]CbEtwSession::StartSession: Failed to enable providers for Session[%ls]Already existsFailed to startCbEtwSession::StartSession: %ls, Session[%ls], Status[0x%08X]CbEtwSession::StartSession: Failed EventAccessControl for session[%ls], err [%lu]CbEtwSession::StartSession: Failed to get SYSTEM SID while changing security for session[%ls]NULL != m_pTracePropertiesCbEtwSession::StopSessionCbEtwSession::StopSession: Session[%ls] does not exist or is marked as non-stoppableCbEtwSession::StopSession: Failed to disable providers for Session[%ls]Failed to stopCbEtwSession::StopSession: %ls tracing for Session[%ls], Status[0x%08X]m_pSessionDefCbEtwSession::CommonSetupm_pSessionDef->GetProviderDefinitions().Count() != 0CbEtwSession::CompareTo: session definition from PSC document was changed, ETW session [%ls], session GUID [%ls]CbEtwSession::FlushEventBuffers: Unable to flush buffers for Session[%ls] Error[0x%08X]CbEtwSession::DisableProviders: No handle available, unable to disable providers for Session[%ls]CbEtwSession::IsSessionStartedCbEtwSession::IsSessionStarted: Failed QueryTraceW on session [%ls], error [%lu]
Source: w6ZM6tS22n.exe	String found in binary or memory: Tried to set it to: %lluLiveQuery::LiveQueryLiaison::SendResult: Query %hs will be re-added to the Completed Query Queue (to be sent later).LiveQuery::LiveQueryLiaison::Enqueue: unexpected action value of %d for %hsLiveQuery::LiveQueryLiaison::Enqueue: LQL worker thread has not been started. Launching thread...LiveQuery::LiveQueryLiaison::Enqueue: %lsLiveQuery::LiveQueryLiaison::WorkerLoop: Worker thread start. (mContinueWork == %d)LiveQuery::LiveQueryLiaison::WorkerLoop: Worker thread end. (mContinueWork == %d)LiveQuery::LiveQueryLiaison::GetAndPopFrontCompletedQuery: EmptyLiveQuery::LiveQueryLiaison::GetAndPopFrontCompletedQuery: Wait to resend %hsLiveQuery::LiveQueryLiaison::EnqueueCompletedQuery: discard canceled query (id %hs)LiveQuery::LiveQueryLiaison::ProcessQuery: Processing query (id %hs)LiveQuery::LiveQueryLiaison::ProcessQuery: Query %hs successfully processedwill retrywill not retryLiveQuery::LiveQueryLiaison::ProcessQuery: Query %hs failed - %ls: Error Code %dLiveQuery::LiveQueryLiaison::TryEnqueueForRetry: discard canceled query (id %hs)ExecuteCancelUnknownAction
Source: w6ZM6tS22n.exe	String found in binary or memory: --install-dir
Source: w6ZM6tS22n.exe	String found in binary or memory: mpScanner != nullptrd:\JenkinsNew\workspace\CbD_Build_Windows_Agent_3.9\2698\windows\av\avatar\AvManagerAvatar\AvScannerIpcServer.cppavAvatar::AvScannerIpcServer::AvScannerIpcServermhPreStopEvent != NULL && mhMsgEvent != NULLpCtx != nullptravAvatar::AvScannerIpcServer::SocketDataCallbacksocket != NULLpBuffer != nullptrbufferLength > 0Av.Avt.Scanner.Ipc: Stopped, reject new connectionAv.Avt.Scanner.Ipc: Message is too small, reset connectionAv.Avt.Scanner.Ipc: Out bound connect is already created, reject new connectionAv.Avt.Scanner.Ipc: In bound connect is already created, reject new connectionAv.Avt.Scanner.Ipc: Unexpected initial connection request: %dAv.Avt.Scanner.Ipc: Start listening scanner request from 0x%llxAv.Avt.Scanner.Ipc: Error while waiting for out bound messages. socket 0x%llx error %dAv.Avt.Scanner.Ipc: Stop out bound listening per request. Socket 0x%llxAv.Avt.Scanner.Ipc: Failed to send message on socket 0x%llx, reset out bound connectionAv.Avt.Scanner.Ipc: Start listening scanner response from 0x%llxAv.Avt.Scanner.Ipc: Error while waiting for in bound messages on socket 0x%llx. Timeout[%d]Av.Avt.Scanner.Ipc: Stopped waiting for in bound messages on socket 0x%llx. Timeout[%d]Av.Avt.Scanner.Ipc: Stop in bound listening per request socket 0x%llxMessage Type: avAvatar::AvScannerIpcServer::HandleInBoundSocketProcbug/unexpectedMsgType 0 0Av.Avt.Scanner.Ipc: Failed to cast to generic error message, Error Codes: , Sub Type : runtime, Error Type: Av.Avt.Scanner.Ipc: Scanner reports a generic runtime error, %hs:%hs:%hsAv.Avt.Scanner.Ipc: Clean up outbound queue. New %u, waiting %uAv.Avt.Scanner.Ipc: Got a timeout while waiting on request, type %dAv.Avt.Scanner.Ipc: Have an error while waiting for completion of queued IPC request, type %d, error %uAv.Avt.Scanner.Ipc: Got pre-stop eventmWaitTimeout > 0avAvatar::AvScannerIpcServer::WaitReplyMessageAv.Avt.Scanner.Ipc: Got a timeout while waiting on request (extra pre-stop wait), type %dAv.Avt.Scanner.Ipc: scanner is not ready, discard message, type %d, id %uavAvatar::AvScannerIpcServer::QueueIpcRequestAndWaitbug/unexpectedMsgType, 0, 0Av.Avt.Scanner.Ipc: Failed to cast to error message for request %d/%hs, Error Type: Av.Avt.Scanner.Ipc: Scanner reports an error for request %d/%hs, error %hs:%hs:%hsAv.Avt.Scanner.Ipc: Got an invalid message type back (%d, expected %d) for %hsAv.Avt.Scanner.Ipc: Notify scanner to initinitAv.Avt.Scanner.Ipc: Got an invalid message reply type (%d, expected %d) for initAv.Avt.Scanner.Ipc: Notify scanner to shutdownShutdownAv.Avt.Scanner.Ipc: Got an invalid message reply type (%d, expected %d) for ShutdownAv.Avt.Scanner.Ipc: Notify scanner to reload engineReloadEngineAv.Avt.Scanner.Ipc: Got an inavlid message reply type (%d, expected %d) for ReloadEngineAv.Avt.Scanner.Ipc: Notify scanner to set scan options [%ls]SetScanOptionsAv.Avt.Scanner.Ipc: Got an invalid message reply type (%d, expected %d) for SetScanOptionsAv.Avt.Scanner.Ipc: Notify scanner to set apc ris
Source: w6ZM6tS22n.exe	String found in binary or memory: <Address></Address>
Source: w6ZM6tS22n.exe	String found in binary or memory: <InstallDate></InstallDate>
Source: w6ZM6tS22n.exe	String found in binary or memory: <InstallDirectory>Default</InstallDirectory>
Source: w6ZM6tS22n.exe	String found in binary or memory: <InstalledFor></InstalledFor>
Source: w6ZM6tS22n.exe	String found in binary or memory: <InstalledFor>All-Users</InstalledFor>
Source: w6ZM6tS22n.exe	String found in binary or memory: </InstallComponents><DiskDrives>
Source: w6ZM6tS22n.exe	String found in binary or memory: cb-installer-3.9.2.2698.log
Source: w6ZM6tS22n.exe	String found in binary or memory: cb-installer-3.9.2.2698.logIsServiceProtected: Failed to query service protection status Service[%ls] Error[%d]wscsvcCheckAndStartService: Failed to open service to check status Service[%ls] Error[%d]CheckAndStartService: Failed to query service status Service[%ls]CheckAndStartService: Protected Service[%ls] was stopped. Attempting to startCheckAndStartService: Failed to start Service[%ls] Error[%d]CheckAndStartService: Service[%ls] State[%d] Running[%d]install_utils::CheckIsAdmin: IsProcessRunningElevated(%lu) %ls returned err[%u]install_utils::Registerinstall_utils::Register failed: %lsinstall_utils::Register succeededinstall_utils::GetDialogOptionscompany codeuser codeDecodeRegisterCode: DecodeRegistrationCode as %ls failedinstall_utils::DecodeRegisterCode ERROR: detected old company_code format that is invalid for sensor 3.x and later, please get the new company_code from the backend.DecodeRegisterCode: DecodeRegistrationCode as %ls succeeded

Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: \Device\HarddiskVolume4\Users\user\Desktop\w6ZM6tS22n.exe0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: \device\harddiskvolume4
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: \Device\S
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: v\Dfs\Device\LanmanRedirector\;\Device\WinDfs\A
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: {%08lx-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x}\Device\PcwDrv
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: [None]\Device\NameResTrk\Record
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: System\advapi32.dllI_QueryTagInformation%S\DEVICE\TCPIP_System\CurrentControlSet\Services\NcbService\NCBRtcBaseSystemSlotNumber
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: \device\mup\
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: \device\
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: x-noneAllowDevelopmentWithoutDevLicense\Registry\Machine\SOFTWARE\Policies\Microsoft\Windows\Appx\Registry\Machine\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlockEnumerateStateContainerItems\REGISTRY\A\\Device\NamedPipe\Control Panel\International\GeoNation\Device\MUPe
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: sps\\?\%s%s\Device\V
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: DefaultConnectionSettingsSoftware\Microsoft\windows\CurrentVersion\Internet Settings\ConnectionsSOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet SettingsProxySettingsPerUserWinHttpAutoProxySvcSoftware\Microsoft\Windows\CurrentVersion\Internet Settings\WpadWpadDetectedUrlWpadDnsWpadDhcpWpadDecisionReasonWpadDecisionTimeWpadDecision%02x-00-00-00-00-00-00%02xloopbacklocalhostWinHttpSetTimeoutsWinHttpSetOptionWinHttpResetAutoProxyWinHttpSetStatusCallbackWinHttpOpenWinHttpCloseHandleWinHttpFreeProxyResultExWinHttpGetProxyResultExWinHttpGetProxyForUrlEx2WinHttpCreateProxyResolverwinhttp.dllGlobal\F932B6C7-3A20-46A0-B8A0-8894AA421973ProxyDllFileSYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc\Parameters\DEVICE\%s
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: %s%s_%I64u{%08lX-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}%s%s\DEVICE\NETBT_TCPIP_{%08lX-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}DhcpDomainDomainRegisterAdapterNameRegistrationEnabledSYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\ProfileNameServerNameServerDhcpNameServerSearchListDhcpRACoexistenceEnabledDhcpDomainSearchListfec0:0:0:ffff::1 fec0:0:0:ffff::2 fec0:0:0:ffff::3dhcpcsvc.DLLdhcpcsvc6.DLLDNSAPI.dllNSI.dll
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: TransientLangId%ws\%ld\AppContainerNamedObjects\%wsControl Panel\International\User Profile%ws\%ld\AppContainerNamedObjects\Input\Output\Reference\Device\ConDrv\Server\??\%s\system32\conhost.exe 0xffffffff -ForceV1\Sessions%ws\%ld%ws\Connecthotkey.dde.WilError_01\WindowsBASEDLL!TMPBACKUPINIFINDGMEMLMEMENVRESVDMControl Panel\Internationalfile//localhost!x-sys-default-locale(
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: \device\cdrom0
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: UserLibraryFolder\Device\Mup\onecore\windows\hvsi\hvsifiletrustlib\hvsifiletrust.cpp\hvsifiletrustfilterport
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: targetSystem\CurrentControlSet\Control\Hvsisspicli.dllLogonUser APIncalrpclsasspirpcSSPICLICommentNameTokenSizeTypeVersionRpcIdCapabilitiesSystem\CurrentControlSet\Control\Lsa\SspiCache ,SecurityProvidersSystem\CurrentControlSet\Control\SecurityProvidersSystem\CurrentControlSet\Control\SecurityProviders\SaslProfilesSpUserModeInitialize\SECURITY\LSA_AUTHENTICATION_INITIALIZED\Device\KsecDDNegotiateMICROSOFT_AUTHENTICATION_PACKAGE_V1_0TimeProtectedUserLevelSystem\CurrentControlSet\Control\LsaInitSecurityInterfaceAInitSecurityInterfaceWCRYPTBASE.dllapi-ms-win-security-lsalookup-l1-1-0.dllSspipProcessSecurityContext: Extra buffers with NULL input
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: \device\lanmanredirector\
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: \Device\MupH
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: \Device\NDIS
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: \device\lanmanredirector\Q
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: ProviderHandleObjectLengthHashDigestLengthIsKeyedHashHashBlockLengthMDMEnabledFipsAlgorithmPolicy\Registry\Machine\System\CurrentControlSet\Control\LsaEnabled\Registry\Machine\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Device\KsecDDPaddingSchemesCAPIPRIVATEBLOBCAPIPUBLICBLOBCAPIDHPRIVATEBLOBCAPIDHPUBLICBLOBV2CAPIDSAPRIVATEBLOBV2CAPIDSAPUBLICBLOBCAPIDSAPRIVATEBLOBCAPIDSAPUBLICBLOBRSAFULLPRIVATEBLOBStatusonecore\ds\security\cryptoapi\ncrypt\crypt\base.cRSAPRIVATEBLOBGetHashInterfaceGetSecretAgreementInterfaceGetCipherInterfaceGetRngInterfacebcrypt.dllGetAsymmetricEncryptionInterfaceGetSignatureInterfaceGetKeyDerivationInterface
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: \netbios.dllNetbiosLanmanWorkstationLanmanServerNetWkstaSetInfoWORKSTATIONSERVERBROWSERMESSENGERNETRUNSPOOLERALERTERNETLOGONNETPOPUPSQLSERVERREPLICATORREMOTEBOOTTIMESOURCEAFPUPSXACTSRVTCPIPWrLehDzzWrLehDzDzDzDDDzB16zB16BBDzzDDDzB16BBDzJJJWWzWWWWWWWB21BzWWWWWWWWWWWWWWWWWWWWWWzzDDDzGGGDXzDDDDDDDzDzDDDDDDDDDDDDDDDDDDDDDDzB16BBDzDDDWWzWWWWWWWB21BzWWWWWWWWWWWWWWWWWWWWWWzB16BBDzJJJWWzWWWWWWWB21BzWWWWWWWWWWWWWWWWWWWWWWzDWzzDDDzGGGDXzDDDDDDDzDzDDDDDDDDDDDDDDDDDDDDDDzDDzB16BBDzDDDWWzWWWWWWWB21BzWWWWWWWWWWWWWWWWWWWWWWzDWz\IPC$\PIPE\LANMANSMB1TRUEYESFALSENO0x0123456789ParametersSystem\CurrentControlSet\Services\\Device\LanmanRedirector\;:[:]TransportSmbProtocolTypeRSDS
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: \IPC$\Device\LanmanRedirector\;:[:]TypeRSDS
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: WDzzzzBBDWDWWWWWWWWWWWWWWWWWWWzzWDDzzzzDDDDDDDDDDDDDDDDDDDDDDDDzzDWDzzzzBBDWDWWWWWWWWWWWWWWWWWWWzzWzzWDDzzzzDDDDDDDDDDDDDDDDDDDDDDDDzzDzzDzzzBBzzzzzDDzzDzzDDDzzDDzDzzDDzDDDDDDDDDDDDDDDDDDzDzDDDDDDDDDDDDDDDDDDzDDDDDDDDDDDDDDDDDDDDBBBBBBBBBBBBBBWrLh\IPC$\PIPE\LANMANSMB1\Device\LanmanRedirector\;:[:]TransportSmbProtocolTypeRSDSk
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: ERROR: CPolicyEng::GetRuleId: rule id for rule %d is not an integerERROR: CPolicyEng::GetUserGroups: user groups for rule %d is not an arrayERROR: CPolicyEng::GetUserGroups: user group for rule %d is not a string\device\policyTimeStampERROR: CPolicyEng::BuildSensorRuleSet: no policy nameCPolicyEng::BuildSensorRuleSet: new policy name: %lsERROR: CPolicyEng::BuildSensorRuleSet: no policy timestampCPolicyEng::BuildSensorRuleSet: new policy timestamp: %lluERROR: CPolicyEng::GetApplication: application for rule %d is not an objectERROR: CPolicyEng::GetApplication: application type for rule %d is not an intERROR: CPolicyEng::GetApplication: application value for rule %d is not a string14131210976543ERROR: CPolicyEng::GetApplication: application value for rule %d is not valid: %hs : ERROR: application pattern for rule %d is not valid: %hsERROR: application pattern %hs for rule %d is not valid
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: \\\device\mup\\device\lanmanredirector\\??\unc\\??\SystemRoot\systemrootSystemDrive%swindows\windows%sdocuments and settings\\documents and settings\%sprogram files\program files
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: Software\Classes\Local Settings\MuiCache%x%s\%s\%sStringCacheGeneration\Registry\Machine\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettingsLanguageList%ws\%ld\BaseNamedObjects\BaseNamedObjects\Device\NamedPipe%ws%ws\%wsRPC Controlwinnlsres.dll\RPC ControlDynamic DSTMUI_StdMUI_DltTZISOFTWARE\Microsoft\Windows NT\CurrentVersion\Time ZonesLastEntryFirstEntry%u-%u-%u-%u\??\AppData\Settings\roaming.lockVersion%hsonecore\base\appmodel\identity\lib\packageidentity.cppDisplayNameQueryStateContainerItemInfo\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\\%s.pckgdep.NO1TRUEYES.exeRtlAreLongPathsEnabled..\..\Settings\settings.datOSMaxVersionTested_Classes\Local Settingsnetmsg.dll /C \SharedLocal%s%sSoftware\Policies\Microsoft\Control Panel\International\Registry\Machine\onecore\base\appmodel\statemanager\apiset\lib\statespace.cppDevelopmentMode\PSRReadStateContainerValueonecore\base\appmodel\statemanager\apiset\lib\statecontainer.cppOpenStateExplicitonecore\base\appmodel\runtime\src\extensionprogids.cppCreateStateSubcontainer%s\%u-%u-%u-%uFullTrustComSpec.bat.cmd /c"mferror.dll?\UNC{
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: %ls: Failed to copy file to: %ls, error %u%ls: Failed to find next file, error %uSiUtilRemoveMultiLevelPath: error %d removing directory %ls (level = %d)SiUtilRemoveMultiLevelPath: too few "%ls" in path to remove %d directory levels.SiUtilMkdir\/SiUtilMkdir: ERROR: CreateDirectoryA(%hs): %u\Device\UpperFiltersSYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}SiUtilGetDiskUpperFiltersAsStringListbRet is installed properly. No drivers present in UpperFilters keypartmgr. Repair is needed to prevent crash on next reboot.Key[PartMgr was not found in UpperFilters prior to Partmgr was not found in UpperFilters. Repair is needed to prevent crash on next reboot. Key[ was not found in UpperFilters. Repair is needed to prevent crash on next reboot. Key[SYSTEM\CurrentControlSet\Services\DeleteFlagSiUtilCheckAndRepairDiskUpperFilters: Checking UpperFilters key for corruptionSiUtilCheckAndRepairDiskUpperFilters: NumDiskDriversFound[%u] Bytes[%lu] UpperFilters[%ls] ReadStatus[%lu]SiUtilCheckAndRepairDiskUpperFilters: Detected DSEN-18585 corruption in RegistryKey[%ls]LastKnownGoodSYSTEM\SelectSiUtilCheckAndRepairDiskUpperFilters: Unable to find LastKnownGood control set. Cannot repairSYSTEM\ControlSet%03u\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}SiUtilCheckAndRepairDiskUpperFilters: LastKnownReg[%ls] NumDiskDriversFound[%u] Bytes[%lu] UpperFilters[%ls] ReadStatus[%lu]SiUtilCheckAndRepairDiskUpperFilters: Unable to find LastKnownGood UpperFilters. Cannot repairSiUtilCheckAndRepairDiskUpperFilters: LastKnownGood not valid. Cannot repair. Error[%hs].SiUtilCheckAndRepairDiskUpperFilters: Found deleted service[%ls]. Removing from repair listErrorSiUtilCheckAndRepairDiskUpperFilters: Current[%ls] LastKnownGoodUpperFilters[%ls] RepairedUpperFilters[%ls]SiUtilCheckAndRepairDiskUpperFilters: Unable to convert string list to buffer.SiUtilCheckAndRepairDiskUpperFilters: Unable to write repaired list to registry.SiUtilCheckAndRepairDiskUpperFilters: Repair Successful! UpperFilters Old[%ls]->New[%ls]SiUtilEnablePrivilege: %ls: AdjustTokenPrivileges failed: WinErr (%lu)SiUtilEnablePrivilege: %ls: LookupPrivilegeValueW failed: WinErr (%lu)SiUtilEnablePrivilege: %ls: OpenProcessToken failed: WinErr (%lu)SiUtilGetDataFilesDirc:\ProgramData\CarbonBlack\DataFilesDataFilesSiUtilGetUserDataFilesDirc:\ProgramData\CarbonBlack\UserDataFilesUserDataFilespPathSiUtilGetPscDataFolderSiUtilGetPscDataFolder: SHGetKnownFolderPath failed, HRESULT = %ldCarbonBlackadvapi32.dllSiUtilGetServiceNameFromServiceTag: Failed to get module handle - Module[%ls] WinErr[%lu]I_QueryTagInformationSiUtilGetServiceNameFromServiceTag: Failed to get proc address - Func[%hs] WinErr[%lu]SiUtilGetServiceNameFromServiceTag: %ls: SCM query subprocess tag routine returned NULL buffer for nameSiUtilGetServiceNameFromServiceTag!serviceName.empty()SiUtilGetServiceNameFromServiceTag: ERROR: SCM tag query routine failed, return code %lu, %ls, service tag %luSOFTWARE\Microsoft\Win
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary string: valid_wfp_pathunexpanded_dre_macro_pathunexpanded_drive_letter_pathunexpanded_dos_device_pathunexpanded_environment_variable_pathonly_basename_pathinvalid_characters_in_pathinvalid_path_formatvalidation_not_done\device\\\?\<>"\|?*d:\JenkinsNew\workspace\CbD_Build_Windows_Agent_3.9\2698\common\user_driver_utils\HbfwUtils.cppHbfwFilePathValidator::ValidatePathCharsm_ValidationResult != PATH_VALIDATION_RESULT::VALIDATION_RESULT_UNKNOWNHbfwFilePathValidator::IsPathValidForWFPHbfwFilePathValidator::IsPathValidationErrorFatal.in.out.errGetLastError() == ERROR_NO_MORE_FILESd:\JenkinsNew\workspace\CbD_Build_Windows_Agent_3.9\2698\windows\Blade\BladeRunner\InOutFileComms.cppInOutFileComms::FindAllIOFilesProcess Monitoring Rate: %llu ms

Source: classification engine

Classification label: clean18.evad.winEXE@9/4@0/0

Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74EA39000.00000002.00000001.01000000.00000003.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74EA39000.00000002.00000001.01000000.00000003.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);

Source: w6ZM6tS22n.exe

Static file information: File size 48998088 > 1048576

Source: w6ZM6tS22n.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: w6ZM6tS22n.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: w6ZM6tS22n.exe

Static PE information: certificate valid

Source: w6ZM6tS22n.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x153c200
Source: w6ZM6tS22n.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0xfefc00
Source: w6ZM6tS22n.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x76ca00

