Windows Analysis Report
442.docx.exe

Overview

General Information

Sample name: 442.docx.exe
renamed because original name is a hash value
Original sample name: .docx.exe
Analysis ID: 1567177
MD5: fb8117b1a3f0924100fbc209dbbb1bb1
SHA1: 9d18c954eae8e8f8437d4e32d0b685f3f51b982b
SHA256: beaa1498a67bab02bc4c08f00bde36489aaa86ad8b01ee70b477452a08d360ec

Detection

RMSRemoteAdmin
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Sigma detected: Suspicious Double Extension File Execution
Suricata IDS alerts for network traffic
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Outbound SMTP Connections
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected RMS RemoteAdmin tool
Yara signature match

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.8% probability
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 12_2_5FC345A0 rmsEncInitSimpleEncryption,memcpy,memcpy, 12_2_5FC345A0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 12_2_5FC33760 rmsEncEncryptData, 12_2_5FC33760
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 12_2_5FC33D30 rmsEncRsaPrivateDecrypt,memcpy,memcpy,memcpy, 12_2_5FC33D30
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 12_2_5FC338C0 rmsEncDecryptData, 12_2_5FC338C0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 12_2_5FC342D0 rmsEncRsaPrivateEncrypt,memcpy,memcpy,memcpy, 12_2_5FC342D0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 12_2_5FC33AE0 rmsEncRsaPublicEncrypt,memcpy, 12_2_5FC33AE0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 12_2_5FC34000 rmsEncRsaPublicDecrypt,memcpy,memcpy,memcpy, 12_2_5FC34000
Source: rfusclient.exe, 0000000C.00000002.2199882753.00000000600B0000.00000002.00000001.01000000.0000000C.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_0ea94acd-6

Compliance

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Unpacked PE file: 12.2.rfusclient.exe.c70000.0.unpack
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\ProgramData\Remote Manipulator System\install.log
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf Jump to behavior
Source: 442.docx.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 442.docx.exe, 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp, 442.docx.exe, 00000000.00000000.2026361763.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
Source: C:\Windows\System32\msiexec.exe File opened: z: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: x: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: v: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: t: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: r: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: p: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: n: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: l: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: j: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: h: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: f: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: b: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: y: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: w: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: u: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: s: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: q: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: o: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: m: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: k: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: i: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: g: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: e: Jump to behavior
Source: C:\Windows\System32\svchost.exe File opened: c: Jump to behavior
Source: C:\Windows\System32\msiexec.exe File opened: a: Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99B40BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7C99B40BC
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99CB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7C99CB190
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99DFCA0 FindFirstFileExA, 0_2_00007FF7C99DFCA0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 4x nop then push esi 12_2_5FFF6B90
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 4x nop then push esi 12_2_5FFF6AD0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 4x nop then sub esp, 1Ch 12_2_5FFFBEB0
Source: winword.exe Memory has grown: Private usage: 1MB later: 91MB

Networking

Source: Network traffic Suricata IDS: 2849354 - Severity 1 - ETPRO MALWARE Remote Admin Backdoor Related Activity : 192.168.2.5:49803 -> 111.90.147.125:80
Source: global traffic TCP traffic: 111.90.147.125 ports 5651,1,465,5,6,55555,80
Source: global traffic TCP traffic: 192.168.2.5:49802 -> 111.90.147.125:5651
Source: global traffic TCP traffic: 192.168.2.5:49805 -> 78.138.9.142:5651
Source: global traffic TCP traffic: 192.168.2.5:49823 -> 95.213.205.83:5655
Source: global traffic TCP traffic: 192.168.2.5:49842 -> 109.234.156.179:5655
Source: Joe Sandbox View ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY
Source: unknown TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown TCP traffic detected without corresponding DNS query: 78.138.9.142
Source: global traffic DNS traffic detected: DNS query: id72.internetid.ru
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C5D1000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C65E000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C71B000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C6B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: rutserv.exe, 00000011.00000002.3303616204.00000000007DF000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2979233935.00000000007D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr45http://crl.globalsign.com/codesigningrootr45.crl
Source: rutserv.exe, 00000011.00000002.3297940665.0000000000756000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020
Source: rutserv.exe, 00000011.00000002.3359972532.000000000728A000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2981074132.000000000728A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBTLuA3ygnKW%2F7xuSx%2
Source: rutserv.exe, 00000011.00000002.3359972532.000000000728A000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2981074132.000000000728A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCUABBTLuA3ygnKW%2F7xuSx%2F0
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C5D1000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C65E000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C71B000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C6B4000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3297940665.0000000000756000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: rutserv.exe, 00000011.00000002.3297940665.00000000006F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020http://crl.globalsign.com/gsgccr45codesignca2020.cr
Source: rutserv.exe, 00000011.00000002.3359972532.000000000728A000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2981074132.000000000728A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020t.n
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C5D1000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C65E000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C71B000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C6B4000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3297940665.0000000000756000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: rutserv.exe, 00000011.00000002.3303616204.00000000007A5000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2979233935.000000000079E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/rootr3http://crl.globalsign.com/root-r3.crlT/
Source: svchost.exe, 0000000B.00000002.3312472664.00000225E4013000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3312588974.00000225E403B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://passport.net/tb
Source: rutserv.exe, 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://rmansys.ru/
Source: rutserv.exe, 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://rmansys.ru///rmansys.ru/
Source: rutserv.exe, 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://rmansys.ru///rmansys.ru/;
Source: rutserv.exe, 0000000E.00000000.2219293441.0000000001FD1000.00000002.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000011.00000002.3352551373.0000000004050000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3352551373.000000000413F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://rmansys.ru/internet-id/
Source: rutserv.exe, 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://rmansys.ru/nsys.ru/pf
Source: rutserv.exe, 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://rmansys.ru/pf
Source: rutserv.exe, 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://rmansys.ru/rd
Source: rutserv.exe, 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://rmansys.ru/web-help/
Source: rutserv.exe, 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://rmansys.ru/web-help/eb-help/
Source: rutserv.exe, 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://rmansys.ru/web-help/eb-help/D
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C64C000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C64C000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: svchost.exe, 0000000B.00000003.2445114928.00000225E390E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3309654301.00000225E390F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.mi
Source: 442.docx.exe, 00000000.00000003.2051892599.000001B53872D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.microsoft.c
Source: svchost.exe, 0000000B.00000002.3312472664.00000225E4013000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmp, rfusclient.exe, 0000000C.00000000.2170437757.0000000000CBF000.00000020.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000E.00000000.2203086600.0000000000B11000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000011.00000003.2311900213.000000007B910000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: svchost.exe, 0000000B.00000002.3311154783.00000225E3937000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 0000000B.00000002.3311154783.00000225E3937000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3309861822.00000225E3913000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2288569554.00000225E3929000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 0000000B.00000003.2260759594.00000225E3969000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2359941655.00000225E396E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2260920520.00000225E396E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policye.srf
Source: svchost.exe, 0000000B.00000003.2359941655.00000225E396E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3311154783.00000225E3937000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3309861822.00000225E3913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 0000000B.00000002.3311154783.00000225E3937000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scerence
Source: svchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scst
Source: svchost.exe, 0000000B.00000003.2359941655.00000225E396E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3311154783.00000225E3937000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2319478531.00000225E3952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3309861822.00000225E3913000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 0000000B.00000003.2359941655.00000225E396E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2319478531.00000225E3952000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2418909334.00000225E3076000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2168505928.00000225E3953000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: svchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuee1
Source: svchost.exe, 0000000B.00000003.2260759594.00000225E3969000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2260920520.00000225E396E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuessue
Source: svchost.exe, 0000000B.00000003.2260759594.00000225E3969000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2359941655.00000225E396E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2260920520.00000225E396E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2319478531.00000225E3952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: svchost.exe, 0000000B.00000003.2260759594.00000225E3969000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2359941655.00000225E396E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2260920520.00000225E396E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3311304617.00000225E395F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: svchost.exe, 0000000B.00000002.3311154783.00000225E3937000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustce
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C5D1000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C65E000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C71B000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C6B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: rutserv.exe, 00000011.00000002.3303616204.00000000007CB000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2979233935.00000000007C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C5D1000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C65E000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C71B000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C6B4000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3297940665.0000000000756000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: rutserv.exe, 00000011.00000003.2981074132.000000000728A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt1.3.6.1.5.5.7.48.1http://ocsp.globalsi
Source: rutserv.exe, 00000011.00000002.3303616204.00000000007CB000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2979233935.00000000007C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crtv
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C5D1000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C65E000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C71B000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C6B4000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3297940665.0000000000756000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: rfusclient.exe, 0000000C.00000000.2172554360.0000000001725000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000E.00000000.2219293441.0000000001FD1000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C64C000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C64C000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C64C000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: rutserv.exe, 0000000E.00000000.2203086600.0000000000B11000.00000020.00000001.01000000.0000000D.sdmp String found in binary or memory: http://update.tektonit.ru/upgrade.ini
Source: rutserv.exe, 0000000E.00000000.2203086600.0000000000B11000.00000020.00000001.01000000.0000000D.sdmp String found in binary or memory: http://update.tektonit.ru/upgrade_beta.ini
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C64C000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C64C000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.flexerasoftware.com0
Source: rfusclient.exe, 0000000C.00000000.2170437757.00000000014CB000.00000020.00000001.01000000.0000000B.sdmp, rfusclient.exe, 0000000C.00000003.2185022388.0000000001B05000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 0000000E.00000003.2243256163.0000000004255000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 0000000E.00000000.2203086600.0000000001511000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 0000000F.00000003.2274258179.00000000041D5000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.2343735575.0000000002645000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3317620536.00000000020EE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.indyproject.org/
Source: rfusclient.exe, 0000000C.00000000.2172554360.0000000001725000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000E.00000000.2219293441.0000000001FD1000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: http://www.inkscape.org/namespaces/inkscape
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C64C000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C64C000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: svchost.exe, 0000000B.00000002.3304526585.00000225E3077000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2418909334.00000225E3076000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.w3.
Source: svchost.exe, 0000000B.00000002.3304526585.00000225E3077000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2418909334.00000225E3076000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.w3.or
Source: svchost.exe, 0000000B.00000003.2125747666.00000225E3963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125578153.00000225E393B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304172341.00000225E3040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 0000000B.00000002.3304526585.00000225E305F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125578153.00000225E393B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2126273573.00000225E392C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2127219002.00000225E3956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125380247.00000225E3952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 0000000B.00000003.2127219002.00000225E3956000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/i
Source: svchost.exe, 0000000B.00000002.3303786936.00000225E302B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 0000000B.00000002.3303786936.00000225E302B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304526585.00000225E305F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2127219002.00000225E3956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125380247.00000225E3952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 0000000B.00000003.2125380247.00000225E3952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000000B.00000002.3303786936.00000225E302B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2127219002.00000225E3956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125380247.00000225E3952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 0000000B.00000003.2127172153.00000225E392A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2126273573.00000225E392C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2127219002.00000225E3956000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125380247.00000225E3952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000000B.00000003.2125747666.00000225E3963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125578153.00000225E393B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304172341.00000225E3040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 0000000B.00000003.2125747666.00000225E3963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125578153.00000225E393B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304172341.00000225E3040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 0000000B.00000003.2125747666.00000225E3963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304526585.00000225E305F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125578153.00000225E393B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 0000000B.00000003.2125747666.00000225E3963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304526585.00000225E305F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 0000000B.00000003.2125747666.00000225E3963000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304526585.00000225E305F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 0000000B.00000003.2419640428.00000225E3102000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3306275033.00000225E3102000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125658502.00000225E3957000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2127172153.00000225E392A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125578153.00000225E393B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2126273573.00000225E392C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3304172341.00000225E3040000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.2125380247.00000225E3952000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://account.live.com/msangcwam
Source: rutserv.exe, 0000000E.00000002.2258557114.0000000060247000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: rutserv.exe, 0000000E.00000002.2258557114.0000000060247000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: rfusclient.exe, 0000000C.00000002.2199882753.00000000600B0000.00000002.00000001.01000000.0000000C.sdmp, rutserv.exe, 0000000E.00000002.2258557114.0000000060247000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C64C000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C64C000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: svchost.exe, 00000006.00000003.2086757016.00000150A3F33000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000006.00000003.2086757016.00000150A3EC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: rutserv.exe, 0000000E.00000002.2258557114.000000006025F000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://gcc.gnu.org/bugsrg/bugs/):
Source: svchost.exe, 0000000B.00000002.3304172341.00000225E3040000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.ecur
Source: svchost.exe, 0000000B.00000002.3304526585.00000225E305F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live
Source: svchost.exe, 0000000B.00000002.3303786936.00000225E302B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://logive.c
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C57C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rmansys.ru/IS_PREVENT_DOWNGRADE_EXITZ_DOWNGRADE_DETECTED;Z_UPGRADE_DETECTED;COMPANYNAME;INST
Source: rutserv.exe, 00000011.00000002.3317620536.00000000020EE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://rmansys.ru/remote-access/
Source: rutserv.exe, 00000011.00000002.3317620536.00000000020EE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://rmansys.ru/remote-access//rmansys.ru/remote-access/
Source: rutserv.exe, 00000011.00000002.3317620536.00000000020EE000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://rmansys.ru/remote-access//rmansys.ru/remote-access/O
Source: svchost.exe, 0000000B.00000003.2125682030.00000225E3940000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://signup.live.com/signup.aspx
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C64C000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C5D1000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C65E000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C71B000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.2038083286.000001B53C6B4000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3297940665.0000000000756000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: rfusclient.exe, 0000000C.00000000.2172554360.0000000001725000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000E.00000000.2219293441.0000000001FD1000.00000002.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000011.00000003.2328361611.0000000006C2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.remoteutilities.com/about/privacy-policy.php
Source: rfusclient.exe, 0000000C.00000000.2172554360.0000000001725000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000E.00000000.2219293441.0000000001FD1000.00000002.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000011.00000003.2328361611.0000000006C2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.remoteutilities.com/buy/money-back-guarantee.php
Source: rfusclient.exe, 0000000C.00000000.2172554360.0000000001725000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000E.00000000.2219293441.0000000001FD1000.00000002.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000011.00000003.2328361611.0000000006C2B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.remoteutilities.com/support/docs/installing-and-uninstalling/
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_E818918BC57803438E0E0146A88425A7
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4A62E94087F64223B9812F11186592BA
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C

System Summary

Source: 12.0.rfusclient.exe.c70000.0.unpack, type: UNPACKEDPE Matched rule: RemoteUtilitiesRAT RAT payload Author: ditekSHen
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, type: DROPPED Matched rule: RemoteUtilitiesRAT RAT payload Author: ditekSHen
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, type: DROPPED Matched rule: RemoteUtilitiesRAT RAT payload Author: ditekSHen
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99AC2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7C99AC2F0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4c8461.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8991.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{77817ADF-D5EC-49C6-B987-6169BBD5345B}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8ADA.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\4c8464.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exe
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A1D627669EFC8CD4F21BCF387D97F9B5_E818918BC57803438E0E0146A88425A7
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_E818918BC57803438E0E0146A88425A7
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4A62E94087F64223B9812F11186592BA
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4A62E94087F64223B9812F11186592BA
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI8991.tmp
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99AF930 0_2_00007FF7C99AF930
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99B4928 0_2_00007FF7C99B4928
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99A5E24 0_2_00007FF7C99A5E24
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99CCE88 0_2_00007FF7C99CCE88
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99C1F20 0_2_00007FF7C99C1F20
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99CB190 0_2_00007FF7C99CB190
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99BA4AC 0_2_00007FF7C99BA4AC
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99C3484 0_2_00007FF7C99C3484
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99D0754 0_2_00007FF7C99D0754
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99A1AA4 0_2_00007FF7C99A1AA4
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99C2AB0 0_2_00007FF7C99C2AB0
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99E5AF8 0_2_00007FF7C99E5AF8
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99B1A48 0_2_00007FF7C99B1A48
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99DFA94 0_2_00007FF7C99DFA94
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99D89A0 0_2_00007FF7C99D89A0
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99C3964 0_2_00007FF7C99C3964
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99BC96C 0_2_00007FF7C99BC96C
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99D8C1C 0_2_00007FF7C99D8C1C
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99C4B98 0_2_00007FF7C99C4B98
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99BBB90 0_2_00007FF7C99BBB90
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99B5B60 0_2_00007FF7C99B5B60
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99C8DF4 0_2_00007FF7C99C8DF4
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99D0754 0_2_00007FF7C99D0754
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99C2D58 0_2_00007FF7C99C2D58
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99E2080 0_2_00007FF7C99E2080
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99BAF18 0_2_00007FF7C99BAF18
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99AA310 0_2_00007FF7C99AA310
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99AC2F0 0_2_00007FF7C99AC2F0
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99A7288 0_2_00007FF7C99A7288
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99B126C 0_2_00007FF7C99B126C
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99C21D0 0_2_00007FF7C99C21D0
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99BF180 0_2_00007FF7C99BF180
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99C53F0 0_2_00007FF7C99C53F0
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99A76C0 0_2_00007FF7C99A76C0
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99E2550 0_2_00007FF7C99E2550
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99BB534 0_2_00007FF7C99BB534
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99A4840 0_2_00007FF7C99A4840
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99DC838 0_2_00007FF7C99DC838
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 12_2_5FFDCBD0 12_2_5FFDCBD0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 12_2_6009E260 12_2_6009E260
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 12_2_60077080 12_2_60077080
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 12_2_5FFE5AE0 12_2_5FFE5AE0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 12_2_5FCE6850 12_2_5FCE6850
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 12_2_5FFDD620 12_2_5FFDD620
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 12_2_5FFDDC00 12_2_5FFDDC00
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 12_2_5FFE5800 12_2_5FFE5800
Source: unires_vpd.dll.3.dr Static PE information: Resource name: None type: COM executable for DOS
Source: rutserv.exe.3.dr Static PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: rfusclient.exe.3.dr Static PE information: Resource name: MAD type: DOS executable (COM, 0x8C-variant)
Source: rfusclient.exe.3.dr Static PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: unidrvui_rppd.dll0.3.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unires_vpd.dll0.3.dr Static PE information: Resource name: None type: COM executable for DOS
Source: rutserv.exe.3.dr Static PE information: Number of sections : 11 > 10
Source: rfusclient.exe.3.dr Static PE information: Number of sections : 11 > 10
Source: libcodec32.dll.3.dr Static PE information: Number of sections : 20 > 10
Source: libasset32.dll.3.dr Static PE information: Number of sections : 19 > 10
Source: unires_vpd.dll.3.dr Static PE information: No import functions for PE file found
Source: unires_vpd.dll0.3.dr Static PE information: No import functions for PE file found
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C5D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 442.docx.exe
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C5D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSetAllUsers.dll< vs 442.docx.exe
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C65E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 442.docx.exe
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C71B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 442.docx.exe
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C6B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 442.docx.exe
Source: 442.docx.exe, 00000000.00000003.2038083286.000001B53C60E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameISRegSvr.dll vs 442.docx.exe
Source: 12.0.rfusclient.exe.c70000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RemoteUtilitiesRAT author = ditekSHen, description = RemoteUtilitiesRAT RAT payload, clamav_sig = MALWARE.Win.Trojan.RemoteUtilitiesRAT
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, type: DROPPED Matched rule: MALWARE_Win_RemoteUtilitiesRAT author = ditekSHen, description = RemoteUtilitiesRAT RAT payload, clamav_sig = MALWARE.Win.Trojan.RemoteUtilitiesRAT
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, type: DROPPED Matched rule: MALWARE_Win_RemoteUtilitiesRAT author = ditekSHen, description = RemoteUtilitiesRAT RAT payload, clamav_sig = MALWARE.Win.Trojan.RemoteUtilitiesRAT
Source: unires_vpd.dll.3.dr Static PE information: Section .rsrc
Source: unires_vpd.dll0.3.dr Static PE information: Section .rsrc
Source: classification engine Classification label: mal92.troj.evad.winEXE@28/328@1/5
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99AB6D8 GetLastError,FormatMessageW,LocalFree, 0_2_00007FF7C99AB6D8
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99C8624 FindResourceExW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 0_2_00007FF7C99C8624
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Office
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\RManFUSTray
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: NULL
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Mutant created: \BaseNamedObjects\madExceptSettingsMtx$1eb8
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1ccc
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Mutant created: \BaseNamedObjects\HookTThread$1eb8
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Mutant created: \BaseNamedObjects\madExceptSettingsMtx$1ef8
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: \Sessions\1\BaseNamedObjects\HookTThread$1f20
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\RManFUSLocal
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1e0c
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: \Sessions\1\BaseNamedObjects\HookTThread$1f14
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1d44
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1e98
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1f20
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$c40
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1f14
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF1824809D33FF74D6.TMP
Source: 442.docx.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\442.docx.exe File read: C:\Windows\win.ini
Source: C:\Users\user\Desktop\442.docx.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: rfusclient.exe String found in binary or memory: ENGINESDIR: "E:/dev/vcpkg/installed/x86-mingw-static/lib/engines-3"
Source: rfusclient.exe String found in binary or memory: MODULESDIR: "E:/dev/vcpkg/installed/x86-mingw-static/lib/ossl-modules"
Source: rfusclient.exe String found in binary or memory: E:/dev/vcpkg/installed/x86-mingw-static/lib/ossl-modules
Source: rfusclient.exe String found in binary or memory: E:/dev/vcpkg/installed/x86-mingw-static/lib/engines-3
Source: C:\Users\user\Desktop\442.docx.exe File read: C:\Users\user\Desktop\442.docx.exe
Source: unknown Process created: C:\Users\user\Desktop\442.docx.exe "C:\Users\user\Desktop\442.docx.exe"
Source: C:\Users\user\Desktop\442.docx.exe Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\intel\Word.msi" /qn
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Users\user\Desktop\442.docx.exe Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\intel\Doc.docx" /o ""
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 684489E62C864DF5C283E9DB67C8FC1A
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\intel\Word.msi"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
Source: unknown Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -service
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
Source: C:\Users\user\Desktop\442.docx.exe Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\intel\Word.msi" /qn
Source: C:\Users\user\Desktop\442.docx.exe Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\intel\Doc.docx" /o ""
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 684489E62C864DF5C283E9DB67C8FC1A
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\intel\Word.msi"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process created: unknown unknown
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
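The process tree above (a double-extension dropper on the Desktop spawning a silent msiexec install of C:\intel\Word.msi, a decoy WINWORD.EXE launch, then rutserv.exe run with /silentinstall, -firewall, /start and -service) and the RManFUSTray / RManFUSLocal mutants listed earlier are the observable chain a hunter would alert on. The following Python is an added example, not part of the sandbox report and not Joe Sandbox or Remote Utilities code: it runs simple detection rules over constructed process-creation and mutex events modelled on the command lines and mutant names in this report. The event-dictionary layout, field names, the benign control event and the rule names are assumptions; the indicators themselves (file names, switches, mutex names) are taken from the report.

```python
"""Detection rules for the Remote Utilities (RMS) silent host-install chain.

Added example: scans constructed events modelled on this report's process tree
and mutant list. Event layout and rule names are assumptions, not an EDR schema.
"""
import re
from dataclasses import dataclass

# Constructed sample events (parent -> child), copied from the report's process tree.
SAMPLE_PROCESS_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Users\user\Desktop\442.docx.exe",
     "cmdline": r'"C:\Users\user\Desktop\442.docx.exe"'},
    {"parent": r"C:\Users\user\Desktop\442.docx.exe", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'"C:\Windows\System32\msiexec.exe" /i "C:\intel\Word.msi" /qn'},
    {"parent": r"C:\Users\user\Desktop\442.docx.exe",
     "image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\intel\Doc.docx" /o ""'},
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe",
     "cmdline": r'"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall'},
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe",
     "cmdline": r'"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall'},
    # Constructed benign control: an interactive (non-/qn) install started from Explorer.
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Downloads\setup.msi"'},
]

SAMPLE_MUTEX_EVENTS = [
    {"image": r"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe",
     "name": r"\Sessions\1\BaseNamedObjects\Local\RManFUSTray"},
    # Constructed benign control: unrelated mutex name.
    {"image": r"C:\Windows\System32\svchost.exe", "name": r"\BaseNamedObjects\UnrelatedMutex"},
]

# Double extension: document-looking name ending in an executable extension (442.docx.exe).
DOUBLE_EXT = re.compile(r"\.(docx?|xlsx?|pdf|txt|jpe?g|png)\.(exe|scr|com|pif|bat)$", re.IGNORECASE)
# rutserv.exe switches seen in the report's install/start sequence.
RMS_SETUP_SWITCHES = {"/silentinstall", "-firewall", "/start", "-service"}
# Mutant names created by rfusclient.exe in the report.
RMS_MUTEX_NAMES = {"RManFUSTray", "RManFUSLocal"}


@dataclass(frozen=True)
class Finding:
    rule: str
    evidence: str


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def _in_system_dir(path):
    p = path.lower()
    return p.startswith(r"c:\windows") or p.startswith(r"c:\program files")


def check_process(ev):
    """Return the findings raised by one process-creation event."""
    findings = []
    name = _basename(ev["image"]).lower()
    parent_name = _basename(ev["parent"])
    toks = ev["cmdline"].lower().split()
    if DOUBLE_EXT.search(name):
        findings.append(Finding("double_extension_exec", name))
    # Silent (/qn) MSI install whose parent lives outside Windows / Program Files: dropper pattern.
    if name == "msiexec.exe" and "/i" in toks and "/qn" in toks and not _in_system_dir(ev["parent"]):
        findings.append(Finding("silent_msi_from_user_path", ev["cmdline"]))
    # Decoy document: Word launched by a double-extension executable.
    if name == "winword.exe" and DOUBLE_EXT.search(parent_name):
        findings.append(Finding("decoy_document_open", ev["cmdline"]))
    if name == "rutserv.exe" and RMS_SETUP_SWITCHES & set(toks):
        findings.append(Finding("rms_host_silent_setup", ev["cmdline"]))
    return findings


def check_mutex(ev):
    """Flag the RMS tray/local mutants regardless of session prefix."""
    if _basename(ev["name"]) in RMS_MUTEX_NAMES:
        return [Finding("rms_mutex", ev["name"])]
    return []


def scan(process_events, mutex_events):
    findings = []
    for ev in process_events:
        findings.extend(check_process(ev))
    for ev in mutex_events:
        findings.extend(check_mutex(ev))
    return findings


def rule_counts(findings):
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_PROCESS_EVENTS, SAMPLE_MUTEX_EVENTS):
        print(f"{f.rule:28} {f.evidence}")
```

The rules are deliberately narrow to the chain in this report: an interactive msiexec install from Explorer and an unrelated mutex raise nothing, while the dropper, its /qn install, the decoy Word launch, both rutserv.exe setup switches and the RManFUSTray mutant each produce one finding. A legitimate, IT-deployed Remote Utilities host will also trip rms_host_silent_setup and rms_mutex, so those two rules are for inventory and allow-listing rather than blocking on their own.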
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: dxgidebug.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: sfc_os.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\442.docx.exe Section loaded: mlang.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wlidsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msxml6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gamestreamingext.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msauserext.dll
Source: C:\Windows\System32\svchost.exe Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptnet.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptngc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptprov.dll
Source: C:\Windows\System32\svchost.exe Section loaded: elscore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: elstrans.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: oledlg.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: msacm32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: faultrep.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: winsta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: libasset32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: olepro32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: security.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: msftedit.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: idndl.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: faultrep.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winsta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: libasset32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: olepro32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: security.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: oleacc.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_is2022.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_g18030.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_iscii.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: faultrep.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winsta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: libasset32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: olepro32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: security.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: oleacc.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_is2022.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_g18030.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_iscii.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: firewallapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: fwbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: sxs.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: faultrep.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winsta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: libasset32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: olepro32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: security.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: oleacc.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_is2022.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_g18030.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_iscii.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: faultrep.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winsta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: libasset32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: olepro32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: security.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: oleacc.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_is2022.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_g18030.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_iscii.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: idndl.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: msxml6.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: powrprof.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: umpdc.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: cryptnet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: webio.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: faultrep.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winsta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: libasset32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: olepro32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: security.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: oleacc.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_is2022.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_g18030.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_iscii.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: firewallapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: fwbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: sxs.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: oledlg.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: msacm32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: faultrep.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: winsta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: libasset32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: olepro32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: security.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: msftedit.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: idndl.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: msxml6.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: oledlg.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: msacm32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: faultrep.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: winsta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: libasset32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: olepro32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: security.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: msftedit.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: idndl.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\442.docx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: Doc.LNK.4.dr LNK file: ..\..\..\..\..\..\..\intel\Doc.docx
Source: C:\Windows\System32\msiexec.exe File written: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppd.ini
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: 442.docx.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: 442.docx.exe Static file information: File size 25141051 > 1048576
Source: 442.docx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 442.docx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 442.docx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 442.docx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 442.docx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 442.docx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 442.docx.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: 442.docx.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 442.docx.exe, 00000000.00000002.2057143242.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp, 442.docx.exe, 00000000.00000000.2026361763.00007FF7C99E8000.00000002.00000001.01000000.00000003.sdmp
Source: 442.docx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 442.docx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 442.docx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 442.docx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 442.docx.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Unpacked PE file: 12.2.rfusclient.exe.c70000.0.unpack
Source: C:\Users\user\Desktop\442.docx.exe File created: C:\intel\__tmp_rar_sfx_access_check_5012343
Source: 442.docx.exe Static PE information: section name: .didat
Source: 442.docx.exe Static PE information: section name: _RDATA
Source: vp8encoder.dll.3.dr Static PE information: section name: .rodata
Source: vp8decoder.dll.3.dr Static PE information: section name: .rodata
Source: webmvorbisdecoder.dll.3.dr Static PE information: section name: _RDATA
Source: libasset32.dll.3.dr Static PE information: section name: /4
Source: libasset32.dll.3.dr Static PE information: section name: /14
Source: libasset32.dll.3.dr Static PE information: section name: /29
Source: libasset32.dll.3.dr Static PE information: section name: /41
Source: libasset32.dll.3.dr Static PE information: section name: /55
Source: libasset32.dll.3.dr Static PE information: section name: /67
Source: libasset32.dll.3.dr Static PE information: section name: /78
Source: libasset32.dll.3.dr Static PE information: section name: /94
Source: libasset32.dll.3.dr Static PE information: section name: /110
Source: eventmsg.dll.3.dr Static PE information: section name: .didata
Source: webmvorbisencoder.dll.3.dr Static PE information: section name: _RDATA
Source: libcodec32.dll.3.dr Static PE information: section name: .rodata
Source: libcodec32.dll.3.dr Static PE information: section name: /4
Source: libcodec32.dll.3.dr Static PE information: section name: /14
Source: libcodec32.dll.3.dr Static PE information: section name: /29
Source: libcodec32.dll.3.dr Static PE information: section name: /41
Source: libcodec32.dll.3.dr Static PE information: section name: /55
Source: libcodec32.dll.3.dr Static PE information: section name: /67
Source: libcodec32.dll.3.dr Static PE information: section name: /78
Source: libcodec32.dll.3.dr Static PE information: section name: /94
Source: libcodec32.dll.3.dr Static PE information: section name: /110
Source: vccorlib120.dll.3.dr Static PE information: section name: minATL
Source: rutserv.exe.3.dr Static PE information: section name: .didata
Source: rfusclient.exe.3.dr Static PE information: section name: .didata
Source: vccorlib120.dll0.3.dr Static PE information: section name: minATL
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99E5156 push rsi; retf 0_2_00007FF7C99E5157
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99E5166 push rsi; retf 0_2_00007FF7C99E5167
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 12_2_5FFF7E30 push eax; mov dword ptr [esp], esi 12_2_5FFF7ED1
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Code function: 17_2_0101C34B push ebx; ret 17_2_0101C354
Source: msvcr120.dll.3.dr Static PE information: section name: .text entropy: 6.95576372950548
Source: VPDAgent.exe.3.dr Static PE information: section name: .text entropy: 6.812931691200469
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\libasset32.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\vccorlib120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8991.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\libcodec32.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\eventmsg.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\ProgramData\Remote Manipulator System\install.log
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf

Hooking and other Techniques for Hiding and Protection

Source: Possible double extension: docx.exe Static PE information: 442.docx.exe
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
Source: C:\Windows\System32\msiexec.exe Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\RMS Host Installer Security Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\442.docx.exe Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Malware Analysis System Evasion

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe System information queried: FirmwareTableInformation
Source: rutserv.exe, 0000000E.00000000.2203086600.0000000001511000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 0000000E.00000002.2248570000.0000000002788000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE
Source: rutserv.exe, 00000010.00000002.2364038786.00000000023F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXEE
Source: rutserv.exe, 00000010.00000002.2364038786.00000000023F8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXEDJ
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Window / User API: threadDelayed 1366
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Window / User API: threadDelayed 5542
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Window / User API: threadDelayed 6034
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Window / User API: threadDelayed 3455
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\vccorlib120.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI8991.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\libcodec32.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\eventmsg.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll Jump to dropped file
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe API coverage: 5.8 %
Source: C:\Windows\System32\svchost.exe TID: 3568 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 7896 Thread sleep count: 81 > 30
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 7896 Thread sleep time: -81000s >= -30000s
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 7924 Thread sleep time: -50000s >= -30000s
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 7944 Thread sleep time: -35000s >= -30000s
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 7988 Thread sleep time: -240000s >= -30000s
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 8008 Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 7964 Thread sleep count: 1366 > 30
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 8128 Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 5036 Thread sleep count: 45 > 30
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 7896 Thread sleep count: 5542 > 30
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 7896 Thread sleep time: -5542000s >= -30000s
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe TID: 7252 Thread sleep time: -3017000s >= -30000s
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe TID: 7252 Thread sleep time: -1727500s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99B40BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7C99B40BC
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99CB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7C99CB190
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99DFCA0 FindFirstFileExA, 0_2_00007FF7C99DFCA0
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99D16A4 VirtualQuery,GetSystemInfo, 0_2_00007FF7C99D16A4
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Thread delayed: delay time: 50000
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Thread delayed: delay time: 60000
Source: rutserv.exe, 00000011.00000002.3297940665.00000000006F9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWT*
Source: svchost.exe, 0000000B.00000002.3312472664.00000225E4013000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NXTcpV6VMWare
Source: svchost.exe, 00000006.00000002.3315800908.00000150A4058000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3303786936.00000225E302B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.3305630779.00000225E30D7000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2982524280.0000000007280000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000003.2981074132.0000000007270000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3297940665.00000000006F9000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000011.00000002.3359972532.0000000007280000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000006.00000002.3305641563.000001509EA2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: rfusclient.exe, 0000000C.00000002.2187015900.00000000019ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99D3170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7C99D3170
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99E0D20 GetProcessHeap, 0_2_00007FF7C99E0D20
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99D3170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7C99D3170
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99D2510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF7C99D2510
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99D3354 SetUnhandledExceptionFilter, 0_2_00007FF7C99D3354
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99D76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF7C99D76D8
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99CB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7C99CB190
Source: C:\Users\user\Desktop\442.docx.exe Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\intel\Word.msi" /qn Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\intel\Doc.docx" /o "" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall Jump to behavior
Source: rfusclient.exe, 0000000C.00000000.2170437757.0000000000CBF000.00000020.00000001.01000000.0000000B.sdmp Binary or memory string: Shell_TrayWndTrayNotifyWndSV
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99BDC70 cpuid 0_2_00007FF7C99BDC70
Source: C:\Users\user\Desktop\442.docx.exe Code function: GetLocaleInfoW,GetNumberFormatW, 0_2_00007FF7C99CA2CC
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99D0754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 0_2_00007FF7C99D0754
Source: C:\Users\user\Desktop\442.docx.exe Code function: 0_2_00007FF7C99B4EB0 GetVersionExW, 0_2_00007FF7C99B4EB0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: rutserv.exe, 0000000E.00000000.2203086600.0000000001511000.00000020.00000001.01000000.0000000D.sdmp Binary or memory string: OLLYDBG.EXE
Source: rutserv.exe, 0000000E.00000002.2248570000.0000000002788000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ollydbg.exe
Source: C:\Windows\System32\msiexec.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD Blob Jump to behavior
Source: Yara match File source: 12.0.rfusclient.exe.c70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000014.00000002.3309338966.0000000003858000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3320249204.0000000005420000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.3304532933.000000000206A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.2219293441.0000000001FD1000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.3304532933.0000000002046000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3309338966.000000000388A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3320249204.0000000005464000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3317620536.0000000002198000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.2172554360.0000000001725000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rfusclient.exe PID: 7372, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rutserv.exe PID: 7492, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rutserv.exe PID: 7864, type: MEMORYSTR
Source: Yara match File source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, type: DROPPED