Edit tour

Windows Analysis Report
442.docx.exe

Overview

General Information

Sample name:	442.docx.exe renamed because original name is a hash value
Original sample name:	.docx.exe
Analysis ID:	1567328
MD5:	fb8117b1a3f0924100fbc209dbbb1bb1
SHA1:	9d18c954eae8e8f8437d4e32d0b685f3f51b982b
SHA256:	beaa1498a67bab02bc4c08f00bde36489aaa86ad8b01ee70b477452a08d360ec
Infos:

Detection

RMSRemoteAdmin

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (overwrites its own PE header)

Malicious sample detected (through community Yara rule)

Sigma detected: Suspicious Double Extension File Execution

Suricata IDS alerts for network traffic

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (double extension)

AV process strings found (often used to terminate AV products)

Adds / modifies Windows certificates

Checks for available system drives (often done to infect USB drives)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

File is packed with WinRar

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Internet Provider seen in connection with other malware

Launches processes in debugging mode, may be used to hinder debugging

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries disk information (often used to detect virtual machines)

Queries the installation date of Windows

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Stores large binary data to the registry

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected RMS RemoteAdmin tool

Yara signature match

Classification

Process Tree

System is w10x64

442.docx.exe (PID: 7480 cmdline: "C:\Users\user\Desktop\442.docx.exe" MD5: FB8117B1A3F0924100FBC209DBBB1BB1)

msiexec.exe (PID: 7584 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\intel\Word.msi" /qn MD5: E5DA170027542E25EDE42FC54C929077)

WINWORD.EXE (PID: 7656 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\intel\Doc.docx" /o "" MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)

msiexec.exe (PID: 7620 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 7736 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 3A7D5E944AD6C6FD24895B2767E40451 MD5: 9D09DC1EDA745A5F87553048E57620CF)

rfusclient.exe (PID: 1900 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\intel\Word.msi" MD5: CB9BE257064162076EBD4869CD97E166)

rutserv.exe (PID: 2200 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall MD5: D563A4D6BFCFE6884D1AC88824CB5C2A)

rutserv.exe (PID: 7512 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall MD5: D563A4D6BFCFE6884D1AC88824CB5C2A)

rutserv.exe (PID: 7212 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start MD5: D563A4D6BFCFE6884D1AC88824CB5C2A)

svchost.exe (PID: 7888 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

rutserv.exe (PID: 7796 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -service MD5: D563A4D6BFCFE6884D1AC88824CB5C2A)

rfusclient.exe (PID: 8092 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" MD5: CB9BE257064162076EBD4869CD97E166)

rfusclient.exe (PID: 7540 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray MD5: CB9BE257064162076EBD4869CD97E166)

rfusclient.exe (PID: 8140 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray MD5: CB9BE257064162076EBD4869CD97E166)

rutserv.exe (PID: 6104 cmdline: "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall MD5: D563A4D6BFCFE6884D1AC88824CB5C2A)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	JoeSecurity_RMSRemoteAdmin	Yara detected RMS RemoteAdmin tool	Joe Security
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	MALWARE_Win_RemoteUtilitiesRAT	RemoteUtilitiesRAT RAT payload	ditekSHen	0x3a1d58:$s1: rman_message 0x453340:$s3: rms_host_ 0x453cf8:$s3: rms_host_ 0x816eb4:$s4: rman_av_capture_settings 0x45a4c4:$s7: _rms_log.txt 0x4bf3c8:$s8: rms_internet_id_settings
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	JoeSecurity_RMSRemoteAdmin	Yara detected RMS RemoteAdmin tool	Joe Security
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	MALWARE_Win_RemoteUtilitiesRAT	RemoteUtilitiesRAT RAT payload	ditekSHen	0x39e594:$s1: rman_message 0x46d594:$s3: rms_host_ 0x46df4c:$s3: rms_host_ 0x82acb0:$s4: rman_av_capture_settings 0x877858:$s5: rman_registry_key 0x8778a4:$s5: rman_registry_key 0x543d6c:$s6: rms_system_information 0x2f1a18:$s7: _rms_log.txt 0x503238:$s8: rms_internet_id_settings