Source: w6ZM6tS22n.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: w6ZM6tS22n.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: w6ZM6tS22n.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: w6ZM6tS22n.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: w6ZM6tS22n.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: w6ZM6tS22n.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: w6ZM6tS22n.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: w6ZM6tS22n.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: w6ZM6tS22n.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: netutils.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: kernelbase.pdbRSDS5V source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: iphlpapi.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: userenv.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: bcrypt.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: ucrtbase.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: ucrtbase.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wldap32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: msvcrt.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Age does not matchThe module age and .pdb age do not match. source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: gdi32full.pdbRSDSd source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: mintdh.pdbRSDS! source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: shlwapi.pdbRc source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wtsapi32.pdb+d source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: winhttp.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: advapi32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: ucrtbase.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: msvcp_win.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wintrust.pdbXc source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: msi.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Kernel.Appcore.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dbghelp.pdbRSDSVY source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: crypt32.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dbgcore.pdbGCTL source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: profapi.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: ^.pdbThe path is not availableThe debugger SYMSRV client could not find a UNC store specified source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: sspicli.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wevtapi.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: msasn1.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: shcore.pdb@c source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: shlwapi.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: crypt32.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: kernel32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: msvcrt.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ntdll.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msasn1.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wkscli.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: win32u.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: shell32.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dbghelp.pdb,d source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: secur32.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dsrole.pdbRSDSk source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Signature does not matchThe module signature does not match with .pdb signature source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: fltLib.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: fltLib.pdbGCTL source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: tdh.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: mintdh.pdbGCTL source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: ws2_32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: netapi32.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: iphlpapi.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: iphlpapi.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: kernelbase.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ole32.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: msvcrt.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: powrprof.pdbRSDS# source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dpapi.pdbRSDS" source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: advapi32.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gdi32.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: winhttp.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dsrole.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: powrprof.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: powrprof.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: ole32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Downloading symbols for [%s] %ssrvsymsrvhttp://https://_bad_pdb_file.pdb source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: version.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: version.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: setupapi.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: msasn1.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: advapi32.pdbRSDSGR& source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: msvcp_win.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Unable to locate the .pdb file in this location source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: cfgmgr32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: d:\JenkinsNew\workspace\CbD_Build_Windows_Agent_3.9\2698\windows\repmgr\x64\Release\RepMgr.pdb source: w6ZM6tS22n.exe, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: combase.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Windows.Storage.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F790000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: profapi.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: netapi32.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: psapi.pdbRSDS\ source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: kernel32.pdbRSDS8 source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: .pdberror out of memory loading %ls source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: or you do not have access permission to the .pdb location. source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: secur32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dpapi.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wldap32.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: kernel32.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sechost.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: bcryptprimitives.pdbRSDS0p source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dsrole.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: netutils.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: kernelbase.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wevtapi.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: msasn1.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rpcrt4.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wkscli.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dpapi.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: win32u.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: msi.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: rpcrt4.pdbRSDSD source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: shcore.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: bcrypt.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: crypt32.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: *.pdb.dbg.rdatantdll.dbg.mpd source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: fltLib.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wevtapi.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: normaliz.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: fltLib.pdbRSDS]\| source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wintrust.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: shell32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: sspicli.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: StorageFileStartExperience_GetUserFileStreamForReadAsUserAsyncWindows.UI.Xaml.Interop.Marshal.IMarshalPropertyChangedEventArgsWindows.UI.Xaml.Interop.Marshal.IMarshalCustomPropertyProviderWindows.UI.Xaml.Interop.Marshal.IMarshalCustomPropertyinternal\sdk\inc\usermodelptc.hinternal\onecoreuapshell\private\inc\sharedstoragesources\syncrootcommon.honecoreuap\shell\inc\storagetelemetry.hData\Program Files\Data\Program Files (x86)\Data\ProgramData\Data\Windows\Program Files\Program Files (x86)\ProgramData\Windows\$Windows.~BT\Windows.old\.appx.appxbundle.appxpackage.automaticdestinations-ms.cat.cdxml.cer.cookie.customdestinations-ms.dmp.dsft.efi.etl.fon.ini.iso.mp.mpb.msip.msm.mui.nst.ocx.olb.ost.otf.p10.p12.p7b.p7c.p7m.p7r.p7s.p7x.partial.pdb.pem.pfm.pfx.psd1.psf.rll.sft.spc.spkg.sst.ttc.ttf.vmcx.vmrs.vsi.vsix.wfs.wim.winmd.xapFTSearched0000000000000000000 source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: oleaut32.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: userenv.pdbQc source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: msvcp_win.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: sechost.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: cfgmgr32.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wldap32.pdbKc source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: rpcrt4.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: userenv.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: normaliz.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: setupapi.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: ws2_32.pdbRSDSml source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: tdh.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: winhttp.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: psapi.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: gdi32full.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F790000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: combase.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: sspicli.pdb d source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: user32.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: userenv.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: mintdh.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Windows.Storage.pdbRSDSw source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wkscli.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: cfgmgr32.pdbWc source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wtsapi32.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: bcrypt.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dbghelp.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: gdi32full.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: gdi32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F790000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: profapi.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: netutils.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: sechost.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: shcore.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: shlwapi.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: ntdll.pdbRSDSCb source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: win32u.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcp_win.pdbLc source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: secur32.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: version.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Windows.Storage.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dbgcore.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wtsapi32.pdbRSDSq source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wintrust.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Kernel.Appcore.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: msi.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: d:\JenkinsNew\workspace\CbD_Build_Windows_Agent_3.9\2698\windows\repmgr\x64\Release\RepMgr.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: user32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dbghelp.pdbUGP source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Kernel.Appcore.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Drive not readyThis error indicates a .pdb file related failure. source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: user32.pdbRSDS=; source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: d:\JenkinsNew\workspace\CbD_Build_Windows_Agent_3.9\2698\windows\repmgr\x64\Release\RepMgr.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: psapi.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: netapi32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: shell32.pdbFc source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: The module signature does not match with .pdb signature. source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: bcryptprimitives.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F790000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: ntdll.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: tdh.pdbEc source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wtsapi32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: oleaut32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: wintrust.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: tdh.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: ws2_32.pdb8 source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sspicli.pdbRSDS source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: dbgcore.pdb&d source: w6ZM6tS22n.exe, 00000006.00000003.357123097.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F797000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr
Source:	Binary string: crypt32.pdb source: w6ZM6tS22n.exe, 00000006.00000003.357106694.000001B01F791000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr

Source: w6ZM6tS22n.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: w6ZM6tS22n.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: w6ZM6tS22n.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: w6ZM6tS22n.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: w6ZM6tS22n.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: w6ZM6tS22n.exe	Static PE information: section name: .detourc
Source: w6ZM6tS22n.exe	Static PE information: section name: .detourd
Source: w6ZM6tS22n.exe	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\w6ZM6tS22n.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\16FCB1A7

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\sc.exe sc create FhZxY binpath= "C:\Users\user\Desktop\w6ZM6tS22n.exe"

Source: C:\Users\user\Desktop\w6ZM6tS22n.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: w6ZM6tS22n.exe, 00000006.00000003.363291021.000001B01EF25000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.363323634.000001B01EF2E000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000002.363442495.000001B01EF30000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.363281623.000001B01EF24000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: PROCMON.EXE
Source: w6ZM6tS22n.exe, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: /NOFILTER/MINIMIZED/QUIET/BACKINGFILE/WAITFORIDLE/TERMINATEPROCMON.EXEPROCMON64.EXEPROCMONLOWALT.EXELOGFILE.PMLPSC_PROCMON.PMLPSC_PROCMON-EULAACCEPTEDSOFTWARE\SYSINTERNALS\PROCESS MONITORPROCMONSYSINFO.XMLPSC_STATUS.TXTPSC_PROCESSES.TXTPSC_DEVICES.TXTPSC_VOLUMES.TXTPSC_CANONICAL_POLICY.JSONPSC_PRESENTATION.JSONPSC_CBD_POLICY.TXTPSC_YARA_RULES_CLASSIFICATION_PSC_CMDLINE_YARA_RULES.TXTCB-TEMP\TEMP\SGW_CONFIG.JSON@

