

Windows Analysis Report
ruXU7wj3X9.dll

Overview

General Information

Sample name: ruXU7wj3X9.dll (renamed because the original name is a hash value)
Original sample name: d907672759069af4824b0354e9170285.dll
Analysis ID: 1591362
MD5: d907672759069af4824b0354e9170285
SHA1: d995544a19032e9cebdd6d76c03580a89bd7a330
SHA256: 4ad2a09b3c99f31faf5f46b2298dcf2e9c5b84a96732bffea2fcf4e2c2aa791e
Tags: dll, exe, user-mentality

Detection

Wannacry
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Wannacry ransomware
Connects to many different private IPs (likely to spread or exploit)
Connects to many different private IPs via SMB (likely to spread or exploit)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
Sample execution stops while process was sleeping (likely an evasion)
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

(classification chart omitted)

Startup

  • System is w10x64
  • loaddll32.exe (PID: 6512 cmdline: loaddll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 3660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1736 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 3832 cmdline: rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • mssecsvr.exe (PID: 5944 cmdline: C:\WINDOWS\mssecsvr.exe MD5: B15FB425B628062A7BB0F11DBAECF4AC)
    • rundll32.exe (PID: 4992 cmdline: rundll32.exe C:\Users\user\Desktop\ruXU7wj3X9.dll,PlayGame MD5: 889B99C52A60DD49227C5E485A016679)
    • rundll32.exe (PID: 6780 cmdline: rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",PlayGame MD5: 889B99C52A60DD49227C5E485A016679)
      • mssecsvr.exe (PID: 6720 cmdline: C:\WINDOWS\mssecsvr.exe MD5: B15FB425B628062A7BB0F11DBAECF4AC)
        • tasksche.exe (PID: 3456 cmdline: C:\WINDOWS\tasksche.exe /i MD5: 41C0E22D28973F312DE789C027E61D0C)
          • WerFault.exe (PID: 4992 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 604 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • mssecsvr.exe (PID: 6552 cmdline: C:\WINDOWS\mssecsvr.exe -m security MD5: B15FB425B628062A7BB0F11DBAECF4AC)
  • svchost.exe (PID: 3148 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 2888 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3456 -ip 3456 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • svchost.exe (PID: 3628 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
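The tree above shows the whole launch chain in one place: rundll32.exe loads the DLL from the user's Desktop (by ordinal #1 and by the export name PlayGame), the DLL writes mssecsvr.exe straight into C:\WINDOWS and starts it, mssecsvr.exe writes and starts tasksche.exe /i, and a separate mssecsvr.exe -m security appears with no parent in the tree. The following Python pass is an added example, not Joe Sandbox output: it re-derives those behaviours from process-creation events constructed from the tree (PIDs, image names and command lines as listed there). The rule names, the allow-list of binaries that legitimately live directly in C:\Windows, and the event field layout are my assumptions. It also deals with the PID reuse visible in the tree (4992 is first a rundll32.exe, later the WerFault.exe for tasksche), which breaks naive pid-to-parent maps.

```python
"""Flag the launch chain shown in the process tree above.

Added example, not Joe Sandbox output: the events are constructed from the
tree (PIDs, image names and command lines as listed there); the rule names,
the allow-list and the event field layout are my own assumptions.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent: Optional["ProcEvent"] = field(default=None, repr=False)

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()

    @property
    def directory(self) -> str:
        return ntpath.dirname(self.image).lower()


# Constructed from the report's tree, in start order; ppid 0 marks a tree root.
# The report shows PID 4992 twice (rundll32.exe, later WerFault.exe): PID reuse.
EVENTS = [
    ProcEvent(6512, 0, "loaddll32.exe", r'loaddll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll"'),
    ProcEvent(3660, 6512, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(1736, 6512, "cmd.exe", r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",#1'),
    ProcEvent(3832, 1736, "rundll32.exe", r'rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",#1'),
    ProcEvent(5944, 3832, r"C:\WINDOWS\mssecsvr.exe", r"C:\WINDOWS\mssecsvr.exe"),
    ProcEvent(4992, 6512, "rundll32.exe", r"rundll32.exe C:\Users\user\Desktop\ruXU7wj3X9.dll,PlayGame"),
    ProcEvent(6780, 6512, "rundll32.exe", r'rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",PlayGame'),
    ProcEvent(6720, 6780, r"C:\WINDOWS\mssecsvr.exe", r"C:\WINDOWS\mssecsvr.exe"),
    ProcEvent(3456, 6720, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    ProcEvent(4992, 3456, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 604"),
    ProcEvent(6552, 0, r"C:\WINDOWS\mssecsvr.exe", r"C:\WINDOWS\mssecsvr.exe -m security"),
    ProcEvent(3148, 0, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k WerSvcGroup"),
    ProcEvent(2888, 3148, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3456 -ip 3456"),
]

# rundll32.exe <dll>,<export>, with or without quotes around the DLL path
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+)"?,(\S+)', re.IGNORECASE)
# Binaries that legitimately live directly in C:\Windows (assumption; tune per estate).
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe"}


def link_parents(events):
    """Resolve each parent as the most recent process seen with that PID.
    A single pid->event map built up front would attach tasksche's WerFault
    to the wrong 4992; walking in start order handles the reuse."""
    live = {}
    for ev in events:
        ev.parent = live.get(ev.ppid)
        live[ev.pid] = ev
    return events


def ancestry(ev):
    """Image names from the root of the tree down to ev."""
    chain = []
    while ev is not None:
        chain.append(ev.name)
        ev = ev.parent
    return chain[::-1]


def analyze(events):
    findings = []
    for ev in link_parents(events):
        if ev.name == "rundll32.exe":
            m = RUNDLL_RE.search(ev.cmdline)
            if m and "\\users\\" in m.group(1).lower():
                findings.append((ev.pid, "rundll32_user_profile_dll", f"{m.group(1)} export {m.group(2)}"))
        if ev.directory == r"c:\windows" and ev.name not in WINDOWS_ROOT_ALLOW:
            if ev.parent is None:
                # No parent in the tree (here: mssecsvr.exe -m security, a root of the tree).
                findings.append((ev.pid, "windows_root_exe_service_start", ev.cmdline))
            else:
                findings.append((ev.pid, "windows_root_exe_spawned", " > ".join(ancestry(ev))))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in analyze(EVENTS):
        print(f"{pid:>5}  {rule:<32} {detail}")
```

The interesting output line is tasksche.exe's ancestry, loaddll32.exe > rundll32.exe > mssecsvr.exe > tasksche.exe: two hops from a DLL on the Desktop to a second executable in the Windows root, which is what the "Drops executables to the windows directory (C:\Windows) and starts them" signature is summarising. conhost.exe, WerFault.exe and svchost.exe live under system32 or SysWOW64, not the Windows root, so they are not flagged.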
Yara matches

Initial sample

Source: ruXU7wj3X9.dll
  Rule: JoeSecurity_Wannacry (Joe Security): Yara detected Wannacry ransomware
  Rule: WannaCry_Ransomware (Florian Roth, with the help of binar.ly): Detects WannaCry Ransomware
    • 0x45604: $x1: icacls . /grant Everyone:F /T /C /Q
    • 0x353d0: $x3: tasksche.exe
    • 0x455e0: $x3: tasksche.exe
    • 0x455bc: $x4: Global\MsWinZonesCacheCounterMutexA
    • 0x45634: $x5: WNcry@2ol7
    • 0x353a8: $x8: C:\%s\qeriuwjhrf
    • 0x45604: $x9: icacls . /grant Everyone:F /T /C /Q
    • 0x3014: $s1: C:\%s\%s
    • 0x12098: $s1: C:\%s\%s
    • 0x1b39c: $s1: C:\%s\%s
    • 0x353bc: $s1: C:\%s\%s
    • 0x45534: $s3: cmd.exe /c "%s"
    • 0x77a88: $s4: msg/m_portuguese.wnry
    • 0x326f0: $s5: \\192.168.56.20\IPC$
    • 0x1fae5: $s6: \\172.16.99.5\IPC$
    • 0xd195: $op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
    • 0x78da: $op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
    • 0x5449: $op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
  Rule: wanna_cry_ransomware_generic (US-CERT Code Analysis Team): detects wannacry ransomware on disk and in virtual page
    • 0x455e0: $s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
    • 0x45608: $s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Dropped files

Source: C:\Windows\tasksche.exe
  Rule: JoeSecurity_Wannacry (Joe Security): Yara detected Wannacry ransomware
  Rule: WannaCry_Ransomware (Florian Roth, with the help of binar.ly): Detects WannaCry Ransomware
    • 0xf4fc: $x1: icacls . /grant Everyone:F /T /C /Q
    • 0xf4d8: $x3: tasksche.exe
    • 0xf4b4: $x4: Global\MsWinZonesCacheCounterMutexA
    • 0xf52c: $x5: WNcry@2ol7
    • 0xf4fc: $x9: icacls . /grant Everyone:F /T /C /Q
    • 0xf42c: $s3: cmd.exe /c "%s"
    • 0x41980: $s4: msg/m_portuguese.wnry
  Rule: wanna_cry_ransomware_generic (US-CERT Code Analysis Team): detects wannacry ransomware on disk and in virtual page
    • 0xf4d8: $s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
    • 0xf500: $s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68

Source: C:\Windows\mssecsvr.exe
  Rule: JoeSecurity_Wannacry (Joe Security): Yara detected Wannacry ransomware
  Rule: WannaCry_Ransomware (Florian Roth, with the help of binar.ly): Detects WannaCry Ransomware
    • 0x415a0: $x1: icacls . /grant Everyone:F /T /C /Q
    • 0x3136c: $x3: tasksche.exe
    • 0x4157c: $x3: tasksche.exe
    • 0x41558: $x4: Global\MsWinZonesCacheCounterMutexA
    • 0x415d0: $x5: WNcry@2ol7
    • 0x31344: $x8: C:\%s\qeriuwjhrf
    • 0x415a0: $x9: icacls . /grant Everyone:F /T /C /Q
    • 0xe034: $s1: C:\%s\%s
    • 0x17338: $s1: C:\%s\%s
    • 0x31358: $s1: C:\%s\%s
    • 0x414d0: $s3: cmd.exe /c "%s"
    • 0x73a24: $s4: msg/m_portuguese.wnry
    • 0x2e68c: $s5: \\192.168.56.20\IPC$
    • 0x1ba81: $s6: \\172.16.99.5\IPC$
    • 0x9131: $op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
    • 0x3876: $op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
    • 0x13e5: $op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
  (2 further entries omitted)

Memory dumps

Source: 00000008.00000002.2223330577.000000000042E000.00000004.00000001.01000000.00000004.sdmp
  Rule: JoeSecurity_Wannacry (Joe Security): Yara detected Wannacry ransomware
Source: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp
  Rule: wanna_cry_ransomware_generic (US-CERT Code Analysis Team): detects wannacry ransomware on disk and in virtual page
    • 0xf0d8: $s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
    • 0xf100: $s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Source: 0000000A.00000002.1584683802.000000000040F000.00000008.00000001.01000000.00000004.sdmp
  Rule: JoeSecurity_Wannacry (Joe Security): Yara detected Wannacry ransomware
Source: 0000000B.00000000.1584094306.0000000000401000.00000020.00000001.01000000.00000007.sdmp
  Rule: wanna_cry_ransomware_generic (US-CERT Code Analysis Team): detects wannacry ransomware on disk and in virtual page
    • 0xf0d8: $s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
    • 0xf100: $s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Source: 0000000A.00000000.1562813019.000000000040F000.00000008.00000001.01000000.00000004.sdmp
  Rule: JoeSecurity_Wannacry (Joe Security): Yara detected Wannacry ransomware
  (22 further entries omitted)

Unpacked PEs

Source: 8.2.mssecsvr.exe.22738c8.9.raw.unpack
  Rule: WannaCry_Ransomware (Florian Roth, with the help of binar.ly): Detects WannaCry Ransomware
    • 0x9131: $op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
    • 0x3876: $op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
    • 0x13e5: $op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
Source: 8.2.mssecsvr.exe.1d4a084.5.raw.unpack
  Rule: WannaCry_Ransomware (Florian Roth, with the help of binar.ly): Detects WannaCry Ransomware
    • 0x9131: $op1: 10 AC 72 0D 3D FF FF 1F AC 77 06 B8 01 00 00 00
    • 0x3876: $op2: 44 24 64 8A C6 44 24 65 0E C6 44 24 66 80 C6 44
    • 0x13e5: $op3: 18 DF 6C 24 14 DC 64 24 2C DC 6C 24 5C DC 15 88
Source: 8.0.mssecsvr.exe.7100a4.1.unpack
  Rule: WannaCry_Ransomware (Florian Roth, with the help of binar.ly): Detects WannaCry Ransomware
    • 0xe8fc: $x1: icacls . /grant Everyone:F /T /C /Q
    • 0xe8d8: $x3: tasksche.exe
    • 0xe8b4: $x4: Global\MsWinZonesCacheCounterMutexA
    • 0xe92c: $x5: WNcry@2ol7
    • 0xe8fc: $x9: icacls . /grant Everyone:F /T /C /Q
    • 0xe82c: $s3: cmd.exe /c "%s"
  Rule: wanna_cry_ransomware_generic (US-CERT Code Analysis Team): detects wannacry ransomware on disk and in virtual page
    • 0xe8d8: $s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63
    • 0xe900: $s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
Source: 8.2.mssecsvr.exe.1d7c128.3.unpack
  Rule: WannaCry_Ransomware (Florian Roth, with the help of binar.ly): Detects WannaCry Ransomware
    • 0xe8fc: $x1: icacls . /grant Everyone:F /T /C /Q
    • 0xe8d8: $x3: tasksche.exe
    • 0xe8b4: $x4: Global\MsWinZonesCacheCounterMutexA
    • 0xe92c: $x5: WNcry@2ol7
    • 0xe8fc: $x9: icacls . /grant Everyone:F /T /C /Q
    • 0xe82c: $s3: cmd.exe /c "%s"
  (91 further entries omitted)
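The offsets above are worth a second look: in the DLL, in both dropped executables and in the unpacked regions the same string table recurs at a different base, with identical spacing ($x3 tasksche.exe sits 0x24 after the $x4 mutex, $x1 icacls 0x24 after $x3, the generic rule's $s12 exactly 0x28 after $s11, and $x5 WNcry@2ol7 0x54 after $x3). The following Python is an added example, not part of the report or of either YARA rule: it decodes the two hex strings of wanna_cry_ransomware_generic to show what they spell, scans a constructed buffer that reproduces only the offsets reported for C:\Windows\tasksche.exe (the bytes between the listed strings are zero filler, not sample content), and applies an illustrative "n of" condition; the published rules' real conditions are not reproduced here.

```python
"""Re-check the string hits listed above for C:\\Windows\\tasksche.exe.

Added example, not part of the report or of either rule: the hex strings
are decoded from the listing, scanned over a constructed buffer that
reproduces only the reported relative offsets (zero filler in between),
and the "n of" condition is an illustration, not the rules' own.
"""

TEXT_STRINGS = {
    "$x1": b"icacls . /grant Everyone:F /T /C /Q",
    "$x3": b"tasksche.exe",
    "$x4": b"Global\\MsWinZonesCacheCounterMutexA",
    "$x5": b"WNcry@2ol7",
    "$s3": b'cmd.exe /c "%s"',
}
# Hex strings of wanna_cry_ransomware_generic exactly as listed in the report.
HEX_STRINGS = {
    "$s11": "74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 "
            "00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63",
    "$s12": "6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 "
            "20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68",
}


def hex_pattern(text):
    return bytes.fromhex(text.replace(" ", ""))


def decode_hex_strings():
    """What the generic rule's hex strings spell (NUL shown as '|')."""
    return {name: hex_pattern(h).replace(b"\0", b"|").decode("ascii")
            for name, h in HEX_STRINGS.items()}


def build_sample():
    """Place the strings at the offsets reported for tasksche.exe (base 0xf42c).
    Constructed layout: only the listed strings and their spacing are real."""
    layout = [
        (0xF42C, b'cmd.exe /c "%s"\0'),
        (0xF4B4, b"Global\\MsWinZonesCacheCounterMutexA\0"),
        (0xF4D8, b"tasksche.exe\0\0\0\0"),
        (0xF4E8, b"TaskStart\0\0\0"),
        (0xF4F4, b"t.wnry\0\0"),
        (0xF4FC, b"icacls . /grant Everyone:F /T /C /Q\0"),
        (0xF520, b"attrib +h"),
        (0xF52C, b"WNcry@2ol7\0"),
    ]
    base = layout[0][0]
    buf = bytearray(max(off + len(data) for off, data in layout) - base)
    for off, data in layout:
        buf[off - base:off - base + len(data)] = data
    return bytes(buf), base


def scan(buf, base, patterns):
    """Every occurrence of each pattern as an absolute offset: {name: [offset, ...]}."""
    hits = {}
    for name, pat in patterns.items():
        pos, found = 0, []
        while (pos := buf.find(pat, pos)) != -1:
            found.append(base + pos)
            pos += 1
        hits[name] = found
    return hits


def n_of(hits, prefix, n):
    return sum(1 for name, offs in hits.items() if name.startswith(prefix) and offs) >= n


def evaluate(buf, base):
    patterns = dict(TEXT_STRINGS)
    patterns.update({name: hex_pattern(h) for name, h in HEX_STRINGS.items()})
    hits = scan(buf, base, patterns)
    # Illustrative condition (assumption): two $x hits, or all three $s hits.
    return hits, bool(n_of(hits, "$x", 2) or n_of(hits, "$s", 3))


if __name__ == "__main__":
    for name, text in decode_hex_strings().items():
        print(name, "=", text)
    buf, base = build_sample()
    hits, matched = evaluate(buf, base)
    for name, offs in hits.items():
        print(name, [hex(o) for o in offs])
    print("matched:", matched)
```

Decoding shows why $s11 and $s12 abut: $s11 ends in the first four bytes of the icacls command ("icac") and $s12 starts with the remainder ("ls . /grant ... /Q"), then the NUL and the start of the next string, "attrib +h". The two hex strings therefore pin the string table's layout, not just its contents, which is why they match at the same relative positions in every file and memory region above.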

              System Summary

Source: Process started; Author: vburov; Data:
  Command: C:\Windows\System32\svchost.exe -k WerSvcGroup
  CommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\System32\svchost.exe
  NewProcessName: C:\Windows\System32\svchost.exe
  OriginalFileName: C:\Windows\System32\svchost.exe
  ParentCommandLine: (empty)
  ParentImage: (empty)
  ParentProcessId: 624
  ProcessCommandLine: C:\Windows\System32\svchost.exe -k WerSvcGroup
  ProcessId: 3148
  ProcessName: svchost.exe

Suricata IDS alerts (severity 1 is the highest)

Timestamp                        SID      Severity  Classtype                      Source IP    Source port  Destination IP   Destination port  Protocol
2025-01-14T22:42:29.157189+0100  2830018  1         A Network Trojan was detected  192.168.2.8  49256        1.1.1.1          53                UDP
2025-01-14T22:42:30.076941+0100  2803304  3         Unknown Traffic                192.168.2.8  49707        103.224.212.215  80                TCP
2025-01-14T22:42:32.744988+0100  2803304  3         Unknown Traffic                192.168.2.8  49709        103.224.212.215  80                TCP


              AV Detection

Source: ruXU7wj3X9.dll; Avira: detected
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/.; Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-3096-a478-d7c464a3f0ca; Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/p; Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-32cc-b361-86c8884a5e; Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-3207-bd07-6551d63508; Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-32cc-b361-86c8884a5eaf; Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-3096-a478-d7c464a3f0; Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250115-0842-3207-bd07-6551d635081d; Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/8; Avira URL Cloud: Label: malware
Source: http://ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/; Avira URL Cloud: Label: malware
Source: C:\Windows\mssecsvr.exe; Avira: detection malicious, Label: TR/Ransom.Gen
Source: C:\Windows\tasksche.exe; Avira: detection malicious, Label: TR/Patched.Gen
Source: ruXU7wj3X9.dll; Virustotal: Detection: 88%
Source: ruXU7wj3X9.dll; ReversingLabs: Detection: 89%
Source: C:\Windows\mssecsvr.exe; Joe Sandbox ML: detected
Source: ruXU7wj3X9.dll; Joe Sandbox ML: detected

The URL entries are variants (several truncated, as extracted from memory) of iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com, the WannaCry kill-switch domain: the worm issues an HTTP GET to it at start-up and stops if the request succeeds, which is the request behind the "HTTP GET or POST without a user agent" signature above. The 103.224.212.215:80 connections in the Suricata table are the traffic to that host.

              Exploits

Source: global traffic; TCP traffic to port 445 on 114 distinct hosts: every address from 192.168.2.1 through 192.168.2.114, i.e. a sweep of the analysis subnet. The targets include 192.168.2.8, the analysis machine's own address (the source IP in the Suricata table above). Destinations in the order the analyzer recorded them (last octet of 192.168.2.x, port 445/TCP):
  39 38 42 41 44 43 46 45 48 47 40
  28 27 29 31 30 33 32 35 34 37 36
  17 16 19 18 20 22 21 24 23 26 25
  97 96 11 99 10 98 13 12 15 14
  91 90 93 92 95 94
  2 1 8 7 9 4 3 6 5
  86 104 85 105 88 102 87 103 108 89 109 106 107
  80 82 100 81 101 84 83
  75 74 77 113 76 114 79 78
  71 111 70 112 73 72 110
  64 63 66 65 68 67 69 60 62 61
  49 53 52 55 54 57 56 59 58 51 50
              Source: Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb source: mssecsvr.exe, 00000006.00000000.1534540990.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvr.exe, 00000008.00000000.1560193255.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvr.exe, 00000008.00000002.2225953882.0000000001D59000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2226237017.0000000002282000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1584859851.0000000000710000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000B.00000000.1584131463.000000000042A000.00000002.00000001.01000000.00000007.sdmp, tasksche.exe, 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp, ruXU7wj3X9.dll, mssecsvr.exe.3.dr, tasksche.exe.10.dr
              Source: C:\Windows\tasksche.exe | Code function: 11_2_00409476 FindFirstFileW, FindFirstFileW, FindFirstFileW, GetLastError, FindNextFileW, GetLastError

              Networking

              Source: Network traffic | Suricata IDS: 2830018 - Severity 1 - ETPRO MALWARE Observed WannaCry Domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff .com in DNS Lookup) : 192.168.2.8:49256 -> 1.1.1.1:53
              Source: global traffic | HTTP traffic detected:
                  GET / HTTP/1.1
                  Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                  Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected:
                  GET /?subid1=20250115-0842-3096-a478-d7c464a3f0ca HTTP/1.1
                  Cache-Control: no-cache
                  Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                  Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected:
                  GET / HTTP/1.1
                  Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                  Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected:
                  GET / HTTP/1.1
                  Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                  Cache-Control: no-cache
                  Cookie: __tad=1736890950.7011300
              Source: global traffic | HTTP traffic detected:
                  GET /?subid1=20250115-0842-32cc-b361-86c8884a5eaf HTTP/1.1
                  Cache-Control: no-cache
                  Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                  Connection: Keep-Alive
                  Cookie: parking_session=215a8bf8-0e2d-4579-a9e0-ffb15187690d
              Source: global traffic | HTTP traffic detected:
                  GET /?subid1=20250115-0842-3207-bd07-6551d635081d HTTP/1.1
                  Cache-Control: no-cache
                  Host: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
                  Connection: Keep-Alive
              Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49709 -> 103.224.212.215:80
              Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.8:49707 -> 103.224.212.215:80
              Source: global traffic | DNS traffic detected: DNS query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
              Source: global traffic | DNS traffic detected: DNS query: ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/getrealminfo.srf
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/getuserrealm.srf
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsec
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599152522.000001F22BF6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599152522.000001F22BF6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797480723.000001F22BF6D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599152522.000001F22BF6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599152522.000001F22BF6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599152522.000001F22BF6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599152522.000001F22BF6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600UE
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796933895.000001F22B62B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599152522.000001F22BF6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
              Source: svchost.exe, 0000000F.00000003.1598718329.000001F22BF2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502R
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
              Source: svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
              Source: svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806044
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599048340.000001F22BF57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796933895.000001F22B62B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598817104.000001F22BF5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
              Source: svchost.exe, 0000000F.00000003.1599257869.000001F22BF56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598718329.000001F22BF29000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
              Source: svchost.exe, 0000000F.00000002.2797031764.000001F22B681000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srfm
              Source: svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
              Source: svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srfLive
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/resetpw.srf
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797445609.000001F22BF37000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/retention.srf
              Source: svchost.exe, 0000000F.00000002.2797122115.000001F22B6BF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797161373.000001F22B6D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/RST2.srf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796979177.000001F22B65E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfJ
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf.
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf-
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf%
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
              Source: svchost.exe, 0000000F.00000003.1599134059.000001F22BF63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599077750.000001F22BF40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srf
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
              Source: svchost.exe, 0000000F.00000003.1599025091.000001F22BF3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.1598845700.000001F22BF55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://signup.live.com/signup.aspx
              Source: svchost.exe, 0000000F.00000002.2796955541.000001F22B646000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://signup.live.com/signup.aspxice
              Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49672 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706

              Spam, unwanted Advertisements and Ransom Demands

              Source: Yara match | File source: ruXU7wj3X9.dll, type: SAMPLE
              Source: Yara match | File source: 8.2.mssecsvr.exe.1d4a084.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvr.exe.22738c8.9.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvr.exe.1d59104.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvr.exe.2282948.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvr.exe.22a596c.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvr.exe.1d7c128.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvr.exe.1d59104.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvr.exe.227e8e8.7.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvr.exe.1d550a4.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 8.2.mssecsvr.exe.2282948.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000008.00000002.2223330577.000000000042E000.00000004.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.1584683802.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000000.1562813019.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.1583712259.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000000.1534389465.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000000.1560048220.000000000040F000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000000.1560193255.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000000.1534540990.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.2225953882.0000000001D59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.2223913366.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000006.00000002.1583843452.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000000.1562935692.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000A.00000002.1584859851.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
              Source: Yara match | File source: 00000008.00000002.2226237017.0000000002282000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: mssecsvr.exe PID: 5944, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: mssecsvr.exe PID: 6552, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: mssecsvr.exe PID: 6720, type: MEMORYSTR
              Source: Yara match | File source: C:\Windows\tasksche.exe, type: DROPPED
              Source: Yara match | File source: C:\Windows\mssecsvr.exe, type: DROPPED

              System Summary

              Source: ruXU7wj3X9.dll, type: SAMPLE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: ruXU7wj3X9.dll, type: SAMPLE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.22738c8.9.raw.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.1d4a084.5.raw.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.1d7c128.3.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.1d7c128.3.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 11.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 11.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.22a596c.8.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.22a596c.8.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 11.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 11.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.1d4a084.5.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.1d4a084.5.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (based on rule by US CERT)
              Source: 8.2.mssecsvr.exe.22738c8.9.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.22738c8.9.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (based on rule by US CERT)
              Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.1d59104.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.1d59104.4.raw.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (based on rule by US CERT)
              Source: 8.2.mssecsvr.exe.1d59104.4.raw.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (based on rule by US CERT)
              Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (based on rule by US CERT)
              Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (based on rule by US CERT)
              Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (based on rule by US CERT)
              Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.2282948.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.2282948.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (based on rule by US CERT)
              Source: 8.2.mssecsvr.exe.2282948.6.raw.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.22a596c.8.raw.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.22a596c.8.raw.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (based on rule by US CERT)
              Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.1d7c128.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.1d7c128.3.raw.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (based on rule by US CERT)
              Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.1d59104.4.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.1d59104.4.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.227e8e8.7.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.227e8e8.7.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.1d550a4.2.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.1d550a4.2.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 8.2.mssecsvr.exe.2282948.6.unpack, type: UNPACKEDPE; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: 8.2.mssecsvr.exe.2282948.6.unpack, type: UNPACKEDPE; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 0000000B.00000000.1584094306.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 00000008.00000000.1560193255.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 00000006.00000000.1534540990.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 00000008.00000002.2225953882.0000000001D59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 00000008.00000002.2223913366.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 00000006.00000002.1583843452.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 0000000A.00000000.1562935692.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 0000000A.00000002.1584859851.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: 00000008.00000002.2226237017.0000000002282000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: C:\Windows\tasksche.exe, type: DROPPED; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: C:\Windows\tasksche.exe, type: DROPPED; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: C:\Windows\mssecsvr.exe, type: DROPPED; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (with the help of binar.ly)
              Source: C:\Windows\mssecsvr.exe, type: DROPPED; Matched rule: Detects WannaCry Ransomware; Author: Florian Roth (based on rule by US CERT)
              Source: C:\Windows\mssecsvr.exe, type: DROPPED; Matched rule: detects wannacry ransomware on disk and in virtual page; Author: us-cert code analysis team
              Source: C:\Windows\tasksche.exe; Code function: 11_2_0040690A: __EH_prolog,_wcslen,_wcscpy,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,_wcscpy,_wcscpy,_wcscpy,_wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW
              Source: C:\Windows\SysWOW64\rundll32.exe; File created: C:\WINDOWS\mssecsvr.exe
              Source: C:\Windows\mssecsvr.exe; File created: C:\WINDOWS\tasksche.exe
              Source: C:\Windows\tasksche.exe; Code function: 11_2_0041B0D9
              Source: C:\Windows\tasksche.exe; Code function: 11_2_0041B8B9
              Source: C:\Windows\tasksche.exe; Code function: 11_2_00414946
              Source: C:\Windows\tasksche.exe; Code function: 11_2_00404986
              Source: C:\Windows\tasksche.exe; Code function: 11_2_00429241
              Source: C:\Windows\tasksche.exe; Code function: 11_2_0042727C
              Source: C:\Windows\tasksche.exe; Code function: 11_2_004283FC
              Source: C:\Windows\tasksche.exe; Code function: 11_2_0041AC04
              Source: C:\Windows\tasksche.exe; Code function: 11_2_00416C3F
              Source: C:\Windows\tasksche.exe; Code function: 11_2_00401CC1
              Source: C:\Windows\tasksche.exe; Code function: 11_2_0041F4D4
              Source: C:\Windows\tasksche.exe; Code function: 11_2_0041BCD9
              Source: C:\Windows\tasksche.exe; Code function: 11_2_0041B4AD
              Source: C:\Windows\tasksche.exe; Code function: 11_2_00417D78
              Source: C:\Windows\tasksche.exe; Code function: 11_2_00427D04
              Source: C:\Windows\tasksche.exe; Code function: 11_2_0041450F
              Source: C:\Windows\tasksche.exe; Code function: 11_2_0040FDFA
              Source: C:\Windows\tasksche.exe; Code function: 11_2_00415D9A
              Source: C:\Windows\tasksche.exe; Code function: 11_2_00405610
              Source: C:\Windows\tasksche.exe; Code function: 11_2_0041462B
              Source: C:\Windows\tasksche.exe; Code function: 11_2_00413EE3
              Source: C:\Windows\tasksche.exe; Code function: 11_2_0040FEF0
              Source: C:\Windows\tasksche.exe; Code function: 11_2_00402F2C
              Source: C:\Windows\tasksche.exe; Code function: 11_2_004277C0
              Source: C:\Windows\tasksche.exe; Code function: String function: 0041FA9C appears 38 times
              Source: C:\Windows\System32\svchost.exe; Process created: C:\Windows\SysWOW64\WerFault.exe; Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3456 -ip 3456
              Source: mssecsvr.exe.3.dr; Static PE information: Resource name: R type: PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive
              Source: ruXU7wj3X9.dll, type: SAMPLE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: ruXU7wj3X9.dll, type: SAMPLE; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.22738c8.9.raw.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.1d4a084.5.raw.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.1d7c128.3.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.1d7c128.3.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 10.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 11.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 11.0.tasksche.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.22a596c.8.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.22a596c.8.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 10.0.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.2.mssecsvr.exe.7100a4.1.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 11.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 11.2.tasksche.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.1d4a084.5.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.1d4a084.5.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 8.2.mssecsvr.exe.22738c8.9.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.22738c8.9.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 10.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 10.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.1d59104.4.raw.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.1d59104.4.raw.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 8.2.mssecsvr.exe.1d59104.4.raw.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 8.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 10.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 8.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 10.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.2282948.6.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.2282948.6.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 8.2.mssecsvr.exe.2282948.6.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.22a596c.8.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.22a596c.8.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 6.0.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.0.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.1d7c128.3.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.1d7c128.3.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: 6.2.mssecsvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.1d59104.4.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.1d59104.4.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.227e8e8.7.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.227e8e8.7.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.1d550a4.2.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.1d550a4.2.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 8.2.mssecsvr.exe.2282948.6.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: 8.2.mssecsvr.exe.2282948.6.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 0000000B.00000000.1584094306.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000008.00000000.1560193255.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000006.00000000.1534540990.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000008.00000002.2225953882.0000000001D59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000008.00000002.2223913366.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000006.00000002.1583843452.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 0000000A.00000000.1562935692.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 0000000A.00000002.1584859851.0000000000710000.00000002.00000001.01000000.00000004.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: 00000008.00000002.2226237017.0000000002282000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: C:\Windows\tasksche.exe, type: DROPPEDMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
              Source: C:\Windows\mssecsvr.exe, type: DROPPEDMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
              Source: C:\Windows\mssecsvr.exe, type: DROPPEDMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A
              Source: C:\Windows\mssecsvr.exe, type: DROPPEDMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
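The YARA match rows above arrive one per line with the source, the source type (UNPACKEDPE, MEMORY or DROPPED), the rule name and the rule's metadata run together. The Python below is an added example, not part of the Joe Sandbox report or of the rule authors' tooling, that parses rows in exactly that flattened form into records, groups them by rule and source type, and collects the reference-sample hashes cited in the metadata. The six sample rows embedded in it are copied from the list above; the regexes assume the "type: <TYPE>Matched rule: <rule> key = value, ..." layout as it appears on this page.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample input: six rows copied verbatim from the report's YARA match
# list, in the flattened "type: <TYPE>Matched rule: <rule> <metadata>" form shown there.
SAMPLE_ROWS = [
    "Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T",
    "Source: 8.2.mssecsvr.exe.7100a4.1.raw.unpack, type: UNPACKEDPEMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set",
    "Source: 8.2.mssecsvr.exe.1d59104.4.raw.unpack, type: UNPACKEDPEMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A",
    "Source: 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORYMatched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set",
    "Source: C:\\Windows\\tasksche.exe, type: DROPPEDMatched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T",
    "Source: C:\\Windows\\mssecsvr.exe, type: DROPPEDMatched rule: WannaCry_Ransomware_Gen date = 2017-05-12, hash3 = 4384bf4530fb2e35449a8e01c7e0ad94e3a25811ba94f7847c1e6612bbb45359, hash2 = 8e5b5841a3fe81cade259ce2a678ccb4451725bba71f6662d0cc1f08148da8df, hash1 = 9fe91d542952e145f2244572f314632d93eb1e8657621087b2ca7f7df2b0cb05, author = Florian Roth (based on rule by US CERT), description = Detects WannaCry Ransomware, reference = https://www.us-cert.gov/ncas/alerts/TA17-132A",
]

# One row = source, source type, rule name, then "key = value" pairs. [A-Z]+ backtracks
# off the fused "UNPACKEDPEMatched", so the missing separator needs no special handling.
ROW_RE = re.compile(
    r"^Source:\s*(?P<src>.+?),\s*type:\s*(?P<type>[A-Z]+)"
    r"Matched rule:\s*(?P<rule>\S+)\s*(?P<meta>.*)$"
)
# Values may contain spaces and parentheses; a value ends where the next ", key =" begins.
META_RE = re.compile(r"(\w+)\s*=\s*(.*?)(?=,\s*\w+\s*=|$)")


@dataclass
class YaraMatch:
    source: str
    source_type: str              # UNPACKEDPE, MEMORY or DROPPED
    rule: str
    meta: Dict[str, str] = field(default_factory=dict)


def parse_row(row: str) -> Optional[YaraMatch]:
    """Parse one flattened match row; returns None for rows of another kind."""
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    meta = {k: v.strip() for k, v in META_RE.findall(m.group("meta"))}
    return YaraMatch(m.group("src"), m.group("type"), m.group("rule"), meta)


def parse_rows(rows: List[str]) -> List[YaraMatch]:
    return [r for r in map(parse_row, rows) if r is not None]


def by_rule(matches: List[YaraMatch]) -> Dict[str, Dict[str, Set[str]]]:
    """rule -> source type -> sources, to see whether a rule fired only on unpacked
    memory regions or also on the files written to C:\\Windows."""
    out: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for m in matches:
        out[m.rule][m.source_type].add(m.source)
    return {rule: dict(types) for rule, types in out.items()}


def referenced_hashes(matches: List[YaraMatch]) -> Set[str]:
    """Reference samples (hash0..hashN) cited in the rule metadata, deduplicated."""
    return {v for m in matches for k, v in m.meta.items() if k.startswith("hash")}


if __name__ == "__main__":
    matches = parse_rows(SAMPLE_ROWS)
    for rule, types in sorted(by_rule(matches).items()):
        print(rule)
        for source_type, sources in sorted(types.items()):
            print(f"  {source_type}: {len(sources)} source(s)")
    print("reference hashes:", len(referenced_hashes(matches)))
```

Feeding the full list above through `by_rule` shows the split that matters for triage: the two Florian Roth rules fire on unpacked PE images and on the dropped files, while the US-CERT generic rule is the only one that also matches raw memory dumps.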
              Source: tasksche.exe.10.dr | Binary string: J\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Diagnosis
              Source: tasksche.exe.10.dr | Binary string: ]\Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtxp
              Source: mssecsvr.exe.3.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\usbohci.sys
              Source: tasksche.exe.10.dr | Binary string: 0\Device\HarddiskVolume2\Windows\System32\ega.cpiKF
              Source: tasksche.exe.10.dr | Binary string: 5\Device\HarddiskVolume2\Windows\System32\localspl.dll
              Source: tasksche.exe.10.dr | Binary string: 5\Device\HarddiskVolume2\Windows\System32\sensrsvc.dll
              Source: tasksche.exe.10.dr | Binary string: \Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
              Source: tasksche.exe.10.dr | Binary string: @\Device\HarddiskVolume2\Windows\System32\ru-RU\WinSATAPI.dll.mui
              Source: tasksche.exe.10.dr | Binary string: b\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\dmvsc.sysT
              Source: tasksche.exe.10.dr | Binary string: Z\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe#
              Source: tasksche.exe.10.dr | Binary string: 5\Device\HarddiskVolume2\Windows\System32\powercfg.exep
              Source: tasksche.exe.10.dr | Binary string: 2\Device\HarddiskVolume2\Windows\System32\fveui.dll
              Source: tasksche.exe.10.dr | Binary string: @\Device\HarddiskVolume2\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf\p
              Source: tasksche.exe.10.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\wercplsupport.dll
              Source: tasksche.exe.10.dr | Binary string: I\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Locationp
              Source: tasksche.exe.10.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\GAGP30KX.SYS
              Source: tasksche.exe.10.dr | Binary string: 5\Device\HarddiskVolume2\Windows\System32\QAGENTRT.DLL
              Source: tasksche.exe.10.dr | Binary string: 0\Device\HarddiskVolume2\Windows\inf\netmscli.PNFC
              Source: tasksche.exe.10.dr | Binary string: .\Device\HarddiskVolume2\Windows\inf\netip6.PNF
              Source: tasksche.exe.10.dr | Binary string: 1\Device\HarddiskVolume2\Windows\ehome\ehrecvr.exe
              Source: tasksche.exe.10.dr | Binary string: 5\Device\HarddiskVolume2\Windows\System32\SCardSvr.dll
              Source: mssecsvr.exe.3.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\umpass.sysdd
              Source: tasksche.exe.10.dr | Binary string: V\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\NV_AGP.SYS
              Source: tasksche.exe.10.dr | Binary string: >\Device\HarddiskVolume2\Windows\Prefetch\VPROT.EXE-D7ED8096.pf [
              Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\acpipmi.sysH
              Source: tasksche.exe.10.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\VMBusHID.sys&
              Source: tasksche.exe.10.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5ABCO
              Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\amdsbs.sys\S
              Source: tasksche.exe.10.dr | Binary string: T\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\av16rp
              Source: tasksche.exe.10.dr | Binary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\volsnap.inf_loc
              Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\BrSerId.sys
              Source: mssecsvr.exe.3.dr | Binary string: +\Device\HarddiskVolume2\Windows\System32\ru_PTC
              Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\crcdisk.sys?
              Source: tasksche.exe.10.dr | Binary string: [\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Windows Filtering Platform
              Source: tasksche.exe.10.dr | Binary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\keyboard.inf_loc
              Source: mssecsvr.exe.3.dr | Binary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\net
              Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\mskssrv.sys
              Source: tasksche.exe.10.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\MTConfig.sys
              Source: tasksche.exe.10.dr | Binary string: 5\Device\HarddiskVolume2\Windows\System32\timedate.cplp
              Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\adpu320.sysH;
              Source: tasksche.exe.10.dr | Binary string: F\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Shell
              Source: tasksche.exe.10.dr | Binary string: t\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\dmvsc.sys@
              Source: tasksche.exe.10.dr | Binary string: 2\Device\HarddiskVolume2\Windows\System32\umrdp.dllSTRP
              Source: tasksche.exe.10.dr | Binary string: 3\Device\HarddiskVolume2\Windows\System32\sppsvc.exer
              Source: tasksche.exe.10.dr | Binary string: -\Device\HarddiskVolume2\Windows\inf\mshdc.PNFp
              Source: tasksche.exe.10.dr | Binary string: I\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netip6.inf_locp
              Source: tasksche.exe.10.dr | Binary string: 3\Device\HarddiskVolume2\Windows\System32\FXSSVC.exe
              Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\sfloppy.sysR_
              Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\dxgkrnl.sys
              Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\megasas.sys
              Source: mssecsvr.exe.3.dr | Binary string: r\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CRLsCPU1
              Source: tasksche.exe.10.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\ULIAGPKX.SYS
              Source: tasksche.exe.10.dr | Binary string: >\Device\HarddiskVolume2\Windows\System32\ru-RU\runonce.exe.mui+
              Source: tasksche.exe.10.dr | Binary string: \Device\Harddisk0\DR0p
              Source: tasksche.exe.10.dr | Binary string: /\Device\HarddiskVolume2\Windows\inf\ndiscap.PNF
              Source: tasksche.exe.10.dr | Binary string: 4\Device\HarddiskVolume2\Windows\System32\bthserv.dll
              Source: tasksche.exe.10.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\amdk8.syslump
              Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\nvraid.sys=\(
              Source: tasksche.exe.10.dr | Binary string: 8\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft$Hp
              Source: mssecsvr.exe.3.dr | Binary string: 0\Device\HarddiskVolume2\Windows\System32\vds.exeH
              Source: tasksche.exe.10.dr | Binary string: j\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgsched.log.lock
              Source: tasksche.exe.10.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\intelide.sys
              Source: tasksche.exe.10.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\tdtcp.sys|$P@
              Source: mssecsvr.exe.3.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\TsUsbGD.sys
              Source: tasksche.exe.10.dr | Binary string: =\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\shredlog.cfgp
              Source: tasksche.exe.10.dr | Binary string: A\Device\HarddiskVolume2\Windows\System32\appidpolicyconverter.exe
              Source: tasksche.exe.10.dr | Binary string: 5\Device\HarddiskVolume2\Windows\System32\Apphlpdm.dllp
              Source: tasksche.exe.10.dr | Binary string: H\Device\HarddiskVolume2\Windows\System32\SystemPropertiesPerformance.exe
              Source: tasksche.exe.10.dr | Binary string: 4\Device\HarddiskVolume2\Windows\System32\tapisrv.dllID
              Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\SISAGP.SYS3
              Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\krnlapi.cfgp
              Source: tasksche.exe.10.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\rdpdr.sysGtn
              Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\VIAAGP.SYS.
              Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\errdev.sys1
              Source: tasksche.exe.10.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\flpydisk.sys
              Source: tasksche.exe.10.dr | Binary string: 3\Device\HarddiskVolume2\Windows\System32\gptext.dll
              Source: tasksche.exe.10.dr | Binary string: 4\Device\HarddiskVolume2\Windows\System32\ListSvc.dll
              Source: tasksche.exe.10.dr | Binary string: ~\Device\HarddiskVolume2\ProgramData\Microsoft\Windows\Caches\{7CD55808-3D38-4DD5-90C9-62F0E6EE60D4}.2.ver0x0000000000000001.db
              Source: tasksche.exe.10.dr | Binary string: 4\Device\HarddiskVolume2\Windows\System32\wcncsvc.dll^/
              Source: tasksche.exe.10.dr | Binary string: K\Device\HarddiskVolume2\ProgramData\Microsoft\RAC\StateData\RacDatabase.sdf
              Source: tasksche.exe.10.dr | Binary string: U\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.dr | Binary string: 4\Device\HarddiskVolume2\Windows\System32\fdeploy.dllW
              Source: tasksche.exe.10.dr | Binary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netserv.inf_locLNKD
              Source: tasksche.exe.10.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\vhdmp.sys
              Source: tasksche.exe.10.dr | Binary string: ?\Device\HarddiskVolume2\Program Files\AVG\UiDll\2623\icudtl.datp
              Source: tasksche.exe.10.dr | Binary string: >\Device\HarddiskVolume2\Windows\System32\drivers\mshidkmdf.sysDC2
              Source: tasksche.exe.10.dr | Binary string: 8\Device\HarddiskVolume2\Windows\System32\PeerDistSvc.dll/
              Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\amdide.sysp
              Source: tasksche.exe.10.dr | Binary string: @\Device\HarddiskVolume2\Windows\Prefetch\SVCHOST.EXE-80F4A784.pfMp
              Source: tasksche.exe.10.dr | Binary string: F\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\AppIDp
              Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\drmkaud.sysCP
              Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\errdev.sys
              Source: tasksche.exe.10.dr | Binary string: 0\Device\HarddiskVolume2\Windows\inf\nettcpip.PNFS
              Source: tasksche.exe.10.dr | Binary string: 0\Device\HarddiskVolume2\Windows\inf\netavpnt.PNF
              Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\MegaSR.sysDC2
              Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\usbohci.sys3
              Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\drmkaud.sys
              Source: tasksche.exe.10.dr | Binary string: [\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatformU3
              Source: tasksche.exe.10.dr | Binary string: 3\Device\HarddiskVolume2\Windows\System32\WsmSvc.dll
              Source: tasksche.exe.10.dr | Binary string: 3\Device\HarddiskVolume2\Windows\ehome\ehprivjob.exe
              Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\csllog.cfgLL
              Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\ql40xx.sys
              Source: tasksche.exe.10.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\lsi_scsi.sys
              Source: tasksche.exe.10.dr | Binary string: m\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\Myp
              Source: tasksche.exe.10.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\wbem\WmiApSrv.exe
              Source: tasksche.exe.10.dr | Binary string: >\Device\HarddiskVolume2\Windows\System32\drivers\fsdepends.sysd0`p
              Source: tasksche.exe.10.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\evbdx.sys
              Source: tasksche.exe.10.dr | Binary string: 5\Device\HarddiskVolume2\Windows\System32\certprop.dll
              Source: tasksche.exe.10.dr | Binary string: p\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
              Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\NV_AGP.SYS\S
              Source: tasksche.exe.10.dr | Binary string: W\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.dr | Binary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netrass.inf_loc
              Source: tasksche.exe.10.dr | Binary string: -\Device\HarddiskVolume2\Windows\inf\input.PNFp
              Source: tasksche.exe.10.dr | Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\hidir.sysalH
              Source: tasksche.exe.10.dr | Binary string: 4\Device\HarddiskVolume2\Windows\System32\w32time.dllBU
              Source: tasksche.exe.10.dr | Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\sisraid2.sys
              Source: tasksche.exe.10.dr | Binary string: <\Device\HarddiskVolume2\Windows\System32\ru-RU\duser.dll.muiIOp
              Source: tasksche.exe.10.dr | Binary string: 4\Device\HarddiskVolume2\Windows\System32\ssdpsrv.dllTD
              Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\nvstor.sys2\
              Source: tasksche.exe.10.dr | Binary string: 4\Device\HarddiskVolume2\Windows\System32\rasauto.dll_S
              Source: tasksche.exe.10.dr | Binary string: -\Device\HarddiskVolume2\Windows\inf\oem10.PNFp
              Source: tasksche.exe.10.dr | Binary string: L\Device\HarddiskVolume2\Program Files\Remote Access Host\RemoteSoundServ.exei
              Source: tasksche.exe.10.dr | Binary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\battery.inf_loc
              Source: tasksche.exe.10.dr | Binary string: K\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\MultimediaR_CPp
              Source: tasksche.exe.10.dr | Binary string: +\Device\HarddiskVolume2\Windows\System32\ru1
              Source: tasksche.exe.10.dr | Binary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netsstpt.inf_locBFFRp
              Source: tasksche.exe.10.dr | Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\parvdm.sys1
              Source: tasksche.exe.10.dr | Binary string: \Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\av16\temp\avg-2c059045-004a-4137-b301-6c3064f40275.tmpp
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\hcw85cir.sys
              Source: tasksche.exe.10.drBinary string: 2\Device\HarddiskVolume2\Windows\System32\Tasks\WPD\$
              Source: tasksche.exe.10.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\bdesvc.dll^BN
              Source: tasksche.exe.10.drBinary string: K\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\PLA\System
              Source: mssecsvr.exe.3.drBinary string: +\Device\HarddiskVolume2\Windows\System32\en_CPU
              Source: tasksche.exe.10.drBinary string: O\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
              Source: tasksche.exe.10.drBinary string: +\Device\HarddiskVolume2\ProgramData\Avg\log
              Source: tasksche.exe.10.drBinary string: {\Device\HarddiskVolume2\Windows\Performance\WinSAT\DataStore\2016-02-02 17.08.06.946 Formal.Assessment (Initial).WinSAT.xml
              Source: tasksche.exe.10.drBinary string: \Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\av16\temp\avg-2c059045-004a-4137-b301-6c3064f40275.tmpb
              Source: tasksche.exe.10.drBinary string: D\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Ras
              Source: tasksche.exe.10.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\ipnat.sys
              Source: tasksche.exe.10.drBinary string: .\Device\HarddiskVolume2\Windows\inf\rspndr.PNFQ0pIRp
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\Globalization\Sortingp
              Source: tasksche.exe.10.drBinary string: 9\Device\HarddiskVolume2\Windows\System32\drivers\mpio.sys
              Source: tasksche.exe.10.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\iirsp.sys
              Source: tasksche.exe.10.drBinary string: F\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\cpu.inf_locCC
              Source: tasksche.exe.10.drBinary string: -\Device\HarddiskVolume2\Windows\Globalization
              Source: tasksche.exe.10.drBinary string: u\Device\HarddiskVolume2\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtxp
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\ndiscap.sysS,
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\Resources\Themes\Aero
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\circlass.sys
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\lsi_sas.sysM
              Source: tasksche.exe.10.drBinary string: /\Device\HarddiskVolume2\Windows\ehome\ehrec.exe
              Source: tasksche.exe.10.drBinary string: Y\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\av16\temp
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\lsi_sas2.sys
              Source: tasksche.exe.10.drBinary string: i\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\RemoteApp and Desktop Connections Update
              Source: tasksche.exe.10.drBinary string: @\Device\HarddiskVolume2\Windows\Prefetch\DLLHOST.EXE-766398D2.pf_Tp
              Source: tasksche.exe.10.drBinary string: 6\Device\HarddiskVolume2\Windows\System32\WinSATAPI.dllp
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\iscsiexe.dll
              Source: tasksche.exe.10.drBinary string: :\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\nslog.cfgS
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\tdpipe.sys
              Source: tasksche.exe.10.drBinary string: ?\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\msdsm.sysS1
              Source: tasksche.exe.10.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\wuaueng.dll
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\1394ohci.sys
              Source: tasksche.exe.10.drBinary string: I\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows Defender
              Source: tasksche.exe.10.drBinary string: 0\Device\HarddiskVolume2\Windows\inf\netsstpt.PNFwnp
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\lsi_sas.sys
              Source: tasksche.exe.10.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\termsrv.dll
              Source: tasksche.exe.10.drBinary string: H\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\mshdc.inf_loc
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\BrUsbSer.sys
              Source: tasksche.exe.10.drBinary string: >\Device\HarddiskVolume2\Windows\System32\drivers\filetrace.sysp}
              Source: mssecsvr.exe.3.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\WUDFRd.sys
              Source: tasksche.exe.10.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\wersvc.dllTV
              Source: tasksche.exe.10.drBinary string: \Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\av16\temp\avg-7e9df016-cbcc-4646-838e-02461299762d.tmp
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\irenum.sys
              Source: tasksche.exe.10.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\wscsvc.dllLNKD
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\ipfltdrv.sys
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\publog.cfgk
              Source: tasksche.exe.10.drBinary string: 2\Device\HarddiskVolume2\Windows\ehome\mcupdate.exe
              Source: tasksche.exe.10.drBinary string: \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_ru-ru_a13dea73a92ad990\comctl32.dll.muiME
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\schedlog.cfgp
              Source: tasksche.exe.10.drBinary string: ;\Device\Hardd
              Source: tasksche.exe.10.drBinary string: 2\Device\HarddiskVolume2\Windows\System32\KMSVC.DLLVID3PP
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\gpprnext.dll
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\adpahci.sys
              Source: tasksche.exe.10.drBinary string: /\Device\HarddiskVolume2\Windows\inf\ndisuio.PNFT`
              Source: tasksche.exe.10.drBinary string: h\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgemc.log.lockA
              Source: tasksche.exe.10.drBinary string: q\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Contentp
              Source: tasksche.exe.10.drBinary string: -\Device\HarddiskVolume2\Windows\inf\netnb.PNFp
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\dxgkrnl.sysT
              Source: tasksche.exe.10.drBinary string: m\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.drBinary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\ndisuio.inf_loc
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\wbengine.exe&
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\b57nd60x.sysp
              Source: tasksche.exe.10.drBinary string: 7\Device\HarddiskVolume2\Program Files\AVG\Av\avg_ru.lng>"
              Source: tasksche.exe.10.drBinary string: D\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\MUI
              Source: tasksche.exe.10.drBinary string: .\Device\HarddiskVolume2\Windows\inf\wfplwf.PNF
              Source: tasksche.exe.10.drBinary string: \Device\HarddiskVolume2\$Extend
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\nfrd960.sys
              Source: tasksche.exe.10.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\WebClnt.dllG
              Source: tasksche.exe.10.drBinary string: Q\Device\HarddiskVolume2\Windows\Temp\avg-3778490c-65ff-4631-9fd1-8f2e97842712.tmp
              Source: mssecsvr.exe.3.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\vhdmp.sysskV
              Source: mssecsvr.exe.3.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\viac7.sys\\._PR
              Source: tasksche.exe.10.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\fdPHost.dll
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\bthmodem.sys
              Source: tasksche.exe.10.drBinary string: Q\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\RemoteAssistance(
              Source: mssecsvr.exe.3.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\VIAAGP.SYSi\
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\HpSAMD.sys01CP
              Source: tasksche.exe.10.drBinary string: T\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\hidbth.sys$H
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\gpprefcl.dll
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\megasas.sysPD
              Source: tasksche.exe.10.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\evbdx.sysC
              Source: tasksche.exe.10.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\wpcsvc.dll
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\emclog.cfgH
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\stexstor.sys
              Source: tasksche.exe.10.drBinary string: 9\Device\HarddiskVolume2\Windows\System32\drivers\udfs.sys
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\vsmraid.sysp
              Source: tasksche.exe.10.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\rasmans.dll
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\adp94xx.sys
              Source: tasksche.exe.10.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\usbmon.dll
              Source: tasksche.exe.10.drBinary string: /\Device\HarddiskVolume2\Windows\inf\netrasa.PNFMPARp
              Source: tasksche.exe.10.drBinary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netnwifi.inf_locPCF
              Source: mssecsvr.exe.3.drBinary string: r\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs1
              Source: tasksche.exe.10.drBinary string: X\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Windows Error ReportingPU
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\sermouse.sys
              Source: tasksche.exe.10.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\vmbus.sysg\M
              Source: tasksche.exe.10.drBinary string: ,\Device\HarddiskVolume2\Windows\inf\disk.PNFH
              Source: tasksche.exe.10.drBinary string: T\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\av16p
              Source: tasksche.exe.10.drBinary string: E\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\UPnPp
              Source: tasksche.exe.10.drBinary string: 2\Device\HarddiskVolume2\Windows\System32\msdtc.exe}SDTL
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\aelupsvc.dll
              Source: tasksche.exe.10.drBinary string: F\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Tcpip
              Source: tasksche.exe.10.drBinary string: D\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\RACU5
              Source: tasksche.exe.10.drBinary string: \Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avg-7167c74e-f403-416d-93ad-1632477e850e.tmpp
              Source: tasksche.exe.10.drBinary string: /\Device\HarddiskVolume2\Windows\inf\netrass.PNFRCBAp
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\tssecsrv.sys
              Source: tasksche.exe.10.drBinary string: A\Device\HarddiskVolume2\Windows\System32\Speech\SpeechUX\sapi.cpl
              Source: tasksche.exe.10.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\modem.sysTEMPb
              Source: tasksche.exe.10.drBinary string: X\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\vms3cap.sysST
              Source: tasksche.exe.10.drBinary string: @\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\sbp2port.sys
              Source: tasksche.exe.10.drBinary string: l\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\fmw1\commonpriv.log.lockUF$
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\cmdide.sysLNKH
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\FntCache.dll
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\nvraid.sys
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\msdtckrm.dll
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\elxstor.sysPT
              Source: tasksche.exe.10.drBinary string: A\Device\HarddiskVolume2\Windows\Prefetch\WERFAULT.EXE-E69F695A.pfp
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\iaStorV.sys
              Source: tasksche.exe.10.drBinary string: J\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\serenum.sysCT
              Source: tasksche.exe.10.drBinary string: O\Device\HarddiskVolume2\ProgramData\Microsoft\RAC\StateData\RacWmiEventData.dat
              Source: tasksche.exe.10.drBinary string: \Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\av16\temp\avg-49fb6b11-545c-406d-a9bb-da1ce541e50e.tmp
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\bxvbdx.sys
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\appmgmts.dll
              Source: tasksche.exe.10.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\regsvc.dll
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\HdAudio.sys
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\RTSndMgr.cpl
              Source: tasksche.exe.10.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\mprdim.dll
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\aliide.sysH
              Source: tasksche.exe.10.drBinary string: \Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avg-7167c74e-f403-416d-93ad-1632477e850e.tmp`
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\auditcse.dll
              Source: tasksche.exe.10.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\tbssvc.dllSTE
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\wacompen.sys
              Source: tasksche.exe.10.drBinary string: I\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\lltdio.inf_locp
              Source: tasksche.exe.10.drBinary string: 7\Device\HarddiskVolume2\Windows\System32\drivers\wd.sys
              Source: tasksche.exe.10.drBinary string: 2\Device\HarddiskVolume2\Windows\Fonts\segoeuii.ttfp
              Source: tasksche.exe.10.drBinary string: M\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Task Manager
              Source: tasksche.exe.10.drBinary string: :\Device\HarddiskVolume2\Windows\System32\DriverStore\en-USC
              Source: tasksche.exe.10.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\wecsvc.dll
              Source: tasksche.exe.10.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\modem.sysCu|
              Source: tasksche.exe.10.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\TabSvc.dll
              Source: tasksche.exe.10.drBinary string: 0\Device\HarddiskVolume2\Windows\inf\netpacer.PNF
              Source: tasksche.exe.10.drBinary string: Q\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.drBinary string: 6\Device\HarddiskVolume2\Windows\System32\p2pcollab.dllp
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\lsi_scsi.sysp
              Source: tasksche.exe.10.drBinary string: 0\Device\HarddiskVolume2\Windows\System32\tdh.dllp
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\ProgramData\Avg\log\AV16\history.xml
              Source: tasksche.exe.10.drBinary string: A\Device\HarddiskVolume2\ProgramData\Avg\AV\Chjw\avgpsi.db-journal
              Source: tasksche.exe.10.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\DFDWiz.exe
              Source: tasksche.exe.10.drBinary string: N\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\LocalLow CHPD p
              Source: tasksche.exe.10.drBinary string: /\Device\HarddiskVolume2\Windows\inf\netserv.PNFTMP8p
              Source: tasksche.exe.10.drBinary string: 1\Device\HarddiskVolume2\Windows\ehome\ehsched.exe
              Source: tasksche.exe.10.drBinary string: /\Device\HarddiskVolume2\Windows\inf\volsnap.PNFR07
              Source: tasksche.exe.10.drBinary string: 9\Device\HarddiskVolume2\Windows\System32\sqlceoledb30.dll
              Source: tasksche.exe.10.drBinary string: I\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\MobilePC
              Source: tasksche.exe.10.drBinary string: @\Device\HarddiskVolume2\Program Files\Windows Defender\MpSvc.dll
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\rasacd.sys
              Source: tasksche.exe.10.drBinary string: A\Device\HarddiskVolume2\Windows\Prefetch\TASKHOST.EXE-7238F31D.pf
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\qwavedrv.sys
              Source: tasksche.exe.10.drBinary string: E\Device\HarddiskVolume2\Windows\System32\drivers\rdpvideominiport.sys
              Source: tasksche.exe.10.drBinary string: A\Device\HarddiskVolume2\ProgramData\Avg\AV\Chjw\avgpsi.db-journalp
              Source: mssecsvr.exe.3.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\VMBusHID.sys
              Source: tasksche.exe.10.drBinary string: /\Device\HarddiskVolume2\Windows\inf\hidserv.PNF
              Source: tasksche.exe.10.drBinary string: 8\Device\HarddiskVolume2\Windows\System32\drivers\arc.sys
              Source: tasksche.exe.10.drBinary string: S\Device\HarddiskVolume2\$Recycle.Bin\S-1-5-21-1870734524-1274666089-2119431859-1000
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\usbuhci.sys
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\asyncmac.sys
              Source: mssecsvr.exe.3.drBinary string: N\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netvwififlt.inf_locCPU1AP
              Source: mssecsvr.exe.3.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\wmiacpi.sys
              Source: tasksche.exe.10.drBinary string: c\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgemc.log
              Source: tasksche.exe.10.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\SessEnv.dllB_p
              Source: tasksche.exe.10.drBinary string: N\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\SystemRestore
              Source: tasksche.exe.10.drBinary string: >\Device\HarddiskVolume2\Windows\System32\drivers\mshidkmdf.sysA
              Source: tasksche.exe.10.drBinary string: 4\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.drBinary string: #\Device\HarddiskVolume2\Windows\infS
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\mrxdav.sysD
              Source: tasksche.exe.10.drBinary string: q\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\BrSerWdm.sys
              Source: tasksche.exe.10.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\pnrpsvc.dllO
              Source: tasksche.exe.10.drBinary string: z\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\AxInstSv.dll
              Source: mssecsvr.exe.3.drBinary string: >\Device\HarddiskVolume2\Windows\servicing\TrustedInstaller.exeAP7PDC
              Source: tasksche.exe.10.drBinary string: k\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
              Source: mssecsvr.exe.3.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\wbengine.exe
              Source: mssecsvr.exe.3.drBinary string: 2\Device\HarddiskVolume2\Windows\System32\VSSVC.exeSU
              Source: tasksche.exe.10.drBinary string: h\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgidpdrv.log.2H
              Source: tasksche.exe.10.drBinary string: 1\Device\HarddiskVolume2\Windows\System32\pots.dllp
              Source: tasksche.exe.10.drBinary string: z\Device\HarddiskVolume2\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
              Source: tasksche.exe.10.drBinary string: \\Device\HarddiskVolume2\Windows\System32\ru-RU\microsoft-windows-kernel-power-events.dll.mui
              Source: tasksche.exe.10.drBinary string: L\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Maintenance
              Source: tasksche.exe.10.drBinary string: k\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exeta
              Source: tasksche.exe.10.drBinary string: ]\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Power Efficiency Diagnostics
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\AMDAGP.SYS
              Source: tasksche.exe.10.drBinary string: 4\Device\HarddiskVolume2\Windows\System32\dot3svc.dllPN
              Source: tasksche.exe.10.drBinary string: :\Device\HarddiskVolume2\Windows\System32\drivers\rdpdr.sysw
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\UAGP35.SYS0H
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\pnrpauto.dll
              Source: tasksche.exe.10.drBinary string: U\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Time Synchronization
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\gpscript.dll
              Source: tasksche.exe.10.drBinary string: S\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.drBinary string: 1\Device\HarddiskVolume2\Windows\System32\qmgr.dll
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\scfilter.sys
              Source: tasksche.exe.10.drBinary string: >\Device\HarddiskVolume2\Windows\System32\drivers\filetrace.sys
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\upnphost.dll
              Source: mssecsvr.exe.3.drBinary string: S\Device\HarddiskVolume2\Program Files\Common Files\AV\avast! Antivirus\userdata.cab0_TS
              Source: tasksche.exe.10.drBinary string: .\Device\HarddiskVolume2\Windows\System32\RTCOMX
              Source: tasksche.exe.10.drBinary string: Q\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\MemoryDiagnostic
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\FDResPub.dll
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\winspool.drvp
              Source: tasksche.exe.10.drBinary string: =\Device\HarddiskVolume2\Windows\System32\drivers\terminpt.sys
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\hidbatt.sysL
              Source: tasksche.exe.10.drBinary string: <\Device\HarddiskVolume2\Windows\System32\drivers\IPMIDrv.sysm
              Source: tasksche.exe.10.drBinary string: \Device\HarddiskVolume2\Windows\winsxs\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_ru-ru_a13dea73a92ad990
              Source: tasksche.exe.10.drBinary string: 6\Device\HarddiskVolume2\Windows\System32\defragsvc.dll
              Source: tasksche.exe.10.drBinary string: 5\Device\HarddiskVolume2\Windows\System32\lpremove.exep
              Source: tasksche.exe.10.drBinary string: i\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\fmw1\avgmsgdisp.log.2
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\viaide.systo
              Source: tasksche.exe.10.drBinary string: i\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\fmw1\avgmsgdisp.log.3
              Source: tasksche.exe.10.drBinary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\hidbth.sys<\
              Source: tasksche.exe.10.drBinary string: 6\Device\HarddiskVolume2\Windows\System32\IPBusEnum.dll
              Source: tasksche.exe.10.drBinary string: >\Device\HarddiskVolume2\Windows\System32\gatherNetworkInfo.vbs1
              Source: tasksche.exe.10.drBinary string: 2\Device\HarddiskVolume2\Windows\System32\swprv.dllHM
              Source: tasksche.exe.10.drBinary string: 2\Device\HarddiskVolume2\Windows\System32\qwave.dllP03HPS
              Source: mssecsvr.exe.3.drBinary string: P\Device\HarddiskVolume2\Program Files\Common Files\AV\AVG AntiVirus Free EditionU4
              Source: tasksche.exe.10.drBinary string: 3\Device\HarddiskVolume2\Windows\System32\FXSMON.dll
              Source: tasksche.exe.10.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\djsvs.sysD
              Source: tasksche.exe.10.dr	Binary string: h\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgidpdrv.log.3
              Source: mssecsvr.exe.3.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\vmbus.sys
              Source: tasksche.exe.10.dr	Binary string: S\Device\HarddiskVolume3\$RECYCLE.BIN\S-1-5-21-1870734524-1274666089-2119431859-1000H
              Source: tasksche.exe.10.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\msdsm.sysA\_^
              Source: tasksche.exe.10.dr	Binary string: 8\Device\HarddiskVolume2\Windows\System32\sppuinotify.dll
              Source: tasksche.exe.10.dr	Binary string: l\Device\HarddiskVolume2\Users\
              Source: tasksche.exe.10.dr	Binary string: 1\Device\HarddiskVolume2\Windows\System32\msra.exe
              Source: tasksche.exe.10.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\vms3cap.sys
              Source: mssecsvr.exe.3.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\viaide.sys
              Source: tasksche.exe.10.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\HpSAMD.sys
              Source: tasksche.exe.10.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\ru-RU\rascfg.dll.mui
              Source: tasksche.exe.10.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\amdsata.syso
              Source: tasksche.exe.10.dr	Binary string: e\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgshred.logp
              Source: tasksche.exe.10.dr	Binary string: U\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\User Profile Service
              Source: tasksche.exe.10.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\isapnp.sys
              Source: tasksche.exe.10.dr	Binary string: H\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Autochk
              Source: tasksche.exe.10.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\BrUsbMdm.sys
              Source: tasksche.exe.10.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\IPMIDrv.sys
              Source: tasksche.exe.10.dr	Binary string: 4\Device\HarddiskVolume2\Windows\System32\Mcx2Svc.dll
              Source: tasksche.exe.10.dr	Binary string: V\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\TextServicesFrameworkDR
              Source: tasksche.exe.10.dr	Binary string: 0\Device\HarddiskVolume2\Windows\inf\netnwifi.PNF
              Source: tasksche.exe.10.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\mspqm.syst
              Source: tasksche.exe.10.dr	Binary string: >\Device\HarddiskVolume2\Windows\System32\ru-RU\racengn.dll.muiH
              Source: tasksche.exe.10.dr	Binary string: 5\Device\HarddiskVolume2\Windows\System32\dskquota.dll
              Source: tasksche.exe.10.dr	Binary string: G\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\DefragRe
              Source: tasksche.exe.10.dr	Binary string: Q\Device\HarddiskVolume2\Windows\System32\TsUsbRedirectionGroupPolicyExtension.dll
              Source: tasksche.exe.10.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\AGP440.sys;
              Source: tasksche.exe.10.dr	Binary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\hidserv.inf_locp}
              Source: tasksche.exe.10.dr	Binary string: 3\Device\HarddiskVolume2\Windows\System32\wersvc.dll
              Source: tasksche.exe.10.dr	Binary string: 7\Device\HarddiskVolume2\Windows\System32\dot3gpclnt.dll
              Source: mssecsvr.exe.3.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\ws2ifsl.sys._
              Source: tasksche.exe.10.dr	Binary string: N\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netvwififlt.inf_loc
              Source: tasksche.exe.10.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\wimmount.sys
              Source: tasksche.exe.10.dr	Binary string: ?\Device\HarddiskVolume2\Windows\System32\drivers\Synth3dVsc.sys
              Source: tasksche.exe.10.dr	Binary string: r\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs:
              Source: tasksche.exe.10.dr	Binary string: /\Device\HarddiskVolume2\Windows\inf\netrast.PNFp
              Source: tasksche.exe.10.dr	Binary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\usbport.inf_locD5
              Source: tasksche.exe.10.dr	Binary string: 3\Device\HarddiskVolume2\Windows\System32\Defrag.exe
              Source: mssecsvr.exe.3.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\vsmraid.sys
              Source: tasksche.exe.10.dr	Binary string: >\Device\HarddiskVolume2\Windows\System32\drivers\fsdepends.sysSB_PADp
              Source: mssecsvr.exe.3.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\tdtcp.sys
              Source: tasksche.exe.10.dr	Binary string: A\Device\HarddiskVolume2\Windows\Prefetch\AVGUIRNX.EXE-006CD133.pfp
              Source: tasksche.exe.10.dr	Binary string: 3\Device\HarddiskVolume2\Windows\System32\tcpmon.dll
              Source: tasksche.exe.10.dr	Binary string: 3\Device\HarddiskVolume2\Windows\inf\netvwififlt.PNFF4
              Source: tasksche.exe.10.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\sffdisk.sys0
              Source: mssecsvr.exe.3.dr	Binary string: Y\Device\HarddiskVolume2\Windows\System32\Macromed\Flash\FlashUtil32_25_0_0_148_pepper.exe
              Source: tasksche.exe.10.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\mstee.sysP
              Source: tasksche.exe.10.dr	Binary string: 5\Device\HarddiskVolume2\Windows\System32\appidsvc.dll
              Source: tasksche.exe.10.dr	Binary string: J\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Bluetoothp
              Source: tasksche.exe.10.dr	Binary string: 3\Device\HarddiskVolume2\Windows\System32\p2psvc.dll
              Source: tasksche.exe.10.dr	Binary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\machine.inf_loc3
              Source: tasksche.exe.10.dr	Binary string: D\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\PLA_S
              Source: tasksche.exe.10.dr	Binary string: 9\Device\HarddiskVolume2\Windows\System32\drivers\cdfs.sys
              Source: tasksche.exe.10.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\USBSTOR.SYS
              Source: mssecsvr.exe.3.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\usbuhci.sysS
              Source: tasksche.exe.10.dr	Binary string: K\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\SyncCenter;PBI
              Source: tasksche.exe.10.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\drivers\mstee.sys
              Source: tasksche.exe.10.dr	Binary string: I\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\NetTrace
              Source: tasksche.exe.10.dr	Binary string: 4\Device\HarddiskVolume2\Windows\System32\runonce.exe
              Source: tasksche.exe.10.dr	Binary string: 5\Device\HarddiskVolume2\Windows\System32\seclogon.dll
              Source: tasksche.exe.10.dr	Binary string: 1\Device\HarddiskVolume2\ProgramData\Avg\AV\cfgall
              Source: tasksche.exe.10.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\storvsc.sys
              Source: tasksche.exe.10.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\sfloppy.sysH
              Source: tasksche.exe.10.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\serial.sys
              Source: mssecsvr.exe.3.dr	Binary string: 2\Device\HarddiskVolume2\Windows\System32\fveui.dllPR_CPU
              Source: tasksche.exe.10.dr	Binary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\display.inf_loc DDL3 p
              Source: tasksche.exe.10.dr	Binary string: e\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgsched.logh
              Source: tasksche.exe.10.dr	Binary string: 0\Device\HarddiskVolume2\Windows\System32\vds.exe
              Source: tasksche.exe.10.dr	Binary string: J\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\PerfTrackYS
              Source: tasksche.exe.10.dr	Binary string: 2\Device\HarddiskVolume2\Windows\System32\VSSVC.exe
              Source: tasksche.exe.10.dr	Binary string: r\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaDataI
              Source: tasksche.exe.10.dr	Binary string: h\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgpal.log.lock
              Source: mssecsvr.exe.3.dr	Binary string: T\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\av16
              Source: tasksche.exe.10.dr	Binary string: 0\Device\HarddiskVolume2\Windows\System32\alg.exe_
              Source: tasksche.exe.10.dr	Binary string: S\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\WindowsColorSystemH
              Source: tasksche.exe.10.dr	Binary string: 5\Device\HarddiskVolume2\Windows\System32\RacRules.xml
              Source: tasksche.exe.10.dr	Binary string: S\Device\HarddiskVolume2\ProgramData\Microsoft\RAC\StateData\RacWmiDataBookmarks.dat
              Source: tasksche.exe.10.dr	Binary string: 8\Device\HarddiskVolume2\Windows\System32\drivers\fdc.sys
              Source: tasksche.exe.10.dr	Binary string: :\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RUrdd
              Source: tasksche.exe.10.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\ru-RU\mprmsg.dll.muip
              Source: tasksche.exe.10.dr	Binary string: 9\Device\HarddiskVolume2\Program Files\AVG\Av\avgmfapx.exe
              Source: tasksche.exe.10.dr	Binary string: V\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Windows Media Sharing
              Source: mssecsvr.exe.3.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\SISAGP.SYSU0CS
              Source: tasksche.exe.10.dr	Binary string: 6\Device\HarddiskVolume2\ProgramData\Avg\AV\DB\stats.db\/
              Source: tasksche.exe.10.dr	Binary string: W\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\Application Experience'B
              Source: tasksche.exe.10.dr	Binary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\nettcpip.inf_loc
              Source: tasksche.exe.10.dr	Binary string: >\Device\HarddiskVolume2\Windows\servicing\TrustedInstaller.exe
              Source: tasksche.exe.10.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\sffp_sd.sysU6
              Source: tasksche.exe.10.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\BrFiltUp.sys
              Source: tasksche.exe.10.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\elxstor.sys
              Source: tasksche.exe.10.dr	Binary string: j\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgshred.log.lockNOT
              Source: tasksche.exe.10.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\processr.sys
              Source: tasksche.exe.10.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\iaStorV.sysX[
              Source: tasksche.exe.10.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\wmiacpi.sys@A
              Source: tasksche.exe.10.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\ql40xx.sys\
              Source: tasksche.exe.10.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\pciide.sys
              Source: tasksche.exe.10.dr	Binary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netmscli.inf_loc
              Source: mssecsvr.exe.3.dr	Binary string: 3\Device\HarddiskVolume2\Windows\System32\sppsvc.exe
              Source: tasksche.exe.10.dr	Binary string: /\Device\HarddiskVolume2\Windows\inf\usbport.PNF
              Source: tasksche.exe.10.dr	Binary string: 4\Device\HarddiskVolume2\Windows\System32\DriverStoreop
              Source: tasksche.exe.10.dr	Binary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\ndiscap.inf_loc
              Source: tasksche.exe.10.dr	Binary string: r\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs
              Source: tasksche.exe.10.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\nvstor.sysD
              Source: tasksche.exe.10.dr	Binary string: .\Device\HarddiskVolume2\Windows\inf\lltdio.PNFS
              Source: tasksche.exe.10.dr	Binary string: 4\Device\HarddiskVolume2\Windows\System32\lltdsvc.dll
              Source: tasksche.exe.10.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\WcsPlugInService.dll
              Source: tasksche.exe.10.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\TsUsbGD.sys$
              Source: tasksche.exe.10.dr	Binary string: N\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\WindowsBackup$XH
              Source: tasksche.exe.10.dr	Binary string: 3\Device\HarddiskVolume2\Windows\System32\sdrsvc.dll
              Source: tasksche.exe.10.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\arcsas.sys
              Source: tasksche.exe.10.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\msiscsi.sysH
              Source: tasksche.exe.10.dr	Binary string: c\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\av16\avgpal.logPS['`
              Source: tasksche.exe.10.dr	Binary string: 5\Device\HarddiskVolume2\Windows\System32\raserver.exe
              Source: tasksche.exe.10.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\serenum.sys2
              Source: tasksche.exe.10.dr	Binary string: 0\Device\HarddiskVolume2\Windows\System32\pla.dll
              Source: tasksche.exe.10.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\crcdisk.sys
              Source: tasksche.exe.10.dr	Binary string: X\Device\HarddiskVolume2\Windows\System32\Tasks\Microsoft\Windows\NetworkAccessProtectionPM
              Source: tasksche.exe.10.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\sffp_sd.syst+
              Source: tasksche.exe.10.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\cmdide.sys
              Source: tasksche.exe.10.dr	Binary string: 7\Device\HarddiskVolume2\Program Files\AVG\Av\fixcfg.exes\p
              Source: tasksche.exe.10.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\parvdm.sys
              Source: tasksche.exe.10.dr	Binary string: 6\Device\HarddiskVolume2\Windows\System32\bthudtask.exe
              Source: tasksche.exe.10.dr	Binary string: J\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netrast.inf_loc
              Source: tasksche.exe.10.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\lsi_fc.sysgr
              Source: tasksche.exe.10.dr	Binary string: G\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\disk.inf_locD$XHp
              Source: tasksche.exe.10.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\mskssrv.sysDC
              Source: tasksche.exe.10.dr	Binary string: 4\Device\HarddiskVolume2\Windows\System32\Locator.exe
              Source: tasksche.exe.10.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\lsi_fc.sysX
              Source: tasksche.exe.10.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\ql2300.sys
              Source: tasksche.exe.10.dr	Binary string: +\Device\HarddiskVolume2\Windows\System32\enp
              Source: tasksche.exe.10.dr	Binary string: g\Device\HarddiskVolume2\Windows\System32\config\systemprofile\AppData\Local\Avg\log\fmw1\commonpriv.log
              Source: tasksche.exe.10.dr	Binary string: j\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
              Source: mssecsvr.exe.3.dr	Binary string: ;\Device\HarddiskVolume2\Windows\System32\drivers\tdpipe.sys1APP
              Source: tasksche.exe.10.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\mspclock.sys
              Source: tasksche.exe.10.dr	Binary string: K\Device\HarddiskVolume2\Windows\System32\DriverStore\ru-RU\netpacer.inf_locNKA
              Source: tasksche.exe.10.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\ndiscap.sys,
              Source: mssecsvr.exe.3.dr	Binary string: <\Device\HarddiskVolume2\Windows\System32\drivers\USBSTOR.SYSW
              Source: tasksche.exe.10.dr	Binary string: =\Device\HarddiskVolume2\Windows\System32\drivers\sffp_mmc.sys
              Source: tasksche.exe.10.dr	Binary string: 3\Device\HarddiskVolume2\Windows\System32\wermgr.exeP80D
              Source: mssecsvr.exe, 00000006.00000000.1534540990.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvr.exe, 00000008.00000000.1560193255.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvr.exe, 00000008.00000002.2225953882.0000000001D59000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2226237017.0000000002282000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1584859851.0000000000710000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000B.00000002.1645946666.0000000000401000.00000020.00000001.01000000.00000007.sdmp, ruXU7wj3X9.dll, mssecsvr.exe.3.dr, tasksche.exe.10.dr	Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
              Source: classification engine	Classification label: mal100.rans.expl.evad.winDLL@25/11@2/100
              Source: C:\Windows\tasksche.exe	Code function: 11_2_00406553 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,11_2_00406553
              Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,6_2_00407C40
              Source: C:\Windows\mssecsvr.exe	Code function: sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,8_2_00407C40
              Source: C:\Windows\tasksche.exe	Code function: 11_2_00419BB0 CoCreateInstance,11_2_00419BB0
              Source: C:\Windows\mssecsvr.exe	Code function: 6_2_00407CE0 InternetCloseHandle,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,FindResourceA,LoadResource,LockResource,SizeofResource,sprintf,sprintf,sprintf,MoveFileExA,CreateFileA,WriteFile,CloseHandle,CreateProcessA,CloseHandle,CloseHandle,6_2_00407CE0
              Source: C:\Windows\mssecsvr.exe	Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle,6_2_00407C40
              Source: C:\Windows\mssecsvr.exe	Code function: 6_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,6_2_00408090
              Source: C:\Windows\mssecsvr.exe	Code function: 8_2_00408090 GetModuleFileNameA,__p___argc,OpenSCManagerA,InternetCloseHandle,OpenServiceA,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,StartServiceCtrlDispatcherA,8_2_00408090
              Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:2888:64:WilError_03
              Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3660:120:WilError_03
              Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3456
              Source: C:\Windows\System32\svchost.exe	File created: C:\ProgramData\Microsoft\Windows\WER\Temp\079e2700-0cda-4fda-a92a-4c4572cca49d
              Source: C:\Windows\tasksche.exe	Command line argument: @CB	11_2_00424290
              Source: C:\Windows\System32\loaddll32.exe	Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ruXU7wj3X9.dll,PlayGame
              Source: ruXU7wj3X9.dll	Virustotal: Detection: 88%
              Source: ruXU7wj3X9.dll	ReversingLabs: Detection: 89%
              Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll"
              Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",#1
              Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ruXU7wj3X9.dll,PlayGame
              Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",#1
              Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
              Source: unknown	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe -m security
              Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",PlayGame
              Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
              Source: C:\Windows\mssecsvr.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
              Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
              Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3456 -ip 3456
              Source: C:\Windows\tasksche.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 604
              Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
              Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",#1
              Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\ruXU7wj3X9.dll,PlayGame
              Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",PlayGame
              Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",#1
              Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
              Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\mssecsvr.exe C:\WINDOWS\mssecsvr.exe
              Source: C:\Windows\mssecsvr.exe	Process created: C:\Windows\tasksche.exe C:\WINDOWS\tasksche.exe /i
              Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3456 -ip 3456
              Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 604
              Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
              Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll
              Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: apphelp.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: cryptsp.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: rsaenh.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: cryptbase.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: dhcpcsvc6.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: msvcp60.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: iphlpapi.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: wininet.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: iertutil.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: sspicli.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: windows.storage.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: wldp.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: profapi.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: kernel.appcore.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: winhttp.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: mswsock.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: winnsi.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: urlmon.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: srvcli.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: netutils.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: dnsapi.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: rasadhlp.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: fwpuclnt.dll
              Source: C:\Windows\mssecsvr.exe	Section loaded: apphelp.dll
              Source: C:\Windows\tasksche.exe	Section loaded: apphelp.dll
              Source: C:\Windows\tasksche.exe	Section loaded: aclayers.dll
              Source: C:\Windows\tasksche.exe	Section loaded: mpr.dll
              Source: C:\Windows\tasksche.exe	Section loaded: sfc.dll
              Source: C:\Windows\tasksche.exe	Section loaded: sfc_os.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: wersvc.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: windowsperformancerecordercontrol.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: weretw.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: faultrep.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: dbghelp.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: dbgcore.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
              Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
              Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wlidsvc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msxml6.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: wtsapi32.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: winsta.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: gamestreamingext.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: msauserext.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: tbs.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptnet.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: elscore.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: elstrans.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: cryptngc.dllJump to behavior
              Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dllJump to behavior
Source: C:\Windows\mssecsvr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: ruXU7wj3X9.dll | Static file information: File size 5267459 > 1048576
Source: Binary string: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb | source: mssecsvr.exe, 00000006.00000000.1534540990.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvr.exe, 00000008.00000000.1560193255.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvr.exe, 00000008.00000002.2225953882.0000000001D59000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2226237017.0000000002282000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1584859851.0000000000710000.00000002.00000001.01000000.00000004.sdmp, tasksche.exe, 0000000B.00000000.1584131463.000000000042A000.00000002.00000001.01000000.00000007.sdmp, tasksche.exe, 0000000B.00000002.1645986133.000000000042A000.00000002.00000001.01000000.00000007.sdmp, ruXU7wj3X9.dll, mssecsvr.exe.3.dr, tasksche.exe.10.dr
Source: C:\Windows\tasksche.exe | Code function: 11_2_00425715 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 11_2_00425715
Source: C:\Windows\tasksche.exe | Code function: 11_2_0041FAE1 push ecx; ret 11_2_0041FAF4
Source: C:\Windows\tasksche.exe | Code function: 11_2_0041A4DC push eax; ret 11_2_0041A4FA

              Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\rundll32.exe | Executable created and started: C:\WINDOWS\mssecsvr.exe
Source: C:\Windows\mssecsvr.exe | Executable created and started: C:\WINDOWS\tasksche.exe
Source: C:\Windows\mssecsvr.exe | File created: C:\Windows\tasksche.exe
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\mssecsvr.exe
Source: C:\Windows\mssecsvr.exe | File created: C:\Windows\tasksche.exe
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\mssecsvr.exe
Source: C:\Windows\mssecsvr.exe | Code function: 6_2_00407C40 sprintf,OpenSCManagerA,InternetCloseHandle,CreateServiceA,CloseServiceHandle,StartServiceA,CloseServiceHandle,CloseServiceHandle, 6_2_00407C40
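The chain recorded above (rundll32.exe loads the DLL, writes C:\Windows\mssecsvr.exe and starts it; mssecsvr.exe calls OpenSCManagerA, CreateServiceA and StartServiceA and then drops and starts C:\Windows\tasksche.exe) can be hunted for without relying on the file names: an .exe written directly into the Windows directory root, then executed, then registered as a service. The detection below is an added example written for this page, not Joe Sandbox or sample code. It assumes process-create, file-create and service-install events have already been normalised to the dict fields shown (Sysmon event 1 and 11, System event 7045); the input events, the parent cmd.exe, the benign WerFault noise and the service name `example_svc` are constructed, since the report does not show the service name the sample registered.

```python
"""Flag executables dropped into the Windows directory root, started, and
registered as a service. Added example modelled on this report's process tree
(rundll32.exe -> C:\\Windows\\mssecsvr.exe -> C:\\Windows\\tasksche.exe)."""
import ntpath

WINDOWS_ROOT = r"c:\windows"


def in_windows_root(path):
    """True only for an .exe directly under C:\\Windows, not in a subdirectory.
    Legitimate installers almost never write executables there."""
    head, tail = ntpath.split(path.lower())
    return head == WINDOWS_ROOT and tail.endswith(".exe")


def find_dropped_and_started(events):
    """Correlate file writes, process starts and service installs by image path.
    Returns one finding per Windows-root executable that was written and later
    run; 'service' is filled in when a 7045 event names the same image."""
    drops, starts, services = {}, {}, {}
    for ev in events:
        if ev["id"] == 11 and in_windows_root(ev["target"]):
            drops.setdefault(ev["target"].lower(), ev["process"].lower())
        elif ev["id"] == 1 and ev["image"].lower() in drops:
            starts.setdefault(ev["image"].lower(), ev["parent"].lower())
        elif ev["id"] == 7045 and ev["image_path"].lower() in drops:
            services[ev["image_path"].lower()] = ev["service"]
    findings = []
    for image, dropper in drops.items():
        if image not in starts:
            continue  # written but never executed: keep for later, lower priority
        findings.append({
            "dropped": image,
            "dropper": dropper,
            "started_by": starts[image],
            "service": services.get(image),
            # a DLL hosted by rundll32 dropping an EXE is the pattern in this report
            "via_rundll32": ntpath.basename(dropper) == "rundll32.exe",
        })
    return findings


# Constructed sample events (field names and service name are assumptions).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent": r"C:\Windows\SysWOW64\cmd.exe"},
    {"id": 11, "process": r"C:\Windows\SysWOW64\rundll32.exe",
     "target": r"C:\Windows\mssecsvr.exe"},
    {"id": 1, "image": r"C:\Windows\mssecsvr.exe",
     "parent": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"id": 7045, "image_path": r"C:\Windows\mssecsvr.exe",
     "service": "example_svc"},  # placeholder; the report does not name the service
    {"id": 11, "process": r"C:\Windows\mssecsvr.exe",
     "target": r"C:\Windows\tasksche.exe"},
    {"id": 1, "image": r"C:\Windows\tasksche.exe",
     "parent": r"C:\Windows\mssecsvr.exe"},
    # benign noise: a temp file in a subdirectory and WerFault spawned by svchost
    {"id": 11, "process": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Temp\report.tmp"},
    {"id": 1, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "parent": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for f in find_dropped_and_started(SAMPLE_EVENTS):
        print(f)
```

The correlation keys on the image path rather than a service or file name, so a renamed dropper still matches; the `via_rundll32` flag and the `service` field are what raise this from "odd file write" to the service-backed persistence the report shows.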
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)
Source: C:\Windows\mssecsvr.exe | Process information set: NOOPENFILEERRORBOX (12 occurrences)
Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX (16 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (10 occurrences)
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX (54 occurrences)
Source: C:\Windows\tasksche.exe | Code function: 11_2_0040CC10 sldt word ptr [eax] 11_2_0040CC10
Source: C:\Windows\mssecsvr.exe | Thread delayed: delay time: 86400000 (ms, i.e. 24 hours)
Source: C:\Windows\tasksche.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\tasksche.exe | API coverage: 3.5 %
Source: C:\Windows\mssecsvr.exe TID: 6496 | Thread sleep count: 92 > 30
Source: C:\Windows\mssecsvr.exe TID: 6496 | Thread sleep time: -184000s >= -30000s
Source: C:\Windows\mssecsvr.exe TID: 2452 | Thread sleep count: 131 > 30
Source: C:\Windows\mssecsvr.exe TID: 2452 | Thread sleep count: 38 > 30
Source: C:\Windows\mssecsvr.exe TID: 6496 | Thread sleep time: -86400000s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\tasksche.exe | Code function: 11_2_00409476 FindFirstFileW,FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 11_2_00409476
Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
Source: C:\Windows\mssecsvr.exe | Thread delayed: delay time: 86400000 (ms, i.e. 24 hours)
Source: Amcache.hve.14.dr | Binary or memory string: VMware
Source: mssecsvr.exe, 00000008.00000002.2225441842.0000000000A9D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.1584037651.0000000000A9D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWCQ\
Source: Amcache.hve.14.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr | Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.14.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: mssecsvr.exe, 00000006.00000002.1584053188.0000000000A66000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000006.00000002.1584053188.0000000000AA7000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2225441842.0000000000A9D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000003.1584037651.0000000000A9D000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1585287821.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.2797122115.000001F22B6C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.14.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: mssecsvr.exe, 0000000A.00000002.1585287821.0000000000A37000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000F.00000002.2796933895.000001F22B62B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`
Source: Amcache.hve.14.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: mssecsvr.exe, 00000008.00000002.2225441842.0000000000A58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWXx
Source: Amcache.hve.14.dr | Binary or memory string: vmci.sys
Source: Amcache.hve.14.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.14.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.14.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: svchost.exe, 0000000F.00000002.2797577121.000001F22C457000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NXTVMWare
Source: Amcache.hve.14.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.14.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.14.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.14.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.14.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.14.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
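Most of the VM-artifact hits above come from Amcache.hve.14.dr, the Amcache system hive that WerFault.exe (process 14) wrote during the run: it inventories the analysis VM's own hardware (VMware BIOS, VMCI bus, virtual disks) and says nothing about what the sample does. The remaining hits are "Hyper-V RAW" variants in mssecsvr.exe and svchost.exe memory; "Hyper-V RAW" is the display name of the AF_HYPERV Winsock provider that every current Windows build lists in its Winsock catalog, so its presence in a process that enumerates protocols before scanning the network is expected. The helper below is an added example written for this page, not Joe Sandbox code: it parses the report's own "Binary or memory string" lines and buckets them by where the string was found, so that only strings in memory of the sample's dropped binaries are treated as candidate evasion evidence. It assumes the source naming conventions seen in this report (`<process>, <pid>.<region>...sdmp` for a memory dump, `<file>.<pid>.dr` for a dropped file); the input lines are copied or abridged from the report.

```python
"""Bucket a Joe Sandbox report's 'Binary or memory string' hits by origin.
Added example; parses the report's line format, it is not Joe Sandbox code."""
import re

# Tolerates both the report's fused form ('...drBinary or memory string')
# and a 'Source: X | Binary or memory string: Y' layout.
LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*\|?\s*Binary or memory string:\s*(?P<text>.*)$")
SAMPLE_BINARIES = {"mssecsvr.exe", "tasksche.exe"}  # dropped by ruXU7wj3X9.dll
SYSTEM_HIVES = {"amcache.hve"}  # written by Windows, describes the VM itself


def parse_sources(src):
    """Split the Source field into (processes whose memory held the string,
    dropped files that contained it). A '.sdmp' item belongs to the process
    named just before it; 'Amcache.hve.14.dr' is file 'Amcache.hve' from pid 14."""
    items = [s.strip() for s in src.split(",")]
    procs, files = set(), set()
    for prev, cur in zip([None] + items, items):
        if cur.endswith(".sdmp") and prev:
            procs.add(prev.lower())
        elif cur.endswith(".dr"):
            files.add(cur.rsplit(".", 2)[0].lower())
    return procs, files


def classify(line):
    """Return (bucket, string) or None for lines that are not string hits."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    procs, files = parse_sources(m.group("src"))
    if files & SYSTEM_HIVES:
        kind = "environment"    # the VM's own inventory, not sample behaviour
    elif procs & SAMPLE_BINARIES:
        kind = "sample"         # worth checking in the dropped binary
    else:
        kind = "other-process"  # e.g. a Windows service's memory
    return kind, m.group("text")


def triage(lines):
    buckets = {"environment": [], "sample": [], "other-process": []}
    for line in lines:
        hit = classify(line)
        if hit:
            buckets[hit[0]].append(hit[1])
    return buckets


# Lines copied (the long one abridged to a single dump entry) from this report.
REPORT_LINES = [
    "Source: Amcache.hve.14.dr | Binary or memory string: VMware, Inc.",
    "Source: mssecsvr.exe, 00000008.00000002.2225441842.0000000000A9D000."
    "00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "
    "Hyper-V RAWCQ\\",
    "Source: svchost.exe, 0000000F.00000002.2797577121.000001F22C457000."
    "00000004.00000020.00020000.00000000.sdmp | Binary or memory string: NXTVMWare",
    "Source: Amcache.hve.14.dr | Binary or memory string: "
    "Microsoft Hyper-V Generation Counter",
    "Source: Amcache.hve.14.drBinary or memory string: VMware20,1",  # fused form
]

if __name__ == "__main__":
    for kind, strings in triage(REPORT_LINES).items():
        print(kind, len(strings), strings)
```

On this report the "sample" bucket holds only the Hyper-V RAW strings, which is why the real sandbox-evasion evidence here is the `sldt` instruction and the 24-hour sleep in the signatures above, not the string hits.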
Source: C:\Windows\System32\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\tasksche.exe | Process queried: DebugPort
Source: C:\Windows\tasksche.exe | Process queried: DebugPort
Source: C:\Windows\tasksche.exe | Code function: 11_2_0041E6DE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_0041E6DE
Source: C:\Windows\tasksche.exe | Code function: 11_2_00425715 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 11_2_00425715
Source: C:\Windows\tasksche.exe | Code function: 11_2_004234CE SetUnhandledExceptionFilter, 11_2_004234CE
Source: C:\Windows\tasksche.exe | Code function: 11_2_0041E6DE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_0041E6DE
Source: C:\Windows\tasksche.exe | Code function: 11_2_0041FFDB _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_0041FFDB
Source: C:\Windows\tasksche.exe | Code function: 11_2_00423F89 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind, 11_2_00423F89
(The IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess sequences at 11_2_0041E6DE and 11_2_0041FFDB, together with the __encode_pointer/__decode_pointer calls, are the statically linked MSVC CRT's fatal-error reporting path (the invalid-parameter and /GS stack-cookie failure handlers), which only runs on a runtime fault; they are CRT boilerplate rather than a deliberate anti-debugging check, and the same code is present in the WinRAR SFX stub the PDB string above identifies.)
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\ruXU7wj3X9.dll",#1
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3456 -ip 3456
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 604
Source: C:\Windows\tasksche.exe | Code function: 11_2_00410E50 cpuid 11_2_00410E50
Source: C:\Windows\tasksche.exe | Code function: GetLocaleInfoA, 11_2_00425EF0
Source: C:\Windows\tasksche.exe | Code function: 11_2_00411393 GetSystemTime,SystemTimeToFileTime, 11_2_00411393
Source: Amcache.hve.14.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.14.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: mssecsvr.exe, 00000006.00000000.1534540990.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvr.exe, 00000008.00000000.1560193255.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvr.exe, 00000008.00000002.2225953882.0000000001D59000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 00000008.00000002.2226237017.0000000002282000.00000004.00000020.00020000.00000000.sdmp, mssecsvr.exe, 0000000A.00000002.1584859851.0000000000710000.00000002.00000001.01000000.00000004.sdmp, mssecsvr.exe.3.dr, tasksche.exe.10.dr | Binary or memory string: 2\Device\HarddiskVolume2\Windows\ehome\mcupdate.exe
Source: Amcache.hve.14.dr | Binary or memory string: MsMpEng.exe
MITRE ATT&CK Matrix (numbers in parentheses are the signature counts shown in the report's matrix cells; techniques without a number are the matrix's default placeholders with no hits for this sample)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Command and Scripting Interpreter (2), Service Execution (2), Native API (2), Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: Windows Service (4), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Access Token Manipulation (1), Windows Service (4), Process Injection (11), DLL Side-Loading (1), Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading (12), Virtualization/Sandbox Evasion (41), Access Token Manipulation (1), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), Rundll32 (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: Network Share Discovery (1), System Time Discovery (1), Security Software Discovery (31), Process Discovery (1), Virtualization/Sandbox Evasion (41), File and Directory Discovery (1), System Information Discovery (22), System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Encrypted Channel (12), Ingress Tool Transfer (1), Non-Application Layer Protocol (2), Application Layer Protocol (3), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph ID: 1591362 | Sample: ruXU7wj3X9.dll | Startdate: 14/01/2025 | Architecture: WINDOWS | Score: 100

Numbers in brackets are the graph's node ids; numbers following a process name are the legend's per-process counters (created registry values / created files).

Start [2]
  DNS/IP: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com [49]; ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com [51]; 77026.bodis.com [53]
  Signatures: Suricata IDS alerts for network traffic [63]; Malicious sample detected (through community Yara rule) [65]; Antivirus detection for URL or domain [67]; 4 other signatures [69]
  started: loaddll32.exe 1 [10]
    started: rundll32.exe [20]
      Signature: Drops executables to the windows directory (C:\Windows) and starts them [71]
      started: mssecsvr.exe 13 [32]
        dropped: C:\Windows\tasksche.exe, PE32 [45]
        Signature: Drops executables to the windows directory (C:\Windows) and starts them [61]
        started: tasksche.exe [38]
          started: WerFault.exe 19 16 [43]
    started: cmd.exe 1 [23]
      started: rundll32.exe [36]
        started: mssecsvr.exe 12 [41]
          Signatures: Antivirus detection for dropped file [73]; Machine Learning detection for dropped file [75]
    started: rundll32.exe 1 [25]
      dropped: C:\Windows\mssecsvr.exe, PE32 [47]
    started: conhost.exe [28]
  started: mssecsvr.exe 12 [12]
    DNS/IP: 192.168.2.102 unknown unknown [55]; 192.168.2.103 unknown unknown [57]; 98 other IPs or domains [59]
    Signatures: Connects to many different private IPs via SMB (likely to spread or exploit) [77]; Connects to many different private IPs (likely to spread or exploit) [79]
  started: svchost.exe 8 [16]
    started: WerFault.exe 2 [30]
  started: svchost.exe 2 1 [18]
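The process tree and network behavior in the graph map directly onto host-side detections. The following is an added example, not Joe Sandbox's own signature logic: it replays three of the graph's findings (a PE written under C:\Windows and later executed, one process contacting many distinct private addresses on TCP/445, and a DNS query for the kill-switch domain listed in the DNS/IP section) over a constructed Sysmon-style event list. The event field names, the pids, the benign decoy events and the threshold of 10 private IPs are assumptions chosen to mirror the graph, not data from the report.

```python
"""Replay three behavior-graph findings as detection rules.

Added example, not Joe Sandbox's own signature code. The event list is
constructed to mirror the graph (rundll32.exe writing C:\\Windows\\mssecsvr.exe,
mssecsvr.exe writing and launching tasksche.exe, one mssecsvr.exe instance
sweeping private addresses on TCP/445). Field names, pids and the threshold
are assumptions.
"""
import ipaddress
from collections import defaultdict

WINDOWS_DIR = "c:\\windows\\"
SMB_PORT = 445
PRIVATE_IP_THRESHOLD = 10  # assumption: what counts as "many" private IPs
# Domain from the report's DNS/IP section (the worm's kill-switch lookup).
WATCHED_DOMAINS = {"www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com"}

# Constructed events, not a real capture. "kind" follows Sysmon event ids:
# 1 = process create, 3 = network connect, 11 = file create, 22 = DNS query.
EVENTS = [
    {"kind": 1, "pid": 25, "ppid": 10, "image": "C:\\Windows\\System32\\rundll32.exe"},
    {"kind": 11, "pid": 25, "target": "C:\\Windows\\mssecsvr.exe"},
    {"kind": 1, "pid": 32, "ppid": 20, "image": "C:\\Windows\\mssecsvr.exe"},
    {"kind": 11, "pid": 32, "target": "C:\\Windows\\tasksche.exe"},
    {"kind": 1, "pid": 38, "ppid": 32, "image": "C:\\Windows\\tasksche.exe"},
    {"kind": 11, "pid": 16, "target": "C:\\Windows\\Temp\\report.txt"},  # benign: not a PE
    {"kind": 22, "pid": 12, "query": "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com"},
    {"kind": 3, "pid": 16, "dst_ip": "20.42.73.29", "dst_port": 443},   # not SMB
    {"kind": 3, "pid": 18, "dst_ip": "203.0.113.7", "dst_port": 445},   # SMB, but public
] + [
    # One process sweeping a /24: 20 distinct private hosts on 445.
    {"kind": 3, "pid": 12, "dst_ip": f"192.168.2.{host}", "dst_port": 445}
    for host in range(100, 120)
]


def dropped_and_started(events):
    """Return (dropper_pid, started_pid, path) for every PE written under
    C:\\Windows that later shows up as a process image, regardless of which
    process launched it ("Drops executables to the windows directory and
    starts them"). Events are assumed to be in chronological order."""
    drops = {}  # lowercase path -> pid that wrote it
    hits = []
    for ev in events:
        if ev["kind"] == 11:
            path = ev["target"].lower()
            if path.startswith(WINDOWS_DIR) and path.endswith((".exe", ".dll")):
                drops[path] = ev["pid"]
        elif ev["kind"] == 1:
            path = ev["image"].lower()
            if path in drops:
                hits.append((drops[path], ev["pid"], ev["image"]))
    return hits


def private_smb_scanners(events, threshold=PRIVATE_IP_THRESHOLD):
    """Map pid -> number of distinct private IPs contacted on TCP/445, keeping
    only processes at or above the threshold ("Connects to many different
    private IPs via SMB"). Public destinations and other ports are ignored."""
    seen = defaultdict(set)
    for ev in events:
        if ev["kind"] == 3 and ev["dst_port"] == SMB_PORT:
            ip = ipaddress.ip_address(ev["dst_ip"])
            if ip.is_private:
                seen[ev["pid"]].add(ip)
    return {pid: len(ips) for pid, ips in seen.items() if len(ips) >= threshold}


def watched_domain_lookups(events, watchlist=WATCHED_DOMAINS):
    """Return (pid, domain) for DNS queries that hit the watchlist."""
    return [(ev["pid"], ev["query"]) for ev in events
            if ev["kind"] == 22 and ev["query"].lower() in watchlist]


if __name__ == "__main__":
    for dropper, started, path in dropped_and_started(EVENTS):
        print(f"pid {dropper} wrote {path}; pid {started} executed it")
    for pid, count in private_smb_scanners(EVENTS).items():
        print(f"pid {pid} reached {count} distinct private hosts on tcp/{SMB_PORT}")
    for pid, domain in watched_domain_lookups(EVENTS):
        print(f"pid {pid} queried watched domain {domain}")
```

The drop-and-execute rule keys on the written path rather than on parent/child pids because, as the graph shows, the rundll32.exe instance that wrote C:\Windows\mssecsvr.exe [25] is not the one whose child executed it [20 → 32]. The SMB rule counts distinct private destinations per process, which separates a lateral-movement sweep from a single share mount; tune the threshold to the host's normal SMB fan-out.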

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.