Memory Dumps

Source	Rule	Description	Author
00000012.00000002.3573808248.000000000314A000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RMSRemoteAdmin	Yara detected RMS RemoteAdmin tool	Joe Security
00000012.00000002.3573808248.0000000003118000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RMSRemoteAdmin	Yara detected RMS RemoteAdmin tool	Joe Security
00000011.00000002.3572801729.00000000017DA000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RMSRemoteAdmin	Yara detected RMS RemoteAdmin tool	Joe Security
00000010.00000002.3578675457.0000000002B18000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RMSRemoteAdmin	Yara detected RMS RemoteAdmin tool	Joe Security
00000012.00000002.3579027400.0000000004B64000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RMSRemoteAdmin	Yara detected RMS RemoteAdmin tool	Joe Security
00000009.00000000.1818406969.0000000000DC5000.00000002.00000001.01000000.0000000B.sdmp	JoeSecurity_RMSRemoteAdmin	Yara detected RMS RemoteAdmin tool	Joe Security
00000011.00000002.3572801729.00000000017B6000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RMSRemoteAdmin	Yara detected RMS RemoteAdmin tool	Joe Security
00000010.00000003.1936056705.0000000006601000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RMSRemoteAdmin	Yara detected RMS RemoteAdmin tool	Joe Security
0000000A.00000000.1856486408.0000000001CE1000.00000002.00000001.01000000.0000000D.sdmp	JoeSecurity_RMSRemoteAdmin	Yara detected RMS RemoteAdmin tool	Joe Security
00000012.00000002.3579027400.0000000004B20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RMSRemoteAdmin	Yara detected RMS RemoteAdmin tool	Joe Security
Process Memory Space: rfusclient.exe PID: 1900	JoeSecurity_RMSRemoteAdmin	Yara detected RMS RemoteAdmin tool	Joe Security
Process Memory Space: rutserv.exe PID: 2200	JoeSecurity_RMSRemoteAdmin	Yara detected RMS RemoteAdmin tool	Joe Security
Process Memory Space: rutserv.exe PID: 7796	JoeSecurity_RMSRemoteAdmin	Yara detected RMS RemoteAdmin tool	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.0.rfusclient.exe.310000.0.unpack	JoeSecurity_RMSRemoteAdmin	Yara detected RMS RemoteAdmin tool	Joe Security
9.0.rfusclient.exe.310000.0.unpack	MALWARE_Win_RemoteUtilitiesRAT	RemoteUtilitiesRAT RAT payload	ditekSHen	0x3a1d58:$s1: rman_message 0x453340:$s3: rms_host_ 0x453cf8:$s3: rms_host_ 0x816eb4:$s4: rman_av_capture_settings 0x45a4c4:$s7: _rms_log.txt 0x4bf3c8:$s8: rms_internet_id_settings

Sigma Signatures

System Summary

Sigma detected: Suspicious Double Extension File Execution

Source: Process started

Author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\442.docx.exe", CommandLine: "C:\Users\user\Desktop\442.docx.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\442.docx.exe, NewProcessName: C:\Users\user\Desktop\442.docx.exe, OriginalFileName: C:\Users\user\Desktop\442.docx.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Users\user\Desktop\442.docx.exe", ProcessId: 7480, ProcessName: 442.docx.exe

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 111.90.147.125, DestinationIsIpv6: false, DestinationPort: 465, EventID: 3, Image: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Initiated: true, ProcessId: 7796, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49870

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7888, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE Remote Admin Backdoor Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-03T12:48:20.628368+0100	2849354	1	Malware Command and Control Activity Detected	192.168.2.4	49873	111.90.147.125	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.4% probability

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Code function: 9_2_5FD245A0 rmsEncInitSimpleEncryption,memcpy,memcpy,	9_2_5FD245A0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Code function: 9_2_5FD23760 rmsEncEncryptData,	9_2_5FD23760
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Code function: 9_2_5FD23D30 rmsEncRsaPrivateDecrypt,memcpy,memcpy,memcpy,	9_2_5FD23D30
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Code function: 9_2_5FD242D0 rmsEncRsaPrivateEncrypt,memcpy,memcpy,memcpy,	9_2_5FD242D0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Code function: 9_2_5FD238C0 rmsEncDecryptData,	9_2_5FD238C0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Code function: 9_2_5FD23AE0 rmsEncRsaPublicEncrypt,memcpy,	9_2_5FD23AE0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Code function: 9_2_5FD24000 rmsEncRsaPublicDecrypt,memcpy,memcpy,memcpy,	9_2_5FD24000

