Windows Analysis Report 1wsm2uXwSY.exe

Overview

General Information

Sample Name: 1wsm2uXwSY.exe
Analysis ID: 483751
MD5: a560665e36e1af3084e31055adc83808
SHA1: c9d07a945765b3f90e0a970a748af631f22cf0e3
SHA256: 3ffef680021c116955e889822e935c55b05576f9a0f9bd1dde334c0ccbfca006
Tags: exe, OrcusRAT

Detection

Orcus
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Orcus RAT
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Installs a global keyboard hook
.NET source code references suspicious native API functions
Yara detected Costura Assembly Loader
Changes security center settings (notifications, updates, antivirus, firewall)
Machine Learning detection for sample
.NET source code contains potential unpacker
.NET source code contains very large strings
Contains functionality to disable the Task Manager (.Net Source)
Drops executables to the windows directory (C:\Windows) and starts them
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
PE file contains executable resources (Code or Archives)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Drops PE files to the windows directory (C:\Windows)
Detected TCP or UDP traffic on non-standard ports
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates or modifies windows services
Dropped file seen in connection with other malware
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • 1wsm2uXwSY.exe (PID: 6032 cmdline: 'C:\Users\user\Desktop\1wsm2uXwSY.exe' MD5: A560665E36E1AF3084E31055ADC83808)
    • WindowsInput.exe (PID: 992 cmdline: 'C:\Windows\SysWOW64\WindowsInput.exe' --install MD5: E6FCF516D8ED8D0D4427F86E08D0D435)
  • WindowsInput.exe (PID: 1848 cmdline: C:\Windows\SysWOW64\WindowsInput.exe MD5: E6FCF516D8ED8D0D4427F86E08D0D435)
  • svchost.exe (PID: 3468 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4080 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 3396 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5180 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1836 cmdline: c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4812 cmdline: c:\windows\system32\svchost.exe -k unistacksvcgroup MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2140 cmdline: c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2000 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • SgrmBroker.exe (PID: 6220 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: D3170A3F3A9626597EEE1888686E3EA6)
  • svchost.exe (PID: 6264 cmdline: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc MD5: 32569E403279B3FD2EDB7EBD036273FA)
    • MpCmdRun.exe (PID: 5672 cmdline: 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable MD5: A267555174BFA53844371226F482B86B)
      • conhost.exe (PID: 5552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 6344 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

Malware Configuration

Threatname: OrcusRAT

{
  "AutostartBuilderProperty": {
    "AutostartMethod": "Disable",
    "TaskSchedulerTaskName": "Orcus",
    "TaskHighestPrivileges": "true",
    "RegistryHiddenStart": "true",
    "RegistryKeyName": "Orcus",
    "TryAllAutostartMethodsOnFail": "true"
  },
  "ChangeAssemblyInformationBuilderProperty": {
    "ChangeAssemblyInformation": "true",
    "AssemblyTitle": "Synapse X",
    "AssemblyDescription": null,
    "AssemblyCompanyName": null,
    "AssemblyProductName": null,
    "AssemblyCopyright": null,
    "AssemblyTrademarks": null,
    "AssemblyProductVersion": "1.0.0.0",
    "AssemblyFileVersion": "1.0.0.0"
  },
  "ChangeCreationDateBuilderProperty": {
    "IsEnabled": "false",
    "NewCreationDate": "2021-09-12T08:05:49-04:00"
  },
  "ChangeIconBuilderProperty": {
    "ChangeIcon": "true",
    "IconPath": "C:\\Users\\Administrator\\Documents\\storage\\shitty rat maker\\icons\\synapse.ico"
  },
  "ClientTagBuilderProperty": {
    "ClientTag": null
  },
  "ConnectionBuilderProperty": {
    "IpAddresses": [
      {
        "Ip": "136.144.41.171",
        "Port": "10134"
      }
    ]
  },
  "DataFolderBuilderProperty": {
    "Path": "%appdata%\\Orcus"
  },
  "DefaultPrivilegesBuilderProperty": {
    "RequireAdministratorRights": "true"
  },
  "DisableInstallationPromptBuilderProperty": {
    "IsDisabled": "false"
  },
  "FrameworkVersionBuilderProperty": {
    "FrameworkVersion": "NET45"
  },
  "HideFileBuilderProperty": {
    "HideFile": "true"
  },
  "InstallationLocationBuilderProperty": {
    "Path": "%programfiles%\\Synapse\\Synapse.exe"
  },
  "InstallBuilderProperty": {
    "Install": "false"
  },
  "KeyloggerBuilderProperty": {
    "IsEnabled": "true"
  },
  "MutexBuilderProperty": {
    "Mutex": "e744d5f8bc5b44fcae386e2debf8200e"
  },
  "ProxyBuilderProperty": {
    "ProxyOption": "None",
    "ProxyAddress": null,
    "ProxyPort": "1080",
    "ProxyType": "2"
  },
  "ReconnectDelayProperty": {
    "Delay": "10000"
  },
  "RequireAdministratorPrivilegesInstallerBuilderProperty": {
    "RequireAdministratorPrivileges": "true"
  },
  "RespawnTaskBuilderProperty": {
    "IsEnabled": "false",
    "TaskName": "Orcus Respawner"
  },
  "ServiceBuilderProperty": {
    "Install": "true"
  },
  "SetRunProgramAsAdminFlagBuilderProperty": {
    "SetFlag": "false"
  },
  "WatchdogBuilderProperty": {
    "IsEnabled": "false",
    "Name": "OrcusWatchdog.exe",
    "WatchdogLocation": "AppData",
    "PreventFileDeletion": "false"
  }
}

