Windows Analysis Report
https://bitbucket.org/ziphose/obmen/downloads/Doc.7z

Overview

General Information

Sample URL: https://bitbucket.org/ziphose/obmen/downloads/Doc.7z
Analysis ID: 1567220

Detection

RMSRemoteAdmin
Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Suspicious Double Extension File Execution
Query firmware table information (likely to detect VMs)
Sigma detected: Suspicious Double Extension Files
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the windows directory (C:\Windows)
File is packed with WinRar
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Stores files to the Windows start menu directory
Stores large binary data to the registry
Yara detected RMS RemoteAdmin tool
Yara signature match

Classification

  • System is w10x64_ra
  • chrome.exe (PID: 1100 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 6908 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1948,i,4594804360999435109,6340680699812301939,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • chrome.exe (PID: 6536 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://bitbucket.org/ziphose/obmen/downloads/Doc.7z" MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • OpenWith.exe (PID: 7704 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)
    • 7zFM.exe (PID: 7976 cmdline: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\user\Downloads\Doc.7z" MD5: 30AC0B832D75598FB3EC37B6F2A8C86A)
      • notepad.exe (PID: 5640 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Local\Temp\7zO82FE46CC\??? 328937.txt MD5: 27F71B12CB585541885A31BE22F61C83)
      • ??????????? ????????.docx.exe (PID: 7312 cmdline: "C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe" MD5: FB8117B1A3F0924100FBC209DBBB1BB1)
        • msiexec.exe (PID: 5952 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\intel\Word.msi" /qn MD5: E5DA170027542E25EDE42FC54C929077)
        • WINWORD.EXE (PID: 1108 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\intel\Doc.docx" /o "" MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
  • msiexec.exe (PID: 1064 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 2408 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding DDEE500C14CD0FCDF198576EF1CE5C3F MD5: 9D09DC1EDA745A5F87553048E57620CF)
    • rfusclient.exe (PID: 5844 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\intel\Word.msi" MD5: CB9BE257064162076EBD4869CD97E166)
    • rutserv.exe (PID: 4536 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall MD5: D563A4D6BFCFE6884D1AC88824CB5C2A)
  • cleanup
Source | Rule | Description | Author | Strings
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security |
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | MALWARE_Win_RemoteUtilitiesRAT | RemoteUtilitiesRAT RAT payload | ditekSHen | (matched strings below)
  • 0x3a1d58:$s1: rman_message
  • 0x453340:$s3: rms_host_
  • 0x453cf8:$s3: rms_host_
  • 0x816eb4:$s4: rman_av_capture_settings
  • 0x45a4c4:$s7: _rms_log.txt
  • 0x4bf3c8:$s8: rms_internet_id_settings
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security |
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | MALWARE_Win_RemoteUtilitiesRAT | RemoteUtilitiesRAT RAT payload | ditekSHen | (matched strings below)
  • 0x39e594:$s1: rman_message
  • 0x46d594:$s3: rms_host_
  • 0x46df4c:$s3: rms_host_
  • 0x82acb0:$s4: rman_av_capture_settings
  • 0x877858:$s5: rman_registry_key
  • 0x8778a4:$s5: rman_registry_key
  • 0x543d6c:$s6: rms_system_information
  • 0x2f1a18:$s7: _rms_log.txt
  • 0x503238:$s8: rms_internet_id_settings
0000001B.00000000.2321441205.0000000000D75000.00000002.00000001.01000000.00000012.sdmp | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security |
0000001C.00000000.2413557982.00000000023F1000.00000002.00000001.01000000.00000014.sdmp | JoeSecurity_RMSRemoteAdmin | Yara detected RMS RemoteAdmin tool | Joe Security |

            System Summary

            Source: Process started
              Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
              Data: Command: "C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe", CommandLine: "C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe, ParentCommandLine: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\user\Downloads\Doc.7z", ParentImage: C:\Program Files\7-Zip\7zFM.exe, ParentProcessId: 7976, ParentProcessName: 7zFM.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe", ProcessId: 7312, ProcessName: ??????????? ????????.docx.exe
            Source: File created
              Author: Nasreddine Bencherchali (Nextron Systems), frack113
              Data: EventID: 11, Image: C:\Program Files\7-Zip\7zFM.exe, ProcessId: 7976, TargetFilename: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe
            No Suricata rule has matched

            Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf
            Source: unknown | HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.16:49715 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 23.218.208.109:443 -> 192.168.2.16:49716 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49717 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.16:49718 version: TLS 1.2
            Source: unknown | HTTPS traffic detected: 40.126.53.13:443 -> 192.168.2.16:49728 version: TLS 1.2
            Source: C:\Windows\System32\msiexec.exe | File opened: z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, c:, a:
            Source: winword.exe | Memory has grown: Private usage: 6MB later: 56MB
            Source: global traffic | DNS traffic detected: DNS query: bitbucket.org
            Source: global traffic | DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
            Source: global traffic | DNS traffic detected: DNS query: www.google.com
            Source: global traffic | DNS traffic detected: DNS query: id72.internetid.ru

            System Summary

            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, type: DROPPED | Matched rule: RemoteUtilitiesRAT RAT payload, Author: ditekSHen
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, type: DROPPED | Matched rule: RemoteUtilitiesRAT RAT payload, Author: ditekSHen
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\3d2fd1.msi
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI34D2.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\SourceHash{77817ADF-D5EC-49C6-B987-6169BBD5345B}
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\inprogressinstallinfo.ipi
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI362B.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\3d2fd4.msi
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exe
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exe
            Source: C:\Windows\System32\msiexec.exe | File deleted: C:\Windows\Installer\MSI34D2.tmp
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, type: DROPPED | Matched rule: MALWARE_Win_RemoteUtilitiesRAT, author = ditekSHen, description = RemoteUtilitiesRAT RAT payload, clamav_sig = MALWARE.Win.Trojan.RemoteUtilitiesRAT
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, type: DROPPED | Matched rule: MALWARE_Win_RemoteUtilitiesRAT, author = ditekSHen, description = RemoteUtilitiesRAT RAT payload, clamav_sig = MALWARE.Win.Trojan.RemoteUtilitiesRAT
            Source: classification engine | Classification label: mal64.evad.win@36/77@7/108
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Mutant created: NULL
            Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$16d4
            Source: C:\Program Files\7-Zip\7zFM.exe | File created: C:\Users\user\AppData\Local\Temp\7zO82F2D20C
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Windows\System32\OpenWith.exe | File read: C:\Users\desktop.ini
            Source: C:\Windows\System32\OpenWith.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1948,i,4594804360999435109,6340680699812301939,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
            Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://bitbucket.org/ziphose/obmen/downloads/Doc.7z"
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
            Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
            Source: C:\Windows\System32\OpenWith.exe | Process created: C:\Program Files\7-Zip\7zFM.exe "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\user\Downloads\Doc.7z"
            Source: C:\Program Files\7-Zip\7zFM.exe | Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Local\Temp\7zO82FE46CC\??? 328937.txt
            Source: C:\Program Files\7-Zip\7zFM.exe | Process created: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe "C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe"
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\intel\Word.msi" /qn
            Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\intel\Doc.docx" /o ""
            Source: C:\Windows\System32\msiexec.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding DDEE500C14CD0FCDF198576EF1CE5C3F
            Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\intel\Word.msi"
            Source: C:\Windows\System32\msiexec.exe | Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process created: unknown unknown
            Source: C:\Windows\System32\OpenWith.exe | Section loaded: kernel.appcore.dll, uxtheme.dll, onecoreuapcommonproxystub.dll, windows.storage.dll, wldp.dll, twinui.dll, wintypes.dll, powrprof.dll, dwmapi.dll, pdh.dll, umpdc.dll, onecorecommonproxystub.dll, actxprxy.dll, propsys.dll, profapi.dll, windows.staterepositoryps.dll, windows.ui.appdefaults.dll, windows.ui.immersive.dll, ntmarta.dll, uiautomationcore.dll, dui70.dll, duser.dll, dwrite.dll, bcp47mrm.dll, uianimation.dll, d3d11.dll, dxgi.dll, d3d10warp.dll, resourcepolicyclient.dll, dxcore.dll, dcomp.dll, oleacc.dll, edputil.dll, windows.ui.dll, windowmanagementapi.dll, textinputframework.dll, inputhost.dll, coremessaging.dll, twinapi.appcore.dll, coreuicomponents.dll, windowscodecs.dll, thumbcache.dll, policymanager.dll, msvcp110_win.dll, apphelp.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, tiledatarepository.dll, staterepository.core.dll, windows.staterepository.dll, wtsapi32.dll, windows.staterepositorycore.dll, mrmcorer.dll, appxdeploymentclient.dll, sxs.dll, directmanipulation.dll, textshaping.dll, ninput.dll, explorerframe.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: dataexchange.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: msftedit.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.globalization.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: globinputhost.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: xmllite.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: structuredquery.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: atlthunk.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.fileexplorer.common.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: iertutil.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: windows.storage.search.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: linkinfo.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: twinapi.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: ntshrui.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: sspicli.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: srvcli.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: cscapi.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: winmm.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: ehstorshell.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: cscui.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: networkexplorer.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: urlmon.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: netutils.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: smartscreenps.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: shdocvw.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: pcacli.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: mpr.dll
            Source: C:\Windows\System32\OpenWith.exeSection loaded: sfc_os.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: uxtheme.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: kernel.appcore.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: sspicli.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: textshaping.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: windows.storage.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: wldp.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: windowscodecs.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: profapi.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: propsys.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: explorerframe.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: thumbcache.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: policymanager.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: msvcp110_win.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: textinputframework.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: coreuicomponents.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: coremessaging.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: ntmarta.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: wintypes.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: wintypes.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: wintypes.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: dataexchange.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: d3d11.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: dcomp.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: dxgi.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: twinapi.appcore.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: edputil.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: urlmon.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: iertutil.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: srvcli.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: netutils.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: appresolver.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: bcp47langs.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: slc.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: userenv.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: sppc.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: pcacli.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: mpr.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: mrmcorer.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: textshaping.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: efswrt.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: mpr.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: wintypes.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: twinapi.appcore.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: oleacc.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: textinputframework.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: coreuicomponents.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: coremessaging.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: urlmon.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: iertutil.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: srvcli.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: propsys.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: policymanager.dll
            Source: C:\Windows\System32\notepad.exe | Section loaded: msvcp110_win.dll
            Source: C:\Program Files\7-Zip\7zFM.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: dxgidebug.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: sfc_os.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: dwmapi.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: riched20.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: usp10.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: msls31.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: textshaping.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: textinputframework.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: coremessaging.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: propsys.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: edputil.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: policymanager.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: msvcp110_win.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: slc.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: sppc.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: pcacli.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: mpr.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: vcruntime140_1.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: vcruntime140.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: msvcp140.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: xmllite.dll
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Section loaded: mlang.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: srpapi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: apphelp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: aclayers.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: msi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: tsappcmp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: netapi32.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: wkscli.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: netutils.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: version.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: pcacli.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: mpr.dll
            Source: C:\Windows\System32\msiexec.exe | Section loaded: cabinet.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: aclayers.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: mpr.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc_os.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: msi.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: winmm.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: version.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: oledlg.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: wtsapi32.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: shfolder.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: wsock32.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: msacm32.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: winmmbase.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: winmmbase.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: faultrep.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: dbghelp.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: dbgcore.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: ntmarta.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: uxtheme.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: winsta.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: libasset32.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: wldp.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: olepro32.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: security.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: secur32.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: sspicli.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: msftedit.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: idndl.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\OpenWith.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Windows\System32\msiexec.exeFile written: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppd.ini
            Source: C:\Windows\System32\OpenWith.exeFile opened: C:\Windows\system32\MsftEdit.dll
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exeFile created: C:\intel\__tmp_rar_sfx_access_check_4006453
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exeJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exeJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exeJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exeJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exeJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\libasset32.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exeJump to dropped file
            Source: C:\Program Files\7-Zip\7zFM.exeFile created: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exeJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\vccorlib120.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exeJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exeJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exeJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exeJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exeJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\libcodec32.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exeJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\eventmsg.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dllJump to dropped file
            Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exeJump to dropped file
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dll
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\MSI34D2.tmp
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dll
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exe
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exe
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe
            Source: C:\Windows\System32\msiexec.exe | File created: C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
            Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
            Source: C:\Windows\System32\msiexec.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\RMS Host Installer Security
            Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX (×9)
            Source: C:\Program Files\7-Zip\7zFM.exe | Process information set: NOOPENFILEERRORBOX (×2)
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Process information set: NOOPENFILEERRORBOX (×2)
            Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX (×6)
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (×12)
            Source: C:\Windows\System32\msiexec.exe | Process information set: NOOPENFILEERRORBOX (×11)
            Source: C:\Windows\System32\msiexec.exe | Process information set: NOGPFAULTERRORBOX (×2)
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (×79)
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (×12)
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Process information set: NOGPFAULTERRORBOX (×18)
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE (×2)

            Malware Analysis System Evasion

            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | System information queried: FirmwareTableInformation
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exe
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exe
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\vccorlib120.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exe
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\libcodec32.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\eventmsg.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Windows\Installer\MSI34D2.tmp
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll
            Source: C:\Windows\System32\msiexec.exe | Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll
            Source: C:\Windows\System32\OpenWith.exe TID: 7708 | Thread sleep count: 74 > 30
            Source: C:\Windows\System32\msiexec.exe | File Volume queried: C:\ FullSizeInformation (×6)
            Source: C:\Program Files\7-Zip\7zFM.exe | Process information queried: ProcessInformation
            Source: C:\Windows\System32\OpenWith.exe | Process created: C:\Program Files\7-Zip\7zFM.exe "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\user\Downloads\Doc.7z"
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\intel\Word.msi" /qn
            Source: C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\intel\Doc.docx" /o ""
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
            Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
            Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation (×2)
            Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
            Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation (×2)
            Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\7zO82FE46CC\??? 328937.txt VolumeInformation
            Source: C:\Windows\System32\msiexec.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Windows\System32\msiexec.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD Blob
            Source: Yara match | File source: 0000001B.00000000.2321441205.0000000000D75000.00000002.00000001.01000000.00000012.sdmp, type: MEMORY
            Source: Yara match | File source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, type: DROPPED
            Source: Yara match | File source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, type: DROPPED
            Source: Yara match | File source: 0000001C.00000000.2413557982.00000000023F1000.00000002.00000001.01000000.00000014.sdmp, type: MEMORY
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity InformationAcquire Infrastructure1
            Replication Through Removable Media
            Windows Management Instrumentation1
            Registry Run Keys / Startup Folder
            11
            Process Injection
            22
            Masquerading
            OS Credential Dumping1
            Security Software Discovery
            Remote ServicesData from Local System2
            Encrypted Channel
            Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault AccountsScheduled Task/Job1
            DLL Side-Loading
            1
            Registry Run Keys / Startup Folder
            1
            Modify Registry
            LSASS Memory11
            Virtualization/Sandbox Evasion
            Remote Desktop ProtocolData from Removable Media1
            Non-Application Layer Protocol
            Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
            DLL Side-Loading
            11
            Virtualization/Sandbox Evasion
            Security Account Manager1
            Process Discovery
            SMB/Windows Admin SharesData from Network Shared Drive2
            Application Layer Protocol
            Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
            Extra Window Memory Injection
            1
            Disable or Modify Tools
            NTDS11
            Peripheral Device Discovery
            Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
            Process Injection
            LSA Secrets2
            File and Directory Discovery
            SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            Software Packing
            Cached Domain Credentials34
            System Information Discovery
            VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
            DLL Side-Loading
            DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
            File Deletion
            Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
            Extra Window Memory Injection
            /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

Source | Detection | Scanner | Label
https://bitbucket.org/ziphose/obmen/downloads/Doc.7z | 0% | Avira URL Cloud | safe
Source | Detection | Scanner | Label
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe | 3% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe | 0% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll | 3% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe | 3% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll | 2% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exe | 3% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe | 3% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe | 3% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dll | 2% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe | 2% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dll | 0% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dll | 0% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dll | 3% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dll | 4% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe | 3% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dll | 3% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dll | 3% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll | 3% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dll | 0% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dll | 0% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dll | 0% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dll | 2% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll | 3% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe | 3% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dll | 3% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dll | 3% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll | 3% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\vccorlib120.dll | 0% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\eventmsg.dll | 8% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\libasset32.dll | 0% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\libcodec32.dll | 0% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe | 13% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe | 12% | ReversingLabs | Win32.Trojan.Generic
C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll | 0% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll | 0% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll | 0% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll | 0% | ReversingLabs |
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll | 0% | ReversingLabs |
C:\Windows\Installer\MSI34D2.tmp | 0% | ReversingLabs |
C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exe | 0% | ReversingLabs |
C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe | 0% | ReversingLabs |
C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe | 0% | ReversingLabs |
C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exe | 0% | ReversingLabs |
C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe | 0% | ReversingLabs |
            No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s3-w.us-east-1.amazonaws.com | 3.5.30.93 | true | false | | high
bitbucket.org | 185.166.143.49 | true | false | | high
main.internetid.ru | 95.213.205.83 | true | false | | unknown
www.google.com | 142.250.181.100 | true | false | | high
prod.globalsign.map.fastly.net | 151.101.66.133 | true | false | | unknown
bbuseruploads.s3.amazonaws.com | unknown | unknown | false | | high
id72.internetid.ru | unknown | unknown | false | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
52.113.194.132 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
172.217.19.227 | unknown | United States | 15169 | GOOGLEUS | false
52.168.117.171 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
172.217.17.67 | unknown | United States | 15169 | GOOGLEUS | false
172.217.17.78 | unknown | United States | 15169 | GOOGLEUS | false
172.217.17.46 | unknown | United States | 15169 | GOOGLEUS | false
52.109.89.18 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
185.166.143.49 | bitbucket.org | Germany | 16509 | AMAZON-02US | false
52.111.252.18 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
23.218.208.109 | unknown | United States | 6453 | AS6453US | false
142.250.181.100 | www.google.com | United States | 15169 | GOOGLEUS | false
3.5.30.93 | s3-w.us-east-1.amazonaws.com | United States | 14618 | AMAZON-AESUS | false
64.233.165.84 | unknown | United States | 15169 | GOOGLEUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
52.109.89.19 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
                          IP
                          192.168.2.16
                          192.168.2.4
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1567220
                          Start date and time:2024-12-03 09:54:32 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:defaultwindowsinteractivecookbook.jbs
                          Sample URL:https://bitbucket.org/ziphose/obmen/downloads/Doc.7z
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:29
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • EGA enabled
                          Analysis Mode:stream
                          Analysis stop reason:Timeout
                          Detection:MAL
                          Classification:mal64.evad.win@36/77@7/108
                          • Exclude process from analysis (whitelisted): svchost.exe
                          • Excluded IPs from analysis (whitelisted): 23.193.114.18, 23.193.114.26
                          • Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, clientservices.googleapis.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, download.windowsupdate.com.edgesuite.net
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size getting too big, too many NtEnumerateKey calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • VT rate limit hit for: https://bitbucket.org/ziphose/obmen/downloads/Doc.7z
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:Rich Text Format data, version 1, ANSI, code page 1251, default middle east language ID 1025
                          Category:dropped
                          Size (bytes):140524
                          Entropy (8bit):4.705761523836363
                          Encrypted:false
                          SSDEEP:
                          MD5:65B04B706AC06E31210F4FFB1E92994E
                          SHA1:B005637B3DE903CBD7960637D77FF993897C5A63
                          SHA-256:E9ACC22A02BC2148AE07EC7CBE741E6E1CBC90DE3856AAE8F32A31FB5C338566
                          SHA-512:5B708D069434A384738EFD5F4621F257FC79A7F5A32D8AE9C1D29E21EFE1EEB2C393EC67DA39714C0C73F2217B68091EE7196C72331838A0A7ECA872FAF09A09
                          Malicious:false
                          Reputation:unknown
                          Preview:{\rtf1\adeflang1025\ansi\ansicpg1251\uc1\adeff0\deff0\stshfdbch0\stshfloch31506\stshfhich31506\stshfbi31506\deflang1049\deflangfe1049\themelang1049\themelangfe0\themelangcs0{\fonttbl{\f0\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt Times New Roman};}..{\f1\fbidi \fswiss\fcharset204\fprq2{\*\panose 020b0604020202020204}Arial;}{\f2\fbidi \fmodern\fcharset204\fprq1{\*\panose 02070309020205020404}Courier New;}{\f3\fbidi \froman\fcharset2\fprq2{\*\panose 05050102010706020507}Symbol;}..{\f10\fbidi \fnil\fcharset2\fprq2{\*\panose 05000000000000000000}Wingdings;}{\f34\fbidi \froman\fcharset204\fprq2{\*\panose 02040503050406030204}Cambria Math;}..{\flomajor\f31500\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt Times New Roman};}{\fdbmajor\f31501\fbidi \froman\fcharset204\fprq2{\*\panose 02020603050405020304}Times New Roman{\*\falt Times New Roman};}..{\fhimajor\f31502\fbidi \froman\fcharset204\fprq2{\*\panose 0204
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):15680
                          Entropy (8bit):6.579534230870796
                          Encrypted:false
                          SSDEEP:
                          MD5:C2F009D6317D1BA4E722938A1408478A
                          SHA1:66D702BC9FA98D1E7FE9BBC16AFF9AE711019E9B
                          SHA-256:6A8D4FB6F90B53D986B2AC6BF3BFCC56D6A54A2E8AF5670129566F5D344ED0FA
                          SHA-512:4D8060EC77EB9B95B57BC20AF2685064FA1E1FCC9403EFE95572C37D72ACD39B8005831EA0BAE95C365E945E50962B7FE1BFD964C5776D3E99CE5E474F726BFE
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 3%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3.j.]Oj.]Oj.]Og..Oh.]Og..Oh.]Og..Oy.]Og..Oh.]Oc..Oc.]Oj.\OY.]O..Ok.]Og..Ok.]O..Ok.]ORichj.]O........................PE..L......S..................................... ....@..........................`.......J....@.................................."..x....@..................@....P..|....!..8............................!..@............ ...............................text...2........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc..|....P......................@..B................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):2673984
                          Entropy (8bit):6.865614554810881
                          Encrypted:false
                          SSDEEP:
                          MD5:10CD2135C0C5D9D3E5A0A5B679F2FAAE
                          SHA1:A0617D8C6876F98B9A1819A71F2A56B965C1C75D
                          SHA-256:D7A97387505CA740AC88E85CAC3AA3CA73C666CC3BFD977C7E40B1D9D6CA6C12
                          SHA-512:6A1F81127FF26DCC235D7CE454E69F9A3784AC54BBC8486CB5022AAC47C2FB6003641A0F8AAFDD3B89812FE3C1C90569AD73C1C135687C042CE92C5DD2FFBDD8
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............zz..zz..zz.M...zz.+...zz.+...zz.+...zz.+...zz.f...zz..zz..zz.f..Oxz..z{..{z......zz.f...zz..(...zz..z...zz.f...zz.Rich.zz.........PE..L...h3.\............................5u............@.......................... ).......(...@.................................<.&.......'.H.............(.@.....'..n..................................0:&.@............................................text...5........................... ..`.rdata..............................@..@.data...<.....&..d....&.............@....rsrc...H.....'......8'.............@..@.reloc...n....'..p...>'.............@..B........................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):1110848
                          Entropy (8bit):6.491478844569486
                          Encrypted:false
                          SSDEEP:
                          MD5:AB3E77FC94445A18C9376F98CE10102F
                          SHA1:9424736FB3DB517C5584A14A482F84D81A671F8D
                          SHA-256:EEE325D9AC6A7B24B8ED3742110BD042803D6DA065F2E51153151E69D51CE4A3
                          SHA-512:454115C621434E98D39AEC605FCEB349C7AFB938B3E822F5950EE60E54FBFCB5CDBFE750015FE947C07FB991B4E966E535640343294D885ED2661353D3FD6EC9
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 3%
                          Reputation:unknown
                          Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........[.:..:..:....l.:....n.7:....o.:..d..:..d...:..d..:..u.V.:..?d...:..?d..:..?d..:..:..T:..?d..:..?d..:..:db.:..?d..:..Rich.:..........................PE..L......\...........!......................................................................@.............................|....&..d.......................@........l......p...............................@............................................text............................... ..`.rdata..p;.......<..................@..@.data...H;...@...*..................@....gfids..$............X..............@..@.rsrc................d..............@..@.reloc...l.......n...f..............@..B........................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):22848
                          Entropy (8bit):6.464002114523214
                          Encrypted:false
                          SSDEEP:
                          MD5:2DE35EAAE57A6BAA02D9E8ED0661F042
                          SHA1:82D14A58D5188F5B7606365BE0E3F968A8E81E93
                          SHA-256:BB43036D202D3DBD765A12D1C4C243E7AB8328FFC1941AEA838D8B1553700E64
                          SHA-512:02F1D530C1469431A94074A057FCE3FE60735D3B15DD767E8F39F29B702B98B061954063D83D5FA426D7684CC86359E87424F0CC54FFB0AC3F388AA7E48D6DE0
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 3%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9Gf.}&.I}&.I}&.I;w.I|&.I;w.In&.I;w.Iy&.I;w.Iy&.It^.Ix&.I}&.I?&.I..I|&.Ipt.I|&.I}&.I|&.I..I|&.IRich}&.I................PE..L...k3.\.....................8......e".......0....@.......................................@.................................49..d....`..@............:..@....p......@1..8............................5..@............0...............................text...k........................... ..`.rdata..:....0......................@..@.data........@......................@....rsrc...@....`.......0..............@..@.reloc.......p.......6..............@..B................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):4005696
                          Entropy (8bit):6.809616089473951
                          Encrypted:false
                          SSDEEP:
                          MD5:2C5987EA1E87A5C073B780F8102AE09C
                          SHA1:78DAA99D8C59A4A2E0D3B59E5427F854D8613080
                          SHA-256:22AC34380064C0FFEE59AD892CA4695E94EE8F97B78C18565251295817A784FE
                          SHA-512:7D6432960C5F3BEC27B13D06D4126C91A1DD7DD702DE97F1001855D8572BE68D6526F419BB58F5E5238E8E8F81C801BDAD8F351EF0AE75564835146F3DD3434D
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 2%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.............3.......3.......3.............................fP8.............,......,.......,...Z...,.......).......,.......Rich....................PE..L......\...........!.....b"..0................"...............................=.....3.=...@.........................pA:......p:.d.....;...............=.@.....;.$.....6.p.....................6.....p.6.@.............".d............................text...9a"......b"................. ..`.rdata..(....."......f".............@..@.data.........:..j...f:.............@....gfids........;.......:.............@..@.tls..........;.......:.............@....rsrc.........;.......:.............@..@.reloc..$.....;.. ....:.............@..B................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:MS Windows icon resource - 6 icons, 32x32, 4 bits/pixel, 16x16, 4 bits/pixel
                          Category:dropped
                          Size (bytes):10134
                          Entropy (8bit):5.364629779133003
                          Encrypted:false
                          SSDEEP:
                          MD5:6F70BD62A17EC5B677EC1129F594EE6F
                          SHA1:4FB95EB83A99C0DA62919C34886B0A3667F3911E
                          SHA-256:FC8570D50C1773A1B34AA4E31143FD0776E26FF032EE3EEB6DB8BFAB42B4A846
                          SHA-512:615A7E8738B2CF1BC47C8D5FC1357C1299080D0BAA1E54129D0DEBDB6BA60CD366364BE0BDAFDABCBA60F16544B0516A50B4B0182E8BCF01F59171003CE9B244
                          Malicious:false
                          Reputation:unknown
                          Preview:...... ..........f...........(...N... ..........v...........h....... .... ............... .h....#..(... ...@.....................................................................................................................................................x..............wx.............ww.............ww.x...........ww.xx..........ww.wxx..........w.wwxx...........wwwxx..........xwwwxx..........xwwwx...........xwww..x.........xww.wx.x........xw.wwwx.x.......x.w|.x.x.x........z.x.ww..x......x.x.ww....x......x..w....x.x......x.....p.x........x................x....................p................................p..........................................................................................................................................................................................................?...........?............(....... ..........................................................................................................x......w......w.x......wx.....wwx.....w
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):39744
                          Entropy (8bit):6.36744082696392
                          Encrypted:false
                          SSDEEP:
                          MD5:9ED8BAA9DEC76C6AFAFC1C71193A0AE8
                          SHA1:843727F195BF194CFF3736B80FB5249713F1E116
                          SHA-256:CD2C60402D46C339147ADDF110C904F78A783F23106CCAD147EFA156175D66DE
                          SHA-512:40D85540176AB0170B7341D6A8A808FD351B35C6444D468E7707B35D2B2E8F3322DBF0BF31E0578E3A12E1A62B310DD7983B7EFB0F2C72D0C4104AEB0BBCEFF9
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 3%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............b..b..b..3...b..3+..b..3*..b..3...b.Z....b...X..b..b..b.Z....b..0...b..b\..b.Z....b.Rich.b.................PE..L....3.\.................D...8.......I.......`....@.......................................@..................................s.......................|..@............b..8............................j..@............`...............................text....C.......D.................. ..`.rdata.......`... ...H..............@..@.data................h..............@....rsrc................l..............@..@.reloc...............t..............@..B........................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):179520
                          Entropy (8bit):5.239011393842513
                          Encrypted:false
                          SSDEEP:
                          MD5:FF197487BFE7E9D3396E0793B83811ED
                          SHA1:D92CA066B79DF28BF22BB051AEDFE10E4FA4A2A6
                          SHA-256:E6D0CA844514FDD105772E72C7C30D47099112AB68A4A5F9E4A2B28C0372A05A
                          SHA-512:33A13B0EE7E3DD038B35B5E4220278016397D003DCEECA56C3EE264608E053940AAFC09AE582C0FD67DFA919F38265883269F6C1A93E5BB9047B97F4A51CACCE
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 3%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z............X.1....X......X.3....X........m......}....D3.........D.......5......y....D0....Rich...........................PE..L....3.\.................\..........8........p....@..........................0......T.....@.................................,5.......`..V...............@....... ....z..8...........................(...@............0..,............................text....[.......\.................. ..`.rdata...D...p...F...`..............@..@.data....l..........................@....idata...$...0...&..................@..@.rsrc...V....`......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):53056
                          Entropy (8bit):6.556803642202102
                          Encrypted:false
                          SSDEEP:
                          MD5:A7A19BFD82EEAE7D4DC00144F3B949F4
                          SHA1:FBD6EF10A7D519386CB32B093AE7E42852BAECBD
                          SHA-256:A32A93B71A5628EDFC19FD31D26AC60DAF364E89CFDA2C82071718814042BE55
                          SHA-512:5AC0F6A0FDAAB8B832B0021948101ABD1C8AF8B79E0C02D60770DF22D945D669AE7D588BD3264F9991E11CBAB01A445AAC9B594B47171C68A6A7BDC3FBB8D962
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 3%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w...3..3..3..uO..1..uO.. ..uO,.7..uO..6..3..S..:fb.4.....1..>L*.2..3.f.2.../.2..Rich3..........................PE..L...j3.\.................v...:......Ez............@.................................Ul....@.................................t...x.......@...............@...............8..............................@...............|............................text....u.......v.................. ..`.rdata... ......."...z..............@..@.data...............................@....rsrc...@...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):2772288
                          Entropy (8bit):6.917291195041145
                          Encrypted:false
                          SSDEEP:
                          MD5:9FD469846E628F44A4147743875FFBC0
                          SHA1:6065C496D7C2695F3678D945FFA3FEFFBCD83C53
                          SHA-256:129C2D91F085E54FD9E333C6F580A16907A1D9659D823D6C7CB25F5D3CE55CC8
                          SHA-512:5AF5DD95BE604E039337D153CED2B9D3FE33F2E05818E3A222FDD9F7B3381197CCF3CA39324F46CA95B81DF76624F0EF4A0CF045195640E58B9A233D092F43AB
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 2%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u.&.1fH.1fH.1fH....8fH.w7..<fH.w7..<fH.w7..5fH.w7..6fH.8..$fH.1fI.^gH.1fH.&fH......dH......fH.....,fH.....0fH.<4..0fH.....0fH.Rich1fH.................PE..L...,..[...........!.........j......#......... ...............................*.....N.*...@.........................p.'..:..T.(.......)...............*.@.....).8|..0. .8............................8'.@............. .h............................text............................... ..`.rdata...-.... ....... .............@..@.data........@(..~...0(.............@....rsrc.........).......(.............@..@.reloc..8|....)..~....(.............@..B................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):2991424
                          Entropy (8bit):6.7900679594310915
                          Encrypted:false
                          SSDEEP:
                          MD5:829DD10CD377386A2040897F5288DDB0
                          SHA1:A7B1C7A6C0E1C9641750E8150EE810530FB67DD0
                          SHA-256:5753F66DBC480901955DE247117F3C1E99777B1A610C90931E50C374F8B1D888
                          SHA-512:C6B915EBF7B1C023FBB2E06FB169857539253CFA2B5B5C770DF5A43896AF8A0C847796E3F82C6109778F11D7FE3976DA172E1E0E6EACCD1C82DBAEB80ADAB4F5
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 2%
                          Reputation:unknown
                          Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$............j...j...j..V.u..j...;m..j...;R..j...;o..j...;S..j....!..j..}.o..j...j...j..}.R.3h..}.S..j.._4...j...j..Ah..}.W..j..}.n..j...8i..j...j%..j..}.l..j..Rich.j..........................PE..L....3.\..................!...........!......."...@...........................-.....;.....@...........................+.+.....+.......,.@.............-.@.....,..C...................................w+.@............."..............................text...g.!.......!................. ..`.rdata..$.....".......".............@..@.data....~....,..N....+.............@....rsrc...@.....,......<,.............@..@.reloc...C....,..D...B,.............@..B................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):660128
                          Entropy (8bit):6.339798513733826
                          Encrypted:false
                          SSDEEP:
                          MD5:46060C35F697281BC5E7337AEE3722B1
                          SHA1:D0164C041707F297A73ABB9EA854111953E99CF1
                          SHA-256:2ABF0AAB5A3C5AE9424B64E9D19D9D6D4AEBC67814D7E92E4927B9798FEF2848
                          SHA-512:2CF2ED4D45C79A6E6CEBFA3D332710A97F5CF0251DC194EEC8C54EA0CB85762FD19822610021CCD6A6904E80AFAE1590A83AF1FA45152F28CA56D862A3473F0A
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........;..h..h..h..[h..h..h..h..Mh..hIAWh..h..Oh..h..qh..h..ph..h..uh..h..Lh..h..Kh..h..Nh..hRich..h................PE..d.....OR.........." .....@...................................................`......a.....`.........................................pU.. ....2..<....@...........G.......>...P.......X..................................p............P...............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.data........P...8...B..............@....pdata...G.......H...z..............@..@.rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):963232
                          Entropy (8bit):6.634408584960502
                          Encrypted:false
                          SSDEEP:
                          MD5:9C861C079DD81762B6C54E37597B7712
                          SHA1:62CB65A1D79E2C5ADA0C7BFC04C18693567C90D0
                          SHA-256:AD32240BB1DE55C3F5FCAC8789F583A17057F9D14914C538C2A7A5AD346B341C
                          SHA-512:3AA770D6FBA8590FDCF5D263CB2B3D2FAE859E29D31AD482FBFBD700BCD602A013AC2568475999EF9FB06AE666D203D97F42181EC7344CBA023A8534FB13ACB7
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Ck.."..".."..D...".."..-"...s..$ ...s.."...s.."...s.. "...s.."...s.."...s.."..Rich."..........................PE..d.....OR.........." .....h...:.......)..............................................].....`.................................................@...(............@...s...t...>......8...p................................2..p............................................text....g.......h.................. ..`.rdata...8.......:...l..............@..@.data...hu.......D..................@....pdata...s...@...t..................@..@.rsrc................^..............@..@.reloc..8............b..............@..B........................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):17415
                          Entropy (8bit):4.618177193109944
                          Encrypted:false
                          SSDEEP:
                          MD5:8EE7FD65170ED9BD408E0C821171B62A
                          SHA1:9D14A87A049C3B576CEC4B28210F0C95B94E08E0
                          SHA-256:EE1E4D9869188CC3FA518C445ECF071845E5BD8BE56767A9F7F7DD3ACE294BA5
                          SHA-512:5740AB3545D2217BA2156C58BA9AF6681D73116AB5DFBEAA5AB615D9CD0C77716C25865E67188E9D7892B340776755D4CBB1A3E98FAEAF8B6BB4B2CCA00D8AE6
                          Malicious:false
                          Reputation:unknown
                          Preview:*GPDSpecVersion: "1.0"..*GPDFileVersion: "1.0"..*GPDFileName: "***.GPD"..*Include: "STDNAMES_VPD.GPD"..*ModelName: "****"..*MasterUnits: PAIR(40800, 117600)..*ResourceDLL: "UNIRES_VPD.DLL"..*PrinterType: PAGE..*MaxCopies: 99....*Feature: Orientation..{.. *rcNameID: =ORIENTATION_DISPLAY.. *DefaultOption: PORTRAIT.. *Option: PORTRAIT.. {.. *rcNameID: =PORTRAIT_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.6.. *Cmd: "".. }.. }.. *Option: LANDSCAPE_CC270.. {.. *rcNameID: =LANDSCAPE_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.6.. *Cmd: "".. }.. }..}..*Feature: InputBin..{.. *rcNameID: =PAPER_SOURCE_DISPLAY.. *DefaultOption: AUTO...*Option: AUTO.. {.. *rcNameID: =AUTO_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.9.. *Cmd: "".. }.. }.. *Option: CASSETTE.. {.. *rcNameID:
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):41
                          Entropy (8bit):4.479503224130278
                          Encrypted:false
                          SSDEEP:
                          MD5:035B163A3E4C308F617C05E0137FAFD0
                          SHA1:484238C9C05805F1CA5A97FA58950253B7F9FCBE
                          SHA-256:00CA9230DBAC7FF222CA837AA796496FF4B9B15E0552D3D5AD26B040E2BAB8D7
                          SHA-512:3EB65CF86C3C71944C8100F90C60604DB4EA69CB187F8E473601845EB4520148CF3779762EF997DC5C14FE8A2269B928448DDF0338A4F172C0460FA0D6F29798
                          Malicious:false
                          Reputation:unknown
                          Preview:[OEMFiles] ..OEMConfigFile1=rppdui.dll ..
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):98650
                          Entropy (8bit):4.192473934109759
                          Encrypted:false
                          SSDEEP:
                          MD5:1614E6CDF119FD284D476F7E6723B3AD
                          SHA1:3FF9164C9E5FC47169CC1C6EECA22AAB099F2EA3
                          SHA-256:C8DF350F95FFEEED30060092DC8666EADCE040A4DDCB98E7A9293F87D19387A8
                          SHA-512:8FBCB156B2F9637BC15FA71758A361CB2500F5A19875EE6BE2B52FC3171C38353A6CDC623E36777D052E0B319C7AF934D2D1DBE92E69666C9B9AD749610BA471
                          Malicious:false
                          Reputation:unknown
                          Preview:..[.E.n.g.l.i.s.h.].....L.a.n.g.I.D.=.1.0.3.3.....;. .l.o.o.k. .f.o.r. .l.a.n.g.u.a.g.e. .i.d.e.n.t.i.f.i.e.r.s. .i.n. .M.S.D.N. .-. .'.T.a.b.l.e. .o.f. .L.a.n.g.u.a.g.e. .I.d.e.n.t.i.f.i.e.r.s.'. .t.o.p.i.c.........;. .S.T.A.N.D.A.R.D. .D.I.A.L.O.G. .B.U.T.T.O.N.S.:.........1.=.O.K.....2.=.C.a.n.c.e.l.........;. .P.R.I.N.T.I.N.G. .P.R.E.F.E.R.E.N.C.E.S.:.........;. .C.o.m.m.o.n. .s.t.r.i.n.g.s.....;. .b.i.t.s. .p.e.r. .p.i.x.e.l.....5.0.0.0. .=. .1. .b.i.t. .-. .b.l.a.c.k. .a.n.d. .w.h.i.t.e.....5.0.0.1. .=. .4. .b.i.t.s. .-. .1.6. .c.o.l.o.r.s.....5.0.0.2. .=. .8. .b.i.t.s. .-. .2.5.6. .c.o.l.o.r.s.....5.0.0.3. .=. .2.4. .b.i.t.s. .-. .t.r.u.e. .c.o.l.o.r.........;. .C.o.m.p.r.e.s.s.i.o.n.....5.0.0.4. .=. .N.o.n.e.....5.0.0.5. .=. .A.u.t.o.m.a.t.i.c.....5.0.0.6. .=. .C.C.I.T.T. .m.o.d.i.f.i.e.d. .H.u.f.f.m.a.n. .R.L.E.....5.0.0.7. .=. .C.C.I.T.T. .G.r.o.u.p. .3. .f.a.x. .e.n.c.o.d.i.n.g.....5.0.0.8. .=. .C.C.I.T.T. .G.r.o.u.p. .4. .f.a.x. .e.n.c.o.d.i.n.g.....5.0.0.9. .=. .L.e.m.p.e.
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):35648
                          Entropy (8bit):6.365966080243848
                          Encrypted:false
                          SSDEEP:
                          MD5:68EA0EC529B7B9D3284D860F5ABD9BB4
                          SHA1:1A3951538D9E79F09792C8B118F010834A6C1273
                          SHA-256:EE963C5960F6687789004175C3DF0098331BEBBCE992BF9C73EF9EF6ED73C1E0
                          SHA-512:E62D2CFCA2433F4D647A5658141D63093D75491C60D1647F41FFDE74308BDF1A512DEBCC4A4535CE6FC9DE1ACB149D135D89366FE75FC9C52AA709C8887D7A28
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 3%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........p.....................i'......i1......i6.........z....i!.............i ......i;..............i&......i#.....Rich............PE..d....4.\.........." .....V..........|P....................................................@..........................................d..W....[..................`....l..@........... ................................................................................text...'U.......V.................. ..`.data...4....p.......Z..............@....pdata..`............b..............@..@.rsrc................f..............@..@.reloc...............j..............@..B........................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):204096
                          Entropy (8bit):5.820956822859452
                          Encrypted:false
                          SSDEEP:
                          MD5:126C2BCC9112266CE33F9835A1E44B9C
                          SHA1:B16C0D19797C7A0CC665BC8346ECF453234A83A4
                          SHA-256:2736C2919966D17F27A34D69A7253CD4C2D09C6F7CF9FC03597F27BC73C0BDC2
                          SHA-512:C25FC46CA2D8DAAD868FA2B5F1BA6CCAAC7F919C8C7CBB86952741B493D27E79EC8C7FD5F124A704B78F4197E6F3812D0FE0F64BC00117EE2AC09B41FAE85308
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 4%
                          Reputation:unknown
                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$................dD....\....c....^....b..........R.......5Zf...5Zb...5Z_....X........5Z]...Rich...........................PE..d....4.\.........." .................~....................................................`..........................................G..l...\H..........(.......<.......@...............................................p............................................text...-........................... ..`.rdata..Z...........................@..@.data...ph...`.......@..............@....pdata..<............X..............@..@.rsrc...(............n..............@..@.reloc..............................@..B................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):102208
                          Entropy (8bit):6.071111727952987
                          Encrypted:false
                          SSDEEP:
                          MD5:CC0E2455CFF19B3585C9FA781428E88E
                          SHA1:93EC9326F0CEE4E7F385525B03DDF0DF89A409E8
                          SHA-256:AF24B7E339CC6B80ECF7B45050533E8227D6491EED2FD8C3FF2BF22406B027AA
                          SHA-512:B995CD999B36B9BD3DC8BE60A7576701CB91D18DF21934521C578047CD135C91F1027058198B1867A4D46804C0514523B370ECEC0E6691A041189011E31166A6
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 3%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C.."..."..."..+.l.."...st.."...sK.."...sv.."...sJ.."...Z8.."..."..."....N.."...pp.."..."<.."....u.."..Rich."..................PE..d...)4.\.........."............................@....................................R.....`..................................................[..........x............p..@...............8............................7..p...............P............................text...=........................... ..`.rdata...g.......h..................@..@.data........p.......V..............@....pdata...............X..............@..@.rsrc................d..............@..@.reloc...............n..............@..B................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):487232
                          Entropy (8bit):6.340203111317007
                          Encrypted:false
                          SSDEEP:
                          MD5:AD6C433A57BE03EE0C75076D6FE99CD5
                          SHA1:219EE785F2C8127DAA44B298B5B2B096FCCE8D12
                          SHA-256:8A180D92A2C879A3384D24A38EC8C9FD6BFD183935E61DA0B97F1C67A7EC9EA7
                          SHA-512:041FB9165068D0EA879632B883B3E247336A3BB159ED46AE053B60D074A0BB231FA2DEEDD6CB2BA17AACB771413A86A3F970480AF7A2311E51702288D3B9A30E
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 3%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................&.....7.......W.... .....0.....!.....:...d......'....."....Rich............................PE..d...w.[J.........." .........8......d..........t.....................................b....@..........................................4..........x....p.......@...(...P..@............!..8............................................0...............................text...O........................... ..`.rdata.......0......................@..@.data...x.... ......................@....pdata...(...@...*..................@..@.rsrc........p.......B..............@..@.reloc...............F..............@..B..[J@...+.[JK.....[JU.....[Jb...+.[JK.....[Jo.....[Jy...........msvcrt.dll.NTDLL.DLL.WINSPOOL.DRV.KERNEL32.dll.ole32.dll.GDI32.dll..............................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):892224
                          Entropy (8bit):6.044434154548935
                          Encrypted:false
                          SSDEEP:
                          MD5:BB98224B0CB6F17D61AA24D7A46A08C5
                          SHA1:DB78D1161EAA0C691DF76D1B6D7CC98793007BCE
                          SHA-256:23A30F94360D710BB020DF76E7846AB991EDD6CA3C7F685AECF6CD1A019D451A
                          SHA-512:D74291E8556911B77588D63EB20DB5D6642C31FEDD9EE186AE62D53C705F0CDBE14725ECBB8FC5FE770F45DFF05731EEBB2063A33BB78DF70B73CDCF4E86C465
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 3%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y'..I...I...I..`...I..`...I...H.R.I..`...I..`...I..`...I..`...I...7...I..`...I..`...I.Rich..I.................PE..d.....[J.........." .....$...V.................v....................................O.....@........................................../..{.... .................../...~..@...........`...................................................0............................text...[".......$.................. ..`.data....5...@...0...(..............@....pdata.../.......0...X..............@..@.rsrc...............................@..@.reloc..0............j..............@..B..[J`...+.[Jk...5.[Ju.....[J......[J......[J....+.[Jk.....[J......[J......[J......[J............msvcrt.dll.NTDLL.DLL.RPCRT4.dll.ole32.dll.USER32.dll.KERNEL32.dll.VERSION.dll.WINSPOOL.DRV.GDI32.dll.OLEAUT32.dll...............................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):770368
                          Entropy (8bit):5.630939020655746
                          Encrypted:false
                          SSDEEP:
                          MD5:A0D2853BE8043F5FC4FEE04CFE5A8293
                          SHA1:4FDF21E578739ABB4BCC938568F27897E733E229
                          SHA-256:1D8C77B674F8294DB39B2CDE2873BDE5A2F6EBD65E14CAEEB58FBA94C92C1F3D
                          SHA-512:FC5CE23DF55EF277D6DB898D5620697A3A061A5DD9BE63145CE71B966905CAC41B9785121709A2A0DCF8F90B76F484FAB619EB8DB40A873A867468ECF1620F99
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 3%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........u..E...E...E...Ll..D...Ll..D...RichE...................PE..d.....[J.........." ..........................@...........................................@.............................................................0...............@............................................................................................rsrc...............................@..@........................................0...8.......P.......................@...........................................r.......s...x...t...8...u.......v.......w...0...x.......y...........(...............................X.......(...............................h...............P....................................................................................................... .......8.......P.......h............................................................................................... .......0...
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):356528
                          Entropy (8bit):5.917051105867173
                          Encrypted:false
                          SSDEEP:
                          MD5:BDD8AE768DBF3E6C65D741CB3880B8A7
                          SHA1:91B01FD48A586822C1D81CA80B950F8639CCE78C
                          SHA-256:602ADD77CBD807D02306DE1D0179CB71A908EECB11677116FC206A7E714AB6D6
                          SHA-512:7840554A66F033E556CF02772B8B3749C593657CA254E0F2DBD93B05F4600E11BA821EBA8FC038115C038B5E5AF2F8D2CF0A5AE1F1362E813CF0B5041BBBFF94
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c...'.@.'.@.'.@....!.@.a...#.@.....&.@.a...%.@.a...*.@.a.../.@..P.. .@.'.A.T.@.a...6.@.a...&.@.a...&.@.a...&.@.Rich'.@.........PE..d...}.OR.........." .....n...........L...................................................`..............................................>...D.......P..........."...2...>...`......................................`...p............................................text....l.......n.................. ..`.rdata...............r..............@..@.data...x....`.......F..............@....pdata...".......$..................@..@minATL.......@......................@..@.rsrc........P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):455328
                          Entropy (8bit):6.698367093574994
                          Encrypted:false
                          SSDEEP:
                          MD5:FD5CABBE52272BD76007B68186EBAF00
                          SHA1:EFD1E306C1092C17F6944CC6BF9A1BFAD4D14613
                          SHA-256:87C42CA155473E4E71857D03497C8CBC28FA8FF7F2C8D72E8A1F39B71078F608
                          SHA-512:1563C8257D85274267089CD4AEAC0884A2A300FF17F84BDB64D567300543AA9CD57101D8408D0077B01A600DDF2E804F7890902C2590AF103D2C53FF03D9E4A5
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......o...+.N+.N+.N.3wN).N+.N..Nm.aN(.Nm.cN#.Nm.]N..Nm.\Ne.Nm.YN-.Nm.`N*.Nm.gN*.Nm.bN*.NRich+.N........................PE..L....|OR.........."!.........................0.......................................x....@..........................W..L...<...<........................>.......D...................................K..@...............<............................text...<........................... ..`.data....^...0...0... ..............@....idata...............P..............@..@.rsrc................j..............@..@.reloc...D.......F...n..............@..B........................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):970912
                          Entropy (8bit):6.9649735952029515
                          Encrypted:false
                          SSDEEP:
                          MD5:034CCADC1C073E4216E9466B720F9849
                          SHA1:F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
                          SHA-256:86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
                          SHA-512:5F11EF92D936669EE834A5CEF5C7D0E7703BF05D03DC4F09B9DCFE048D7D5ADFAAB6A9C7F42E8080A5E9AAD44A35F39F3940D5CCA20623D9CAFE373C635570F7
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S9...XlA.XlA.XlA..A.XlA.XmA.XlAQ..A.ZlAQ..AvXlAQ..A!XlAQ..A.XlAQ..A.XlAQ..A.XlAQ..A.XlARich.XlA........PE..L....|OR.........."!................D............................................... .....@.........................`........R..(....p...................>......d]..@...8...........................H...@............P...............................text............................... ..`.data...4e.......V..................@....idata.......P......................@....rsrc........p.......0..............@..@.reloc..d].......^...4..............@..B................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:Windows setup INFormation
                          Category:dropped
                          Size (bytes):9698
                          Entropy (8bit):3.8395767056459316
                          Encrypted:false
                          SSDEEP:
                          MD5:6476F7217D9D6372361B9E49D701FB99
                          SHA1:E1155AB2ACC8A9C9B3C83D1E98F816B84B5E7E25
                          SHA-256:6135D3C9956A00C22615E53D66085DABBE2FBB93DF7B0CDF5C4F7F7B3829F58B
                          SHA-512:B27ABD8ED640A72424B662AE5C529CDDA845497DC8BD6B67B0B44AE9CDD5E849F627E1735108B2DF09DD6EF83AD1DE6FAA1AD7A6727B5D7A7985F92A92CA0779
                          Malicious:false
                          Reputation:unknown
                          Preview:..............;. .N.T.P.R.I.N.T...I.N.F. .(.f.o.r. .W.i.n.d.o.w.s. .S.e.r.v.e.r. .2.0.0.3. .f.a.m.i.l.y.).....;.....;. .L.i.s.t. .o.f. .s.u.p.p.o.r.t.e.d. .p.r.i.n.t.e.r.s.,. .m.a.n.u.f.a.c.t.u.r.e.r.s.....;.........[.V.e.r.s.i.o.n.].....S.i.g.n.a.t.u.r.e.=.".$.W.i.n.d.o.w.s. .N.T.$.".....P.r.o.v.i.d.e.r.=.".M.i.c.r.o.s.o.f.t.".....C.l.a.s.s.G.U.I.D.=.{.4.D.3.6.E.9.7.9.-.E.3.2.5.-.1.1.C.E.-.B.F.C.1.-.0.8.0.0.2.B.E.1.0.3.1.8.}.....C.l.a.s.s.=.P.r.i.n.t.e.r.....C.a.t.a.l.o.g.F.i.l.e.=.n.t.p.r.i.n.t...c.a.t.....D.r.i.v.e.r.I.s.o.l.a.t.i.o.n.=.2.....D.r.i.v.e.r.V.e.r.=.0.6./.2.1./.2.0.0.6.,.6...1...7.6.0.0...1.6.3.8.5.........[.M.a.n.u.f.a.c.t.u.r.e.r.].....".M.i.c.r.o.s.o.f.t.".=.M.i.c.r.o.s.o.f.t.,.N.T.a.m.d.6.4.........[.M.i.c.r.o.s.o.f.t...N.T.a.m.d.6.4.].....".{.D.2.0.E.A.3.7.2.-.D.D.3.5.-.4.9.5.0.-.9.E.D.8.-.A.6.3.3.5.A.F.E.7.9.F.0.}.". .=. .{.D.2.0.E.A.3.7.2.-.D.D.3.5.-.4.9.5.0.-.9.E.D.8.-.A.6.3.3.5.A.F.E.7.9.F.0.}.,. .{.D.2.0.E.A.3.7.2.-.D.D.3.5.-.4.9.5.0.-.9.E.D.8.-.A.6.3.3.5.A.F.
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):33600
                          Entropy (8bit):6.281064018328684
                          Encrypted:false
                          SSDEEP:
                          MD5:BED53AB8B9E406D1A8D6A85924E44282
                          SHA1:19628BD3DE2BEF0EDC3622E4A7184162BD979040
                          SHA-256:E5A10A74CFC36A4DCFCC9B25573B92A37B55062153EF9120B93154DB5792B3DA
                          SHA-512:6F5C6945B0A982E8C94A826685158286D16173F51B10FDF1F5B9F4F93562240736A09B5F0997E995C0AF07360BACD51FA46CB8E4A3FA319519F3727FF87613E7
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 2%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......pZ.Y4;..4;..4;...4..:;..=C'.<;..=C6.9;..4;...;..=C!.7;..=C .5;..=C1.q;......5;..=C&.5;..=C#.5;..Rich4;..........PE..L...,4.\...........!.....F...........D.......`......................................a.....@.........................pU..W....M.......p...............d..@...........................................(...@...............t............................text....E.......F.................. ..`.data...\....`.......J..............@....rsrc........p.......P..............@..@.reloc...............T..............@..B................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):159552
                          Entropy (8bit):6.178643199247813
                          Encrypted:false
                          SSDEEP:
                          MD5:F0A9D47D76E68883F04E60599EADAE6D
                          SHA1:8F7BB6B9E9CB70529FA4C442ABF507A2F546E6E3
                          SHA-256:2FAB0969C6E131834496428779A0809B97981F3E8D6FBF8A59632CB2DF783687
                          SHA-512:18BBD1A3899C6B2F361BFA575D50D7DA29EAEF0E1C7CB50B318CECFE3150F268C1CDF30FEB5246B9F9B5D7FE36BD4A268E06595D9D3F3D86D933F14F5C43AD43
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 3%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........\.q.\.q.\.q..h..].q....._.q.....P.q.....X.q.....T.q.U...].q.\.p..q.U...K.q..V..V.q..V..D.q..V..].q.Q...].q.\...].q..V..].q.Rich\.q.........PE..L....3.\...........!.....L...N.......0.......`......................................k.....@.........................P...l...............(............P..@.......< ...................................z..@............`...............................text....J.......L.................. ..`.rdata...B...`...D...P..............@..@.data....\..........................@....rsrc...(...........................@..@.reloc..< ......."..................@..B........................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):87360
                          Entropy (8bit):6.424955012685773
                          Encrypted:false
                          SSDEEP:
                          MD5:66C5F108A058B515BBDDE628384990C9
                          SHA1:0FBADFC5106056DFD269DF5EA532F69556CAE68F
                          SHA-256:8D596D33CC3962B33B46D361BBC44A8088F18C09949734F3DEC54828372426AE
                          SHA-512:6060EF07244385516989DF3AAD1C01E9F93B7B45A247D8D70FC5BE7A62BA96BFD22F80F0C78D178443D38796A2C7148CD3ADF4EB1A5FC430DFF5BB393492901E
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 3%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........G..&...&...&....^..&...wF..&...wy..&...wD..&...wx..&...^...&...&..0&..$.|..&...tB..&...&...&..$.G..&..Rich.&..........PE..L...$4.\.....................n....................@..........................p.......C....@.................................d........@..x............6..@....P..........8...........................P...@............................................text............................... ..`.rdata...F.......H..................@..@.data...p....0......................@....rsrc........@......................@..@.reloc.......P....... ..............@..B................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):14366
                          Entropy (8bit):4.1817849062232195
                          Encrypted:false
                          SSDEEP:
                          MD5:7162D8977515A446D2C1E139DA59DED5
                          SHA1:952F696C463B8410B1FA93A3B2B6DAE416A81867
                          SHA-256:2835A439C6AE22074BC3372491CB71E6C2B72D0C87AE3EEE6065C6CAADF1E5C8
                          SHA-512:508F7CA3D4BC298534AB058F182755851051684F8D53306011F03875804C95E427428BD425DD13633EEC79748BB64E78AAD43E75B70CC5A3F0F4E6696DBB6D8E
                          Malicious:false
                          Reputation:unknown
                          Preview:*%%% Copyright (c) 1997-1999 Microsoft Corporation..*%%% value macros for standard feature names and standard option names..*%%% used in older Unidrv's.....*CodePage: 1252 *% Windows 3.1 US (ANSI) code page....*Feature: RESDLL..{.. *Name: "resource dll files".. *ConcealFromUI?: TRUE.... *Option: UniresDLL.. {.. *Name: "unires_vpd.dll".. }..}....*Macros: StdFeatureNames..{.. ORIENTATION_DISPLAY: RESDLL.UniresDLL.11100.. PAPER_SIZE_DISPLAY: RESDLL.UniresDLL.11101.. PAPER_SOURCE_DISPLAY: RESDLL.UniresDLL.11102.. RESOLUTION_DISPLAY: RESDLL.UniresDLL.11103.. MEDIA_TYPE_DISPLAY: RESDLL.UniresDLL.11104.. TEXT_QUALITY_DISPLAY: RESDLL.UniresDLL.11105.. COLOR_PRINTING_MODE_DISPLAY: RESDLL.UniresDLL.11106.. PRINTER_MEMORY_DISPLAY: RESDLL.UniresDLL.11107.. TWO_SIDED_PRINTING_DISPLAY: RESDLL.UniresDLL.11108.. PAGE_PROTECTION_
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):383296
                          Entropy (8bit):6.650287803080611
                          Encrypted:false
                          SSDEEP:
                          MD5:C3F39388BD4E6763F9734BC617388A17
                          SHA1:AF5B4753F99C3F115294662876D7191DC8652786
                          SHA-256:4D1F6A595889165B6A14B68D848C639748C9750C165BB4515CA3C3C67B4BA462
                          SHA-512:BD8D00461E65F156686B0FC799926897845900F072F7AC10B66387E041CC7D3810ADBFB0137E9EA7B24995A11D324707D9E0FCD699D36E62ED089F46CC5ABA58
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 3%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w...3g..3g..3g..:.;.4g..3g...g..:.=.8g..:.<.2g..:.-..g..:.*.sg.....2g..:.:.2g..:.?.2g..Rich3g..........................PE..L...$.[J...........!................-..............m................................Z!....@....................................x.......................@...............8............................t..@.......|.......`............................text...k........................... ..`.data...............................@....rsrc...............................@..@.reloc..............................@..Bo.[J8...K.[JC.....[JP.....[J].....[Jg.....[Jq...........msvcrt.dll.WINSPOOL.DRV.KERNEL32.dll.NTDLL.DLL.ole32.dll.GDI32.dll..............................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:MS Windows 3.1 help, Tue Apr 17 13:11:56 2001, 21225 bytes
                          Category:dropped
                          Size (bytes):21225
                          Entropy (8bit):3.9923245636306675
                          Encrypted:false
                          SSDEEP:
                          MD5:6798F64959C913673BD66CD4E47F4A65
                          SHA1:C50FAA64C8267AC7106401E69DA5C15FC3F2034C
                          SHA-256:0C02B226BE4E7397F8C98799E58B0A512515E462CCDAAC04EDC10E3E1091C011
                          SHA-512:8D208306B6D0F892A2F16F8070A89D8EDB968589896CB70CF46F43BF4BEFB7C4CA6A278C35FE8A2685CC784505EFB77C32B0AABF80D13BCC0D10A39AE8AFB55A
                          Malicious:false
                          Reputation:unknown
                          Preview:?_...........R..r...i.....(),.aabo.utadvanc.edAllows.andareas.assigned.availabl.ebebookl.etc-.hang.e..racter@Clickc. o.de..sColo.rc.0..scon.taindefa.ultdepth.directlyi.0or..sh..PD.isplaysd.ocument.P.sdraftse.n, ex..nal.featuref.ilesfl.....PrFor..m..-.to-trayf.romgraph$ic.@sh@.to.neH.@dhig.herIfima.gesininE..atio..sta.ll.@..itLe.t..Listsl.o..*.nualm.em..meta..2mS.tM!...enhoto..Oy.w.o.per\.ngop.timizh ...@.nsor..p.......spa3.Pri.ntp.0..ed.0..0er.@-spe.cific.@s1 .m.q..ityQ.0.relaB.RET.k.ghseese.l..edsets.oftSomes0ourc}.P ed.S.@sb.'.poo...gsuchsu.pporttak.est..tha...eT..'.oTo...TrueType...l.usevie@wWhenw. e.1.rw..hwil.lyouyour.;bynewof.fs/...&....;)....z4..............................N.......|CF0.lR..|CF1..R..|CF2..R..|CF4..R..|CF5..R..|CONTEXT..)..|CTXOMAP.. ..|FONT.. ..|Petra..2..|PhrImage.....|PhrIndex.....|SYSTEM.2...|TOPIC.....|TTLBTREE..!..|TopicId.=J.......................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):755520
                          Entropy (8bit):6.198681499104638
                          Encrypted:false
                          SSDEEP:
                          MD5:0822EE0FF996BEB2B31EBBDD6449231B
                          SHA1:7DF7F4978F3C4728CAEF9F95C6EB6C0D8CF8FDAC
                          SHA-256:D727150FA7853748655E9CAA9F19F633E33BD191284703D6609984A64CB39CAB
                          SHA-512:A47D25901FAD0507167E241350EC12C8D545F3F932E1B44E5F167A82263BCB97DA06B09454E8DE815EFC445088F2B1011028C3EAE5BF3F55FACAA3D9EC082815
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 3%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."..wf..$f..$f..$o.%$n..$f..$...$o.#$u..$o.3$8..$o."$g..$o.4$...$AZ.$g..$o.$$g..$o.!$g..$Richf..$................PE..L......L...........!.....2...2......e........@....(p.....................................@.............................{....3.......p...............h..@....`...0...@..8...............................@............................................text...E1.......2.................. ..`.data........P.......6..............@....rsrc........p.......T..............@..@.reloc...0...`...2...6..............@..B..LX......Lc...o..Ln...&..Lx.....L....n..L....%..L....K..L.......L....r..L............msvcrt.dll.RPCRT4.dll.ole32.dll.USER32.dll.KERNEL32.dll.NTDLL.DLL.VERSION.dll.WINSPOOL.DRV.GDI32.dll.OLEAUT32.dll.......................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):770368
                          Entropy (8bit):5.629918098777896
                          Encrypted:false
                          SSDEEP:
                          MD5:385152D096A96D1966C1042EDE38114F
                          SHA1:A42D0587A2BF156C3F757778397A2E7AC8122E3C
                          SHA-256:5A22FE5AF587540A9840E4F2A515564A2478DDA47AC1C81B687AC2F59C4C2FD0
                          SHA-512:483E8819C6C5C1BCF725A4D6513364A5EE054E1D9100A8F42FFD2DBBFD52910CCA8E6DAF4435103C75AA2EBCA5A608BCC76EE6C531EA67C723267D9445D40256
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 3%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........u..E...E...E...Ll..D...Ll..D...RichE...................PE..L......L...........!..............................@.......................................@............................................................@............................................................................................rsrc...............................@..@........................................................0...8.......P.......................@...........................................r.......s...x...t...8...u.......v.......w...0...x.......y...........(...............................X.......(...............................h...............P....................................................................................................... .......8.......P.......h............................................................................................... .......0...
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):247984
                          Entropy (8bit):6.601853231729306
                          Encrypted:false
                          SSDEEP:
                          MD5:69837E50C50561A083A72A5F8EA1F6A2
                          SHA1:1A4B4C6C3CB6A5164CC1018AC72D0300455B3D8F
                          SHA-256:9C9D4E421C55F7EF4E455E75B58A6639428CCD75C76E5717F448AFE4C21C52BC
                          SHA-512:FD20C6B4EEC972C775681AD7322769D5074108D730727051EF77D779A277D77B12419E1FEE1E2EC0CF376A235573A85AD37975245DBF078DE467953AFD02164A
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0p..Q..Q..Q..)..Q......Q......Q......Q......Q..P...Q..Q...Q......Q......Q......Q......Q..Rich.Q..........PE..L....OR.........."!.................4...............................................:....@.............................e=...A.......`...................>...p...R..0................................/..@............@...............................text............................... ..`.data...xp.......n..................@....idata.......@......."..............@..@minATL.......P.......0..............@..@.rsrc........`.......2..............@..@.reloc...R...p...T...6..............@..B........................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):52312
                          Entropy (8bit):6.450469916547452
                          Encrypted:false
                          SSDEEP:
                          MD5:4E84DF6558C385BC781CDDEA34C9FBA3
                          SHA1:6D63D87C19C11BDBFA484A5835FFFFD7647296C8
                          SHA-256:0526073F28A3B5999528BFA0E680D668922499124F783F02C52A3B25C367EF6D
                          SHA-512:C35DA0744568BFFFEFF09E6590D059E91E5D380C5FEB3A0FBC5B19477CECA007A882884A7033345CE408FCE1DEAC5248AD9B046656478D734FE494B787F8A9F2
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 8%
                          Reputation:unknown
                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...r.;`.....................$...................@..........................`....................................... ..q............P..................X....@..................................................................$....................text............................... ..`.itext.............................. ..`.data...<...........................@....bss.....5...............................idata..............................@....didata.$...........................@....edata..q.... ......................@..@.rdata..E....0......................@..@.reloc.......@......................@..B.rsrc........P......................@..@.............`......................@..@........................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):9223040
                          Entropy (8bit):6.355581719432468
                          Encrypted:false
                          SSDEEP:
                          MD5:8A9BDA9B9A84BD1551A09B65DFBC0C74
                          SHA1:14FB48758D664917D789C21DCCB26D9D987F099F
                          SHA-256:1D0F8C96F77C339A5F01822B9375131B0B0A49D6CAC45589CDB4B749DAA79773
                          SHA-512:BBFB78B3652532E97F66E2DE7BFBEEFCB59254D9E626C62FF1B2E735AF2549B5483AB07739F6C9A686304C5042CDA79312028293959500BAC2A1EFE91B7732DB
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...=..f..i.t......!...*.~G...e..0............G...(m..........................j..........@... ......................Pc......`c.0"....c.............x..../....c............................`.S.....................|ec..............................text....}G......~G.................`..`.data...,o....G..p....G.............@....rdata........H..0....G.............@..@/4...........0U......$U.............@..@.bss......... c..........................edata.......Pc.......c.............@..@.idata..0"...`c..$....c.............@....CRT....0.....c......8c.............@....tls..........c......:c.............@....rsrc.........c......<c.............@..@.reloc.......c......@c.............@..B/14..........`f.......e.............@..B/29..........pf.......e.............@..B/41......b...0h..d....g.............@..B/55...........h.......g.............@..B/67..........`i.......h.
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):7137640
                          Entropy (8bit):6.481515443983134
                          Encrypted:false
                          SSDEEP:
                          MD5:0DF9039CE4896584A206A40F48A07C6A
                          SHA1:34F0F9AEFD5E37B6B02D062B8AB967DC0F3D2F21
                          SHA-256:1DDE27F0410E59561EAB79A6C8EF6DF2ACEC52E92C9AC646135CD91940F2BE05
                          SHA-512:FCF74DD6BF3491D2E56A963ABF028EDA8DF17C11ABB793E6E3DAAD3C1E6C1AEE2F731B23CE243872B588CDF7B1B6382804F6B5204DFFC04F266BE3A329945FA4
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...L..f..T.i......!...*.(E..*Q..:...........@E...0g..........................U.....7.m...@... ......................`P......pP.......P.............`.l../....P..#...........................FH......................rP.L............................text...`.E.......E.................`..`.rodata.@....0E......$E............. ..`.data...,(...@E..*....E.............@....rdata.......pE......XE.............@..@/4......L.....I.......H.............@..@.bss....X9... P..........................edata.......`P.......O.............@..@.idata.......pP.......O.............@....CRT....0.....P.......P.............@....tls..........P.......P.............@....rsrc.........P.......P.............@..@.reloc...#....P..$....P.............@..B/14...........Q......:Q.............@..B/29...........Q......BQ.............@..B/41......Y....S..Z....R.............@..B/55...........S......(S.
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):11132168
                          Entropy (8bit):6.740943395722077
                          Encrypted:false
                          SSDEEP:
                          MD5:CB9BE257064162076EBD4869CD97E166
                          SHA1:49A8CACD48036784A413D63A242ED178BD75CBE9
                          SHA-256:8A3822D52B4D460430B9E8E0FA6E6BD2C458598E4DBC2529DF7F2BDF902D2DD2
                          SHA-512:013B7E7CCC77531C0D6FA81083B2F16CD0A2B2124105B2F855A478F1F114D3DBA75259B82596645E6BABD91E129E7F7F60AA85ECA32BD95F454B1A8A63B52EFB
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Author: Joe Security
                          • Rule: MALWARE_Win_RemoteUtilitiesRAT, Description: RemoteUtilitiesRAT RAT payload, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 13%
                          Reputation:unknown
                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f.................H...b#.....DW.......`....@.................................!....@......@..............................RX...@..|................/.......v......................................................t........w...................text............................. ..`.itext...X.......Z................. ..`.data...\....`.......L..............@....bss....................................idata..RX.......Z.................@....didata..w.......x...4..............@....edata..............................@..@.tls....h................................rdata..]...........................@..@.reloc...v.......v..................@..B.rsrc...|....@.......&..............@..@....................................@..@................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):21764872
                          Entropy (8bit):6.6100525724973656
                          Encrypted:false
                          SSDEEP:
                          MD5:D563A4D6BFCFE6884D1AC88824CB5C2A
                          SHA1:710C0369915390737ED9BC19252F517D2D2939ED
                          SHA-256:DE0FA71C1CFF03D657CB65A86072E964060C628AA4EB709CBE914DD772EF298D
                          SHA-512:219D6307697CB12FA56020E6B2DC8FF5D13904FD318E2ED3646B294FAA1A613D838D0350E59B911023EA6F6D62CE53E402F975CAD4311D9A7DA58BD675AE2DB6
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Author: Joe Security
                          • Rule: MALWARE_Win_RemoteUtilitiesRAT, Description: RemoteUtilitiesRAT RAT payload, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 12%
                          Reputation:unknown
                          Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......f.................4....R.....<N.......P....@..........................`X.......L...@......@...............................b....!.8X7...........K../...0..`............................ ...............................p..:....................text............................... ..`.itext..`........................... ..`.data........P.......8..............@....bss.....................................idata...b.......d..................@....didata.:....p.......8..............@....edata..............................@..@.tls....h................................rdata..].... ......................@..@.reloc..`....0......................@..B.rsrc...8X7...!..Z7.................@..@..............G.......:.............@..@................
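The dropped-file records above are what an analyst turns into a blocklist, but not every record carries the same weight: the rutserv.exe entry is backed by two Yara rules and a 12% ReversingLabs detection, the DLLs beside it are marked Malicious with no Yara hit and 0% detection, and several zero-byte Office temp files carry a hash that is not the hash of an empty file (MD5 of zero bytes is D41D8CD98F00B204E9800998ECF8427E). The following is an added example, not code from the Joe Sandbox report or product, that parses records in the plain-text layout shown here into a triage table and flags those inconsistencies. The record layout (a record starts at a "Process:" line, "Key:Value" fields, "• " bullets under "Yara Hits:" and "Antivirus:") and the regexes are inferred from this listing, not from a documented format; the sample input is three records copied from the listing, with the SHA-256 lines of the second and third trimmed and the first Yara rule repeated on purpose to exercise de-duplication.

```python
"""Triage a Joe Sandbox 'dropped files' listing (added example, not report code).
Assumed layout, inferred from the listing and not a documented format: a record
starts at a 'Process:' line, fields are 'Key:Value' lines, and 'Yara Hits:' and
'Antivirus:' are followed by '• ' bullets."""
import hashlib
import re
from dataclasses import dataclass, field

# MD5 of a zero-length file; a Size 0 record must carry it if size and hash agree.
EMPTY_MD5 = hashlib.md5(b"").hexdigest().upper()
YARA_RE = re.compile(r"Rule: (.*?), Description: .*?, Source: (.*?), Author: .*$")
AV_RE = re.compile(r"Antivirus: (.*?), Detection: (\d+)%$")

@dataclass
class Dropped:
    size: int = -1
    entropy: float = 0.0
    malicious: bool = False
    md5: str = ""
    sha256: str = ""
    yara: list = field(default_factory=list)      # unique (rule, source) pairs
    av: list = field(default_factory=list)        # (vendor, detection percent)
    warnings: list = field(default_factory=list)  # triage caveats for this record

def parse_records(text):
    """Split the listing into Dropped records and run consistency checks."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Process:"):           # a new record begins here
            cur, section = Dropped(), None
            records.append(cur)
        if not line or cur is None:
            continue
        if line.startswith("•"):                  # bullet under Yara Hits / Antivirus
            body = line.lstrip("• ")
            if section == "yara" and (m := YARA_RE.match(body)):
                hit = (m.group(1), m.group(2))
                if hit not in cur.yara:           # the same rule can be listed twice
                    cur.yara.append(hit)
            elif section == "av" and (m := AV_RE.match(body)):
                cur.av.append((m.group(1), int(m.group(2))))
            continue
        key, sep, value = line.partition(":")     # first ':' only; paths keep theirs
        if not sep:
            continue
        value = value.strip()
        section = {"Yara Hits": "yara", "Antivirus": "av"}.get(key)
        if key == "Size (bytes)":
            cur.size = int(value)
        elif key == "Entropy (8bit)":
            cur.entropy = float(value)
        elif key == "Malicious":
            cur.malicious = value.lower() == "true"
        elif key == "MD5":
            cur.md5 = value.upper()
        elif key == "SHA-256":
            cur.sha256 = value.upper()
    for r in records:
        _sanity(r)
    return records

def _sanity(r):
    if r.size == 0 and r.md5 and r.md5 != EMPTY_MD5:
        r.warnings.append("size 0 but MD5 is not the empty-file hash")
    if r.malicious and not r.yara and all(p == 0 for _, p in r.av):
        r.warnings.append("malicious verdict with no Yara hit and no AV detection")
    if r.entropy >= 7.9:
        r.warnings.append("entropy >= 7.9: packed or encrypted content")

def blocklist(records):
    """SHA-256 values backed by a Yara hit, the ones safe to block on hash alone."""
    return sorted({r.sha256 for r in records if r.yara})

# Constructed sample: three records copied from the listing, with the first Yara
# rule deliberately repeated to exercise the de-duplication.
SAMPLE = r"""
Process:C:\Windows\System32\msiexec.exe
Size (bytes):21764872
Entropy (8bit):6.6100525724973656
MD5:D563A4D6BFCFE6884D1AC88824CB5C2A
SHA-256:DE0FA71C1CFF03D657CB65A86072E964060C628AA4EB709CBE914DD772EF298D
Malicious:true
Yara Hits:
• Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Author: Joe Security
• Rule: MALWARE_Win_RemoteUtilitiesRAT, Description: RemoteUtilitiesRAT RAT payload, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Author: ditekSHen
• Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 12%
Process:C:\Windows\System32\msiexec.exe
Size (bytes):1640536
MD5:D5C2A6AC30E76B7C9B55ADF1FE5C1E4A
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Size (bytes):0
MD5:E4A1661C2C886EBB688DEC494532431C
Malicious:false
"""
```

Running `parse_records(SAMPLE)` yields one record with two distinct Yara rules and no warnings, one "malicious" DLL record warned for having no signature evidence, and one zero-byte record warned because its listed MD5 cannot be the hash of an empty file; `blocklist()` returns only the rutserv.exe SHA-256. The point of the warnings is that a verdict column alone is not a blocklist: hash-block the Yara-backed drop, and treat the rest as context to verify against the process tree before pushing to an EDR.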
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):388696
                          Entropy (8bit):6.639766301981685
                          Encrypted:false
                          SSDEEP:
                          MD5:E247666CDEA63DA5A95AEBC135908207
                          SHA1:4642F6C3973C41B7D1C9A73111A26C2D7AC9C392
                          SHA-256:B419ED0374E3789B4F83D4AF601F796D958E366562A0AAEA5D2F81E82ABDCF33
                          SHA-512:06DA11E694D5229783CFB058DCD04D855A1D0758BEEAA97BCD886702A1502D0BF542E7890AA8F2E401BE36CCF70376B5C091A5D328BB1ABE738BC0798AB98A54
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................g......"............#.O...T8.....T8..................T8.....'....................Rich............................PE..L...v..T...........!..... ...........2.......0......................................A...............................@q.......q..........................X........(...1..8............................U..@............0...............................text............ .................. ..`.rdata...J...0...L...$..............@..@.data...H>...........p..............@....rodata.............................@..@.rsrc...............................@..@.reloc...(.......*..................@..B........................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):1640536
                          Entropy (8bit):6.686577023894573
                          Encrypted:false
                          SSDEEP:
                          MD5:D5C2A6AC30E76B7C9B55ADF1FE5C1E4A
                          SHA1:3D841EB48D1A32B511611D4B9E6EED71E2C373EE
                          SHA-256:11C7004851E6E6624158990DC8ABE3AA517BCAB708364D469589AD0CA3DBA428
                          SHA-512:3C1C7FB535E779AC6C0D5AEF2D4E9239F1C27136468738A0BD8587F91B99365A38808BE31380BE98FD74063D266654A6AC2C2E88861A3FE314A95F1296699E1D
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:J<A[$oA[$oA[$o...o@[$o...o.[$o...op[$o...o.[$o...oC[$o...oL[$oA[%o.[$oA[$op[$o...o@[$oL..o.[$oL..o@[$oL..o@[$oL..o@[$oRichA[$o................PE..L...}..T...........!.........>.......*..............................................5.......................................(............7..............X..............................................@............................................text............................... ..`.rdata..............................@..@.data...$r......."..................@....rodata.............................@..@.rsrc....7.......8...0..............@..@.reloc..............h..............@..B................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):265816
                          Entropy (8bit):6.521007214956242
                          Encrypted:false
                          SSDEEP:
                          MD5:49C51ACE274D7DB13CAA533880869A4A
                          SHA1:B539ED2F1A15E2D4E5C933611D736E0C317B8313
                          SHA-256:1D6407D7C7FFD2642EA7F97C86100514E8E44F58FF522475CB42BCC43A1B172B
                          SHA-512:13440009E2F63078DCE466BF2FE54C60FEB6CEDEED6E9E6FC592189C50B0780543C936786B7051311089F39E9E3CCB67F705C54781C4CAE6D3A8007998BEFBF6
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........@~..!..!..!...p...!...p..!...p..+!..M...!..M...!..!...!..M...!..s..!..s..!..s..!..s..!..Rich.!..................PE..L...{..T...........!.........N.......k.......................................0..............................................4...x.......................X......../..................................Ha..@...............l............................text............................... ..`.rdata..v...........................@..@.data....B......."..................@....rsrc...............................@..@.reloc.../.......0..................@..B........................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):373336
                          Entropy (8bit):6.7704943019914845
                          Encrypted:false
                          SSDEEP:
                          MD5:EDA07083AF5B6608CB5B7C305D787842
                          SHA1:D1703C23522D285A3CCDAF7BA2EB837D40608867
                          SHA-256:C4683EB09D65D692CA347C0C21F72B086BD2FAF733B13234F3A6B28444457D7D
                          SHA-512:BE5879621D544C4E2C4B0A5DB3D93720623E89E841B2982C7F6C99BA58D30167E0DD591A12048ED045F19EC45877AA2EF631B301B903517EFFA17579C4B7C401
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Mm..,...,...,...}...,...}...,...}...,.......,.......,...,..,.......,...~...,...~...,...~...,...~...,..Rich.,..........................PE..L...t..T...........!................b.....................................................@..........................M......@N..d.......0...............X.......d&..................................p/..@...............T............................text...=........................... ..`.rdata...E.......F..................@..@.data...|<...`.......H..............@..._RDATA...............d..............@..@.rsrc...0............j..............@..@.reloc..d&.......(...n..............@..B........................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):880216
                          Entropy (8bit):5.239371133407635
                          Encrypted:false
                          SSDEEP:
                          MD5:642DC7E57F0C962B9DB4C8FB346BC5A7
                          SHA1:ACEE24383B846F7D12521228D69135E5704546F6
                          SHA-256:63B4B5DB4A96A8ABEC82B64034F482B433CD4168C960307AC5CC66D2FBF67EDE
                          SHA-512:FB163A0CE4E3AD0B0A337F5617A7BF59070DF05CC433B6463384E8687AF3EDC197E447609A0D86FE25BA3EE2717FD470F2620A8FC3A2998A7C3B3A40530D0BAE
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A....u...u...u..C$G.3u..C$y.Iu..C$x..u...V..u...S..u...u..ju...H..u...'}.&u...'D..u...'C..u...'F..u..Rich.u..........................PE..L...s..T...........!.........R..............0......................................:W....@.........................`...........d....P..p............R..X....`...D......................................@............0..T............................text...}........................... ..`.rdata.......0......."..............@..@.data...|<..........................@..._RDATA.......@......................@..@.rsrc...p....P......................@..@.reloc...D...`...F..................@..B........................................................................................................................................................................................................................................................
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                          File Type:JSON data
                          Category:dropped
                          Size (bytes):521377
                          Entropy (8bit):4.9084889265453135
                          Encrypted:false
                          SSDEEP:
                          MD5:C37972CBD8748E2CA6DA205839B16444
                          SHA1:9834B46ACF560146DD7EE9086DB6019FBAC13B4E
                          SHA-256:D4CFBB0E8B9D3E36ECE921B9B51BD37EF1D3195A9CFA1C4586AEA200EB3434A7
                          SHA-512:02B4D134F84122B6EE9A304D79745A003E71803C354FB01BAF986BD15E3BA57BA5EF167CC444ED67B9BA5964FF5922C50E2E92A8A09862059852ECD9CEF1A900
                          Malicious:false
                          Reputation:unknown
                          Preview:{"MajorVersion":4,"MinorVersion":40,"Expiration":14,"Fonts":[{"a":[4294966911],"f":"Abadi","fam":[],"sf":[{"c":[1,0],"dn":"Abadi","fs":32696,"ful":[{"lcp":983041,"lsc":"Latn","ltx":"Abadi"}],"gn":"Abadi","id":"23643452060","p":[2,11,6,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":26215680},{"c":[1,0],"dn":"Abadi Extra Light","fs":22180,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Abadi Extra Light"}],"gn":"Abadi Extra Light","id":"17656736728","p":[2,11,2,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":13108480}]},{"a":[4294966911],"f":"ADLaM Display","fam":[],"sf":[{"c":[536870913,0],"dn":"ADLaM Display Regular","fs":140072,"ful":[{"lcp":983040,"lsc":"Latn","ltx":"ADLaM Display"}],"gn":"ADLaM Display","id":"31965479471","p":[2,1,0,0,0,0,0,0,0,0],"sub":[],"t":"ttf","u":[2147491951,1107296330,0,0],"v":131072,"w":26215680}]},{"a":[4294966911],"f":"Agency FB","fam":[],"sf":[{"c":[536870913,0],"dn":"Agency FB Bold","fs":54372,"ful":[{"lcp":9830
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                          File Type:TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_40RegularVersion 4.40;O365
                          Category:dropped
                          Size (bytes):773040
                          Entropy (8bit):6.55939673749297
                          Encrypted:false
                          SSDEEP:
                          MD5:4296A064B917926682E7EED650D4A745
                          SHA1:3953A6AA9100F652A6CA533C2E05895E52343718
                          SHA-256:E04E41C74D6C78213BA1588BACEE64B42C0EDECE85224C474A714F39960D8083
                          SHA-512:A25388DDCE58D9F06716C0F0BDF2AEFA7F68EBCA7171077533AF4A9BE99A08E3DCD8DFE1A278B7AA5DE65DA9F32501B4B0B0ECAB51F9AF0F12A3A8A75363FF2C
                          Malicious:false
                          Reputation:unknown
                          Preview:........... OS/29....(...`cmap.s.,.......pglyf..&....|....head2..........6hheaE.@v.......$hmtx...........@loca.U.....8...Dmaxp........... name.P+........post...<...... .........b~1_.<...........<......r......Aa...................Q....Aa....Aa.........................~...................................................3..............................MS .@.......(...Q................. ...........d...........0...J.......8.......>..........+a..#...,................................................/...K.......z...............N......*...!...-...+........z.......h..%^..3...&j..+...+%..'R..+..."....................k......$A...,.......g...&...=.......X..&........*......&....B..(B...............#.......j...............+...P...5...@...)..........#...)Q...............*...{.. ....?..'...#....N...7......<...;>.............. ]...........5......#....s.......$.......$.......^..................+...>....H.......%...7.......6.......O...V...........K......"........c...N......!...............$...&...*p..
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):4542
                          Entropy (8bit):3.9992782657465145
                          Encrypted:false
                          SSDEEP:
                          MD5:5DF7DF38FB2A56D7ABC4C5A4DCEB634D
                          SHA1:65A56EBB42FE93C5C665A1AA4C927EEB576C36B6
                          SHA-256:1A7B57055C8746F87C05C7337FC079CED20BF47416BBDA6FC340DD8BCB1ADE4A
                          SHA-512:F6C92D78CA47CC2F0FCBA0326F5610C5773519C8D2E6BCC22322D72AD633F919E3CDDD60556C9B90BEEAA8CDC1238847317AA21D9DA26C0BC5F25BDE04CC681E
                          Malicious:false
                          Reputation:unknown
                          Preview:{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.q.Y.a.6.3.X.Y.9.b.4.Y.b.C.Z.g.f.0.u.y.E.6.v.n.x.e.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".8.S.j.P.l.G.F.F.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.Q.e.e.T.3.l.
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                          File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 220x220, segment length 16, baseline, precision 8, 1428x2020, components 3
                          Category:dropped
                          Size (bytes):217242
                          Entropy (8bit):7.641248072397463
                          Encrypted:false
                          SSDEEP:
                          MD5:6CFFBB054A1BD06B3B1018684467A551
                          SHA1:347CECCBDFCE4CB2AA96F90735C2F5975E9ABC3F
                          SHA-256:E0967AD8F4F2DF25AD1343AABF1C144E48D83BC3E61E2122F5BBF9A83EA63709
                          SHA-512:24726671FEFA5228737C2E3E2CC159ECA90CD770022051A07C4C059B5378DA251E70568C956CB00631E12424FF5218E7A9A9BE30B0F4D47C277FC470218F88F0
                          Malicious:false
                          Reputation:unknown
                          Preview:......JFIF.............C....................................................................C............................................................................"............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..:(......(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(...(..
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):1536
                          Entropy (8bit):0.09783851312991518
                          Encrypted:false
                          SSDEEP:
                          MD5:881EE5BD27A267B0F01FD15E90AC4309
                          SHA1:39D217D0F4BDE69A9A163E9F6C5728FDE81907F7
                          SHA-256:90305EA213DDD5187AC57A744160391E8F9CD88FE8C355170291294739AAE912
                          SHA-512:870D03A7DE2D66778F5199708387802196419BCA134EF50F6279715EC0EEFCB01AAE209ABCB790397A855301409EC6403A3B002214CB5B07153AD4CBD7B556B7
                          Malicious:false
                          Reputation:unknown
                          Preview:../.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files\7-Zip\7zFM.exe
                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                          Category:dropped
                          Size (bytes):25141051
                          Entropy (8bit):7.998140922332344
                          Encrypted:true
                          SSDEEP:
                          MD5:FB8117B1A3F0924100FBC209DBBB1BB1
                          SHA1:9D18C954EAE8E8F8437D4E32D0B685F3F51B982B
                          SHA-256:BEAA1498A67BAB02BC4C08F00BDE36489AAA86AD8B01EE70B477452A08D360EC
                          SHA-512:FCABA4304F26EEFA476202E17CA85C3F994D2086F78FA86F1D73F7D6C926825A4AC3B02CEAE2D8CDE3583F02FDBF87139741035368F6D4B77C4F8C790DF330FD
                          Malicious:true
                          Reputation:unknown
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i..i.\.i..b.\.i..g.\.`.].C.\..Y.R.\..\.a.\...a.\..^.a.\.Rich`.\.........PE..d...#.@f.........."....!.h.....................@.............................p............`.............................................4......P........U......l0...........`..p....6..T....................7..(......@....................... ....................text...ng.......h.................. ..`.rdata...(.......*...l..............@..@.data...\...........................@....pdata..l0.......2..................@..@.didat..`...........................@..._RDATA..\...........................@..@.rsrc....U.......V..................@..@.reloc..p....`.......>..............@..B........................................................................................................................................
                          Process:C:\Program Files\7-Zip\7zFM.exe
                          File Type:Unicode text, UTF-8 text, with no line terminators
                          Category:dropped
                          Size (bytes):113
                          Entropy (8bit):3.8974005416305917
                          Encrypted:false
                          SSDEEP:
                          MD5:B1D03E061EA3F826FA2361679AEBF88E
                          SHA1:A196075946B4274E96C37F975958BF0C097877F1
                          SHA-256:D4186C77462EB297EF3137527B0027436BB3B34873B72E5D348EEB58D80A1458
                          SHA-512:63F76DDC09698BCF62A56D20C4BE4C12903A56A57FF09525DFC65CF2D1C3180F15951CE29C058ABB0B91FB6F2F8B137B084E869152ED3EC75FC4EB4B0D957459
                          Malicious:false
                          Reputation:unknown
                          Preview:... .......... ................ ........... ... .......: 328937
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                          File Type:ASCII text, with very long lines (1311), with CRLF line terminators
                          Category:dropped
                          Size (bytes):20971520
                          Entropy (8bit):0.014930469559945191
                          Encrypted:false
                          SSDEEP:
                          MD5:D34B8741EDA6512A4B4CEFE44E7356E2
                          SHA1:F8C43260562D27B8DDEF194B59591DD520FDF1A0
                          SHA-256:CB13F751E6452C1554581095347C2E4AF311EF5BBEF2F170BC6557B57D46967D
                          SHA-512:4531EB9E25ACAD8B0A028B3D9B8653B5E2871529D6BB481F33E27151000600B52D864CB50A809400C08824245C56C5B143F777250702E27D194B1538F9F318D2
                          Malicious:false
                          Reputation:unknown
                          Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..12/03/2024 08:56:51.322.WINWORD (0x454).0xC78.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.LoadXmlRules","Flags":33777014401990913,"InternalSequenceNumber":22,"Time":"2024-12-03T08:56:51.322Z","Contract":"Office.System.Activity","Activity.CV":"h7q9o3UYWUeN+I5lt68VAw.7.1","Activity.Duration":136,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Activity.Result.Code":-2147024890,"Activity.Result.Type":"HRESULT","Activity.Result.Tag":528307459}...12/03/2024 08:56:51.322.WINWORD (0x454).0xC78.Microsoft Word.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.ProcessIdleQueueJob","Flags":33777014401990913,"InternalSequenceNumber":23,"Time":"2024-12-03T08:56:51.322Z","Contract":"Office.System.Activity","Activity.CV":"h7q9o3UYWUeN+I5lt68VAw.7","Activity.Duration":422,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":false,"Data.FailureDiagno
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):20971520
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:
                          MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                          SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                          SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                          SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                          Malicious:false
                          Reputation:unknown
                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Dec 3 07:56:47 2024, mtime=Tue Dec 3 07:56:52 2024, atime=Mon Dec 2 20:13:15 2024, length=230038, window=hide
                          Category:dropped
                          Size (bytes):600
                          Entropy (8bit):4.594746489131921
                          Encrypted:false
                          SSDEEP:
                          MD5:CA4D296CB157D56F304309A79B820573
                          SHA1:4EE23DA7CE60FE84C08ACECD5B4C451F5F7A661C
                          SHA-256:5AE4AAE83FBD61A73DD528E7D4D49DA92FD977898A5D34B43CF03C189DFD18E4
                          SHA-512:36EC901C5FBAF01CAE9B11D5165AAF6E9C1B46F16362B33CEEA5D985B16DB15976AAD8D266922BE81F8ECC5743A5489796B396F54394A9F11B208197D882FDA3
                          Malicious:false
                          Reputation:unknown
                          Preview:L..................F.... ...(..HaE....KaE......D...............................P.O. .:i.....+00.../C:\...................P.1......Y.G..intel.<......Y.G.Y.G.....Z......................^.i.n.t.e.l.....Z.2......Y.. .DOC~1.DOC.B......Y.G.Y.G.....Z....................,dE.D.o.c...d.o.c.x.......@...............-.......?............F.......C:\intel\Doc.docx..#.....\.....\.....\.....\.....\.....\.....\.i.n.t.e.l.\.D.o.c...d.o.c.x.`.......X.......721680...........hT..CrF.f4... .Q..uT.........%..hT..CrF.f4... .Q..uT.........%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                          File Type:Generic INItialization configuration [folders]
                          Category:dropped
                          Size (bytes):41
                          Entropy (8bit):4.247557492317427
                          Encrypted:false
                          SSDEEP:
                          MD5:CE7BCCD008058E0D96C85995FABBDC9F
                          SHA1:939A8927196DC4C5E90B32234C1484B72052F5A1
                          SHA-256:2AD83E8B46EF787ABC53DC07C6D648975AF14441067BCC46017DA2B1A3DEE6CC
                          SHA-512:6D2B32C16C0B0E330EDC39C20F0666CC128F5A16D82E34837D7951FE71E02B8A5BA20CD3F0ECAA58D570B110FFCCA113FC87D4CA5C4ACBE3B557B21F20CAB872
                          Malicious:false
                          Reputation:unknown
                          Preview:[misc]..Doc.LNK=0..[folders]..Doc.LNK=0..
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):14
                          Entropy (8bit):2.699513850319966
                          Encrypted:false
                          SSDEEP:
                          MD5:C5A12EA2F9C2D2A79155C1BC161C350C
                          SHA1:75004B4B6C6C4EE37BE7C3FD7EE4AF4A531A1B1A
                          SHA-256:61EC0DAA23CBC92167446DADEFB919D86E592A31EBBD0AB56E64148EBF82152D
                          SHA-512:B3D5AF7C4A9CB09D27F0522671503654D06891740C36D3089BB5CB21E46AB235B0FA3DC2585A383B9F89F5C6DAE78F49F72B0AD58E6862DE39F440C4D6FF460B
                          Malicious:false
                          Reputation:unknown
                          Preview:..c.a.l.i.....
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):12
                          Entropy (8bit):0.41381685030363374
                          Encrypted:false
                          SSDEEP:
                          MD5:E4A1661C2C886EBB688DEC494532431C
                          SHA1:A2AE2A7DB83B33DC95396607258F553114C9183C
                          SHA-256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
                          SHA-512:EFDCB76FB40482BC94E37EAE3701E844BF22C7D74D53AEF93AC7B6AE1C1094BA2F853875D2C66A49A7075EA8C69F5A348B786D6EE0FA711669279D04ADAAC22C
                          Malicious:false
                          Reputation:unknown
                          Preview:
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):0
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:
                          MD5:E4A1661C2C886EBB688DEC494532431C
                          SHA1:A2AE2A7DB83B33DC95396607258F553114C9183C
                          SHA-256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
                          SHA-512:EFDCB76FB40482BC94E37EAE3701E844BF22C7D74D53AEF93AC7B6AE1C1094BA2F853875D2C66A49A7075EA8C69F5A348B786D6EE0FA711669279D04ADAAC22C
                          Malicious:false
                          Reputation:unknown
                          Preview:
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):0
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:
                          MD5:E4A1661C2C886EBB688DEC494532431C
                          SHA1:A2AE2A7DB83B33DC95396607258F553114C9183C
                          SHA-256:B76875C50EF704DBBF7F02C982445971D1BBD61AEBE2E4B28DDC58A1D66317D5
                          SHA-512:EFDCB76FB40482BC94E37EAE3701E844BF22C7D74D53AEF93AC7B6AE1C1094BA2F853875D2C66A49A7075EA8C69F5A348B786D6EE0FA711669279D04ADAAC22C
                          Malicious:false
                          Reputation:unknown
                          Preview:
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Dec 3 07:55:06 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                          Category:dropped
                          Size (bytes):2673
                          Entropy (8bit):3.9855245811188396
                          Encrypted:false
                          SSDEEP:
                          MD5:5FB7BBF42DB215E98FECC7FC23C6E561
                          SHA1:EDCC7D5C6F616E205C3D2C4535F3C065DDD955AA
                          SHA-256:5B2FD732945617E0304B724491DD237A9E96382D6BA9889BC1FA595B9ED6D537
                          SHA-512:BE0D3F9EEFE90B7467B2A4BD961A95D99C4593685FD40B3C24593428C881A24E2CF5BBF2DB132647C165FF3B04B2DFAAA37ACE8941600EB9EDFCEE2F977926E1
                          Malicious:false
                          Reputation:unknown
                          Preview:L..................F.@.. ...$+.,....e<k.aE..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Y.F....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.F....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.F....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.F..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.F...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                          Category:dropped
                          Size (bytes):2689
                          Entropy (8bit):4.012164436639995
                          Encrypted:false
                          SSDEEP:
                          MD5:A7EABA00CF369BCF57057FFC126CD336
                          SHA1:2DE127A49F323880AA795ECBBD835FCFEA248AE7
                          SHA-256:55E3BE63B18DCA1A15EBE5A7A3D91029A5D391D50D51ECEB7E6FFE7860D9A571
                          SHA-512:B0A8E48DC7C4781B153476F313AAD24ABCB2373EACF59FF65E06CED6888A78A2EFFED732A0B24F22F87AA7AF6489E5C7F3BD043D0EA51BE0601957C6566090C4
                          Malicious:false
                          Reputation:unknown
                          Preview:L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Y.F....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.F....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.F....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.F..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Dec 3 07:55:05 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                          Category:dropped
                          Size (bytes):2677
                          Entropy (8bit):3.988677940812602
                          Encrypted:false
                          SSDEEP:
                          MD5:51A7A114C1528098306A19774B5B2988
                          SHA1:E8E5CDA5C359E0A184F20B11E09DBE24BB40A439
                          SHA-256:9F134EC8249C60F630A4FDDCCD0C0AD0333C0D0AB220F1FC4B4D6574B8CBBFCF
                          SHA-512:8AA0B88134602441B2C130C5B96F7765C8213A3EE289122F4DDAB0A0251629036B59BFE84F620284DF7824688EB62C1E39F5BB332AA39509E5C497A7F2D0F2B4
                          Malicious:false
                          Reputation:unknown
                          Preview:L..................F.@.. ...$+.,......e.aE..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Y.F....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.F....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.F....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.F..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.F...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Dec 3 07:55:05 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                          Category:dropped
                          Size (bytes):2679
                          Entropy (8bit):3.999519281059729
                          Encrypted:false
                          SSDEEP:
                          MD5:507AFDBF9871E171CEDAE28A8586B344
                          SHA1:DAE1AA86166D06C2AE7478AA01B76FE20FCB10D2
                          SHA-256:CCFFA957E08E4A2F50248B8FFC7670A17EFA0670FA891C330E9B682FD40F16D4
                          SHA-512:C7A6193C90926E6996B5A6D2D1347246E89E163B50B65B71B46A2D69E2FE1FB12CE5921BB1B02409523F603F398FA989E97A21547B8975D40A35A054C79EDEFE
                          Malicious:false
                          Reputation:unknown
                          Preview:L..................F.@.. ...$+.,......P.aE..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Y.F....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.F....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.F....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.F..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.F...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..................C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):0
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:
                          MD5:FAB64F2E9CDCE2818163BD11B0F91875
                          SHA1:C25062581CB66B586498CB093F4A076C779DE368
                          SHA-256:9A9C460F026CC09385B91C1CA1D8C89C0310808B0848B4A8E29BA52FEBD7BBA7
                          SHA-512:35DE1C27E6E731F2D1C9284259574DDB1CAAEC4723E3D4777929FE51BB0BE46207241B81112ED9E7FD5D0BC2EB894302460870429627DBED1F2A6391874B6924
                          Malicious:false
                          Reputation:unknown
                          Preview:7z..'...s<...9{.....%.........."...PK...........Y..............1.......... ....../up-..`..7........... ......../PK........o..Y..x./{../{.2.a.......... ....../......... .......docx.rarup]....q............ ......../........... .........docx.rarRar!......8.!.....6.6.s.....sbG..#Y)......!qcQ.A.....[.&..O...^71\e.....V.[y...k.E|.L.G.P1.....50....L.....4.......:.i9sEJ.Z._.w.......b9.l.\M\.pT#.......y...&.~>!...zV.7..'20o...w..99....qx...7Q...m.ag.rk.A...F...t..........8w...VX3.;.;S.~...C...eK=....'%.B....R..i....5.....5.{Z.J..N2..~.n.8..)............}.sZ..d.C.(.C.p\..b=.=..8!z....JlS.^....f......KU...cL..b.5H.FF...HR..($.2K.@9...z.?.....1Mq....._+.............O*[<Z...<=...7z.n..n`...1.}.3.z._.}%.<;. ^...x..b.8t.<m.9)ho.'.f ...R4?..c4o...U...`..-M..CM...c..y...D....>{....f.Q..o...y..G........&.......U...f.....OO....#v.Sm>..Q..d..s..3...2AH(.8=...?..H.m.....C.+...j.......=.e.<IZ....`x.w..%Y..1...g..S
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):24853040
                          Entropy (8bit):7.9999935730427065
                          Encrypted:true
                          SSDEEP:
                          MD5:FAB64F2E9CDCE2818163BD11B0F91875
                          SHA1:C25062581CB66B586498CB093F4A076C779DE368
                          SHA-256:9A9C460F026CC09385B91C1CA1D8C89C0310808B0848B4A8E29BA52FEBD7BBA7
                          SHA-512:35DE1C27E6E731F2D1C9284259574DDB1CAAEC4723E3D4777929FE51BB0BE46207241B81112ED9E7FD5D0BC2EB894302460870429627DBED1F2A6391874B6924
                          Malicious:false
                          Reputation:unknown
                          Preview:7z..'...s<...9{.....%.........."...PK...........Y..............1.......... ....../up-..`..7........... ......../PK........o..Y..x./{../{.2.a.......... ....../......... .......docx.rarup]....q............ ......../........... .........docx.rarRar!......8.!.....6.6.s.....sbG..#Y)......!qcQ.A.....[.&..O...^71\e.....V.[y...k.E|.L.G.P1.....50....L.....4.......:.i9sEJ.Z._.w.......b9.l.\M\.pT#.......y...&.~>!...zV.7..'20o...w..99....qx...7Q...m.ag.rk.A...F...t..........8w...VX3.;.;S.~...C...eK=....'%.B....R..i....5.....5.{Z.J..N2..~.n.8..)............}.sZ..d.C.(.C.p\..b=.=..8!z....JlS.^....f......KU...cL..b.5H.FF...HR..($.2K.@9...z.?.....1Mq....._+.............O*[<Z...<=...7z.n..n`...1.}.3.z._.}%.<;. ^...x..b.8t.<m.9)ho.'.f ...R4?..c4o...U...`..-M..CM...c..y...D....>{....f.Q..o...y..G........&.......U...f.....OO....#v.Sm>..Q..d..s..3...2AH(.8=...?..H.m.....C.+...j.......=.e.<IZ....`x.w..%Y..1...g..S
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:7-zip archive data, version 0.4
                          Category:dropped
                          Size (bytes):16849
                          Entropy (8bit):7.985205744149854
                          Encrypted:false
                          SSDEEP:
                          MD5:C349903AE842B299E11EB72A3C775E13
                          SHA1:43AA2DADF7805DAD91B23AA6D8CE28F18C039549
                          SHA-256:1E68C9C9B4EF008FC2D859D93713426CBCFAF331F9620F954560BDA8C8D54686
                          SHA-512:FA4A3A9F0343BF1E107523F61FAD6D6E31D5E0037EE8CE5149350D827D694B174B7B544A4CEDB2375B752F33B6411A2890024F7E9DBFAB1670C88F2FDC6CC72C
                          Malicious:false
                          Reputation:unknown
                          Preview:7z..'...s<...9{.....%.........."...PK...........Y..............1.......... ....../up-..`..7........... ......../PK........o..Y..x./{../{.2.a.......... ....../......... .......docx.rarup]....q............ ......../........... .........docx.rarRar!......8.!.....6.6.s.....sbG..#Y)......!qcQ.A.....[.&..O...^71\e.....V.[y...k.E|.L.G.P1.....50....L.....4.......:.i9sEJ.Z._.w.......b9.l.\M\.pT#.......y...&.~>!...zV.7..'20o...w..99....qx...7Q...m.ag.rk.A...F...t..........8w...VX3.;.;S.~...C...eK=....'%.B....R..i....5.....5.{Z.J..N2..~.n.8..)............}.sZ..d.C.(.C.p\..b=.=..8!z....JlS.^....f......KU...cL..b.5H.FF...HR..($.2K.@9...z.?.....1Mq....._+.............O*[<Z...<=...7z.n..n`...1.}.3.z._.}%.<;. ^...x..b.8t.<m.9)ho.'.f ...R4?..c4o...U...`..-M..CM...c..y...D....>{....f.Q..o...y..G........&.......U...f.....OO....#v.Sm>..Q..d..s..3...2AH(.8=...?..H.m.....C.+...j.......=.e.<IZ....`x.w..%Y..1...g..S
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):169896
                          Entropy (8bit):6.068969720857241
                          Encrypted:false
                          SSDEEP:
                          MD5:B5ADF92090930E725510E2AAFE97434F
                          SHA1:EB9AFF632E16FCB0459554979D3562DCF5652E21
                          SHA-256:1F6F0D9F136BC170CFBC48A1015113947087AC27AED1E3E91673FFC91B9F390B
                          SHA-512:1076165011E20C2686FB6F84A47C31DA939FA445D9334BE44BDAA515C9269499BD70F83EB5FCFA6F34CF7A707A828FF1B192EC21245EE61817F06A66E74FF509
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          Preview:
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):1447471
                          Entropy (8bit):4.935934028347299
                          Encrypted:false
                          SSDEEP:
                          MD5:388B4241495191F9BA05B09885F7DD3B
                          SHA1:858068B242225C45DA6A64C9BD17890B873E7DBD
                          SHA-256:109FA8C40E39CE1329F97699B5FF18C1D94830E8DE681CABCF837E10822EDDFD
                          SHA-512:05BBDB69C34F4F582F86991A1A1F73C9B5D703B7D3988F18A5D37C322AE0EE9A3BFC7125343D1D263B261173543E3CEBE2D19EA82277DD94327E6C9C791C7734
                          Malicious:false
                          Reputation:unknown
                          Preview:...@IXOS.@.....@...Y.@.....@.....@.....@.....@.....@......&.{77817ADF-D5EC-49C6-B987-6169BBD5345B} .Remote Manipulator System - Host..Word.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{134AA6F2-2A49-44F2-A7A5-B7B9233956FA}.....@.....@.....@.....@.......@.....@.....@.......@.... .Remote Manipulator System - Host......Rollback....B.:.0.B. .4.5.9.A.B.2.8.O.:...[1]..RollbackCleanup..#.4.0.;.5.=.8.5. .2.@.5.<.5.=.=.K.E. .D.0.9.;.>.2...$.0.9.;.:. .[.1.]....@.......@........ProcessComponents"...1.=.>.2.;.5.=.8.5. .@.5.3.8.A.B.@.0.F.8.8. .:.>.<.?.>.=.5.=.B.>.2....@.....@.....@.]....&.{74F2505E-B20A-4AED-968F-AE5B278DB38A}8.C:\Program Files (x86)\Remote Manipulator System - Host\.@.......@.....@.....@......&.{26EAB54E-4659-47E8-86F9-4CB74F7E03BE}...@.......@.....@.....@......&.{596F4636-5D51-49F5-B3B4-F3C366E9DC23}...@.......@.....@.....@...........@....&.{00000000-0000-0000-0000-000000000000}.@.....@.....@......&.{182310A2-CD9E-4171-ACD1-3AEDD260A15F}D.C:\Program Files (x86)\Remote Manip
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):79000
                          Entropy (8bit):5.817675016279098
                          Encrypted:false
                          SSDEEP:
                          MD5:E8CBBBE641AA6205C0E028CE7DC72CFE
                          SHA1:E845FB6044E5F611F4F990B76AA4762FAB6E96C9
                          SHA-256:61481606FE3FF53C9483586B4A95181D96F5679667ACCD582166069B10233D77
                          SHA-512:D12E6BBA83F1B41BB2B937B315C5CDD3ADFA60C318AD1E958D99251822810739D2C6EC75B664BBC3116B0CDBBBFA4BEBA234B8C604F303391E21CDA0C24767E5
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          Preview:
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):70808
                          Entropy (8bit):5.60723121147002
                          Encrypted:false
                          SSDEEP:
                          MD5:F0F36966AD2B91DBE0C8B9D4E0A1AB0E
                          SHA1:B7787445DDD42A3B4753AFC0B02B270DDC1693FC
                          SHA-256:BE3C9594F315F2CE2698DFF54F7B41F012B25BF208DD88CEA7AC92936EC84AE9
                          SHA-512:B178A35B3F0A3CA67D632901C1F0AF309F51267DFA827AE029475C63BCF2BA51694C717C94989D7E457E915DAE74B43C3C6B405113249A7B1FF0E9BAE67E0949
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          Preview:
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):423064
                          Entropy (8bit):4.6899574334599645
                          Encrypted:false
                          SSDEEP:
                          MD5:6A9AA00C428A946F9A5C5546A458ECA0
                          SHA1:06A70B197DEE2FC106576C6719CFF046D2747396
                          SHA-256:16601981E37F2FE16B8E0EA4626ABF57013458B63D1A71C8FA3B5080F3C191F5
                          SHA-512:EADDEE089D18ED744BB1DCAAA98A8F6E201022432C55D037D2A7EF994532197EF595E44DEEF9DB0CFAE8ACA50F4AB90CEEDB49F8E920E6B4FAF6C60B6EFEDD51
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          Preview:
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):423064
                          Entropy (8bit):4.690218208041496
                          Encrypted:false
                          SSDEEP:
                          MD5:AB85C5EEAD096C4E5D0A2914C24F59B2
                          SHA1:E189F9BA583B0A4EEE1C817C9DA8A5D72A038A83
                          SHA-256:F4F656CC3CD99ABC4CFC1A70BD77C52E36D59852987BE530E131CEF8238F4BA7
                          SHA-512:E70ACF9FCA9F0378FAC97421550984FF166D8D1D83F423400B108E804CA876EA6D7517398637D64C34CC0E46C14048BB9F50C8268D993FA983DB6B0E44A9C352
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          Preview:
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Category:dropped
                          Size (bytes):423064
                          Entropy (8bit):4.690232052098797
                          Encrypted:false
                          SSDEEP:
                          MD5:03A18CE97AA1C45D834524B8A408BC17
                          SHA1:72ABD8B4AC974928684B6D089F8573C70D431808
                          SHA-256:0ACFCA29B6128E0161B4E6D93FFF7686A96128016846625763DAB7F9CE059DEF
                          SHA-512:2A2DC903E4179EC83BB4FA557FFCCE8BA3D8FC175E9C817D34BA186704ECF06A281D96D35B12B8D54FE35683030942FDC9A3A1FDFDBEAA755A60436F3C7B3483
                          Malicious:true
                          Antivirus:
                          • Antivirus: ReversingLabs, Detection: 0%
                          Reputation:unknown
                          Preview:
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):454234
                          Entropy (8bit):5.3561618160310305
                          Encrypted:false
                          SSDEEP:
                          MD5:5255FAE0C97F0F6F9163C893A0CA2804
                          SHA1:7F42A3B2981DDC523353F173DDE12B98729ED14F
                          SHA-256:7A9DB568032171AF0E977757D505483B52BF2CBDDAC25017107C85CE1D4309AD
                          SHA-512:E9450DD1AAC36011552885A8516625A997C2A9AFB52FE95AF28AC050BADBC6B30029DC19D2002494709CD8E141B22F407A9CD8E616A081A5AEB7B7CA8A60655F
                          Malicious:false
                          Reputation:unknown
                          Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):512
                          Entropy (8bit):0.0
                          Encrypted:false
                          SSDEEP:
                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                          Malicious:false
                          Reputation:unknown
                          Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Windows\System32\msiexec.exe
                          File Type:Composite Document File V2 Document, Cannot read section info
                          Category:dropped
                          Size (bytes):32768
                          Entropy (8bit):1.5174305193951056
                          Encrypted:false
                          SSDEEP:
                          MD5:72BAAB66B6ECF9CF1B04CC024B81E97F
                          SHA1:154951A607636D33FBED597D32F73B794DE9D30B
                          SHA-256:A8494A773004734785C80DBB10971CA19C0C3750C090C1E8057A0907B436A983
                          SHA-512:726032AE56F5ABA3AE3F19F7A2CBC46294504FA943DFAA12284578EC54C407730FE286E84AB8F543F03E7FFDFCD2A7BBD78C596055637E229C98FD32189A3E67
                          Malicious:false
                          Reputation:unknown
                          Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Users\user\AppData\Local\Temp\7zO82F5F96D\??????????? ????????.docx.exe
                          File Type:Microsoft Word 2007+
                          Category:dropped
                          Size (bytes):230038
                          Entropy (8bit):7.636957641054668
                          Encrypted:false
                          SSDEEP:
                          MD5:773D2787D661474A840B907C8A22D4E9
                          SHA1:A6A0E3C4AB4063BC74C65D6EC0CB43B67F1D767F
                          SHA-256:BA82FE356B21118D92B04A74EF8466A59F4802FD9B061F6E9A28E16CF7A5A8B3
                          SHA-512:7EC868F9B7B47A757BBB5ABF5639F97C47D79AC55DD07954F3EEE93384B555F7C4C817B687C8C486DC97F4174A8CC04DEED342E8ADD6EA2EDB5EE381FC612BEA
                          Malicious:false
                          Reputation:unknown
                          Preview:PK..........!..A..f...T.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................n.0.E........tQUUH.},.HM?...../....;@..(..I6H0s.=.xF..V..|...d..H..[!M....[.H....LY.9.B ....h.u..T...E......Y.....z."...:..X..~0x...&... ....l.b.......$.Mc....+..@.j<.p.a.).Y.:].q@..2T.=a!].........}...R@2e>.3.]tm....Fev....-...Wn.[.!.w.*k+.I.....q. \.....Qp...s/...W..c..R`...\....xj.....mNEb..[.p.....?..:...(O.um"Z.=.T.@.8.M.8........PK..........!.........N......._rels/.rels ...(...........................
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):162
                          Entropy (8bit):4.626342686902221
                          Encrypted:false
                          SSDEEP:
                          MD5:CB5EB582ADDE5CA94DEA5BE01E400386
                          SHA1:01FE8FE11D092676C950011DA141BD33037E5046
                          SHA-256:2DB3A24CF23608E5FFDB3B6890BCE0E72DEEFD425836FDE3F42FCA2ECE2C71FC
                          SHA-512:54A85D4C7E9EFC6AFA14AE01C75FE90275C7A5C881D0AD4B672B6D821745D03B0AEAA6C64D4C0F31D89DB64173D5882A49AED647834692BC7AF21E06DE91AC37
                          Malicious:false
                          Reputation:unknown
                          Preview:..........................................................m......6..o......Y]lW..R.KIY..R.+k.m.Yv2.}...Ou{=.W.^m.7E}'...C..EaE......;.E....}."j.....X...=.i
                          No static file info