Source: rfusclient.exe, 00000009.00000000.1818406969.0000000000DC5000.00000002.00000001.01000000.0000000B.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_09749e9a-1

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Unpacked PE file: 9.2.rfusclient.exe.310000.0.unpack

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

File created: C:\ProgramData\Remote Manipulator System\install.log

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf

Jump to behavior

Source: 442.docx.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: 442.docx.exe, 00000000.00000000.1710698957.00007FF7ED6E8000.00000002.00000001.01000000.00000003.sdmp, 442.docx.exe, 00000000.00000002.1731767290.00007FF7ED6E8000.00000002.00000001.01000000.00000003.sdmp

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File opened: c:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6B40BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7ED6B40BC
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6CB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7ED6CB190
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6DFCA0 FindFirstFileExA,	0_2_00007FF7ED6DFCA0

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Code function: 4x nop then push esi	9_2_600E6B90
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Code function: 4x nop then sub esp, 1Ch	9_2_600EBEB0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Code function: 4x nop then push esi	9_2_600E6AD0

Source: winword.exe

Memory has grown: Private usage: 4MB later: 92MB

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2849354 - Severity 1 - ETPRO MALWARE Remote Admin Backdoor Related Activity : 192.168.2.4:49873 -> 111.90.147.125:80

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 111.90.147.125 ports 5651,465,4,5,6,55555,80

Source: global traffic	TCP traffic: 192.168.2.4:49806 -> 95.213.205.83:5655
Source: global traffic	TCP traffic: 192.168.2.4:49809 -> 109.234.156.179:5655
Source: global traffic	TCP traffic: 192.168.2.4:49871 -> 111.90.147.125:5651
Source: global traffic	TCP traffic: 192.168.2.4:49874 -> 78.138.9.142:5651

Source: Joe Sandbox View

ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY

Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.156.179
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.156.179
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.156.179
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.156.179
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.156.179
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 78.138.9.142
Source: unknown	TCP traffic detected without corresponding DNS query: 78.138.9.142
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 78.138.9.142
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 78.138.9.142
Source: unknown	TCP traffic detected without corresponding DNS query: 78.138.9.142
Source: unknown	TCP traffic detected without corresponding DNS query: 78.138.9.142
Source: unknown	TCP traffic detected without corresponding DNS query: 78.138.9.142
Source: unknown	TCP traffic detected without corresponding DNS query: 78.138.9.142
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 109.234.156.179
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.147.125