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\w6ZM6tS22n.exe

Process information queried: ProcessInformation

Jump to behavior

Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: %08x-%08xLUIDLinkedLUIDSessionUserNameUserPrincipalNameDomainNameSid(LogonTypeLogonTimeAuthenticationPackageLogonServerDNSDomainNamePasswordLastSetTimeLastLogonTimeLastFailedLogonTimeFailedLogonAttemptsSensorStateSensorStateDetailsProtectionDelayPolicyNamePolicyTimestampLastManifestContentUpdateCurrentManifestContentErrorsDefenseEnabledCbFirewallRegisteredCbFirewallEnabledKernelFileFilterConnectedDeviceIDLastUserSensorRestartsLastSensorResetVirtualGuestToHostCommsStatusExternalIdentityFIPSModeEnabledVMwareESXiGuestVMwareHorizonCloneXDRSignaturesStatusSensorUpTimeSensorVersionSVNRevisionLocalScannerProductVersionLocalScannerEngineVersionDiskFilterVersionNetFilterVersionPSCPolicyVersionFileAnalysisVersionCbSharedVersionProtobufVersionSqliteVersionMhooklibVersionDisasmlibVersionWscuuidVersionMsgpackVersionDetoursVersionLibcurlVersionHtpVersionMinizipVersionHyperscanRuntimeVersionHyperscanCompilerVersionMicroidsVersion3.0.6MinizipPackageVersion0.5.4MsgpackPackageVersion1.1.0RapidJsonPackageVersion8.0.1LibcurlPackageVersion3.39.2SqlitePackageVersion4.1.3YaraPackageVersionSciterVersionBackgroundScanStateBackgroundScanProgressBackgroundScanCurrentDirectoryBackgroundScanFilesProcessedOnDemandScanStateOnDemandScanProgressOnDemandCurrentDirectoryOnDemandScanFilesProcessedSensorConnectedToCloudProtocolVersionServerAddressUsingProxyForceStaticProxyUseCurrentProxiesDetectedProxiesLastAttemptProxiesStaticProxiesRegisteredReregisterRequiredNextSendWindowSendWindowSizeEnabledPrivateLoggingMessagesSentMessageSendErrorsMessageTotalBytesSentMessageTotalBytesReceivedElapsedMilliSecondsSinceLastCloudSuccessElapsedMilliSecondsSinceLastCloudFailureLastCurlCodeLastHttpCodeNotConfiguredGatewayStatusResubmitReputationsOutstandingResubmitReputationsTotalQueuedExpeditedReputationsOutstandingExpeditedReputationsTotalQueuedSlowReputationsResubmitStateOutstandingSlowReputationsReadyStateOutstandingSlowReputationsStaleStateOutstandingSlowReputationsDemandStateOutstandingHighPriorityQueueOutstandingHighPriorityQueueProcessedMediumPriorityQueueOutstandingMediumPriorityQueueProcessedLowPriorityQueueOutstandingLowPriorityQueueProcessedLiveQueriesOutstandingLiveQueriesCompletedAPCUploadsOutstandingAnalysisUploadsOutstandingUBSUploadsOutstandingUBSUploadsCompletedPSCAverageUploadRatePerWindowUBSAverageUploadRatePerWindowEventBatchesUploadedTotalEventsUploadedTotalBytesUploadedAverageArchiveCompressionRatioCompressionMethodCompressionLevelAverageArchiveDurationInMillisecondsMaxArchiveTimespanInSecondsMaxArchiveSizeInBytesUploadTimeoutsUploadFailuresAverageUploadRateInBytesPerSecondAverageBytesUploadedPerMinuteMaximumUploadRateInBytesPerSecondPercentageOfDiskQuotaInUsePendingMinibatchCountPendingMinibatchSizeInBytesEventBatchesCreatedDueToTimeEventBatchesCreatedDueToSizeAverageEventSizeInBytesAverageEventsPerMinibatchAverageMinibatchesPerArchiveEventBacklogGroomingActivatedCountDebuggingEnabledDebugFlagsLoggingMaskKernelDebugLevelKernelDebugFlagsMaintenanceModeEnabledCommandLinesHidden
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: VHostComms-Windows errorVHostComms-vHostComms errorVHostComms-Windows/Fatal errorvHostComms/Fatal errorvHostComms::VHostCommsIpcErrorMsg::GetErrorTypeStrUnknown errorVHCInterfaceLockNot FoundInitializingServer Unavailabled:\JenkinsNew\workspace\CbD_Build_Windows_Agent_3.9\2698\windows\VirtualHostComms\VHostCommsConnector\HostCommsInterface.cppvHostComms::HostInterface::GetConnectionStatusStrVHostComms:DisconnectCountVHostComms:FatalErrorsvHostComms::HostInterface::SendQueryIdentityMessage: VHostManager::SendIpcMsg[%ls] status = %dvHostComms::HostInterface::SendQueryIdentityMessage: Failed to create query identity message, error = %dvHostComms::HostInterface::SendVDiskInfoQuery: VHostManager::SendIpcMsg[%ls] status = %dvHostComms::HostInterface::SendVDiskInfoQuery: Failed to create VDiskInfo message, error = %dvHostComms::HostInterface::ProcessIdentityMessage: Failed to parse received message for identity info, error = %dvHostComms::HostInterface::ProcessIdentityMessage: External identity changed, need to reregistervHostComms::HostInterface::ProcessIdentityMessage: s_bVMReRegTriggeredUsingBIOS is set, not re-registeringvHostComms::HostInterface::ProcessIdentityMessages_bIsVMwareESXiGuest = %u, EnableAutoReregisterForVDIClones = %u, s_bIsVMwareHorizonClone = %uExternal identity updatedvHostComms::HostInterface::ProcessVDiskMessage: Failed to parse received message for vDisk info, error = %d :error code :vHostComms::HostInterface::HandleVHostCommsFatalError: Failed to restart virtual host communication helper processvHostComms::HostInterface::UpdateConnectionCounters: VHostComms connection still not restored after %d attemptsvHostComms::HostInterface::HandleConnectionStatusMsg: VHostComms connection status transition (%ls -> %ls)VHostComms: Cannot process empty IPC messageVHostComms: Failed to process message received over vhostcomms channel, error = %dvHostComms::HostInterface::ProcessRecvdIpcMsgVHostComms: Unsupported IPC message with type[%d] received.
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: Descriptor is invalidSockets::Socket::SetBlockingModeSockets::Socket::SetNoDelayVMwareVMwareMicrosoft Hvmachine.id.getCb.DeviceIdCb.RegIdCb.SensorVersionCb.Sensor.policyCb.Sensor.bypassCb.BackgroundScan.stateCb.BackgroundScan.statusCb.Av.SigVerCb.Av.LastUpdateitreplica^vdi.broker.brokers=(.*)( ?)Panic: Unrecoverable memory allocation failure
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: CompanyNameVMware, Inc.t&
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: w6ZM6tS22n.exe, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: PPENABLEDTESTSIGNUMCI_ENABLEDUMCI_AUDITMODE_ENABLEDUMCI_EXCLUSIONPATHS_ENABLEDDEBUGMODE_ENABLEDFLIGHTING_ENABLEDHVCI_KMCI_ENABLEDHVCI_KMCI_AUDITMODE_ENABLEDHVCI_KMCI_STRICTMODE_ENABLEDHVCI_IUM_ENABLEDWHQL_ENFORCEMENT_ENABLEDWHQL_AUDITMODE_ENABLEDMay 17 2023 20:27:36FatFat32ExFatReFSNoRootRemoteCD-ROMRAMBusinessBusiness NHPC EditionServer Hyper Core VCoreCore NChinaSingle LanguageServer Datacenter (Evaluation)Server DatacenterServer Datacenter (Core)Server Datacenter without Hyper-V (Core)Server Datacenter without Hyper-VEnterpriseEnterprise EEnterprise N (Evaluation)Enterprise NServer Enterprise (Evaluation)Server EnterpriseServer Enterprise (Core)Server Enterprise without Hyper-V (Core)Server Enterprise for Itanium-based SystemsServer Enterprise without Hyper-VWindows Essential Server Solution ManagementWindows Essential Server Solution AdditionalWindows Essential Server Solution Management SVCWindows Essential Server Solution Additional SVCHome BasicHome Basic EHome Basic NHome PremiumHome Premium EHome Premium NWindows Home Server 2011Windows Storage Server 2008 R2 EssentialsMicrosoft Hyper-V ServerWindows Essential Business Server Management ServerWindows Essential Business Server Messaging ServerWindows Essential Business Server Security ServerWindows MultiPoint Server StandardWindows MultiPoint Server PremiumProfessionalProfessional EProfessional NProfessional with Media CenterServer For SB Solutions EMServer For SB SolutionsWindows Server 2008 for Windows Essential Server SolutionsWindows Server 2008 without Hyper-V for Windows Essential Server SolutionsServer FoundationWindows Small Business Server 2011 EssentialsWindows Small Business ServerSmall Business Server PremiumSmall Business Server Premium (Core)Windows MultiPoint ServerServer Standard (Evaluation)Server StandardServer Standard (Core)Server Standard without Hyper-VServer Standard without Hyper-V (Core)Server Solutions PremiumServer Solutions Premium (Core)StarterStarter EStarter NStorage Server EnterpriseStorage Server Enterprise (Core)Storage Server ExpressStorage Server Express (Core)Storage Server Standard (Evaluation)Storage Server StandardStorage Server Standard (Core)Storage Server Workgroup (Evaluation)Storage Server WorkgroupStorage Server Workgroup (Core)UltimateUltimate EUltimate NWeb ServerWeb Server (Core)UnlicensedStandaloneWorkstationMemberWorkstationStandaloneServerMemberServerBackupDomainControllerPrimaryDomainControllerRecognizerDriverFileSystemDriverKernelDriverInteractiveProcessWin32OwnProcessInteractiveSharedProcessWin32ShareProcessUnknown Service Type[%08X]AutoBootManualLocalPackageLastUsedSourceLastUsedTypeMediaPackagePathDiskPromptInstallDateInstalledProductNameInstallLocationInstallSourcePublisherVersionStringRegCompanyRegOwnerAssignmentTypePackageCodeUpgradeCodeMsiInstallInfo::SetUpgradeCode%S: Failed to Set Upgrade code for [%s]
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: d:\jenkinsNew\workspace\CbShared_Build_Windows_2019\Das\Common\LibVmciSocket\Socket.cpp
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: "Equals": "<ProgramFiles>\\vmware\\vmware view\\agent\\bin\\wsnm.exe",
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: "Description": "Priority allow VMWare signed dlls to load into Repux/RepCli/VHostComms",
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: Software\VMware, Inc.\ViewComposer\ga\AgentIntegration
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: w6ZM6tS22n.exe, 00000006.00000003.363202485.000001B01EF6D000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.363163218.000001B01EF68000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: Evaluates to true if sensor is running on VMWare Horizon Cloud
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: VMwareHorizonClone[
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: DefenseEventNewFileDuration(ms)DefenseEventNewFileReportAndInfoGatheringDuration(ms)DefenseEventScriptNameDuration(ms)DefenseEventBlockedFileAccessDuration(ms)DefenseEventDataFileAccessDuration(ms)DefenseEventAVActionDuration(ms)DefenseEventAPICallDuration(ms)DefenseEventConsoleAPICallDuration(ms)DefenseEventNetFlowFromKernelDuration(ms)DefenseEventNetFlowFromAPIReportDuration(ms)DefenseEventProcessCreateDuration(ms)DefenseEventHashExecuteDuration(ms)DefenseEventRegistryDuration(ms)DefenseEventPolicyActionFileBlock(ms)DefenseEventPolicyActionProcessTerminated(ms)DefenseEventCSRFileUploadStatusDuration(ms)DefenseEventQueueDuration(ms)DefenseEventNewFileReportsDroppedDefenseEventNewFileReportsAttributedToRepmgrDefenseEventSuppressedDefenseEventNetworkEventsDroppedDefenseEventAddedDefenseEventPrunedUnsentEventsDefenseEventTotalPrunedEventsDefenseEventPruneDuration(ms)DefenseEventRecheckRepDuration(ms)DefenseEventAddThreatDuration(ms)DefenseReport:CollectFileDetailsDurationDefenseReport:CollectResourcesDurationDefenseReport:CollectSignatureDurationDefenseReport:CollectFileDetailsNonAccessibleFilesDefenseReport:SignatureInfoFoundInCacheDefenseReport:ResourceInfoFoundInCacheDefenseReport:CollectProcessInfoDurationDefenseReport:ReportsWithMissingProcessInfoDefenseReport:SignatureInfoRequeries: days HashObjectCache[%u entries, %u bytes/entry] Total[%u bytes]ProcessTable[%u entries, %u bytes/entry] Total[%u bytes}ResubmitQueue[%u entries, %u bytes/entry] Total[%u bytes}ExpediteQueue[%u entries, %u bytes/entry] Total[%u bytes}lvl >= LOG_LEVEL_LOWEST && lvl <= LOG_LEVEL_HIGHESTd:\JenkinsNew\workspace\CbD_Build_Windows_Agent_3.9\2698\common\repmgr\RepGlobals.cppRepGlobals::ResolveLogLevelCblrKillRepGlobals::WriteCblrKillToConfigDb: CfgSetValue(%hs) failed with SiErr[%d]Global\SI_SERVICE_UPRepGlobals::Initialize: Failed to open svc up event - WinErr[%lu]InstallTimeCB Defense Service running for the first time.InstallBootTimeinstallBootTime != 0RepGlobals::InitializeRepGlobals::Initialize: Set InstallBootTime[%llu]SensorDeployTimeCB Defense Unable to obtain SensorDeployTime.RepGlobals::Initialize: Failed to initialize CertLibRepGlobals::Initialize: initialize guestinfo failed, error [%lu]RepGlobals::Initialize: init guestinfo devIdStatus: %d, regIdStatus: %d, versionStatus: %dRepGlobals::Initialize: no need to init guestinfo variables. vmType: %dRepGlobals::s_ResubmitRequestQueue.IsEmpty()RepGlobals::Finalizeconfer.logHORIZONRepGlobals::IsVMwareHorizonClone: s_bIsVMwareESXiGuest = %u, EnableAutoReregisterForVDIClones = %u, bIsVmwareHorizonClone = %u, vdiProvider = %ls
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: "$comment": "https://confluence.eng.vmware.com/pages/viewpage.action?spaceKey=NSBU&title=microIDS+signature+syntax"
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: "Equals": "<ProgramFilesCommonx86>\\VMware\\**",
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: LegalCopyrightCopyright (C) 2011-2023 VMware, Inc. All Rights Reserved.
Source: w6ZM6tS22n.exe, 00000006.00000000.354265880.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp, w6ZM6tS22n.exe, 00000006.00000002.363858104.00007FF74E00E000.00000002.00000001.01000000.00000003.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: IsVirtualMachineVirtualizationProviderExternallyAssignedDeviceIdDeviceManagementIdVdiProviderAzureVmId{
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: send() returned 0 bytesd:\jenkinsNew\workspace\CbShared_Build_Windows_2019\Das\Common\LibVmciSocket\Socket.cppSockets::Socket::SendSockets::Socket::SendAll : Failed to send %d bytes, error = %d
Source: w6ZM6tS22n.exe, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: IsVirtualMachine
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: VMwareESXiGuest[VMwareHorizonClone[Alarms: {none}
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: HKLM\Software\VMware, Inc.
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: "Comment": "DSEN-11529: allowing vmwsci.dll that is vmware signed to load into repcli.exe on horizon vms",
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: DisableGuestVmNetworkConnectivity
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: "Comment" : "DSEN-8733: To avoid interop issues with Horizon, we need to allow <ProgramFilesCommon>\\vmware\\remote experience\\vmtoolshook.dll",
Source: w6ZM6tS22n.exe, 00000006.00000002.363409700.000001B01EED0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \VMware, Inc.\ViewComposer\ga\AgentIntegration
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: VMwareVMware
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: LegalTrademarksVMware is a registered trademark or trademark of VMware, Inc. in the United States and other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.>
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: CIniFileBaseSoftware\VMware, Inc.\ViewComposer\ga\AgentIntegrationCustomizationStartedhttp://169.254.169.254/latest/meta-data/instance-id/services/registration//services/vdiregistration//services/registrationcode//services/deregister//services/status//services/reputation//services/policyV2//services/configuration//services/bulkbehaviorV2//services/bulkreputationV2//services/asyncrepreq//services/hello//services/healthCheck//services/malwareremoved//services/upload//services/uploadconferfile//services/hashlistrefreshV2//services/gethashuploadlist//services/uploadhash//services/getsoftwareupgrade//services/getsoftwarepatch//services/getipblocklist//services/defense/v1/hashdelete/list//services/defense/v1/hashdelete/report//services/getSensorActions//services/zipcontainer//services/cblr//services/uninstallcode//services/metadata//services/psc/v1/threathunter/events//services/ubs/v1/file/existence//services/ubs/v2/file/upload//services/psc/v1/livequery/requests//services/psc/v1/livequery//content_pacing/v1/manifestSoftware\Microsoft\Windows\CurrentVersion\RunOnce
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: EnableGuestVmNetworkConnectivity
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: "Equals": ["VMWare, Inc."]
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: VMwareESXiGuest[
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: "Equals": "<ProgramFilesCommon>\\VMware\\**",
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: "Comment":"https://bugzilla.eng.vmware.com/show_bug.cgi?id=2962550: Denying csrss access causes issues for smart card logons",
Source: w6ZM6tS22n.exe	Binary or memory string: IsVirtualMachineVirtualizationProviderExternallyAssignedDeviceIdDeviceManagementIdVdiProviderAzureVmId{6B
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: "$comment": "https://confluence.eng.vmware.com/pages/viewpage.action?spaceKey=NSBU&title=microIDS+signature+syntax"
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: SystemInformation::InitializeForWindowsUpdateCollection%hs: Failed to initialize COM[0x%08lx]wuapi.dll%hs: Failed to load wuapi[%lu]Microsoft %uWindows 11 Windows 11Windows 10 Windows 10Windows 2022 Server Windows 2022 ServerserverclientWindows 10 Enterprise for Virtual Desktops Windows 2019 Server Windows 2019 ServerWindows 2016 Server Windows 2016 ServerWindows Vista Windows VistaWindows Server 2008 Windows Server 2008Windows 7 Windows 7Windows Server 2008 R2 Windows Server 2008 R2Windows 8 Windows 8Windows Server 2012 Windows Server 2012Windows 8.1 Windows 8.1Windows Server 2012 R2 Windows Server 2012 R2x64 x86 arm64 GetProductInfo EmbeddedWindows Server 2003 R2Windows Storage Server 2003Windows Home ServerWindows XP Professional x64 EditionWindows Server 2003 Datacenter Edition for Itanium-based Systems Enterprise Edition for Itanium-based Systems Datacenter x64 Edition Enterprise x64 Edition Standard x64 Edition Compute Cluster Edition Datacenter Edition Enterprise Edition Web Edition Standard EditionWindows XP Windows XPHome EditionEmbeddedWindows 2000 Windows 2000Windows 2000 ServerDatacenter ServerAdvanced ServerServerFeaturePackVersionSYSTEM\CurrentControlSet\Control\WindowsEmbedded\ProductVersion(%d.%d.%d)Windows NT 4.0 or earlierWindows NT 4.0GlobalMemoryStatusEx: %dHARDWARE\DESCRIPTION\System\CentralProcessor\~MHzVendorIdentifierIdentifierProcessorNameStringSystemInformation::GetSystemBootTime%hs: Failed to get QuerySystemInformation function[%lu]%hs: Failed to call QuerySystemInformation[0x%08lx]NtQuerySymbolicLinkObject: Device[%ls] Error[%08X]NtOpenSymbolicLinkObject: Devices[%ls] Error[%08X]NoRootDirRAMDiskA:\ FindFirstVolume: %dSystemInformation::Update%hs: Failed to query SystemBootEnvironmentInformation Error[0x%08lx]%hs: Failed to query SystemSecureBootInformation Error[0x%08lx]%hs: Failed to query SystemCodeIntegrityInformation Error[0x%08lx]BIOSVendorHARDWARE\DESCRIPTION\System\BIOSSystemBiosVersionHARDWARE\DESCRIPTION\SystemBIOSReleaseDateSystemBiosDateVmIdSOFTWARE\Microsoft\Windows AzureSOFTWARE\VMware, Inc.\VMware VDM\AgentVMware, Inc.VMware Virtual PlatformVMW_ESXVMW_WSVMW_OTHERBIOSVersionHyper-VHyperVVBOXVirtualBoxOracle, Inc.RTUALSystemManufacturerinnotek GmbHDeviceClientIdSOFTWARE\Microsoft\Provisioning\OMADM\MDMDeviceIDSystemProductNameamazonhvmgoogleKVMgoogle compute engineSYSTEM\CurrentControlSet\Control\SystemInformationxenXenamazon ec2%hs: Failed to convert domain role to string[%u]<Processors>
Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc create FhZxY binpath= "C:\Users\user\Desktop\w6ZM6tS22n.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\sc.exe sc start FhZxY			Jump to behavior