Yara Overview

Initial Sample

Source: 1wsm2uXwSY.exe | Rule: MAL_BackNet_Nov18_1 | Description: Detects BackNet samples | Author: Florian Roth
  • 0xcbed8:$s1: ProcessedByFody
  • 0xd7ac2:$s2: SELECT * FROM AntivirusProduct
Source: 1wsm2uXwSY.exe | Rule: JoeSecurity_OrcusRat | Description: Yara detected Orcus RAT | Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: 1wsm2uXwSY.exe | Rule: RAT_Orcus | Description: unknown | Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
  • 0xcb652:$text01: Orcus.CommandManagement

Memory Dumps

Source: 00000000.00000002.491759765.00000000002F2000.00000002.00020000.sdmp | Rule: JoeSecurity_OrcusRat | Description: Yara detected Orcus RAT | Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: 00000000.00000002.491759765.00000000002F2000.00000002.00020000.sdmp | Rule: RAT_Orcus | Description: unknown | Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
  • 0xcb452:$text01: Orcus.CommandManagement
Source: 00000000.00000000.220589849.00000000002F2000.00000002.00020000.sdmp | Rule: JoeSecurity_OrcusRat | Description: Yara detected Orcus RAT | Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: 00000000.00000000.220589849.00000000002F2000.00000002.00020000.sdmp | Rule: RAT_Orcus | Description: unknown | Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
  • 0xcb452:$text01: Orcus.CommandManagement
Source: Process Memory Space: 1wsm2uXwSY.exe PID: 6032 | Rule: JoeSecurity_OrcusRat | Description: Yara detected Orcus RAT | Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam

Unpacked PEs

Source: 0.2.1wsm2uXwSY.exe.2f0000.0.unpack | Rule: MAL_BackNet_Nov18_1 | Description: Detects BackNet samples | Author: Florian Roth
  • 0xcbed8:$s1: ProcessedByFody
  • 0xd7ac2:$s2: SELECT * FROM AntivirusProduct
Source: 0.2.1wsm2uXwSY.exe.2f0000.0.unpack | Rule: JoeSecurity_OrcusRat | Description: Yara detected Orcus RAT | Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
Source: 0.2.1wsm2uXwSY.exe.2f0000.0.unpack | Rule: RAT_Orcus | Description: unknown | Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam
  • 0xcb652:$text01: Orcus.CommandManagement
Source: 0.0.1wsm2uXwSY.exe.2f0000.0.unpack | Rule: MAL_BackNet_Nov18_1 | Description: Detects BackNet samples | Author: Florian Roth
  • 0xcbed8:$s1: ProcessedByFody
  • 0xd7ac2:$s2: SELECT * FROM AntivirusProduct
Source: 0.0.1wsm2uXwSY.exe.2f0000.0.unpack | Rule: JoeSecurity_OrcusRat | Description: Yara detected Orcus RAT | Author: J from THL <j@techhelplist.com> with thx to MalwareHunterTeam