Source: global traffic

DNS traffic detected: DNS query: id72.internetid.ru

Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB661000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB623000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB730000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB6C9000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB673000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB5E6000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3603820083.00000000044F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB661000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB623000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB730000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB6C9000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB673000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB5E6000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3603820083.00000000044F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB730000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB6C9000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB673000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB5E6000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3574164629.00000000024C8000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3603820083.00000000044F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: rutserv.exe, 00000010.00000003.1965746877.0000000002559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB730000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB6C9000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB673000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB5E6000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3574164629.00000000024F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0V
Source: rutserv.exe, 00000010.00000003.1960914551.0000000002556000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.1965746877.0000000002559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crlB)
Source: rutserv.exe, 00000010.00000003.2572074671.0000000002559000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.1960914551.0000000002556000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.2095413447.0000000002559000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.1965746877.0000000002559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crlF.
Source: rutserv.exe, 00000010.00000003.1960914551.0000000002556000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crlP)
Source: rutserv.exe, 00000010.00000003.1960578808.0000000002566000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crlu
Source: rutserv.exe, 00000010.00000003.2572074671.0000000002559000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.2095413447.0000000002559000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.1965746877.0000000002559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB730000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB6C9000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB673000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB5E6000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3574164629.00000000024F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: rutserv.exe, 00000010.00000003.2572074671.0000000002559000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.2095413447.0000000002559000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.1965746877.0000000002559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl:UV
Source: rutserv.exe, 00000010.00000003.2572074671.0000000002559000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.2095413447.0000000002559000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.1965746877.0000000002559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crlXW
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB730000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB6C9000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB673000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB5E6000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3574164629.00000000024F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: svchost.exe, 00000005.00000002.3419566312.000001C99D400000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB730000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB6C9000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB673000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB5E6000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3603820083.00000000044F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB661000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB623000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB730000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB6C9000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB673000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB5E6000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3603820083.00000000044F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB730000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB6C9000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB673000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB5E6000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3574164629.00000000024C8000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3603820083.00000000044F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB661000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB623000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB661000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB623000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB661000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB623000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: svchost.exe, 00000005.00000003.1765637227.000001C99D658000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: svchost.exe, 00000005.00000003.1765637227.000001C99D658000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome/acosgr5ufcefr7w7nv4v6k4ebdda_117.0.5938.132/117.0.5
Source: svchost.exe, 00000005.00000003.1765637227.000001C99D658000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: svchost.exe, 00000005.00000003.1765637227.000001C99D658000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: svchost.exe, 00000005.00000003.1765637227.000001C99D658000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: svchost.exe, 00000005.00000003.1765637227.000001C99D658000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: svchost.exe, 00000005.00000003.1765637227.000001C99D68D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: svchost.exe, 00000005.00000003.1765637227.000001C99D6D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: rfusclient.exe, 00000009.00000000.1816392501.000000000035F000.00000020.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000A.00000000.1843751400.0000000000821000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000010.00000003.1929061008.000000007B5F0000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.1939132075.000000007CAC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://madExcept.comU
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB730000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB6C9000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB673000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB5E6000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3574164629.00000000024C8000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3603820083.00000000044F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB730000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB6C9000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB661000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB673000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB623000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB5E6000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3603820083.00000000044F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB661000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB623000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB730000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB6C9000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB673000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB5E6000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3603820083.00000000044F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: rutserv.exe, 00000010.00000002.3574164629.00000000024F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/
Source: rutserv.exe, 00000010.00000002.3574164629.00000000024F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/R
Source: rutserv.exe, 00000010.00000003.1965746877.0000000002559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr45
Source: rutserv.exe, 00000010.00000003.1960578808.0000000002566000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.1965746877.0000000002559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6N
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB730000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB6C9000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB673000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB5E6000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3574164629.00000000024F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: rutserv.exe, 00000010.00000003.1960914551.0000000002556000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr456)
Source: rutserv.exe, 00000010.00000003.1960914551.0000000002556000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.1965746877.0000000002559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr458.0
Source: rutserv.exe, 00000010.00000003.1960914551.0000000002556000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr45T.
Source: rutserv.exe, 00000010.00000003.1960914551.0000000002556000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr45Z.
Source: rutserv.exe, 00000010.00000003.1960578808.0000000002566000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.1965487513.0000000002568000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr45zF
Source: rutserv.exe, 00000010.00000003.1965746877.0000000002559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020