Source: w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr

Binary or memory string: CLSID\%s\Instance\InitPropertyBagSoftware\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\RemovableStorageDVDAudioCDDriveDrive\CommandscloseSessioneraseejectcloseSessioneraseformatejectformatRunAsShell_TrayWndRunAsopenSoftware\Microsoft\Tracking\TimeOutNo transparent thumbnail::{9db1186e-40df-11d1-aa8c-00c04fb67863}:;folderundeleteTarget;program

Source: w6ZM6tS22n.exe, 00000006.00000003.363291021.000001B01EF25000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.363323634.000001B01EF2E000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000002.363442495.000001B01EF30000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe, 00000006.00000003.363281623.000001B01EF24000.00000004.00000020.00020000.00000000.sdmp, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr

Binary or memory string: procmon.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	11 Windows Service	11 Windows Service	1 Virtualization/Sandbox Evasion	21 Input Capture	111 Security Software Discovery	Remote Services	21 Input Capture	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Service Execution	Boot or Logon Initialization Scripts	12 Process Injection	12 Process Injection	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	1 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
w6ZM6tS22n.exe	0%	ReversingLabs
w6ZM6tS22n.exe	0%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://www.certplus.com/CRL/class3.crl0	0%	Avira URL Cloud	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	Avira URL Cloud	safe
http://www.e-me.lv/repository0	0%	Avira URL Cloud	safe
http://crt.sectigo.com/SectigoRSACodeSigningCA2.crt0#	0%	Avira URL Cloud	safe
http://www.acabogacia.org/doc0	0%	Avira URL Cloud	safe
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	0%	Virustotal		Browse
http://www.acabogacia.org/doc0	1%	Virustotal		Browse
http://crt.sectigo.com/SectigoRSACodeSigningCA2.crt0#	0%	Virustotal		Browse
http://www.certplus.com/CRL/class3.crl0	0%	Virustotal		Browse
http://www.postsignum.cz/crl/psrootqca2.crl02	0%	Avira URL Cloud	safe
http://crl.chambersign.org/chambersroot.crl0	0%	Avira URL Cloud	safe
http://ocsp.suscerte.gob.ve0	0%	Avira URL Cloud	safe
http://crl.dhimyotis.com/certignarootca.crl0	0%	Avira URL Cloud	safe
http://www.e-me.lv/repository0	0%	Virustotal		Browse
http://www.chambersign.org1	0%	Avira URL Cloud	safe
http://www.pkioverheid.nl/policies/root-policy0	0%	Avira URL Cloud	safe
http://www.suscerte.gob.ve/lcr0#	0%	Avira URL Cloud	safe
http://www.postsignum.cz/crl/psrootqca2.crl02	0%	Virustotal		Browse
http://crl.dhimyotis.com/certignarootca.crl0	0%	Virustotal		Browse
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	0%	Avira URL Cloud	safe
http://crl.chambersign.org/chambersroot.crl0	0%	Virustotal		Browse
http://crl.ssc.lt/root-c/cacrl.crl0	0%	Avira URL Cloud	safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	0%	Avira URL Cloud	safe
http://postsignum.ttc.cz/crl/psrootqca2.crl0	0%	Avira URL Cloud	safe
http://www.pkioverheid.nl/policies/root-policy0	0%	Virustotal		Browse
http://www.suscerte.gob.ve/lcr0#	0%	Virustotal		Browse
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	0%	Virustotal		Browse
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	Avira URL Cloud	safe
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0	0%	Avira URL Cloud	safe
http://postsignum.ttc.cz/crl/psrootqca2.crl0	0%	Virustotal		Browse
http://www.certplus.com/CRL/class3P.crl0	0%	Avira URL Cloud	safe
https://curl.se/docs/hsts.html	0%	Avira URL Cloud	safe
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	0%	Virustotal		Browse
http://crl.ssc.lt/root-c/cacrl.crl0	0%	Virustotal		Browse
http://ca.disig.sk/ca/crl/ca_disig.crl0	0%	Virustotal		Browse
http://www.suscerte.gob.ve/dpc0	0%	Avira URL Cloud	safe
http://www.certplus.com/CRL/class3P.crl0	0%	Virustotal		Browse
http://www.certplus.com/CRL/class2.crl0	0%	Avira URL Cloud	safe
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0	0%	Virustotal		Browse
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	Avira URL Cloud	safe
http://www.defence.gov.au/pki0	0%	Avira URL Cloud	safe
http://www.suscerte.gob.ve/dpc0	0%	Virustotal		Browse
http://www.sk.ee/cps/0	0%	Avira URL Cloud	safe
https://curl.se/docs/hsts.html	0%	Virustotal		Browse
http://www.globaltrust.info0=	0%	Avira URL Cloud	safe
https://gitlab.bit9.local/cb-defense/analytics/-/blob/develop/src/main/java/com/cb/analytics/java/do	0%	Avira URL Cloud	safe
http://www.carbonblack.com0/	0%	Avira URL Cloud	safe
http://www.disig.sk/ca/crl/ca_disig.crl0	0%	Virustotal		Browse
http://policy.camerfirma.com0	0%	Avira URL Cloud	safe
http://www.defence.gov.au/pki0	0%	Virustotal		Browse
http://www.ssc.lt/cps03	0%	Avira URL Cloud	safe
http://www.certplus.com/CRL/class2.crl0	0%	Virustotal		Browse
http://www.sk.ee/cps/0	0%	Virustotal		Browse
http://ocsp.pki.gva.es0	0%	Avira URL Cloud	safe
https://http://FileAssociationKillListSearchProtocolHost.exeAlwaysShowExtNeverShowExtNoStaticDefault	0%	Avira URL Cloud	safe
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	0%	Avira URL Cloud	safe
http://ca.mtin.es/mtin/ocsp0	0%	Avira URL Cloud	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	Avira URL Cloud	safe
http://web.ncdc.gov.sa/crl/nrcacomb1.crl0	0%	Avira URL Cloud	safe
http://www.ssc.lt/cps03	0%	Virustotal		Browse
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	0%	Avira URL Cloud	safe
https://wwww.certigna.fr/autorites/0m	0%	Avira URL Cloud	safe
http://crl.ssc.lt/root-b/cacrl.crl0	0%	Virustotal		Browse
http://www.dnie.es/dpc0	0%	Avira URL Cloud	safe
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	0%	Avira URL Cloud	safe
http://ca.mtin.es/mtin/DPCyPoliticas0	0%	Avira URL Cloud	safe
https://wwww.certigna.fr/autorites/0m	0%	Virustotal		Browse
http://www.dnie.es/dpc0	0%	Virustotal		Browse
http://web.ncdc.gov.sa/crl/nrcacomb1.crl0	0%	Virustotal		Browse
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	0%	Virustotal		Browse
https://curl.se/docs/alt-svc.html	0%	Avira URL Cloud	safe
http://ca.mtin.es/mtin/ocsp0	0%	Virustotal		Browse
http://www.globaltrust.info0	0%	Avira URL Cloud	safe
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	0%	Virustotal		Browse
http://https://_bad_pdb_file.pdb	0%	Avira URL Cloud	safe
http://www.certplus.com/CRL/class3TS.crl0	0%	Avira URL Cloud	safe
http://ac.economia.gob.mx/last.crl0G	0%	Avira URL Cloud	safe
https://www.catcert.net/verarrel	0%	Avira URL Cloud	safe
http://www.disig.sk/ca0f	0%	Avira URL Cloud	safe
http://www.sk.ee/juur/crl/0	0%	Avira URL Cloud	safe
http://crl.chambersign.org/chambersignroot.crl0	0%	Avira URL Cloud	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	Avira URL Cloud	safe
http://certs.oati.net/repository/OATICA2.crl0	0%	Avira URL Cloud	safe
https://gitlab.bit9.local/cbprotection/appcontrol-rules/-/merge_requests/4/diffs	0%	Avira URL Cloud	safe
http://crl.oces.trust2408.com/oces.crl0	0%	Avira URL Cloud	safe
http://www.quovadis.bm0	0%	Avira URL Cloud	safe
http://crl.ssc.lt/root-a/cacrl.crl0	0%	Avira URL Cloud	safe
http://www.trustdst.com/certificates/policy/ACES-index.html0	0%	Avira URL Cloud	safe
http://certs.oaticerts.com/repository/OATICA2.crl	0%	Avira URL Cloud	safe
http://certs.oati.net/repository/OATICA2.crt0	0%	Avira URL Cloud	safe
http://www.accv.es00	0%	Avira URL Cloud	safe
http://www.pkioverheid.nl/policies/root-policy-G20	0%	Avira URL Cloud	safe
https://www.netlock.net/docs	0%	Avira URL Cloud	safe
http://www.e-trust.be/CPS/QNcerts	0%	Avira URL Cloud	safe
http://ocsp.ncdc.gov.sa0	0%	Avira URL Cloud	safe
http://fedir.comsign.co.il/crl/ComSignCA.crl0	0%	Avira URL Cloud	safe
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0	0%	Avira URL Cloud	safe
http://web.ncdc.gov.sa/crl/nrcaparta1.crl	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com0	0%	Avira URL Cloud	safe
http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.certplus.com/CRL/class3.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.e-me.lv/repository0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA2.crt0#	w6ZM6tS22n.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.acabogacia.org/doc0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.chambersign.org/chambersroot.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ocsp.suscerte.gob.ve0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://www.postsignum.cz/crl/psrootqca2.crl02	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.dhimyotis.com/certignarootca.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
http://www.chambersign.org1	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://www.pkioverheid.nl/policies/root-policy0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://repository.swisssign.com/0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
http://www.suscerte.gob.ve/lcr0#	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ca2.mtin.es/mtin/crl/MTINAutoridadRaiz0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.ssc.lt/root-c/cacrl.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://postsignum.ttc.cz/crl/psrootqca2.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ca.disig.sk/ca/crl/ca_disig.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.certplus.com/CRL/class3P.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://curl.se/docs/hsts.html	w6ZM6tS22n.exe, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.suscerte.gob.ve/dpc0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.certeurope.fr/reference/root2.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
http://www.certplus.com/CRL/class2.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.disig.sk/ca/crl/ca_disig.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://eca.hinet.net/repository/Certs/IssuedToThisCA.p7b05	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
http://www.defence.gov.au/pki0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.sk.ee/cps/0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.globaltrust.info0=	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	low
http://www.anf.es	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
http://www.pki.admin.ch/cps/CPS_2_16_756_1_17_3_1_0.pdf09	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1170/T1170.md	w6ZM6tS22n.exe, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
https://gitlab.bit9.local/cb-defense/analytics/-/blob/develop/src/main/java/com/cb/analytics/java/do	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://json-schema.org/schema#	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
http://pki.registradores.org/normativa/index.htm0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
http://www.carbonblack.com0/	w6ZM6tS22n.exe	false	Avira URL Cloud: safe	unknown
http://policy.camerfirma.com0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://www.ssc.lt/cps03	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ocsp.pki.gva.es0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://www.anf.es/es/address-direccion.html	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
https://http://FileAssociationKillListSearchProtocolHost.exeAlwaysShowExtNeverShowExtNoStaticDefault	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	low
https://www.anf.es/address/)1(0&	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0?	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://ca.mtin.es/mtin/ocsp0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.ssc.lt/root-b/cacrl.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://web.ncdc.gov.sa/crl/nrcacomb1.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.certicamara.com/dpc/0Z	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
http://www.uce.gub.uy/informacion-tecnica/politicas/cp_acrn.pdf0G	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crl.pki.wellsfargo.com/wsprca.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
https://wwww.certigna.fr/autorites/0m	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.dnie.es/dpc0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.ica.co.il/repository/cps/PersonalID_Practice_Statement.pdf0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://ca.mtin.es/mtin/DPCyPoliticas0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
https://www.anf.es/AC/ANFServerCA.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
https://curl.se/docs/alt-svc.html	w6ZM6tS22n.exe, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
https://deploymentresearch.com/psscriptpolicytest-script-gets-blocked-by-applocker-in-the-event-log-	w6ZM6tS22n.exe, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
http://www.globaltrust.info0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://certificates.starfieldtech.com/repository/1604	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
http://acedicom.edicomgroup.com/doc0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
http://www.certplus.com/CRL/class3TS.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
https://crl.anf.es/AC/ANFServerCA.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
http://https://_bad_pdb_file.pdb	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	low
http://www.certeurope.fr/reference/pc-root2.pdf0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
https://confluence.eng.vmware.com/pages/viewpage.action?spaceKey=NSBU&title=microIDS	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
http://ac.economia.gob.mx/last.crl0G	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
https://www.catcert.net/verarrel	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://www.disig.sk/ca0f	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1.crt0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
http://www.e-szigno.hu/RootCA.crl	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
http://www.sk.ee/juur/crl/0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://crl.chambersign.org/chambersignroot.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://certs.oati.net/repository/OATICA2.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
https://gitlab.bit9.local/cbprotection/appcontrol-rules/-/merge_requests/4/diffs	w6ZM6tS22n.exe, w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://crl.oces.trust2408.com/oces.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
https://eca.hinet.net/repository0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
http://crl.ssc.lt/root-a/cacrl.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://certs.oaticerts.com/repository/OATICA2.crl	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://www.trustdst.com/certificates/policy/ACES-index.html0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://certs.oati.net/repository/OATICA2.crt0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://www.accv.es00	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://www.pkioverheid.nl/policies/root-policy-G20	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
https://www.netlock.net/docs	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
http://www.e-trust.be/CPS/QNcerts	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://ocsp.ncdc.gov.sa0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://fedir.comsign.co.il/crl/ComSignCA.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://web.ncdc.gov.sa/crl/nrcaparta1.crl	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://www.datev.de/zertifikat-policy-int0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
http://ocsp.sectigo.com0	w6ZM6tS22n.exe	false	Avira URL Cloud: safe	unknown
http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
https://repository.luxtrust.lu0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://cps.chambersign.org/cps/chambersroot.html0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://www.acabogacia.org0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown
http://ocsp.eca.hinet.net/OCSP/ocspG2sha20	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
http://www.firmaprofesional.com/cps0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false		high
http://www.uce.gub.uy/acrn/acrn.crl0	w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp.6.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1310728
Start date and time:	2023-09-19 13:25:38 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Run as Windows Service
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	w6ZM6tS22n.exe
Original Sample Name:	25654_71745077_c4471ac3272ce62f341bec8b18819c7320538563acce29f2c44e9d2c0aa5d47d_repmgr.exe
Detection:	CLEAN
Classification:	clean18.evad.winEXE@9/4@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information