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 1wsm2uXwSY.exe, Malware Configuration Extractor: OrcusRAT (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 1wsm2uXwSY.exe, Virustotal: Detection: 64%
Source: 1wsm2uXwSY.exe, Metadefender: Detection: 62%
Source: 1wsm2uXwSY.exe, ReversingLabs: Detection: 79%
Antivirus / Scanner detection for submitted sample
Source: 1wsm2uXwSY.exe, Avira: detected
Antivirus detection for dropped file
Source: C:\Windows\SysWOW64\WindowsInput.exe, Avira: detection malicious, Label: TR/Agent.zgvcy
Multi AV Scanner detection for dropped file
Source: C:\Windows\SysWOW64\WindowsInput.exe, Metadefender: Detection: 70%
Source: C:\Windows\SysWOW64\WindowsInput.exe, ReversingLabs: Detection: 86%
Machine Learning detection for sample
Source: 1wsm2uXwSY.exe, Joe Sandbox ML: detected
Source: 1wsm2uXwSY.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 1wsm2uXwSY.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Features\Orcus.Service\obj\Release\Orcus.Service.pdblf source: 1wsm2uXwSY.exe, 00000000.00000002.515213538.00000000029C0000.00000004.00000001.sdmp, WindowsInput.exe, 00000003.00000000.226049010.0000000000B52000.00000002.00020000.sdmp, WindowsInput.exe, 00000005.00000002.491758825.0000000000462000.00000002.00020000.sdmp, WindowsInput.exe.0.dr
Source: Binary string: D:\Dokumente\GitHub\starksoft-aspen\Starksoft.Aspen\obj\Release\starksoft.aspen.pdb source: 1wsm2uXwSY.exe, 00000000.00000002.515638251.0000000002A32000.00000004.00000001.sdmp
Source: Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.StaticCommands\obj\Release\Orcus.StaticCommands.pdb source: 1wsm2uXwSY.exe, 00000000.00000002.515213538.00000000029C0000.00000004.00000001.sdmp
Source: Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Features\Orcus.Service\obj\Release\Orcus.Service.pdb source: WindowsInput.exe, WindowsInput.exe.0.dr
Source: Binary string: D:\Dokumente\GitHub\starksoft-aspen\Starksoft.Aspen\obj\Release\starksoft.aspen.pdbL source: 1wsm2uXwSY.exe, 00000000.00000002.515638251.0000000002A32000.00000004.00000001.sdmp
Source: Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Shared.Utilities\obj\Release\Orcus.Shared.Utilities.pdb source: 1wsm2uXwSY.exe, 00000000.00000002.514919469.0000000002983000.00000004.00000001.sdmp
Source: Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Plugins\obj\Release\Orcus.Plugins.pdb source: 1wsm2uXwSY.exe, 00000000.00000002.518013459.0000000004B50000.00000004.00020000.sdmp
Source: Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Shared\obj\Release\Orcus.Shared.pdb source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp
Source: Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Shared\obj\Release\Orcus.Shared.pdbDr source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp
Source: Binary string: E:\Dokumente\Visual Studio 2015\Projects\Orcus\Source\Orcus.Plugins\obj\Release\Orcus.Plugins.pdbD source: 1wsm2uXwSY.exe, 00000000.00000002.518013459.0000000004B50000.00000004.00020000.sdmp
Source: Joe Sandbox View, ASN Name: WORLDSTREAMNL WORLDSTREAMNL
Source: global traffic, TCP traffic: 192.168.2.3:49737 -> 136.144.41.171:10134
Source: unknown, TCP traffic detected without corresponding DNS query: 136.144.41.171
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp, String found in binary or memory: http://aia.startssl.com/certs/ca.crt0
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp, String found in binary or memory: http://aia.startssl.com/certs/sca.code3.crt06
Source: 1wsm2uXwSY.exe, 00000000.00000002.520322448.0000000005790000.00000004.00000001.sdmp, svchost.exe, 00000007.00000002.507580524.000002B014888000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp, String found in binary or memory: http://crl.startssl.com/sca-code3.crl0#
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp, String found in binary or memory: http://crl.startssl.com/sfsca.crl0f
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp, String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: svchost.exe, 00000007.00000002.505224674.000002B014814000.00000004.00000001.sdmp, String found in binary or memory: http://crl.ver)
Source: 1wsm2uXwSY.exe, 00000000.00000003.240192397.0000000005814000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.0.dr, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 1wsm2uXwSY.exe, 00000000.00000002.502371283.0000000000B4F000.00000004.00000001.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab0
Source: 1wsm2uXwSY.exe, 00000000.00000003.240192397.0000000005814000.00000004.00000001.sdmp, 1wsm2uXwSY.exe, 00000000.00000002.520322448.0000000005790000.00000004.00000001.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f4ff848365b24
Source: 1wsm2uXwSY.exe, 00000000.00000002.502371283.0000000000B4F000.00000004.00000001.sdmp, String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/ent
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.startssl.com00
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.startssl.com07
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.thawte.com0
Source: 1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp, WindowsInput.exe, 00000003.00000002.230271529.0000000002E11000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.504197637.000000000143B000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.datacontract.org
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000003.00000002.230271529.0000000002E11000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.504197637.000000000143B000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.504197637.000000000143B000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.EventLog
