Windows Analysis Report
Windows-StandardCollector-x64.exe

Overview

General Information

Sample name: Windows-StandardCollector-x64.exe
Analysis ID: 1541285
MD5: 28176438914c8cdb52e14fc2d9d5bf29
SHA1: 31f785268ef928894fe3768f83f1bcac42dfd9d4
SHA256: 4e27bed2a9c653a0349c958dc06f0b4b5fc712fb2a78b6c2cc13346f1227fbff
Tags: exe, user-kittyhawk83

Detection

Codoso Ghost
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Codoso Ghost
Drops password protected ZIP file
Found direct / indirect Syscall (likely to bypass EDR)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Uses ipconfig to lookup or modify the Windows network settings
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Enables security privileges
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Uses code obfuscation techniques (call, push, ret)

Classification

Source: Binary string: SCardSvr.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2720348537.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: USBAudio2.pdb source: tmp2041392848.exe, 0000000A.00000003.2817542117.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TetheringService.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2701002961.0000026FD6C95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cdpusersvc.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2676553595.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mrxsmb20.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2791913912.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: circlass.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2759744261.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: errdev.pdb source: tmp2041392848.exe, 0000000A.00000003.2764426697.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: NcaSvc.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2708054115.0000026FD6CB5000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2707983549.0000026FD6CB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rfcomm.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2802988609.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CloudIdSvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2679463296.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SystemEventsBrokerServer.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2727105996.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dhcpcore.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2684592952.0000026FD6C51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DiagSvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2685276781.0000026FD6C51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: amdk8.pdb source: tmp2041392848.exe, 0000000A.00000003.2752817901.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ipnat.pdb source: tmp2041392848.exe, 0000000A.00000003.2784516593.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2784256508.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: EhStorTcgDrv.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2764389464.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: fvevol.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2766822225.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: psmsrv.pdb source: tmp2041392848.exe, 0000000A.00000003.2673902020.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SharedRealitySvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2723323620.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: fvevol.pdb source: tmp2041392848.exe, 0000000A.00000003.2766822225.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dwm.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2185489066.00000294FE381000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2134540634.00000294FE0E9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mausbhost.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2788844110.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WmiPrvSE.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2199940375.00000294FE379000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2198933840.00000294FE379000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2152933515.00000294FE371000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2149955749.00000294FE371000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2161452845.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cdrom.pdb source: tmp2041392848.exe, 0000000A.00000003.2757897836.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: swprv.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2726907709.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cht4sx64.pdb source: tmp2041392848.exe, 0000000A.00000003.2758494276.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ncbservice.pdb source: tmp2041392848.exe, 0000000A.00000003.2708261518.0000026FD6CB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 1394OHCI.pdb source: tmp2041392848.exe, 0000000A.00000003.2750624632.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2750104128.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: usbxhci.pdb source: tmp2041392848.exe, 0000000A.00000003.2819131423.0000026FD6D96000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: srvnet.pdb source: tmp2041392848.exe, 0000000A.00000003.2811526823.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AxInstSv.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2670821680.0000026FD6A70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cldflt.pdb source: tmp2041392848.exe, 0000000A.00000003.2759796445.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pci.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2798405381.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: btha2dp.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2755456980.0000026FD6D6F000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2756808169.0000026FD6D70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SgrmBroker.pdbGCTL source: Windows-StandardCollector-x64.exe, 00000000.00000003.2152360799.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 1394OHCI.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2750624632.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2750104128.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: acpi.pdb source: tmp2041392848.exe, 0000000A.00000003.2750524180.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Vid.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2819783459.0000026FD6D96000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: NaturalAuth.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2707983549.0000026FD6CB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netbt.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2796538835.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MixedRealityRuntime.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2706336851.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pci.pdb source: tmp2041392848.exe, 0000000A.00000003.2798405381.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netman.pdb source: tmp2041392848.exe, 0000000A.00000003.2708853282.0000026FD6CB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: umpo.pdb source: tmp2041392848.exe, 0000000A.00000003.2714789204.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkssvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2703879705.0000026FD6C95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ConsentUxClient.pdb source: tmp2041392848.exe, 0000000A.00000003.2680101286.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: clfs.pdb source: tmp2041392848.exe, 0000000A.00000003.2760088826.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ndiswan.pdb source: tmp2041392848.exe, 0000000A.00000003.2795623923.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: usbhub.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2818241694.0000026FD6D96000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ScDeviceEnum.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2720618592.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ConsentUxClient.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2680101286.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wininit.pdbUGP source: Windows-StandardCollector-x64.exe, 00000000.00000003.2234085791.00000294FE379000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2129350422.00000294FE0E1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: certprop.pdb source: tmp2041392848.exe, 0000000A.00000003.2721256638.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2677030945.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: luafv.pdb source: tmp2041392848.exe, 0000000A.00000003.2788587638.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: volsnap.pdb source: tmp2041392848.exe, 0000000A.00000003.2820681558.0000026FD6D96000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DispBroker.Desktop.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2685499830.0000026FD6C53000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cdpusersvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2676553595.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PimIndexMaintenance.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2712716515.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdb source: tmp2041392848.exe, 0000000A.00000003.2706860086.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: tmp2041392848.exe, 0000000A.00000003.2684981598.0000026FD6C51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: megasr.pdb source: tmp2041392848.exe, 0000000A.00000003.2790194503.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pacer.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2800143530.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: IndirectKmd.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2783191826.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: APHostService.pdb source: tmp2041392848.exe, 0000000A.00000003.2710697570.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Windows.Devices.Picker.pdb source: tmp2041392848.exe, 0000000A.00000003.2683838821.0000026FD6C49000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netbt.pdb source: tmp2041392848.exe, 0000000A.00000003.2796538835.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GenericUsbFn.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2767369878.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: hidbth.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2777975205.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: appmgmts.pdb source: tmp2041392848.exe, 0000000A.00000003.2662321081.0000026FD6A5F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TetheringService.pdb source: tmp2041392848.exe, 0000000A.00000003.2701002961.0000026FD6C95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: spaceport.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2810694895.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: deviceaccess.pdb source: tmp2041392848.exe, 0000000A.00000003.2682447352.0000026FD6C49000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: umrdp.pdb source: tmp2041392848.exe, 0000000A.00000003.2730358229.0000026FD6D2B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: storahci.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2811844286.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iaLPSS2i_I2C_CNL.pdb source: tmp2041392848.exe, 0000000A.00000003.2781460676.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SCardSvr.pdb source: tmp2041392848.exe, 0000000A.00000003.2720348537.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: icsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2733098123.0000026FD6D2B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iexplore.pdb source: tmp2041392848.exe, 0000000A.00000003.2657711575.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netman.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2708853282.0000026FD6CB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: icsvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2733098123.0000026FD6D2B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: acpi.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2750524180.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sdrsvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2721256638.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mrxdav.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2791538683.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msdtckrm.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2702705788.0000026FD6C95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: http.pdb source: tmp2041392848.exe, 0000000A.00000003.2777753000.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ksecdd.pdb source: tmp2041392848.exe, 0000000A.00000003.2786211621.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cmbatt.pdb source: tmp2041392848.exe, 0000000A.00000003.2760553891.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rdbss.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2801188835.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: acpiex.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2751498802.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iscsiexe.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2707121763.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AppvVemgr.pdb source: tmp2041392848.exe, 0000000A.00000003.2753761537.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sdbus.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2808181740.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SystemEventsBrokerServer.pdb source: tmp2041392848.exe, 0000000A.00000003.2727105996.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SchedSvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2720901281.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dasHost.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2145183010.00000294FE3D5000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2194874461.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GenericUsbFn.pdb source: tmp2041392848.exe, 0000000A.00000003.2767369878.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: Windows-StandardCollector-x64.exe, 00000000.00000003.2146806512.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2146477963.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2143088516.00000294FE147000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2147995799.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2143796615.00000294FE14F000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2146344080.00000294F6A0E000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2152439685.00000294F6A0E000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2147021001.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2144410621.00000294FE14C000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2135502313.00000294FE113000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2145336068.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2133716628.00000294FE0E1000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2153317613.00000294F6A0E000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2675594277.0000026FD6A86000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2673612843.0000026FD6A77000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2683838821.0000026FD6C49000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2671901787.0000026FD6A77000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2676982086.0000026FD6A8E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: IPxlatCfg.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2702370064.0000026FD6C95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: amdk8.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2752817901.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: psmsrv.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2673902020.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: profsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2717066131.0000026FD6CDD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RMapi.pdb source: tmp2041392848.exe, 0000000A.00000003.2719440260.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: locator.pdb source: tmp2041392848.exe, 0000000A.00000003.2719979129.0000026FD6A9D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dssvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2689310497.0000026FD6C61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: upfc.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2165116053.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CloudIdSvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2679463296.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: volsnap.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2820681558.0000026FD6D96000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cdpsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2676225727.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: eapsvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2690051859.0000026FD6C61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dasHost.pdbGCTL source: Windows-StandardCollector-x64.exe, 00000000.00000003.2145183010.00000294FE3D5000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2194874461.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SensrSvc.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2722611457.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SharedRealitySvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2723323620.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: umpnpmgr.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2683209921.0000026FD6C49000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2713437926.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sdrsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2721256638.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: luafv.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2788587638.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lltdsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2704479493.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: IndirectKmd.pdb source: tmp2041392848.exe, 0000000A.00000003.2783191826.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gpuenergydrv.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2769229705.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msquic.pdb source: tmp2041392848.exe, 0000000A.00000003.2792665347.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: amdsbs.pdb source: tmp2041392848.exe, 0000000A.00000003.2753152161.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SensrSvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2722611457.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iaLPSS2i_I2C.pdb source: tmp2041392848.exe, 0000000A.00000003.2780942321.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: LSI_SAS2i.pdb source: tmp2041392848.exe, 0000000A.00000003.2787624661.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rfcomm.pdb source: tmp2041392848.exe, 0000000A.00000003.2802988609.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mbbcx.pdb source: tmp2041392848.exe, 0000000A.00000003.2789131710.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2706860086.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MixedRealityRuntime.pdb source: tmp2041392848.exe, 0000000A.00000003.2706336851.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: csc.pdb source: tmp2041392848.exe, 0000000A.00000003.2761109663.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: intelpep.pdb source: tmp2041392848.exe, 0000000A.00000003.2783542788.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TimeBrokerServer.pdb source: tmp2041392848.exe, 0000000A.00000003.2728873220.0000026FD6D2B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iaLPSSi_I2C.pdb source: tmp2041392848.exe, 0000000A.00000003.2782099577.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AarSvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2660212360.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: exfat.pdb source: tmp2041392848.exe, 0000000A.00000003.2764324693.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mrxsmb20.pdb source: tmp2041392848.exe, 0000000A.00000003.2791913912.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: certprop.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2721256638.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2677030945.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pnrpsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2710992607.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: acpiex.pdb source: tmp2041392848.exe, 0000000A.00000003.2751498802.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: UcmTcpciCx.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2815424611.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mausbhost.pdb source: tmp2041392848.exe, 0000000A.00000003.2788844110.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AppvVemgr.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2753761537.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: embeddedmodesvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2690829347.0000026FD6C61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dusmsvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2690051859.0000026FD6C61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CaptureService.pdb source: tmp2041392848.exe, 0000000A.00000003.2675144481.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\qba2\workspace\1371\lpss\Drivers\iaLPSS_GPIO\1.1.250.0\Win81Release\x64\inbox\iaLPSSi_GPIO.pdb source: tmp2041392848.exe, 0000000A.00000003.2782141220.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AxInstSv.pdb source: tmp2041392848.exe, 0000000A.00000003.2670821680.0000026FD6A70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: btha2dp.pdb source: tmp2041392848.exe, 0000000A.00000003.2755456980.0000026FD6D6F000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2756808169.0000026FD6D70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iaLPSS2i_I2C_GLK.pdb source: tmp2041392848.exe, 0000000A.00000003.2782099577.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2781591847.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: srvnet.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2811526823.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ufxsynopsys.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2816801341.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: profsvc.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2717066131.0000026FD6CDD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nCounter.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2767369878.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: locator.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2719979129.0000026FD6A9D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msgpioclx.pdb source: tmp2041392848.exe, 0000000A.00000003.2767285099.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sihost.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2190744008.00000294FE379000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2142902852.00000294FE13C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: appidsvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2661047369.0000026FD6A5D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: deviceaccess.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2682447352.0000026FD6C49000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Acx01000.pdb source: tmp2041392848.exe, 0000000A.00000003.2751436536.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nlasvc.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2710222929.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mgmtrefreshcredprov.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2824028071.0000026FD70A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: volmgrx.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2820461957.0000026FD6D96000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mausbip.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2789257543.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: defragsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2682108674.0000026FD6C49000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: spaceport.pdb source: tmp2041392848.exe, 0000000A.00000003.2810694895.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: srvsvc.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2703422040.0000026FD6C95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: UcmTcpciCx.pdb source: tmp2041392848.exe, 0000000A.00000003.2815424611.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ksthunk.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2787701534.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: isapnp.pdb source: tmp2041392848.exe, 0000000A.00000003.2785034015.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BthAvctpSvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2674742667.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ipnat.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2784516593.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2784256508.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: afd.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2752047202.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dwm.pdbUGP source: Windows-StandardCollector-x64.exe, 00000000.00000003.2185489066.00000294FE381000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2134540634.00000294FE0E9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bthmodem.pdb source: tmp2041392848.exe, 0000000A.00000003.2756808169.0000026FD6D70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WmiPrvSE.pdbUGP source: Windows-StandardCollector-x64.exe, 00000000.00000003.2199940375.00000294FE379000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2198933840.00000294FE379000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2152933515.00000294FE371000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2149955749.00000294FE371000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2161452845.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: IaStorV.pdb source: tmp2041392848.exe, 0000000A.00000003.2782425902.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ufxsynopsys.pdb source: tmp2041392848.exe, 0000000A.00000003.2816801341.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PushToInstall.pdb source: tmp2041392848.exe, 0000000A.00000003.2717393030.0000026FD6CDD000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2717623441.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: umpo.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2714789204.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ES.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2693459299.0000026FD6C75000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mrxdav.pdb source: tmp2041392848.exe, 0000000A.00000003.2791538683.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PrintWorkflowService.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2716688467.0000026FD6CDD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bthmodem.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2756808169.0000026FD6D70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mgmtrefreshcredprov.pdb source: tmp2041392848.exe, 0000000A.00000003.2824028071.0000026FD70A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ipsecsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2714101905.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2146806512.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2146477963.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2143088516.00000294FE147000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2147995799.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2143796615.00000294FE14F000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2146344080.00000294F6A0E000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2152439685.00000294F6A0E000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2147021001.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2144410621.00000294FE14C000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2135502313.00000294FE113000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2145336068.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2133716628.00000294FE0E1000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2153317613.00000294F6A0E000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2675594277.0000026FD6A86000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2673612843.0000026FD6A77000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2683838821.0000026FD6C49000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2671901787.0000026FD6A77000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2676982086.0000026FD6A8E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: amdsbs.pdbRR source: tmp2041392848.exe, 0000000A.00000003.2753152161.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: srvsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2703422040.0000026FD6C95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: NcaSvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2708054115.0000026FD6CB5000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2707983549.0000026FD6CB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SensorService.pdb source: tmp2041392848.exe, 0000000A.00000003.2722414011.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PrintWorkflowService.pdb source: tmp2041392848.exe, 0000000A.00000003.2716688467.0000026FD6CDD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cryptsvc.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2681100846.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Windows.Devices.Picker.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2683838821.0000026FD6C49000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msgpioclx.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2767285099.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mausbip.pdb source: tmp2041392848.exe, 0000000A.00000003.2789257543.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2684981598.0000026FD6C51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wininit.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2234085791.00000294FE379000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2129350422.00000294FE0E1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sihost.pdbUGP source: Windows-StandardCollector-x64.exe, 00000000.00000003.2190744008.00000294FE379000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2142902852.00000294FE13C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AudioDG.pdbUGP source: Windows-StandardCollector-x64.exe, 00000000.00000003.2154246793.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CapabilityAccessManager.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2675144481.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SessEnv.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2722843866.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AppReadiness.pdb source: tmp2041392848.exe, 0000000A.00000003.2663814071.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cldflt.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2759796445.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: eapsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2690051859.0000026FD6C61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: storahci.pdb source: tmp2041392848.exe, 0000000A.00000003.2811844286.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ksecdd.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2786211621.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rdyboost.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2801597478.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cdrom.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2757897836.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: appidsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2661047369.0000026FD6A5D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pacer.pdb source: tmp2041392848.exe, 0000000A.00000003.2800143530.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ibbus.pdb source: tmp2041392848.exe, 0000000A.00000003.2782759778.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CaptureService.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2675144481.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RuntimeBroker.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2151429032.00000294FE371000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2147902794.00000294FE351000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2146986736.00000294FE341000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2149003675.00000294FE371000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2161452845.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: HpSAMD.pdb source: tmp2041392848.exe, 0000000A.00000003.2777975205.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dot3svc.pdb source: tmp2041392848.exe, 0000000A.00000003.2689062428.0000026FD6C61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: intelpep.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2783542788.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: appinfo.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2661856705.0000026FD6A5D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: clfs.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2760088826.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: LanguageOverlayServer.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2705071174.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2705431056.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkssvc.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2703879705.0000026FD6C95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ALG.pdb source: tmp2041392848.exe, 0000000A.00000003.2660411080.0000026FD6A5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: das.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2682973732.0000026FD6C49000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: usbhub.pdb source: tmp2041392848.exe, 0000000A.00000003.2818241694.0000026FD6D96000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AppReadiness.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2663814071.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dot3svc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2689062428.0000026FD6C61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cmbatt.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2760553891.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RuntimeBroker.pdbUGP source: Windows-StandardCollector-x64.exe, 00000000.00000003.2151429032.00000294FE371000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2147902794.00000294FE351000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2146986736.00000294FE341000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2149003675.00000294FE371000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2161452845.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: LanguageOverlayServer.pdb source: tmp2041392848.exe, 0000000A.00000003.2705071174.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2705431056.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: McpManagementService.pdb source: tmp2041392848.exe, 0000000A.00000003.2705514320.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2705431056.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bxvbda.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2754433808.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: NetSetupSvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2709411964.0000026FD6CB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cimfs.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2759744261.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: arcsas.pdb source: tmp2041392848.exe, 0000000A.00000003.2754019105.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Vid.pdb source: tmp2041392848.exe, 0000000A.00000003.2819783459.0000026FD6D96000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucx01000.pdb source: tmp2041392848.exe, 0000000A.00000003.2815738897.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ksthunk.pdb source: tmp2041392848.exe, 0000000A.00000003.2787701534.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Acx01000.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2751436536.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SgrmBroker.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2152360799.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TimeBrokerServer.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2728873220.0000026FD6D2B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: das.pdb source: tmp2041392848.exe, 0000000A.00000003.2682973732.0000026FD6C49000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: qwave.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2717733966.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2717623441.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PushToInstall.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2717393030.0000026FD6CDD000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2717623441.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shsvcs.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2723523471.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: EhStorTcgDrv.pdb source: tmp2041392848.exe, 0000000A.00000003.2764389464.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iaLPSS2i_I2C_BXT_P.pdb source: tmp2041392848.exe, 0000000A.00000003.2781224367.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dusmsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2690051859.0000026FD6C61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: McpManagementService.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2705514320.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2705431056.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shsvcs.pdb source: tmp2041392848.exe, 0000000A.00000003.2723523471.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cimfs.pdb source: tmp2041392848.exe, 0000000A.00000003.2759744261.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 3ware.pdb source: tmp2041392848.exe, 0000000A.00000003.2750624632.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msiscsi.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2784869942.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lltdsvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2704479493.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.Bluetooth.UserService.pdb source: tmp2041392848.exe, 0000000A.00000003.2673448012.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nlasvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2710222929.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: appinfo.pdb source: tmp2041392848.exe, 0000000A.00000003.2661856705.0000026FD6A5D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: swprv.pdb source: tmp2041392848.exe, 0000000A.00000003.2726907709.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msiscsi.pdb source: tmp2041392848.exe, 0000000A.00000003.2784869942.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: http.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2777753000.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: smss.pdbUGP source: Windows-StandardCollector-x64.exe, 00000000.00000003.2121525800.00000294F69B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucx01000.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2815738897.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bthserv.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2674742667.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: exfat.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2764324693.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tapisrv.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2727517211.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: circlass.pdb source: tmp2041392848.exe, 0000000A.00000003.2759744261.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SmartSAMD.pdb source: tmp2041392848.exe, 0000000A.00000003.2810293060.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: isapnp.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2785034015.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DiagSvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2685276781.0000026FD6C51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: usbxhci.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2819131423.0000026FD6D96000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.Bluetooth.UserService.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2673448012.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dhcpcore.pdb source: tmp2041392848.exe, 0000000A.00000003.2684592952.0000026FD6C51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AarSvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2660212360.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ipt.pdb source: tmp2041392848.exe, 0000000A.00000003.2784978754.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2214832534.00000294FE379000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2166230550.00000294FE379000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2225302687.00000294FE379000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2164178417.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AudioDG.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2154246793.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: NetSetupSvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2709411964.0000026FD6CB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: IPxlatCfg.pdb source: tmp2041392848.exe, 0000000A.00000003.2702370064.0000026FD6C95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ksecpkg.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2787158429.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: fastfat.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2764740138.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: APHostService.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2710697570.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: defragsvc.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2682108674.0000026FD6C49000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: hidbth.pdb source: tmp2041392848.exe, 0000000A.00000003.2777975205.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ScDeviceEnum.pdb source: tmp2041392848.exe, 0000000A.00000003.2720618592.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nCounter.pdb source: tmp2041392848.exe, 0000000A.00000003.2767369878.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ItSas35i.pdb source: tmp2041392848.exe, 0000000A.00000003.2785702857.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dllhost.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2148773834.00000294FE145000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2148851106.00000294FE147000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2680070742.0000026FD6A95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pnrpsvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2710992607.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CapabilityAccessManager.pdb source: tmp2041392848.exe, 0000000A.00000003.2675144481.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ksecpkg.pdb source: tmp2041392848.exe, 0000000A.00000003.2787158429.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: afd.pdb source: tmp2041392848.exe, 0000000A.00000003.2752047202.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cryptsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2681100846.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: upfc.pdbGCTL source: Windows-StandardCollector-x64.exe, 00000000.00000003.2165116053.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SchedSvc.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2720901281.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: USBAudio2.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2817542117.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CredentialEnrollmentManager.pdb source: tmp2041392848.exe, 0000000A.00000003.2681100846.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DispBroker.Desktop.pdb source: tmp2041392848.exe, 0000000A.00000003.2685499830.0000026FD6C53000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BthAvctpSvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2674742667.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dssvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2689310497.0000026FD6C61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iexplore.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2657711575.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: p2psvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2711373955.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ES.pdb source: tmp2041392848.exe, 0000000A.00000003.2693459299.0000026FD6C75000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: fastfat.pdb source: tmp2041392848.exe, 0000000A.00000003.2764740138.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vstxraid.pdb source: tmp2041392848.exe, 0000000A.00000003.2821263598.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ipt.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2784978754.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CredentialEnrollmentManager.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2681100846.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: csc.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2761109663.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: errdev.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2764426697.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bxvbda.pdb source: tmp2041392848.exe, 0000000A.00000003.2754433808.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mssecflt.pdb source: tmp2041392848.exe, 0000000A.00000003.2793223241.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bthserv.pdb source: tmp2041392848.exe, 0000000A.00000003.2674742667.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msdtckrm.pdb source: tmp2041392848.exe, 0000000A.00000003.2702705788.0000026FD6C95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tapisrv.pdb source: tmp2041392848.exe, 0000000A.00000003.2727517211.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mbbcx.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2789131710.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PimIndexMaintenance.pdb source: tmp2041392848.exe, 0000000A.00000003.2712716515.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mssecflt.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2793223241.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dllhost.pdbGCTL source: Windows-StandardCollector-x64.exe, 00000000.00000003.2148773834.00000294FE145000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2148851106.00000294FE147000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2680070742.0000026FD6A95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ncbservice.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2708261518.0000026FD6CB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RMapi.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2719440260.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ALG.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2660411080.0000026FD6A5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cdpsvc.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2676225727.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SessEnv.pdb source: tmp2041392848.exe, 0000000A.00000003.2722843866.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: p2psvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2711373955.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sdbus.pdb source: tmp2041392848.exe, 0000000A.00000003.2808181740.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: embeddedmodesvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2690829347.0000026FD6C61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: umrdp.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2730358229.0000026FD6D2B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ndiswan.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2795623923.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: appmgmts.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2662321081.0000026FD6A5F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ipsecsvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2714101905.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rdbss.pdb source: tmp2041392848.exe, 0000000A.00000003.2801188835.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: smss.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2121525800.00000294F69B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: amdppm.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2752951736.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: acpitime.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2751498802.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MegaSas35i.pdb source: tmp2041392848.exe, 0000000A.00000003.2789986567.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: volmgrx.pdb source: tmp2041392848.exe, 0000000A.00000003.2820461957.0000026FD6D96000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: amdppm.pdb source: tmp2041392848.exe, 0000000A.00000003.2752951736.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gpuenergydrv.pdb source: tmp2041392848.exe, 0000000A.00000003.2769229705.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: NaturalAuth.pdb source: tmp2041392848.exe, 0000000A.00000003.2707983549.0000026FD6CB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: qwave.pdb source: tmp2041392848.exe, 0000000A.00000003.2717733966.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2717623441.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msquic.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2792665347.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SensorService.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2722414011.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: acpitime.pdb source: tmp2041392848.exe, 0000000A.00000003.2751498802.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: umpnpmgr.pdb source: tmp2041392848.exe, 0000000A.00000003.2683209921.0000026FD6C49000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2713437926.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iscsiexe.pdb source: tmp2041392848.exe, 0000000A.00000003.2707121763.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rdyboost.pdb source: tmp2041392848.exe, 0000000A.00000003.2801597478.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cht4vx64.pdb source: tmp2041392848.exe, 0000000A.00000003.2759169449.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\tmp2041392848.exe Directory queried: number of queries: 1001
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe File opened: C:\Windows\System32\config\systemprofile\
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe File opened: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe File opened: C:\Windows\System32\config\RegBack\
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe File opened: C:\Windows\System32\config\systemprofile\AppData\
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe File opened: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe File opened: C:\Windows\System32\config\systemprofile\AppData\LocalLow\
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://169.254.169.254/latesthttp://
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://169.254.169.254iam-fips.amazonaws.comidna:
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://169.254.170.2if/with
Source: tmp2041392848.exe, 0000000A.00000003.2782141220.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://certificates.intel.com/repository/CRL/Intel%20External%20Basic%20Issuing%20CA%203B(2).crl0
Source: tmp2041392848.exe, 0000000A.00000003.2782141220.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://certificates.intel.com/repository/CRL/Intel%20External%20Basic%20Policy%20CA(1).crl0
Source: tmp2041392848.exe, 0000000A.00000003.2782141220.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://certificates.intel.com/repository/certificates/Intel%20External%20Basic%20Issuing%20CA%203B(2
Source: tmp2041392848.exe, 0000000A.00000003.2782141220.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://certificates.intel.com/repository/certificates/Intel%20External%20Basic%20Policy%20CA(1).crt0
Source: tmp2041392848.exe, 0000000A.00000003.2782141220.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: tmp2041392848.exe, 0000000A.00000003.2782141220.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.trust-provider.com/AddTrustExternalCARoot.crl0
Source: tmp2041392848.exe, 0000000A.00000003.2782141220.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.trust-provider.com/AddTrustExternalCARoot.p7c0
Source: tmp2041392848.exe, 0000000A.00000003.2782141220.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.trust-provider.com/AddTrustUTNSGCCA.crt0
Source: tmp2041392848.exe, 0000000A.00000003.2681100846.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enRootDirUrlContent
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.0000000002027000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://docs.python.org/library/functions.html#range).
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://jsonpatch.com/)Permission
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://myexternalip.com/rawhttps://api.github.com/userifSourceMetagenerationMatchignoring
Source: tmp2041392848.exe, 0000000A.00000003.2782141220.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.thawte.com0
Source: tmp2041392848.exe, 0000000A.00000003.2782141220.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.trust-provider.com0
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://purl.oclc.org/ooxml/officeDocument/relationships/commentsinternal
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://purl.oclc.org/ooxml/spreadsheetml/mainignore
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://s3.amazonaws.com/doc/2006-03-01/
Source: tmp2041392848.exe, 0000000A.00000003.2782141220.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: tmp2041392848.exe, 0000000A.00000003.2782141220.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: tmp2041392848.exe, 0000000A.00000003.2782141220.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.0000000002027000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://underscorejs.org
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.0000000002027000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://wiki.ecmascript.org/doku.php?id=harmony:egal.
Source: tmp2041392848.exe, 0000000A.00000003.2750624632.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.3ware.comD
Source: tmp2041392848.exe, 0000000A.00000003.2782141220.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.intel.com/repository/CRL/Intel%20External%20Basic%20Issuing%20CA%203B(2).crl
Source: tmp2041392848.exe, 0000000A.00000003.2782141220.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.intel.com/repository/CRL/Intel%20External%20Basic%20Policy%20CA(1).crl
Source: tmp2041392848.exe, 0000000A.00000003.2782141220.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.intel.com/repository/certificates/Intel%20External%20Basic%20Issuing%20CA%203B(2).crt0u
Source: tmp2041392848.exe, 0000000A.00000003.2782141220.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.intel.com/repository/certificates/Intel%20External%20Basic%20Policy%20CA(1).crt0o
Source: tmp2041392848.exe, 0000000A.00000003.2782141220.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.intel.com/repository/pkicps/index.htm0
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://%s:%d/https://%v:%v/httptest.servehunt_flows:
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://accounts.google.com
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.0000000002027000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=80797
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://cdn.jsdelivr.net/npm/popper.js
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://code.jquery.com/jquery-3.4.1.slim.min.js
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://datatracker.ietf.org/doc/html/rfc7396)Access
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://developers.google.com/accounts/docs/application-default-credentialslistChildren:
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://docs.velociraptor.app/
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://docs.velociraptor.app/docs/deployment/cloud/multifrontend/
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://elastic.co/cloud).
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/Velocidex/evtx-data.
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/Velocidex/vtypes).
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://github.com/go-sql-driver/mysql/wiki/old_passwordsDEBUG:
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://iamcredentials.googleapis.com/v1/%s:generateAccessTokeninternal
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://oauth2.googleapis.com/tokenincompatible
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://pubsub.googleapis.com/https://www.velocidex.com/docshunt_dispatcher_last_timestampifSourceMe
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/css/bootstrap.min.css
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.4.1/js/bootstrap.min.js
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111107121.00000000014A9000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.googleapis.com/auth/cloud-platform
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111107121.00000000014A9000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.googleapis.com/auth/pubsub2
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111107121.00000000014A9000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.googleapis.com/auth/pubsubB
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.googleapis.com/oauth2/v2/userinfo?access_token=initial
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2118428930.000000C001362000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.realvnc.com/en/connect/docs/logging.html#logging
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.velocidex.com
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.velocidex.comiam/security-credentials/ifMetagenerationNotMatch=illegal
Source: tmp2041392848.exe, 0000000A.00000000.2653965044.00007FF7CC13D000.00000008.00000001.01000000.00000006.sdmp String found in binary or memory: https://www.virustotal.com/about/terms-of-service
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.000000000174D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://your-org-name.okta.com

System Summary

Source: Collection-571345-2024-10-24_14_57_13__0000_UTC.zip.0.dr Zip Entry: encrypted
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_000000C002807C46 0_3_000000C002807C46
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_000000C00280844F 0_3_000000C00280844F
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_000000C002807E92 0_3_000000C002807E92
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_00000294FE115BF4 0_3_00000294FE115BF4
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_00000294FE115BF4 0_3_00000294FE115BF4
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_00000294FE115BF4 0_3_00000294FE115BF4
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_00000294FE115BF4 0_3_00000294FE115BF4
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_00000294FE11D54A 0_3_00000294FE11D54A
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_00000294FE11D54A 0_3_00000294FE11D54A
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_00000294FE11D54A 0_3_00000294FE11D54A
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_00000294FE11D54A 0_3_00000294FE11D54A
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_00000294FE11D54A 0_3_00000294FE11D54A
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_00000294FE11D54A 0_3_00000294FE11D54A
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_00000294FE11D54A 0_3_00000294FE11D54A
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_00000294FE11D54A 0_3_00000294FE11D54A
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_00000294FE11D54A 0_3_00000294FE11D54A
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_00000294FE11D54A 0_3_00000294FE11D54A
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_00000294FE115BF4 0_3_00000294FE115BF4
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_00000294FE115BF4 0_3_00000294FE115BF4
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_00000294FE115BF4 0_3_00000294FE115BF4
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_00000294FE115BF4 0_3_00000294FE115BF4
Source: C:\Users\user\Desktop\tmp2041392848.exe Process token adjusted: Security
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2199940375.00000294FE379000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWmiprvse.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2146806512.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2129219805.00000294F69E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCSRSS.Exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2246429277.00000294FE421000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2234085791.00000294FE379000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWinInit.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2198933840.00000294FE379000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWmiprvse.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2152360799.00000294FE379000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSgrmBroker.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2239784470.00000294FE409000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2190744008.00000294FE379000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesihost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2148773834.00000294FE145000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedllhost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2165116053.00000294FE379000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameupfc.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2152933515.00000294FE371000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWmiprvse.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2146477963.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2143088516.00000294FE147000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2242304467.00000294FE411000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2148851106.00000294FE147000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedllhost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2145183010.00000294FE3D5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedasHost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2147995799.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2151429032.00000294FE371000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRuntimeBroker.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2185489066.00000294FE381000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedwm.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2143796615.00000294FE14F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2137697420.00000294FE11F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2146344080.00000294F6A0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2147902794.00000294FE351000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRuntimeBroker.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2142902852.00000294FE13C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesihost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2150390511.00000294FE379000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2129350422.00000294FE0E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWinInit.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2147021001.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2146986736.00000294FE341000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRuntimeBroker.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2127204938.00000294F69D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCSRSS.Exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2143431216.00000294FE157000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2194874461.00000294FE379000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedasHost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2142422624.00000294FE144000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2148418760.00000294FE14F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2133560787.00000294FE0E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelsass.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2144410621.00000294FE14C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2135502313.00000294FE113000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2145336068.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2149003675.00000294FE371000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRuntimeBroker.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2149955749.00000294FE371000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWmiprvse.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2121525800.00000294F69B0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesmss.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2234163910.00000294FE133000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelsass.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2161452845.00000294FE379000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWmiprvse.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2161452845.00000294FE379000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRuntimeBroker.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2133716628.00000294FE0E1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesvchost.exej% vs Windows-StandardCollector-x64.exe
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2134540634.00000294FE0E9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamedwm.exej% vs Windows-StandardCollector-x64.exe
Source: classification engine Classification label: mal68.troj.evad.winEXE@6/689@0/0
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe File created: C:\Users\user\Desktop\tmp2993025178
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:748:120:WilError_03
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe File opened: C:\Windows\system32\574d389ad83e69ed259730946bfbfa67ac851f275463ed688b4504f1699f9766AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Jump to behavior
Source: C:\Users\user\Desktop\tmp2041392848.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.0000000002A27000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.0000000002A27000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.0000000002A27000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.0000000002A27000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.0000000002A27000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.0000000002A27000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: Windows-StandardCollector-x64.exe, 00000000.00000000.2111323072.0000000002A27000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe File read: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe
Source: unknown Process created: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe "C:\Users\user\Desktop\Windows-StandardCollector-x64.exe"
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Process created: C:\Users\user\Desktop\tmp2041392848.exe C:\Users\user\Desktop\tmp2041392848.exe -nobanner -accepteula -t -a * -c -h *
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: dbghelp.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: tdh.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: dbgcore.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: samcli.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: samlib.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\ipconfig.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: mrmcorer.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: thumbcache.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: taskschd.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\tmp2041392848.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\Desktop\tmp2041392848.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Office\Outlook\Addins
Source: Windows-StandardCollector-x64.exe Static file information: File size 48203579 > 1048576
Source: Binary string: cdpusersvc.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2676553595.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mrxsmb20.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2791913912.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: circlass.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2759744261.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: errdev.pdb source: tmp2041392848.exe, 0000000A.00000003.2764426697.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: NcaSvc.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2708054115.0000026FD6CB5000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2707983549.0000026FD6CB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rfcomm.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2802988609.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CloudIdSvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2679463296.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SystemEventsBrokerServer.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2727105996.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dhcpcore.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2684592952.0000026FD6C51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DiagSvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2685276781.0000026FD6C51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: amdk8.pdb source: tmp2041392848.exe, 0000000A.00000003.2752817901.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ipnat.pdb source: tmp2041392848.exe, 0000000A.00000003.2784516593.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2784256508.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: EhStorTcgDrv.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2764389464.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: fvevol.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2766822225.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: psmsrv.pdb source: tmp2041392848.exe, 0000000A.00000003.2673902020.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SharedRealitySvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2723323620.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: fvevol.pdb source: tmp2041392848.exe, 0000000A.00000003.2766822225.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dwm.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2185489066.00000294FE381000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2134540634.00000294FE0E9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mausbhost.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2788844110.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WmiPrvSE.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2199940375.00000294FE379000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2198933840.00000294FE379000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2152933515.00000294FE371000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2149955749.00000294FE371000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2161452845.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cdrom.pdb source: tmp2041392848.exe, 0000000A.00000003.2757897836.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: swprv.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2726907709.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cht4sx64.pdb source: tmp2041392848.exe, 0000000A.00000003.2758494276.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ncbservice.pdb source: tmp2041392848.exe, 0000000A.00000003.2708261518.0000026FD6CB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 1394OHCI.pdb source: tmp2041392848.exe, 0000000A.00000003.2750624632.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2750104128.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: usbxhci.pdb source: tmp2041392848.exe, 0000000A.00000003.2819131423.0000026FD6D96000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: srvnet.pdb source: tmp2041392848.exe, 0000000A.00000003.2811526823.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AxInstSv.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2670821680.0000026FD6A70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cldflt.pdb source: tmp2041392848.exe, 0000000A.00000003.2759796445.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pci.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2798405381.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: btha2dp.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2755456980.0000026FD6D6F000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2756808169.0000026FD6D70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SgrmBroker.pdbGCTL source: Windows-StandardCollector-x64.exe, 00000000.00000003.2152360799.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 1394OHCI.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2750624632.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2750104128.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: acpi.pdb source: tmp2041392848.exe, 0000000A.00000003.2750524180.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Vid.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2819783459.0000026FD6D96000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: NaturalAuth.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2707983549.0000026FD6CB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netbt.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2796538835.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MixedRealityRuntime.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2706336851.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pci.pdb source: tmp2041392848.exe, 0000000A.00000003.2798405381.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netman.pdb source: tmp2041392848.exe, 0000000A.00000003.2708853282.0000026FD6CB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: umpo.pdb source: tmp2041392848.exe, 0000000A.00000003.2714789204.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkssvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2703879705.0000026FD6C95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ConsentUxClient.pdb source: tmp2041392848.exe, 0000000A.00000003.2680101286.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: clfs.pdb source: tmp2041392848.exe, 0000000A.00000003.2760088826.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ndiswan.pdb source: tmp2041392848.exe, 0000000A.00000003.2795623923.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: usbhub.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2818241694.0000026FD6D96000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ScDeviceEnum.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2720618592.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ConsentUxClient.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2680101286.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wininit.pdbUGP source: Windows-StandardCollector-x64.exe, 00000000.00000003.2234085791.00000294FE379000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2129350422.00000294FE0E1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: certprop.pdb source: tmp2041392848.exe, 0000000A.00000003.2721256638.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2677030945.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: luafv.pdb source: tmp2041392848.exe, 0000000A.00000003.2788587638.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: volsnap.pdb source: tmp2041392848.exe, 0000000A.00000003.2820681558.0000026FD6D96000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DispBroker.Desktop.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2685499830.0000026FD6C53000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cdpusersvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2676553595.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PimIndexMaintenance.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2712716515.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdb source: tmp2041392848.exe, 0000000A.00000003.2706860086.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: tmp2041392848.exe, 0000000A.00000003.2684981598.0000026FD6C51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: megasr.pdb source: tmp2041392848.exe, 0000000A.00000003.2790194503.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pacer.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2800143530.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: IndirectKmd.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2783191826.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: APHostService.pdb source: tmp2041392848.exe, 0000000A.00000003.2710697570.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Windows.Devices.Picker.pdb source: tmp2041392848.exe, 0000000A.00000003.2683838821.0000026FD6C49000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netbt.pdb source: tmp2041392848.exe, 0000000A.00000003.2796538835.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GenericUsbFn.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2767369878.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: hidbth.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2777975205.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: appmgmts.pdb source: tmp2041392848.exe, 0000000A.00000003.2662321081.0000026FD6A5F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TetheringService.pdb source: tmp2041392848.exe, 0000000A.00000003.2701002961.0000026FD6C95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: spaceport.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2810694895.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: deviceaccess.pdb source: tmp2041392848.exe, 0000000A.00000003.2682447352.0000026FD6C49000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: umrdp.pdb source: tmp2041392848.exe, 0000000A.00000003.2730358229.0000026FD6D2B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: storahci.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2811844286.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iaLPSS2i_I2C_CNL.pdb source: tmp2041392848.exe, 0000000A.00000003.2781460676.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SCardSvr.pdb source: tmp2041392848.exe, 0000000A.00000003.2720348537.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: icsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2733098123.0000026FD6D2B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iexplore.pdb source: tmp2041392848.exe, 0000000A.00000003.2657711575.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netman.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2708853282.0000026FD6CB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: icsvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2733098123.0000026FD6D2B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: acpi.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2750524180.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sdrsvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2721256638.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mrxdav.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2791538683.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msdtckrm.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2702705788.0000026FD6C95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: http.pdb source: tmp2041392848.exe, 0000000A.00000003.2777753000.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ksecdd.pdb source: tmp2041392848.exe, 0000000A.00000003.2786211621.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cmbatt.pdb source: tmp2041392848.exe, 0000000A.00000003.2760553891.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rdbss.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2801188835.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: acpiex.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2751498802.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iscsiexe.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2707121763.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AppvVemgr.pdb source: tmp2041392848.exe, 0000000A.00000003.2753761537.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sdbus.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2808181740.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SystemEventsBrokerServer.pdb source: tmp2041392848.exe, 0000000A.00000003.2727105996.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SchedSvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2720901281.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dasHost.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2145183010.00000294FE3D5000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2194874461.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GenericUsbFn.pdb source: tmp2041392848.exe, 0000000A.00000003.2767369878.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: Windows-StandardCollector-x64.exe, 00000000.00000003.2146806512.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2146477963.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2143088516.00000294FE147000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2147995799.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2143796615.00000294FE14F000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2146344080.00000294F6A0E000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2152439685.00000294F6A0E000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2147021001.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2144410621.00000294FE14C000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2135502313.00000294FE113000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2145336068.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2133716628.00000294FE0E1000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2153317613.00000294F6A0E000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2675594277.0000026FD6A86000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2673612843.0000026FD6A77000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2683838821.0000026FD6C49000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2671901787.0000026FD6A77000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2676982086.0000026FD6A8E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: IPxlatCfg.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2702370064.0000026FD6C95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: amdk8.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2752817901.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: psmsrv.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2673902020.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: profsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2717066131.0000026FD6CDD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RMapi.pdb source: tmp2041392848.exe, 0000000A.00000003.2719440260.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: locator.pdb source: tmp2041392848.exe, 0000000A.00000003.2719979129.0000026FD6A9D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dssvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2689310497.0000026FD6C61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: upfc.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2165116053.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CloudIdSvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2679463296.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: volsnap.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2820681558.0000026FD6D96000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cdpsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2676225727.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: eapsvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2690051859.0000026FD6C61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dasHost.pdbGCTL source: Windows-StandardCollector-x64.exe, 00000000.00000003.2145183010.00000294FE3D5000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2194874461.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SensrSvc.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2722611457.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SharedRealitySvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2723323620.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: umpnpmgr.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2683209921.0000026FD6C49000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2713437926.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sdrsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2721256638.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: luafv.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2788587638.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lltdsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2704479493.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: IndirectKmd.pdb source: tmp2041392848.exe, 0000000A.00000003.2783191826.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gpuenergydrv.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2769229705.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msquic.pdb source: tmp2041392848.exe, 0000000A.00000003.2792665347.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: amdsbs.pdb source: tmp2041392848.exe, 0000000A.00000003.2753152161.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SensrSvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2722611457.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iaLPSS2i_I2C.pdb source: tmp2041392848.exe, 0000000A.00000003.2780942321.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: LSI_SAS2i.pdb source: tmp2041392848.exe, 0000000A.00000003.2787624661.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rfcomm.pdb source: tmp2041392848.exe, 0000000A.00000003.2802988609.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mbbcx.pdb source: tmp2041392848.exe, 0000000A.00000003.2789131710.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msdtcexe.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2706860086.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MixedRealityRuntime.pdb source: tmp2041392848.exe, 0000000A.00000003.2706336851.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: csc.pdb source: tmp2041392848.exe, 0000000A.00000003.2761109663.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: intelpep.pdb source: tmp2041392848.exe, 0000000A.00000003.2783542788.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TimeBrokerServer.pdb source: tmp2041392848.exe, 0000000A.00000003.2728873220.0000026FD6D2B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iaLPSSi_I2C.pdb source: tmp2041392848.exe, 0000000A.00000003.2782099577.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AarSvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2660212360.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: exfat.pdb source: tmp2041392848.exe, 0000000A.00000003.2764324693.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mrxsmb20.pdb source: tmp2041392848.exe, 0000000A.00000003.2791913912.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: certprop.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2721256638.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2677030945.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pnrpsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2710992607.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: acpiex.pdb source: tmp2041392848.exe, 0000000A.00000003.2751498802.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: UcmTcpciCx.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2815424611.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mausbhost.pdb source: tmp2041392848.exe, 0000000A.00000003.2788844110.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AppvVemgr.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2753761537.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: embeddedmodesvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2690829347.0000026FD6C61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dusmsvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2690051859.0000026FD6C61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CaptureService.pdb source: tmp2041392848.exe, 0000000A.00000003.2675144481.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\qba2\workspace\1371\lpss\Drivers\iaLPSS_GPIO\1.1.250.0\Win81Release\x64\inbox\iaLPSSi_GPIO.pdb source: tmp2041392848.exe, 0000000A.00000003.2782141220.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AxInstSv.pdb source: tmp2041392848.exe, 0000000A.00000003.2670821680.0000026FD6A70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: btha2dp.pdb source: tmp2041392848.exe, 0000000A.00000003.2755456980.0000026FD6D6F000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2756808169.0000026FD6D70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iaLPSS2i_I2C_GLK.pdb source: tmp2041392848.exe, 0000000A.00000003.2782099577.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2781591847.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: srvnet.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2811526823.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ufxsynopsys.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2816801341.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: profsvc.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2717066131.0000026FD6CDD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nCounter.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2767369878.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: locator.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2719979129.0000026FD6A9D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msgpioclx.pdb source: tmp2041392848.exe, 0000000A.00000003.2767285099.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sihost.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2190744008.00000294FE379000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2142902852.00000294FE13C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: appidsvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2661047369.0000026FD6A5D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: deviceaccess.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2682447352.0000026FD6C49000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Acx01000.pdb source: tmp2041392848.exe, 0000000A.00000003.2751436536.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nlasvc.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2710222929.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mgmtrefreshcredprov.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2824028071.0000026FD70A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: volmgrx.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2820461957.0000026FD6D96000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mausbip.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2789257543.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: defragsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2682108674.0000026FD6C49000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: spaceport.pdb source: tmp2041392848.exe, 0000000A.00000003.2810694895.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: srvsvc.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2703422040.0000026FD6C95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: UcmTcpciCx.pdb source: tmp2041392848.exe, 0000000A.00000003.2815424611.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ksthunk.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2787701534.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: isapnp.pdb source: tmp2041392848.exe, 0000000A.00000003.2785034015.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BthAvctpSvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2674742667.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ipnat.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2784516593.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2784256508.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: afd.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2752047202.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dwm.pdbUGP source: Windows-StandardCollector-x64.exe, 00000000.00000003.2185489066.00000294FE381000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2134540634.00000294FE0E9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bthmodem.pdb source: tmp2041392848.exe, 0000000A.00000003.2756808169.0000026FD6D70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WmiPrvSE.pdbUGP source: Windows-StandardCollector-x64.exe, 00000000.00000003.2199940375.00000294FE379000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2198933840.00000294FE379000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2152933515.00000294FE371000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2149955749.00000294FE371000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2161452845.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: IaStorV.pdb source: tmp2041392848.exe, 0000000A.00000003.2782425902.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ufxsynopsys.pdb source: tmp2041392848.exe, 0000000A.00000003.2816801341.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PushToInstall.pdb source: tmp2041392848.exe, 0000000A.00000003.2717393030.0000026FD6CDD000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2717623441.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: umpo.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2714789204.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ES.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2693459299.0000026FD6C75000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mrxdav.pdb source: tmp2041392848.exe, 0000000A.00000003.2791538683.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PrintWorkflowService.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2716688467.0000026FD6CDD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bthmodem.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2756808169.0000026FD6D70000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mgmtrefreshcredprov.pdb source: tmp2041392848.exe, 0000000A.00000003.2824028071.0000026FD70A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ipsecsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2714101905.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2146806512.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2146477963.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2143088516.00000294FE147000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2147995799.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2143796615.00000294FE14F000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2146344080.00000294F6A0E000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2152439685.00000294F6A0E000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2147021001.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2144410621.00000294FE14C000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2135502313.00000294FE113000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2145336068.00000294FE14B000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2133716628.00000294FE0E1000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2153317613.00000294F6A0E000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2675594277.0000026FD6A86000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2673612843.0000026FD6A77000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2683838821.0000026FD6C49000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2671901787.0000026FD6A77000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2676982086.0000026FD6A8E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: amdsbs.pdbRR source: tmp2041392848.exe, 0000000A.00000003.2753152161.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: srvsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2703422040.0000026FD6C95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: NcaSvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2708054115.0000026FD6CB5000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2707983549.0000026FD6CB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SensorService.pdb source: tmp2041392848.exe, 0000000A.00000003.2722414011.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PrintWorkflowService.pdb source: tmp2041392848.exe, 0000000A.00000003.2716688467.0000026FD6CDD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cryptsvc.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2681100846.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Windows.Devices.Picker.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2683838821.0000026FD6C49000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msgpioclx.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2767285099.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mausbip.pdb source: tmp2041392848.exe, 0000000A.00000003.2789257543.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2684981598.0000026FD6C51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wininit.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2234085791.00000294FE379000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2129350422.00000294FE0E1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sihost.pdbUGP source: Windows-StandardCollector-x64.exe, 00000000.00000003.2190744008.00000294FE379000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2142902852.00000294FE13C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AudioDG.pdbUGP source: Windows-StandardCollector-x64.exe, 00000000.00000003.2154246793.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CapabilityAccessManager.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2675144481.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SessEnv.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2722843866.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AppReadiness.pdb source: tmp2041392848.exe, 0000000A.00000003.2663814071.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cldflt.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2759796445.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: eapsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2690051859.0000026FD6C61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: storahci.pdb source: tmp2041392848.exe, 0000000A.00000003.2811844286.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ksecdd.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2786211621.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rdyboost.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2801597478.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cdrom.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2757897836.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: appidsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2661047369.0000026FD6A5D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pacer.pdb source: tmp2041392848.exe, 0000000A.00000003.2800143530.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ibbus.pdb source: tmp2041392848.exe, 0000000A.00000003.2782759778.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CaptureService.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2675144481.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RuntimeBroker.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2151429032.00000294FE371000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2147902794.00000294FE351000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2146986736.00000294FE341000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2149003675.00000294FE371000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2161452845.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: HpSAMD.pdb source: tmp2041392848.exe, 0000000A.00000003.2777975205.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dot3svc.pdb source: tmp2041392848.exe, 0000000A.00000003.2689062428.0000026FD6C61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: intelpep.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2783542788.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: appinfo.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2661856705.0000026FD6A5D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: clfs.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2760088826.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: LanguageOverlayServer.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2705071174.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2705431056.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wkssvc.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2703879705.0000026FD6C95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ALG.pdb source: tmp2041392848.exe, 0000000A.00000003.2660411080.0000026FD6A5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: das.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2682973732.0000026FD6C49000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: usbhub.pdb source: tmp2041392848.exe, 0000000A.00000003.2818241694.0000026FD6D96000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AppReadiness.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2663814071.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dot3svc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2689062428.0000026FD6C61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cmbatt.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2760553891.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RuntimeBroker.pdbUGP source: Windows-StandardCollector-x64.exe, 00000000.00000003.2151429032.00000294FE371000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2147902794.00000294FE351000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2146986736.00000294FE341000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2149003675.00000294FE371000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2161452845.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: LanguageOverlayServer.pdb source: tmp2041392848.exe, 0000000A.00000003.2705071174.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2705431056.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: McpManagementService.pdb source: tmp2041392848.exe, 0000000A.00000003.2705514320.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2705431056.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bxvbda.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2754433808.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: NetSetupSvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2709411964.0000026FD6CB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cimfs.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2759744261.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: arcsas.pdb source: tmp2041392848.exe, 0000000A.00000003.2754019105.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Vid.pdb source: tmp2041392848.exe, 0000000A.00000003.2819783459.0000026FD6D96000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucx01000.pdb source: tmp2041392848.exe, 0000000A.00000003.2815738897.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ksthunk.pdb source: tmp2041392848.exe, 0000000A.00000003.2787701534.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Acx01000.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2751436536.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SgrmBroker.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2152360799.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: TimeBrokerServer.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2728873220.0000026FD6D2B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: das.pdb source: tmp2041392848.exe, 0000000A.00000003.2682973732.0000026FD6C49000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: qwave.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2717733966.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2717623441.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PushToInstall.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2717393030.0000026FD6CDD000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2717623441.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shsvcs.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2723523471.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: EhStorTcgDrv.pdb source: tmp2041392848.exe, 0000000A.00000003.2764389464.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iaLPSS2i_I2C_BXT_P.pdb source: tmp2041392848.exe, 0000000A.00000003.2781224367.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dusmsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2690051859.0000026FD6C61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: McpManagementService.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2705514320.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2705431056.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: shsvcs.pdb source: tmp2041392848.exe, 0000000A.00000003.2723523471.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cimfs.pdb source: tmp2041392848.exe, 0000000A.00000003.2759744261.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 3ware.pdb source: tmp2041392848.exe, 0000000A.00000003.2750624632.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msiscsi.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2784869942.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: lltdsvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2704479493.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.Bluetooth.UserService.pdb source: tmp2041392848.exe, 0000000A.00000003.2673448012.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nlasvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2710222929.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: appinfo.pdb source: tmp2041392848.exe, 0000000A.00000003.2661856705.0000026FD6A5D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: swprv.pdb source: tmp2041392848.exe, 0000000A.00000003.2726907709.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msiscsi.pdb source: tmp2041392848.exe, 0000000A.00000003.2784869942.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: http.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2777753000.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: smss.pdbUGP source: Windows-StandardCollector-x64.exe, 00000000.00000003.2121525800.00000294F69B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ucx01000.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2815738897.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bthserv.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2674742667.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: exfat.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2764324693.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tapisrv.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2727517211.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: circlass.pdb source: tmp2041392848.exe, 0000000A.00000003.2759744261.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SmartSAMD.pdb source: tmp2041392848.exe, 0000000A.00000003.2810293060.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: isapnp.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2785034015.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DiagSvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2685276781.0000026FD6C51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: usbxhci.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2819131423.0000026FD6D96000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Microsoft.Bluetooth.UserService.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2673448012.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dhcpcore.pdb source: tmp2041392848.exe, 0000000A.00000003.2684592952.0000026FD6C51000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AarSvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2660212360.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ipt.pdb source: tmp2041392848.exe, 0000000A.00000003.2784978754.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2214832534.00000294FE379000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2166230550.00000294FE379000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2225302687.00000294FE379000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2164178417.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AudioDG.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2154246793.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: NetSetupSvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2709411964.0000026FD6CB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: IPxlatCfg.pdb source: tmp2041392848.exe, 0000000A.00000003.2702370064.0000026FD6C95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ksecpkg.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2787158429.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: fastfat.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2764740138.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: APHostService.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2710697570.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: defragsvc.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2682108674.0000026FD6C49000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: hidbth.pdb source: tmp2041392848.exe, 0000000A.00000003.2777975205.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ScDeviceEnum.pdb source: tmp2041392848.exe, 0000000A.00000003.2720618592.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: nCounter.pdb source: tmp2041392848.exe, 0000000A.00000003.2767369878.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ItSas35i.pdb source: tmp2041392848.exe, 0000000A.00000003.2785702857.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dllhost.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2148773834.00000294FE145000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2148851106.00000294FE147000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2680070742.0000026FD6A95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: pnrpsvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2710992607.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CapabilityAccessManager.pdb source: tmp2041392848.exe, 0000000A.00000003.2675144481.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ksecpkg.pdb source: tmp2041392848.exe, 0000000A.00000003.2787158429.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: afd.pdb source: tmp2041392848.exe, 0000000A.00000003.2752047202.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cryptsvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2681100846.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: upfc.pdbGCTL source: Windows-StandardCollector-x64.exe, 00000000.00000003.2165116053.00000294FE379000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SchedSvc.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2720901281.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: USBAudio2.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2817542117.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CredentialEnrollmentManager.pdb source: tmp2041392848.exe, 0000000A.00000003.2681100846.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: DispBroker.Desktop.pdb source: tmp2041392848.exe, 0000000A.00000003.2685499830.0000026FD6C53000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: BthAvctpSvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2674742667.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dssvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2689310497.0000026FD6C61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iexplore.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2657711575.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: p2psvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2711373955.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ES.pdb source: tmp2041392848.exe, 0000000A.00000003.2693459299.0000026FD6C75000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: fastfat.pdb source: tmp2041392848.exe, 0000000A.00000003.2764740138.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: vstxraid.pdb source: tmp2041392848.exe, 0000000A.00000003.2821263598.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ipt.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2784978754.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CredentialEnrollmentManager.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2681100846.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: csc.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2761109663.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: errdev.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2764426697.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bxvbda.pdb source: tmp2041392848.exe, 0000000A.00000003.2754433808.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mssecflt.pdb source: tmp2041392848.exe, 0000000A.00000003.2793223241.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: bthserv.pdb source: tmp2041392848.exe, 0000000A.00000003.2674742667.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msdtckrm.pdb source: tmp2041392848.exe, 0000000A.00000003.2702705788.0000026FD6C95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tapisrv.pdb source: tmp2041392848.exe, 0000000A.00000003.2727517211.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mbbcx.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2789131710.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: PimIndexMaintenance.pdb source: tmp2041392848.exe, 0000000A.00000003.2712716515.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mssecflt.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2793223241.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dllhost.pdbGCTL source: Windows-StandardCollector-x64.exe, 00000000.00000003.2148773834.00000294FE145000.00000004.00000020.00020000.00000000.sdmp, Windows-StandardCollector-x64.exe, 00000000.00000003.2148851106.00000294FE147000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2680070742.0000026FD6A95000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ncbservice.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2708261518.0000026FD6CB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RMapi.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2719440260.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ALG.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2660411080.0000026FD6A5B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cdpsvc.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2676225727.0000026FD6C41000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SessEnv.pdb source: tmp2041392848.exe, 0000000A.00000003.2722843866.0000026FD6D0B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: p2psvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2711373955.0000026FD6CD7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sdbus.pdb source: tmp2041392848.exe, 0000000A.00000003.2808181740.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: embeddedmodesvc.pdb source: tmp2041392848.exe, 0000000A.00000003.2690829347.0000026FD6C61000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: umrdp.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2730358229.0000026FD6D2B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ndiswan.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2795623923.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: appmgmts.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2662321081.0000026FD6A5F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ipsecsvc.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2714101905.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rdbss.pdb source: tmp2041392848.exe, 0000000A.00000003.2801188835.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: smss.pdb source: Windows-StandardCollector-x64.exe, 00000000.00000003.2121525800.00000294F69B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: amdppm.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2752951736.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: acpitime.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2751498802.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: MegaSas35i.pdb source: tmp2041392848.exe, 0000000A.00000003.2789986567.0000026FD6D83000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: volmgrx.pdb source: tmp2041392848.exe, 0000000A.00000003.2820461957.0000026FD6D96000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: amdppm.pdb source: tmp2041392848.exe, 0000000A.00000003.2752951736.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gpuenergydrv.pdb source: tmp2041392848.exe, 0000000A.00000003.2769229705.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: NaturalAuth.pdb source: tmp2041392848.exe, 0000000A.00000003.2707983549.0000026FD6CB5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: qwave.pdb source: tmp2041392848.exe, 0000000A.00000003.2717733966.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2717623441.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msquic.pdbUGP source: tmp2041392848.exe, 0000000A.00000003.2792665347.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: SensorService.pdbGCTL source: tmp2041392848.exe, 0000000A.00000003.2722414011.0000026FD6D03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: acpitime.pdb source: tmp2041392848.exe, 0000000A.00000003.2751498802.0000026FD6D6D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: umpnpmgr.pdb source: tmp2041392848.exe, 0000000A.00000003.2683209921.0000026FD6C49000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2713437926.0000026FD6CD9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: iscsiexe.pdb source: tmp2041392848.exe, 0000000A.00000003.2707121763.0000026FD6CA5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rdyboost.pdb source: tmp2041392848.exe, 0000000A.00000003.2801597478.0000026FD4A74000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: cht4vx64.pdb source: tmp2041392848.exe, 0000000A.00000003.2759169449.0000026FD7041000.00000004.00000020.00020000.00000000.sdmp
Source: tmp2041392848.exe.0.dr Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_000000C00280258D push 0000000Fh; iretd 0_3_000000C00280258F
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_00000294FE119BAF push esi; retf 0_3_00000294FE119BB2
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_00000294FE11959F push esi; retf 0_3_00000294FE1195A2
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_00000294FE11A1BF push esi; retf 0_3_00000294FE11A1C2
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_00000294FE1185EA push ds; retf 0_3_00000294FE1185F9
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_00000294FE11B3EF push esi; retf 0_3_00000294FE11B3F2
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Code function: 0_3_00000294FE11B9FF push esi; retf 0_3_00000294FE11BA02

Persistence and Installation Behavior

barindex
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe File created: C:\Users\user\Desktop\tmp2041392848.exe
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\tmp2041392848.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * from Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DeviceID, Description, VolumeName, FreeSpace, Size, SystemName, VolumeSerialNumber from Win32_LogicalDisk
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM win32_computersystem
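The WMI queries listed above and the `ipconfig /displaydns` child process recorded under Persistence and Installation Behavior are the concrete behaviours behind the report's VM-detection and ipconfig signatures. The following Python is an added example, not part of the report or of the sample: it parses report lines of these two shapes, collapses the duplicated Win32_LogicalDisk hit, and tags each distinct query or process against an analyst-maintained list of WMI classes that VM/sandbox checks commonly read. The class list, the tag names and the regular expressions are assumptions made here; the sample lines are copied from this report.

```python
import re
from collections import Counter

# Constructed sample lines, copied from the report sections above. The duplicate
# Win32_LogicalDisk line is kept on purpose to show the de-duplication.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * from Win32_NetworkAdapterConfiguration",
    r"Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DeviceID, Description, VolumeName, FreeSpace, Size, SystemName, VolumeSerialNumber from Win32_LogicalDisk",
    r"Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DeviceID, Description, VolumeName, FreeSpace, Size, SystemName, VolumeSerialNumber from Win32_LogicalDisk",
    r"Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM win32_computersystem",
    r"Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns",
]

WMI_RE = re.compile(r"^Source: (?P<proc>.+?) WMI Queries: IWbemServices::ExecQuery - (?P<ns>\S+) : (?P<wql>.+)$")
WQL_RE = re.compile(r"^SELECT\s+(?P<props>.+?)\s+FROM\s+(?P<cls>\w+)\s*$", re.IGNORECASE)
# Image paths in this report carry no spaces; a path with spaces would need quoting.
PROC_RE = re.compile(r"^Source: (?P<proc>.+?) Process created: (?P<image>\S+) (?P<cmdline>.+)$")

# Analyst-maintained list (an assumption, not report content) of WMI classes that
# VM/sandbox fingerprinting code commonly reads, with the property it usually wants.
FINGERPRINT_CLASSES = {
    "win32_computersystem": "Manufacturer/Model name the hypervisor",
    "win32_logicaldisk": "Size/VolumeSerialNumber expose small or canned sandbox disks",
    "win32_networkadapter": "MACAddress OUI prefixes of virtual NICs",
    "win32_networkadapterconfiguration": "MACAddress OUI prefixes of virtual NICs",
    "win32_bios": "SerialNumber/Manufacturer strings from hypervisors",
}

def parse_wmi(line):
    """Split a 'WMI Queries' report line into process, namespace, class and property list."""
    m = WMI_RE.match(line)
    q = WQL_RE.match(m["wql"].strip()) if m else None
    if not q:
        return None
    props = tuple(p.strip() for p in q["props"].split(","))
    return {"process": m["proc"], "namespace": m["ns"], "class": q["cls"], "properties": props}

def parse_process_created(line):
    """Split a 'Process created' report line into parent, image and command line."""
    m = PROC_RE.match(line)
    return {"process": m["proc"], "image": m["image"], "cmdline": m["cmdline"]} if m else None

def tag_process(image, cmdline):
    """Name the behaviour a child process stands for; only the case seen here is covered."""
    if image.lower().endswith("ipconfig.exe") and "/displaydns" in cmdline.lower():
        return "dns-cache-dump"  # the resolver cache reveals what the host recently talked to
    return "process"

def triage(lines):
    """Collapse duplicate report lines and tag each distinct WMI query or child process."""
    counts, findings = Counter(), {}
    for line in lines:
        w = parse_wmi(line)
        if w:
            key = ("wmi", w["class"].lower(), w["properties"])
            why = FINGERPRINT_CLASSES.get(w["class"].lower())
            findings[key] = {**w, "tag": "vm-fingerprint-candidate" if why else "wmi", "why": why}
        else:
            p = parse_process_created(line)
            if not p:
                continue  # some other signature line; ignored by this triage
            key = ("proc", p["image"].lower(), p["cmdline"].lower())
            findings[key] = {**p, "tag": tag_process(p["image"], p["cmdline"])}
        counts[key] += 1
    return [{**f, "count": counts[k]} for k, f in findings.items()]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding["count"], finding["tag"], finding.get("class") or finding.get("image"))
```

A tag is a candidate, not a verdict: inventory and forensic-collection tools issue the same queries, so read the selected properties as well. A query that pulls VolumeName, FreeSpace and SystemName from Win32_LogicalDisk looks more like an inventory pass than the bare Size check a sandbox test would make, which is why the report words these signatures as "often done to detect" rather than as a detection.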
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe File opened: C:\Windows\System32\config\systemprofile\
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe File opened: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe File opened: C:\Windows\System32\config\RegBack\
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe File opened: C:\Windows\System32\config\systemprofile\AppData\
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe File opened: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe File opened: C:\Windows\System32\config\systemprofile\AppData\LocalLow\
Source: tmp2041392848.exe, 0000000A.00000003.2733098123.0000026FD6D2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FvmicshutdownSeShutdownPrivilegevmicvmsession
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2118428930.000000C001362000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 910,VMware (Fusion/Workstation/Server/Player),Memory,**10\*.vmem,lazy_ntfs,Captures all raw memory from VMware virtual machines.
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2118428930.000000C001362000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 911,VMware (Fusion/Workstation/Server/Player),Memory,**10\*.vmss,lazy_ntfs,Captures all memory images from VMware virtual machines.
Source: tmp2041392848.exe, 0000000A.00000003.2787988429.0000026FD6A7B000.00000004.00000020.00020000.00000000.sdmp, tmp2041392848.exe, 0000000A.00000003.2788782050.0000026FD6A7B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft Hyper-V Generation Counter: Virtual Machine Generation CounterG
Source: tmp2041392848.exe, 0000000A.00000003.2733098123.0000026FD6D2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VirtualMachineId
Source: tmp2041392848.exe, 0000000A.00000003.2819783459.0000026FD6D96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 3Microsoft-Windows-Hyper-V-VID
Source: tmp2041392848.exe, 0000000A.00000003.2762454904.0000026FD70B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ADxgkCompositionObjectDxgkSharedBundleObjectDxgkSharedProtectedSessionObjectDxgkCurrentDxgThreadObjectDxgkDisplayManagerObjectDxgkSharedSwapChainObjectDxgkSharedSyncObjectDxgkSharedKeyedMutexObjectDxgkSharedResourceGraphicsDrivers\ValidationReportVirtualMachineFailReserveGPUVAFailRenderDDIFailEscapeDDILevelMultiMonSupportMicrosoft-Windows-Core-AllowMultiMonDisableNonPOSTDeviceIDConfigDB\CurrentDockInfoDockingStateUserIsCurrentProcessImmersiveWin32FreePoolUserUnsafeIsProcessDwmUserUnsafeIsCurrentProcessDwmUserSetWindowedSwapChainApiExtUserRemoveWindowedSwapChainUserReferenceDwmProcessUserReferenceDwmApiPortUserLeaveUserCritSecUserIsWindowDesktopComposedUserIsDisconnectConnectionUserIsUserCritSecInUserIsCurrentThreadDesktopComposedUserEnterUserCritSecSharedUserDereferenceDwmProcessUserAllocDefaultCompositionSecurityDescriptorGreUnlockDwmStateGreSfmOpenTokenEventGreSfmGetPresentQueueEventGreSfmGetNotificationTokensGreSfmCleanupPresentHistoryGreLockDwmStateGreIsDwmStateLockedGreDwmDesktopOverlaysEnabledEtwTraceTokenStateChangedEventEtwTraceTokenIndependentFlipSkipCompleteEventEtwTraceTokenCompositionSurfaceObjectEventEtwTraceFlipManagerStopTokenReleaseToFrameEtwTraceFlipManagerStartTokenReleaseToFrameEtwTraceFlipManagerStopCompleteTokenEtwTraceFlipManagerStartCompleteTokenEtwTraceCompositionSurfaceObjectUpdateEventEngDeleteRgnDCompositionShouldDeferTokenDCompositionNotifyPresentDCompositionNotifyCompositionTokenPresentCreateRegionFromRectCreateRegionCheckAndProcessSurfaceCompleteHD15\Registry\Machine\System\CurrentControlSet\Control\GraphicsDrivers\AdditionalModeLists\VidSchInterfaceVidMmInterface\SystemRoot\System32\drivers\dxgmms2.sys\SystemRoot\System32\drivers\dxgmms1.sys\Registry\Machine\System\CurrentControlSet\Control\GraphicsDrivers\FeatureSetUsage\Callback\PowerStateUnsupportedMonitorModesAllowedGraphicsDrivers\IoMmuHistoryEntryStackSizeEnableHistoryTrackingMaxHistoryCountLog2Generic Monitori>Lh
Source: tmp2041392848.exe, 0000000A.00000003.2733098123.0000026FD6D2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @"GuestKvpInfoVirtualMachineId
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2118428930.000000C001362000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 909,VMware - Virtual Machine Inventory,Apps,Users\*\AppData\Roaming\VMware,lazy_ntfs,Locates an inventory of all Virtual Machines on disk.
Source: tmp2041392848.exe, 0000000A.00000003.2733098123.0000026FD6D2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UpdateItemsvmickvpexchangeonecore\vm\ic\features\kvpexchange\child\ickvpexchangechild.cppGetComputerNameEx failed; cannot update ComputerNameDNSFullyQualified.GetVersionEx failed; could not update version info.%d.%d.%dGetProductInfo failed.UnknownSoftware\Microsoft\Windows NT\CurrentVersionProductNameGet IP Address version mismatch.Invalid or unsupported KVP exchange request.VirtualMachineIdIntegrationServicesVersionOSBuildNumberOSMinorVersionSuiteMaskRDPAddressIPv4NetworkAddressIPv6OSEditionIdOSSignatureProductTypeOSMajorVersionServicePackMajorServicePackMinorOSNameCSDVersionRDPAddressIPv6OSVersionFullyQualifiedDomainNameOSPlatformIdProcessorArchitectureOSVendorNetworkAddressIPv4SOFTWARE\Microsoft\Virtual Machine\ExternalSOFTWARE\Microsoft\Virtual Machine\GuestSOFTWARE\Microsoft\Virtual Machine\AutoSOFTWARE\Microsoft\Virtual Machine\Guest\ParametersInvalid value name.onecore\vm\ic\features\kvpexchange\child\ickvpexchangereg.cppInvalid key name pointer.Invalid value data pointer.Invalid or unsupported registry data.Invalid pool specifier: 0x%X.Failed to open registry key: %ws.Registry type mismatch - expected REG_SZ, actual = %u.The value data size is too large for value name: %ws.%ubad castonecore\vm\ic\features\kvpexchange\child\ICWbemUtility.hbad locale nameroot\StandardCimV2':SELECT * FROM MSFT_NetAdapter WHERE PermanentAddress = 'SELECT * FROM MSFT_NetAdapter WHERE PnPDeviceID LIKE 'PermanentAddressInterfaceIndexInterfaceGuidonecore\vm\ic\features\kvpexchange\child\ickvpipnetworkadapterconfiguration.cppDhcpMSFT_NetIPInterfaceMSFT_NetIPInterfaceAdapterStoreinterface ipv4 delete address %u %sinterface ipv4 add address %u %s %sinterface ipv4 delete route 0.0.0.0/0 %u %sinterface ipv4 add route 0.0.0.0/0 %u %sinterface ipv4 set dnsserver %u dhcpinterface ipv4 set dnsserver %u static none validate=nointerface ipv4 add dnsserver %u %s%sinterface ipv6 delete address %u %sinterface ipv6 add address %u %s/%sinterface ipv6 delete route ::/0 %u %sinterface ipv6 add route ::/0 %u %sinterface ipv6 set dnsserver %u dhcpinterface ipv6 set dnsserver %u static noneinterface ipv6 add dnsserver %u %s%sMSFT_NetRouteMSFT_NetIPInterfaceRouteAddressFamilyDestinationPrefixNextHop0.0.0.0/0::/0Failed to get the list of gateways (InterfaceIndex = %u).MSFT_NetIPAddressMSFT_NetIPInterfaceIPAddressIPAddressPrefixLengthFailed to get a list of IP addresses (InterfaceIndex = %u). NULWSAStartup failed: 0x%Xnetsh.exevector<T> too longvector<bool> too longalnumalnumalphaalphablankblankcntrlcntrldddigitdigitgraphgraphlowerlowerprintprintpunctpunctspacespacessupperupperwwxdigitxdigit
Source: tmp2041392848.exe, 0000000A.00000003.2733098123.0000026FD6D2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicguestinterface%hswil -- onecore\vm\ic\features\guestinterface\child\icguestinterface.cppNT AUTHORITYSYSTEMICGuestInterfaceGetAccessToken failedICGuestInterfaceCreateDirectory for directory %ws failedError creating destination file %ws.Error setting the file pointer in fileError writing %lu bytes to filestring too longonecore\internal\sdk\inc\wil\opensource\wil\resource.h_p0honecore\internal\sdk\inc\wil\opensource\wil\result.hWilError_03ChildInitializeICServiceMainvmicheartbeatFailed to initialize transport.onecore\vm\ic\features\heartbeat\child\icheartbeatchild.cppICChild::Initialize failed.Failed to register endpoint.ICChild::ICServiceRegisterCtrlHandler failed.ICHeartbeatChild::ICServiceMain: Wait for thread failed.Local\SM0:%d:%d:%hs
Source: Windows-StandardCollector-x64.exe, 00000000.00000003.2118428930.000000C001362000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: 912,VMware (Fusion/Workstation/Server/Player),Memory,**10\*.vmsn,lazy_ntfs,Captures all memory images from VMware virtual machines.
Source: tmp2041392848.exe, 0000000A.00000003.2819783459.0000026FD6D96000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Microsoft-Windows-Hyper-V-VID
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\tmp2041392848.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\tmp2041392848.exe NtCreateKey: Indirect: 0x7FF7CC0BD32B
Source: C:\Users\user\Desktop\tmp2041392848.exe NtOpenKey: Indirect: 0x7FF7CC0BD2C1
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /displaydns
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Process created: C:\Users\user\Desktop\tmp2041392848.exe C:\Users\user\Desktop\tmp2041392848.exe -nobanner -accepteula -t -a * -c -h *
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId4
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Queries volume information: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe VolumeInformation
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0516~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0515~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package04~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package051021~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05113~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0511~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0514~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package05110~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\tmp2041392848.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0511~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\tmp2041392848.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-Package0517~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\tmp2041392848.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0015~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\Windows-StandardCollector-x64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: tmp2041392848.exe PID: 1472, type: MEMORYSTR
Source: C:\Users\user\Desktop\tmp2041392848.exe Directory queried: number of queries: 1001

Remote Access Functionality

Source: Yara match File source: Process Memory Space: tmp2041392848.exe PID: 1472, type: MEMORYSTR
No contacted IP infos