Process:	C:\Users\user\Desktop\w6ZM6tS22n.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8732
Entropy (8bit):	3.5816771273384282
Encrypted:	false
SSDEEP:	96:c5GrcjYOQGQ1X+AapViEBT6Os6+5C0rtfTmAPmHk1g1g1g1gVxrB8zfizLihJTFT:ZpoLzKg6KhPZZiru6666bMWSrkrhB
MD5:	82263ABEC9A62AC934A9123A3968B166
SHA1:	7EAA82C96FCD82C515A181D25A8921531CFD43CA
SHA-256:	2FF4C3834862F80A6A623511D0EA1A7624C3B4D1953FA6410EB173A88938FBF9
SHA-512:	8A7526408006812600ED236C9D0CCB36763EE06D25313706C7DA92A94611383854AE3DA113BCEEB255BEB6B3A505BE0EA7461E9388748A9A636D608F7C39CE0A
Malicious:	false
Reputation:	low
Preview:	..0.9./.1.9./.2.3. .1.5.:.2.0.:.1.6...8.5.9.:. .1.a.2.0. . . . . .I.N.F.O. . . . . . .i.n.s.t.a.l.l.:. .S.e.t.S.e.r.v.i.c.e.R.e.s.t.a.r.t.O.n.F.a.i.l.u.r.e.:. .e.n.t.e.r.:. .C.b.D.e.f.e.n.s.e.....0.9./.1.9./.2.3. .1.5.:.2.0.:.1.6...8.6.2.:. .1.a.2.0. . . . . .E.R.R.O.R. . . . . .E.R.R.O.R.:. .S.e.t.S.e.r.v.i.c.e.R.e.s.t.a.r.t.O.n.F.a.i.l.u.r.e.:. .s.e.r.v.i.c.e...S.e.t.F.a.i.l.u.r.e.A.c.t.i.o.n.s. .f.a.i.l.e.d. .(.6.).....0.9./.1.9./.2.3. .1.5.:.2.0.:.1.6...8.6.2.:. .1.a.2.0. . . . . .E.R.R.O.R. . . . . .i.n.s.t.a.l.l.:. .E.R.R.O.R.:. .u.n.a.b.l.e. .t.o. .s.e.t. .s.e.r.v.i.c.e. .C.b.D.e.f.e.n.s.e. .t.o. .r.e.s.t.a.r.t. .o.n. .f.a.i.l.u.r.e.s.....0.9./.1.9./.2.3. .1.5.:.2.0.:.1.6...8.6.2.:. .1.a.2.0. . . . . .S.U.C.C.E.S.S. . . .S.v.c.R.e.p.o.r.t.S.t.a.t.u.s.:. .s.e.r.v.i.c.e. .n.o.t. .a.l.l.o.w.e.d. .t.o. .s.t.o.p.....0.9./.1.9./.2.3. .1.5.:.2.0.:.1.6...8.6.3.:. .1.a.2.0. . . . . .I.N.F.O. . . . . . .S.v.c.I.n.i.t.:. . .r.u.n.n.i.n.g.....0.9./.1.9./.2.3. .1.5.:.2.0.:.1.6...8.7.8.:. .1.

C:\ProgramData\CarbonBlack\Logs\w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp

Download File

Process:	C:\Users\user\Desktop\w6ZM6tS22n.exe
File Type:	Mini DuMP crash report, 12 streams, Tue Sep 19 11:26:27 2023, 0x2 type
Category:	dropped
Size (bytes):	126024019
Entropy (8bit):	5.853213394863551
Encrypted:	false
SSDEEP:	786432:wJ3EZ2JvlUbgZ3pUmJaaBqJU3SNlMSg2Y/Z8YHfzFUFB:B0vrpRgaoG3VF/zFQ
MD5:	65BE33F161B161252F8BDDF880A2ADCB
SHA1:	2CB5E8E2CB47FC7BF968A21B5F48F7E259B5C10E
SHA-256:	3DE68D194CA101B5CF474A313E12DBACEB0A8309887B80B4239B42FFE9E76D13
SHA-512:	3DE976FA604B26CD501FC06ADEB7F13E66EE6466E7C49EBD83BBDFE5CF287B38EE33422645A29FD0EC878B03D55B199B326C199FBBFB3BC1F442B5F02EF076F4
Malicious:	false
Reputation:	low
Preview:	MDMP....... .......c..e.........................................O..........<.......8...........T...........................l .......................................................U...........B.......!......Lw................{.....T...........b..e.............................@..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...

C:\servicereg.log

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	28
Entropy (8bit):	3.678439190827718
Encrypted:	false
SSDEEP:	3:4A4AnXjzSv:4HAnXjg
MD5:	A8F4D690C5BDE96AD275C7D4ABE0E3D3
SHA1:	7C62C96EFD2CA4F3C3EBF0B24C9B5B4C04A4570A
SHA-256:	596CCC911C1772735AAC6A6B756A76D3D55BCECD006B980CF147090B2243FA7B
SHA-512:	A875EBE3C5CDF222FF9D08576F4D996AF827A1C86B3E758CE23F6B33530D512A82CE8E39E519837512080C6212A0A19B3385809BE5F5001C4E488DD79550B852
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[SC] CreateService SUCCESS..

C:\servicestart.log

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	421
Entropy (8bit):	3.520516275855071
Encrypted:	false
SSDEEP:	6:lg3D/8Fx/6dgVKBRjGxVVLvH2s/u8qLLFmLaZnsHgm66//V+NmKfq:lgAT6dgV0qVbH2suZLQqOVKmYq
MD5:	0E057275AC9C2F7D85B1D228154C2F4C
SHA1:	139643ADDF75DBF43541F736D4C3823265B5A878
SHA-256:	BFC7CBBB8AFC9DA581DF2FF5CB48B9E5016355E04566AA84263C7B974B72AADD
SHA-512:	C0ED49DF913AE3D2D3335EE18A178368CE28D1AA8D168C7071D8EDE64605ABB0BE00EF21FCDD75D1A056CBA5203FFCF16D99BF5F7EFC3209786B69F34DEC2447
Malicious:	false
Reputation:	low
Preview:	..SERVICE_NAME: FhZxY .. TYPE : 10 WIN32_OWN_PROCESS .. STATE : 2 START_PENDING .. (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN).. WIN32_EXIT_CODE : 0 (0x0).. SERVICE_EXIT_CODE : 0 (0x0).. CHECKPOINT : 0x0.. WAIT_HINT : 0x7d0.. PID : 6636.. FLAGS : ..