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, 1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.504197637.000000000143B000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.datacontract.org/2004/07/Orcus.Shared.Commands.Registry
Source: WindowsInput.exe, 00000003.00000002.230271529.0000000002E11000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
              Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
              Source: 1wsm2uXwSY.exe, 00000000.00000002.508689788.0000000002711000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
              Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
              Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
              Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
              Source: WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/faultP
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anon
              Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516711666.0000000002B68000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
              Source: 1wsm2uXwSY.exe, 00000000.00000002.512127698.000000000280F000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
              Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.505312254.00000000014AB000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: 1wsm2uXwSY.exe, 00000000.00000002.512127698.000000000280F000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.505312254.00000000014AB000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/spn
              Source: 1wsm2uXwSY.exe, 00000000.00000002.512127698.000000000280F000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506383414.00000000014F8000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/system
              Source: 1wsm2uXwSY.exe, 00000000.00000002.512127698.000000000280F000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
              Source: 1wsm2uXwSY.exe, 00000000.00000002.512127698.000000000280F000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506383414.00000000014F8000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/identity
              Source: 1wsm2uXwSY.exe, 00000000.00000002.512127698.000000000280F000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.505312254.00000000014AB000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
              Source: 1wsm2uXwSY.exe, 00000000.00000002.512127698.000000000280F000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
              Source: 1wsm2uXwSY.exe, 00000000.00000002.508689788.0000000002711000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/wsdl/
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/
              Source: WindowsInput.exe, 00000005.00000002.504197637.000000000143B000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/:NetNamedPipeBinding
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IServiceP
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IServiceP$
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IServiceP(
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IServiceP0
              Source: 1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IServiceP8
              Source: WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/
              Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/CreateSubKey
              Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/CreateSubKeyResponse
              Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/CreateValue
              Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/CreateValueResponse
              Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/DeleteFile
              Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/DeleteFileResponse
              Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/DeleteSubKey
              Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/DeleteSubKeyResponse
              Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/DeleteValue
              Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/DeleteValueResponse
              Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/GetPath
              Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/GetPathResponse
              Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/GetRegistrySubKeys
              Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/IServicePipe/GetRegistrySubKeysResponse
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/GetRegistryValues
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/GetRegistryValuesResponse
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/GetSecurityEventLog
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/GetSecurityEventLogResponse
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/IsAlive
Source: 1wsm2uXwSY.exe, 00000000.00000002.512127698.000000000280F000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506383414.00000000014F8000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/IsAliveDnet.pipe://localhost/69e001dd06a44ff1b3260a75a6f10381/OrcusU
Source: 1wsm2uXwSY.exe, 00000000.00000002.512127698.000000000280F000.00000004.00000001.sdmp, 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506477974.00000000014FC000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/IsAliveResponse
Source: 1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/StartProcess
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/StartProcessResponse
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/StartProcessom
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/WriteFile
Source: 1wsm2uXwSY.exe, 00000000.00000002.511114754.00000000027B6000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.500370409.000000000137A000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/IServicePipe/WriteFileResponse