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	5.531295027622909
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	w6ZM6tS22n.exe
File size:	48'998'088 bytes
MD5:	3327d9e161d54f8f48b3125055f91040
SHA1:	d0765df58aaed552dbbca44f55ebc2b0c3a323ce
SHA256:	c4471ac3272ce62f341bec8b18819c7320538563acce29f2c44e9d2c0aa5d47d
SHA512:	13137ec47b8b5a005f0120777c3b63ab6701fa985b876291f829e33d891e420284ac8a7f5717cec30277c2e803e0fb3488e1dd70bd2b4bedc0eb562b89415d8a
SSDEEP:	393216:l3E8F6XjEj3KmmcJhQmLZhqYxvW64L8B3Uz3IJZ3YxIyXrnC50Pn20bVBWs3:l3EZ2JvlUbgZ3p1Y
TLSH:	7EB70885B7A5EC51F3BAC1389CA6CA88A2F1B5348FA542DB309C431E1F3F6DC5A71215
File Content Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.......).h-m..~m..~m..~y...b..~y......~.x.~j..~....y..~....a..~.......~\..~o..~y...s..~....l..~....h..~....a..~y...h..~....,..~y...T..

File Icon


Icon Hash:	0f33d81919d0170e

Static PE Info

General

Entrypoint:	0x140fdb6a0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x647E12EF [Mon Jun 5 16:53:03 2023 UTC]
TLS Callbacks:	0x40fdb860, 0x1
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	e2b36b7560810f4902a273f7116af918

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Sectigo RSA Code Signing CA 2, O=Sectigo Limited, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	2/21/2022 4:00:00 PM 2/15/2025 3:59:59 PM
Subject Chain	CN="Carbon Black, Inc.", O="Carbon Black, Inc.", S=Massachusetts, C=US
Version:	3
Thumbprint MD5:	585AF4D777231A61858742E3E6227B2E
Thumbprint SHA-1:	FCE3566368D917ACF28779B98D996F416FEF1F2B
Thumbprint SHA-256:	4D70B84AA937658EBCF8CD1F361B657620982F88DF3F54FB3D5822E9931F3303
Serial:	328F83AE4A5C2EDA3DA2FFF083904A38

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FF158F2BA78h
dec eax
add esp, 28h
jmp 00007FF158F2B293h
int3
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push edi
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc ebp
xor ebx, ebx
inc esp
mov ecx, ebx
inc ecx
xor eax, 6C65746Eh
inc ecx
xor ecx, 756E6547h
inc esp
mov edx, edx
mov esi, eax
xor ecx, ecx
inc ecx
lea eax, dword ptr [ebx+01h]
inc ebp
or ecx, eax
cpuid
inc ecx
xor edx, 49656E69h
mov dword ptr [esp], eax
inc ebp
or ecx, edx
mov dword ptr [esp+04h], ebx
mov edi, ecx
mov dword ptr [esp+08h], ecx
mov dword ptr [esp+0Ch], edx
jne 00007FF158F2B4E2h
dec eax
or dword ptr [01CA03DBh], FFFFFFFFh
and eax, 0FFF3FF0h
cmp eax, 000106C0h
je 00007FF158F2B4BAh
cmp eax, 00020660h
je 00007FF158F2B4B3h
cmp eax, 00020670h
je 00007FF158F2B4ACh
add eax, FFFCF9B0h
cmp eax, 20h
jnbe 00007FF158F2B4B6h
dec eax
mov ecx, 00010001h
add dword ptr [eax], eax
add byte ptr [eax], al
dec eax
bt ecx, eax
jnc 00007FF158F2B4A6h
inc esp
mov eax, dword ptr [01CEAC60h]
inc ecx
or eax, 01h
inc esp
mov dword ptr [01CEAC55h], eax
jmp 00007FF158F2B499h
inc esp
mov eax, dword ptr [01CEAC4Ch]
mov eax, 00000007h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2528cc8	0x244	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2d89000	0x4b90	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x2cc9000	0xba1c8	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2e4f800	0x6aec8
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2d8e000	0xf5458	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2365000	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x23651b0	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2365070	0x130	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x153e000	0x1750	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x153c03c	0x153c200	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x153e000	0xfefb96	0xfefc00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x252e000	0x79a9d8	0x76ca00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x2cc9000	0xba1c8	0xba200	False	0.5159293149764943	data	6.984198800916438	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.detourc	0x2d84000	0x2230	0x2400	False	0.04481336805555555	data	2.213016149554347	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.detourd	0x2d87000	0x18	0x200	False	0.037109375	data	0.11611507530476972	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x2d88000	0x100	0x200	False	0.212890625	data	2.1987791673023303	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2d89000	0x4b90	0x4c00	False	0.18179481907894737	data	3.4427195541234124	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x2d8e000	0xf5458	0xf5600	False	0.04508206507896077	data	5.4855076492194925	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
WEVT_TEMPLATE	0x2d89320	0x54a	data	English	United States	0.4098966026587888
RT_ICON	0x2d89870	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.2624113475177305
RT_ICON	0x2d89cd8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.1400093808630394
RT_ICON	0x2d8ad80	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.0946058091286307
RT_MESSAGETABLE	0x2d89240	0xe0	data	English	United States	0.6785714285714286
RT_GROUP_ICON	0x2d8d328	0x30	data	English	United States	0.8125
RT_VERSION	0x2d8d358	0x514	data	English	United States	0.42230769230769233
RT_MANIFEST	0x2d8d870	0x31e	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (738), with CRLF line terminators	English	United States	0.4949874686716792