Source: 1wsm2uXwSY.exe, 00000000.00000002.512127698.000000000280F000.00000004.00000001.sdmp, WindowsInput.exe, 00000005.00000002.506383414.00000000014F8000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/V
Source: 1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/lJ)
Source: 1wsm2uXwSY.exe, 00000000.00000002.516119638.0000000002AB3000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/t&)
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: svchost.exe, 0000000E.00000002.313404338.000002B1EF413000.00000004.00000001.sdmp | String found in binary or memory: http://www.bingmapsportal.com
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp | String found in binary or memory: http://www.startssl.com/0P
Source: 1wsm2uXwSY.exe, 00000000.00000002.517202235.0000000003711000.00000004.00000001.sdmp | String found in binary or memory: http://www.startssl.com/policy0
Source: WindowsInput.exe, 00000003.00000002.230271529.0000000002E11000.00000004.00000001.sdmp | String found in binary or memory: http://www.w3.o
Source: svchost.exe, 0000000B.00000002.495717491.000001A6DAC3E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000B.00000002.495717491.000001A6DAC3E000.00000004.00000001.sdmp | String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000B.00000002.495717491.000001A6DAC3E000.00000004.00000001.sdmp | String found in binary or memory: https://activity.windows.com
Source: 1wsm2uXwSY.exe | String found in binary or memory: https://api.ipify.org/
Source: 1wsm2uXwSY.exe | String found in binary or memory: https://api.ipify.org/I(.
Source: svchost.exe, 0000000E.00000003.311819408.000002B1EF460000.00000004.00000001.sdmp | String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 0000000B.00000002.495717491.000001A6DAC3E000.00000004.00000001.sdmp | String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000B.00000002.495717491.000001A6DAC3E000.00000004.00000001.sdmp | String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: svchost.exe, 0000000E.00000003.311935590.000002B1EF45A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.311819408.000002B1EF460000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.313505141.000002B1EF43C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.311819408.000002B1EF460000.00000004.00000001.sdmp | String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.311819408.000002B1EF460000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 0000000E.00000002.313505141.000002B1EF43C000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 0000000E.00000003.311819408.000002B1EF460000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 0000000E.00000003.311819408.000002B1EF460000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 0000000E.00000003.311819408.000002B1EF460000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 0000000E.00000003.289923073.000002B1EF430000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 0000000E.00000003.312028259.000002B1EF440000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 0000000E.00000003.312028259.000002B1EF440000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 0000000E.00000003.311819408.000002B1EF460000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 0000000E.00000003.311935590.000002B1EF45A000.00000004.00000001.sdmp | String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 0000000E.00000003.311935590.000002B1EF45A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.311935590.000002B1EF45A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000003.311935590.000002B1EF45A000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.311769035.000002B1EF463000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000003.312028259.000002B1EF440000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t
Source: svchost.exe, 0000000E.00000003.311819408.000002B1EF460000.00000004.00000001.sdmp | String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.313505141.000002B1EF43C000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 0000000E.00000003.289923073.000002B1EF430000.00000004.00000001.sdmp | String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: svchost.exe, 0000000E.00000002.313505141.000002B1EF43C000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 0000000E.00000002.313404338.000002B1EF413000.00000004.00000001.sdmp, svchost.exe, 0000000E.00000002.313505141.000002B1EF43C000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 0000000E.00000003.312252438.000002B1EF456000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 0000000E.00000003.312252438.000002B1EF456000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 0000000E.00000003.289923073.000002B1EF430000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 0000000E.00000003.289923073.000002B1EF430000.00000004.00000001.sdmp | String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 0000000E.00000003.311889347.000002B1EF447000.00000004.00000001.sdmp | String found in binary or memory: https://t0.tiles.ditu.live.com/tiles/gen

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\Desktop\1wsm2uXwSY.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\1wsm2uXwSY.exe

System Summary:

Yara detected Orcus RAT
Source: Yara match | File source: 1wsm2uXwSY.exe, type: SAMPLE
Source: Yara match | File source: 0.2.1wsm2uXwSY.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.1wsm2uXwSY.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.491759765.00000000002F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.220589849.00000000002F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1wsm2uXwSY.exe PID: 6032, type: MEMORYSTR
Malicious sample detected (through community Yara rule)
Source: 1wsm2uXwSY.exe, type: SAMPLE