Imports

DLL	Import
PSAPI.DLL	EnumDeviceDrivers, GetPerformanceInfo, GetDeviceDriverBaseNameW, GetDeviceDriverFileNameW, GetProcessMemoryInfo
FLTLIB.DLL	FilterFindNext, FilterFindClose, FilterFindFirst, FilterUnload, FilterConnectCommunicationPort, FilterSendMessage, FilterGetMessage, FilterLoad
RPCRT4.dll	UuidCreate
Secur32.dll	LsaFreeReturnBuffer, LsaGetLogonSessionData, LsaEnumerateLogonSessions, GetComputerObjectNameW
USERENV.dll	ExpandEnvironmentStringsForUserA, GetProfilesDirectoryW, ExpandEnvironmentStringsForUserW
WS2_32.dll	WSAEnumNetworkEvents, getsockopt, WSAWaitForMultipleEvents, closesocket, ioctlsocket, getsockname, inet_addr, inet_ntoa, listen, recv, setsockopt, socket, WSASetEvent, WSAStartup, WSACleanup, WSAAddressToStringA, WSAStringToAddressA, WSAStringToAddressW, select, WSAEventSelect, gethostname, GetAddrInfoExA, FreeAddrInfoEx, ntohs, ntohl, WSASetLastError, WSAIoctl, __WSAFDIsSet, bind, accept, WSAGetLastError, send, WSCSetApplicationCategory, GetNameInfoW, WSAAddressToStringW, connect, getaddrinfo, freeaddrinfo, recvfrom, sendto, getpeername, inet_ntop, gethostbyname, htonl, shutdown, WSAResetEvent, WSACreateEvent, WSACloseEvent, inet_pton, htons
ADVAPI32.dll	CryptHashData, GetSidSubAuthority, GetSidIdentifierAuthority, CreateServiceW, ChangeServiceConfigW, RegFlushKey, RegQueryInfoKeyW, RegOpenCurrentUser, QueryServiceConfigW, EnumServicesStatusExW, DuplicateToken, OpenThreadToken, CryptEncrypt, CryptImportKey, CryptSetKeyParam, CryptDestroyKey, ControlService, RegCloseKey, RegCreateKeyExA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, DeleteService, CreateProcessAsUserW, ImpersonateLoggedOnUser, RevertToSelf, DeregisterEventSource, RegisterEventSourceA, ReportEventA, EventRegister, EventUnregister, EventWrite, QueryServiceConfig2W, QueryServiceStatus, RegOpenKeyExW, RegSaveKeyExW, QueryServiceStatusEx, StartServiceW, RegSetKeyValueW, LsaNtStatusToWinError, RegCreateKeyExW, RegSetValueExW, RegDeleteTreeW, GetLengthSid, IsValidSid, EnableTraceEx2, OpenTraceW, ProcessTrace, CloseTrace, StartTraceW, QueryTraceW, ControlTraceW, EventAccessControl, LookupAccountSidW, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyExW, RegEnumValueW, RegQueryValueExW, ConvertStringSidToSidW, StartServiceCtrlDispatcherA, SetSecurityInfo, RegisterServiceCtrlHandlerExA, SetServiceStatus, LookupPrivilegeNameA, ChangeServiceConfig2W, CloseServiceHandle, OpenSCManagerW, OpenServiceW, RegGetValueW, GetSecurityInfo, SetEntriesInAclW, CheckTokenMembership, SetSecurityDescriptorDacl, SetSecurityDescriptorControl, InitializeSecurityDescriptor, GetSecurityDescriptorDacl, GetAce, FreeSid, EqualSid, AllocateAndInitializeSid, RegQueryInfoKeyA, RegDeleteKeyExW, CryptAcquireContextA, RegEnumKeyW, LookupAccountNameW, GetTokenInformation, DuplicateTokenEx, IsTextUnicode, CopySid, OpenProcessToken, ReportEventW, ConvertSidToStringSidA, ConvertSidToStringSidW, RegisterEventSourceW, CryptDestroyHash, LookupPrivilegeValueA, CryptCreateHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextW, LookupPrivilegeValueW, AdjustTokenPrivileges
CRYPT32.dll	CryptFindOIDInfo, CertDuplicateCertificateContext, CertGetCertificateContextProperty, CertGetPublicKeyLength, CryptDecodeObject, CryptMsgOpenToDecode, CryptMsgClose, CryptMsgUpdate, CertGetSubjectCertificateFromStore, CertFindCertificateInStore, CertFindAttribute, CryptVerifyMessageSignature, CryptVerifyDetachedMessageSignature, CryptQueryObject, CertFreeCertificateChainEngine, CertDuplicateCertificateChain, CertVerifyCertificateChainPolicy, CertCreateCertificateChainEngine, CertGetEnhancedKeyUsage, CryptMsgGetParam, CertGetIssuerCertificateFromStore, CertCompareCertificate, CertGetNameStringW, CertGetCertificateChain, CryptStringToBinaryA, CryptBinaryToStringW, CryptDecodeObjectEx, CertDuplicateCRLContext, CertFreeCRLContext, CertFindCertificateInCRL, CertFindExtension, CertAddCertificateContextToStore, CertFreeCertificateContext, CertCreateCertificateContext, CertCloseStore, CertOpenStore, PFXImportCertStore, CryptProtectMemory, CertEnumCertificatesInStore, CryptStringToBinaryW, CryptBinaryToStringA, CertGetNameStringA, CertFreeCertificateChain, CertNameToStrA, CryptUnprotectData, CryptProtectData
bcrypt.dll	BCryptHashData, BCryptCreateHash, BCryptCloseAlgorithmProvider, BCryptGetProperty, BCryptFinishHash, BCryptDestroyHash, BCryptGenRandom, BCryptOpenAlgorithmProvider
wevtapi.dll	EvtUpdateBookmark, EvtCreateBookmark
IPHLPAPI.DLL	CancelIPChangeNotify, NotifyAddrChange, Icmp6SendEcho2, IcmpCloseHandle, Icmp6CreateFile, IcmpCreateFile, NotifyUnicastIpAddressChange, GetNetworkParams, GetIpAddrTable, GetExtendedTcpTable, GetAdaptersAddresses, CancelMibChangeNotify2, NotifyIpInterfaceChange, IcmpSendEcho
ntdll.dll	VerSetConditionMask, RtlCaptureContext, RtlInitUnicodeString, RtlInitAnsiString, RtlUnwind, RtlUnwindEx, RtlPcToFileHeader, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlDowncaseUnicodeString, RtlUpcaseUnicodeString, RtlPrefixUnicodeString, RtlFreeUnicodeString, RtlUpcaseUnicodeChar, RtlAppendUnicodeStringToString, RtlCopyUnicodeString, RtlEqualUnicodeString, RtlCompareUnicodeString, RtlNtStatusToDosError, RtlCaptureStackBackTrace, RtlAnsiStringToUnicodeString
tdh.dll	TdhGetPropertySize, TdhGetEventInformation, TdhGetEventMapInformation, TdhGetProperty
NETAPI32.dll	DsRoleFreeMemory, DsRoleGetPrimaryDomainInformation, NetGetJoinInformation, NetApiBufferFree
msi.dll
KERNEL32.dll	InitOnceBeginInitialize, GetStringTypeW, GetExitCodeThread, GetLogicalProcessorInformation, EncodePointer, SystemTimeToTzSpecificLocalTime, GetModuleHandleExW, WaitForMultipleObjectsEx, UnregisterWaitEx, QueryDepthSList, InterlockedFlushSList, InterlockedPushEntrySList, InterlockedPopEntrySList, ReleaseSemaphore, SignalObjectAndWait, InitOnceComplete, SwitchToThread, SetProcessAffinityMask, FreeLibraryAndExitThread, GetThreadTimes, SetThreadAffinityMask, GetProcessAffinityMask, GetNumaHighestNodeNumber, CreateTimerQueueTimer, SetStdHandle, CreateTimerQueue, UnhandledExceptionFilter, SetEnvironmentVariableW, GetConsoleMode, ChangeTimerQueueTimer, GetFileInformationByHandleEx, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, CreateMutexA, ReleaseMutex, SetThreadErrorMode, GetThreadErrorMode, SleepEx, GetFileType, GetStdHandle, GetSystemDirectoryA, CompareStringW, SetCurrentDirectoryW, GetTempFileNameW, GlobalAlloc, LCMapStringW, lstrcmpW, GetModuleFileNameA, lstrlenA, DebugBreak, GlobalFindAtomW, GlobalAddAtomW, GlobalDeleteAtom, CreateSymbolicLinkW, CreateHardLinkW, VerifyVersionInfoW, MoveFileA, SetFileInformationByHandle, GetFileInformationByHandle, GetFileAttributesExA, InitializeCriticalSectionAndSpinCount, VerLanguageNameW, IsBadWritePtr, IsBadReadPtr, GetConsoleOutputCP, GetCommandLineA, GetCommandLineW, IsValidLocale, EnumSystemLocalesW, SetConsoleCtrlHandler, FindFirstFileExW, IsValidCodePage, GetACP, lstrcpynW, DeleteTimerQueueTimer, RtlCompareMemory, GetSystemDefaultLocaleName, GetUserDefaultLocaleName, GetCPInfo, GetLocaleInfoW, ReadConsoleW, GetUserDefaultLCID, GetSystemDefaultLCID, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetUserGeoID, GetComputerNameW, GetSystemWindowsDirectoryW, IsProcessorFeaturePresent, OpenThread, TryEnterCriticalSection, AreFileApisANSI, GetStartupInfoW, IsDebuggerPresent, HeapCreate, GetDiskFreeSpaceW, LockFile, InitializeSListHead, GetFullPathNameA, GetOEMCP, WriteConsoleW, Process32FirstW, EnterCriticalSection, LeaveCriticalSection, WaitForSingleObject, InitializeCriticalSection, DeleteCriticalSection, CloseHandle, GetLastError, SetEvent, CreateEventA, GetEnvironmentVariableA, DeleteFileW, GetProcessTimes, GetCurrentProcess, GetCurrentProcessId, OpenProcess, MoveFileExW, ReleaseSRWLockExclusive, ReleaseSRWLockShared, AcquireSRWLockExclusive, AcquireSRWLockShared, ResetEvent, DeleteFileA, CopyFileA, GetTickCount64, UnmapViewOfFile, InitializeSRWLock, CreateThread, GetEnvironmentVariableW, Sleep, GetCurrentThread, SetThreadPriority, ProcessIdToSessionId, DuplicateHandle, QueueUserWorkItem, WaitForMultipleObjects, ExitThread, SuspendThread, ResumeThread, GetThreadContext, CreateEventW, OpenEventW, GetSystemTimeAsFileTime, GetFileAttributesW, GetEnvironmentStringsW, FreeEnvironmentStringsW, FindClose, FindFirstFileW, FindNextFileW, GetDiskFreeSpaceExW, GetVolumePathNameW, ReadFile, SetHandleInformation, CreatePipe, PeekNamedPipe, TerminateProcess, GetExitCodeProcess, GetThreadPriority, CreateProcessW, InitializeProcThreadAttributeList, DeleteProcThreadAttributeList, UpdateProcThreadAttribute, GetProcessHandleCount, FreeLibrary, GetModuleHandleExA, GetProcAddress, RegisterWaitForSingleObject, UnregisterWait, CreateFileA, GetFileAttributesA, GetFileSize, SetFilePointer, WriteFile, GetCurrentThreadId, MultiByteToWideChar, CreateDirectoryW, CreateFileW, SetFileAttributesW, GetVolumePathNamesForVolumeNameW, CopyFileW, MoveFileW, QueryPerformanceCounter, SystemTimeToFileTime, QueryPerformanceFrequency, SetLastError, GetModuleHandleW, GetSystemTimes, GetTickCount, IsWow64Process, VerifyVersionInfoA, GetCurrentDirectoryW, GetLongPathNameA, LocalFree, GetLogicalDriveStringsA, CreateToolhelp32Snapshot, HeapQueryInformation, Process32NextW, GlobalMemoryStatusEx, GetNativeSystemInfo, FindVolumeClose, CreateRemoteThread, GetProcessId, QueryDosDeviceA, FindFirstVolumeA, FindNextVolumeA, GetVolumePathNamesForVolumeNameA, WideCharToMultiByte, ReadProcessMemory, GetSystemDirectoryW, GetWindowsDirectoryW, LoadLibraryA, GetPhysicallyInstalledSystemMemory, GetModuleHandleA, GetPrivateProfileStringA, SetWaitableTimer, CancelWaitableTimer, CreateWaitableTimerA, GetFileSizeEx, DecodePointer, RaiseException, InitializeCriticalSectionEx, GetPrivateProfileIntW, WritePrivateProfileStringW, GetSystemInfo, GetPrivateProfileStringW, OutputDebugStringA, ExitProcess, CreateProcessA, VirtualAllocEx, VirtualProtectEx, VirtualQueryEx, WriteProcessMemory, VirtualProtect, VirtualQuery, LoadLibraryExA, LoadLibraryExW, SetThreadContext, FlushInstructionCache, VirtualAlloc, VirtualFree, GetVersionExW, LoadLibraryW, FileTimeToLocalFileTime, GetFullPathNameW, RemoveDirectoryW, GetLocalTime, FormatMessageW, FileTimeToSystemTime, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, CompareFileTime, SetFilePointerEx, CreateFileMappingW, MapViewOfFile, FindFirstVolumeW, FindNextVolumeW, GetDriveTypeW, GetVolumeInformationW, QueryDosDeviceW, GetVolumeNameForVolumeMountPointW, GetCompressedFileSizeW, HeapDestroy, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, GetProcessHeap, CreateIoCompletionPort, GetQueuedCompletionStatus, OutputDebugStringW, lstrlenW, ExpandEnvironmentStringsW, CreateDirectoryA, GetFileAttributesExW, GetSystemTime, GetComputerNameExW, VirtualFreeEx, GetModuleFileNameW, MoveFileExA, WTSGetActiveConsoleSessionId, GetDateFormatA, GetTimeFormatA, K32EnumProcesses, K32EnumProcessModulesEx, K32GetModuleBaseNameA, K32GetModuleFileNameExW, K32GetProcessImageFileNameW, CreateFileMappingA, GlobalFree, FindFirstFileA, FindNextFileA, LocalAlloc, SetDllDirectoryW, SetUnhandledExceptionFilter, GetProcessIoCounters, K32GetProcessMemoryInfo, GetFileTime, SetFileTime, DeviceIoControl, FlushFileBuffers, FormatMessageA, LockFileEx, UnlockFile, HeapCompact, WaitForSingleObjectEx, FlushViewOfFile, GetDiskFreeSpaceA, GetTempPathA, HeapValidate, CreateMutexW, GetTempPathW, UnlockFileEx, SetEndOfFile
USER32.dll	CharUpperBuffW, UnregisterClassW, UnregisterClassA, MessageBoxA, GetSystemMetrics, CharLowerBuffW
SHELL32.dll	SHGetKnownFolderPath, SHGetFolderPathA, SHGetFolderPathW
ole32.dll	StringFromGUID2, IIDFromString, CoSetProxyBlanket, CoTaskMemFree, CoInitializeSecurity, CoCreateInstance, CoInitializeEx, CoUninitialize
OLEAUT32.dll	SetErrorInfo, GetErrorInfo, VariantTimeToSystemTime, SysStringLen, VariantChangeType, SysAllocString, SysAllocStringLen, SysFreeString, CreateErrorInfo, SafeArrayCreate, VariantInit, VariantClear
SHLWAPI.dll	PathCanonicalizeW, UrlEscapeW, UrlUnescapeW, PathIsNetworkPathA, PathIsNetworkPathW, PathIsRelativeW, PathIsURLW, PathFileExistsW, PathFileExistsA
VERSION.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
WINTRUST.dll	WTHelperGetProvSignerFromChain, CryptCATAdminEnumCatalogFromHash, CryptCATAdminAcquireContext, CryptCATAdminReleaseContext, CryptCATAdminReleaseCatalogContext, WTHelperProvDataFromStateData, WinVerifyTrust, CryptCATAdminCalcHashFromFileHandle, CryptCATCatalogInfoFromContext
WINHTTP.dll	WinHttpGetIEProxyConfigForCurrentUser, WinHttpGetDefaultProxyConfiguration, WinHttpOpen, WinHttpCloseHandle, WinHttpGetProxyForUrl
WTSAPI32.dll	WTSEnumerateSessionsW, WTSEnumerateProcessesExW, WTSFreeMemoryExW, WTSQuerySessionInformationW, WTSQueryUserToken, WTSFreeMemory
WLDAP32.dll
Normaliz.dll	IdnToAscii
SETUPAPI.dll	SetupInstallServicesFromInfSectionW, SetupDiEnumDeviceInterfaces, SetupCloseInfFile, SetupOpenInfFileW, SetupDiGetDeviceInterfaceDetailW, SetupDiGetClassDevsW, SetupDiGetDeviceInstanceIdW, CM_Get_Child, CM_Get_Device_IDW, CM_Get_DevNode_Registry_PropertyW, CM_Get_Parent, CM_Get_Sibling, CM_Locate_DevNodeW, SetupDiEnumDeviceInfo, SetupInstallFromInfSectionW, SetupDiGetDeviceRegistryPropertyW, SetupDiDestroyDeviceInfoList

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

• cmd.exe
• conhost.exe
• sc.exe
• cmd.exe
• conhost.exe
• sc.exe
• w6ZM6tS22n.exe

Click to jump to process

Memory Usage

• cmd.exe
• conhost.exe
• sc.exe
• cmd.exe
• conhost.exe
• sc.exe
• w6ZM6tS22n.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	13:26:24
Start date:	19/09/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c sc create FhZxY binpath= "C:\Users\user\Desktop\w6ZM6tS22n.exe" >> C:\servicereg.log 2>&1
Imagebase:	0x50000
File size:	232'960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:26:24
Start date:	19/09/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff766460000
File size:	625'664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:26:24
Start date:	19/09/2023
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc create FhZxY binpath= "C:\Users\user\Desktop\w6ZM6tS22n.exe"
Imagebase:	0x9c0000
File size:	60'928 bytes
MD5 hash:	24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:26:25
Start date:	19/09/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c sc start FhZxY >> C:\servicestart.log 2>&1
Imagebase:	0x50000
File size:	232'960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:26:25
Start date:	19/09/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff766460000
File size:	625'664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:26:25
Start date:	19/09/2023
Path:	C:\Windows\SysWOW64\sc.exe
Wow64 process (32bit):	true
Commandline:	sc start FhZxY
Imagebase:	0x9c0000
File size:	60'928 bytes
MD5 hash:	24A3E2603E63BCB9695A2935D3B24695
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:26:26
Start date:	19/09/2023
Path:	C:\Users\user\Desktop\w6ZM6tS22n.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\w6ZM6tS22n.exe
Imagebase:	0x7ff74cad0000
File size:	48'998'088 bytes
MD5 hash:	3327D9E161D54F8F48B3125055F91040
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report w6ZM6tS22n.exe

Overview

General Information

Detection

Signatures

Classification

Analysis Advice

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\CarbonBlack\Logs\confer.log

C:\ProgramData\CarbonBlack\Logs\w6ZM6tS22n.exe_NoCrash_NonZeroExitCode_3.9.2.2698.dmp

C:\servicereg.log

C:\servicestart.log

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Windows Analysis Report
w6ZM6tS22n.exe