Source: rutserv.exe, 00000010.00000002.3574164629.00000000024F4000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.1965487513.0000000002577000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.1965487513.000000000256F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBTLuA3ygnKW%2F7xuSx%2
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB730000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB6C9000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB673000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB5E6000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3574164629.00000000024F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: rutserv.exe, 00000010.00000003.1965746877.0000000002559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020P)
Source: rutserv.exe, 00000010.00000003.1965746877.0000000002559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020T.
Source: rutserv.exe, 00000010.00000003.1965746877.0000000002559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020Z.
Source: rutserv.exe, 00000010.00000002.3577310653.0000000002561000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.2572074671.0000000002559000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.2095413447.0000000002559000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.1965746877.0000000002559000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020http://crl.globalsign.com/gsgccr45codesignca2020.cr
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB730000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB6C9000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB673000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB5E6000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3574164629.00000000024F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: rutserv.exe, 00000010.00000002.3574164629.0000000002498000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/rootr31.3.6.1.5.5.7.48.2http://secure.globalsign.com/cacert/root-r3.crtE
Source: rutserv.exe, 00000010.00000002.3574164629.00000000024F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/rootr3http://crl.globalsign.com/root-r3.crlk
Source: rutserv.exe, 00000010.00000002.3578675457.0000000002B18000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://rmansys.ru/
Source: rutserv.exe, 00000010.00000002.3578675457.0000000002B18000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://rmansys.ru///rmansys.ru/
Source: rutserv.exe, 00000010.00000002.3578675457.0000000002B18000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://rmansys.ru///rmansys.ru/;
Source: rutserv.exe, 0000000A.00000000.1856486408.0000000001CE1000.00000002.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000010.00000002.3604652724.000000000482F000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://rmansys.ru/internet-id/
Source: rutserv.exe, 00000010.00000002.3578675457.0000000002B18000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://rmansys.ru/nsys.ru/pf
Source: rutserv.exe, 00000010.00000002.3578675457.0000000002B18000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://rmansys.ru/pf
Source: rutserv.exe, 00000010.00000002.3578675457.0000000002B18000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://rmansys.ru/rd
Source: rutserv.exe, 00000010.00000002.3578675457.0000000002B18000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://rmansys.ru/web-help/
Source: rutserv.exe, 00000010.00000002.3578675457.0000000002B18000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://rmansys.ru/web-help/eb-help/
Source: rutserv.exe, 00000010.00000002.3578675457.0000000002B18000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://rmansys.ru/web-help/eb-help/D
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB661000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB623000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB661000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB623000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: svchost.exe, 00000005.00000003.3118282077.000001C9980B1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3419150789.000001C9980B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.dm
Source: rfusclient.exe, 00000009.00000000.1816392501.000000000035F000.00000020.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000A.00000000.1843751400.0000000000821000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000010.00000003.1929061008.000000007B5F0000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.1939132075.000000007CAC0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB730000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB6C9000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB673000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB5E6000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3574164629.00000000024F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB730000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB6C9000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB673000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB5E6000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3574164629.00000000024F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB730000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB6C9000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB673000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB5E6000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3574164629.00000000024F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: rfusclient.exe, 00000009.00000000.1818406969.0000000000DC5000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000A.00000000.1856486408.0000000001CE1000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB661000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB623000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB661000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB623000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB661000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB623000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: rutserv.exe, 0000000A.00000000.1843751400.0000000000821000.00000020.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://update.tektonit.ru/upgrade.ini
Source: rutserv.exe, 0000000A.00000000.1843751400.0000000000821000.00000020.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://update.tektonit.ru/upgrade_beta.ini
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB661000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB623000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB661000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB623000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.flexerasoftware.com0
Source: rfusclient.exe, 00000009.00000003.1836674180.0000000003005000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000009.00000000.1816392501.0000000000B6B000.00000020.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000A.00000000.1843751400.0000000001221000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 0000000A.00000003.1880620859.0000000003F75000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 0000000C.00000003.1911028682.0000000003F85000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 0000000F.00000003.1939737722.0000000003F05000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3578675457.0000000002A6E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.indyproject.org/
Source: rfusclient.exe, 00000009.00000000.1818406969.0000000000DC5000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000A.00000000.1856486408.0000000001CE1000.00000002.00000001.01000000.0000000D.sdmp	String found in binary or memory: http://www.inkscape.org/namespaces/inkscape
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB661000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB623000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB661000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB623000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: rutserv.exe, 0000000A.00000002.1895252133.0000000060277000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: rutserv.exe, 0000000A.00000002.1895252133.0000000060277000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://curl.se/docs/hsts.html
Source: rfusclient.exe, 00000009.00000002.1841192165.00000000601A0000.00000002.00000001.01000000.0000000C.sdmp, rutserv.exe, 0000000A.00000002.1895252133.0000000060277000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB661000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB623000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB661000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB623000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: svchost.exe, 00000005.00000003.1765637227.000001C99D702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6
Source: svchost.exe, 00000005.00000003.1765637227.000001C99D73F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/Prod.C:
Source: svchost.exe, 00000005.00000003.1765637227.000001C99D702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2
Source: svchost.exe, 00000005.00000003.1765637227.000001C99D6E3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1765637227.000001C99D728000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1765637227.000001C99D747000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1765637227.000001C99D734000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: svchost.exe, 00000005.00000003.1765637227.000001C99D702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96
Source: rutserv.exe, 0000000A.00000002.1895252133.000000006028F000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://gcc.gnu.org/bugsrg/bugs/):
Source: svchost.exe, 00000005.00000003.1765637227.000001C99D702000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Installers/23.194.0917.0001/amd64/OneDriveSetup.exe
Source: svchost.exe, 00000005.00000003.1765637227.000001C99D696000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe.C:
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rmansys.ru/IS_PREVENT_DOWNGRADE_EXITZ_DOWNGRADE_DETECTED;Z_UPGRADE_DETECTED;COMPANYNAME;INST
Source: rutserv.exe, 00000010.00000002.3578675457.0000000002A6E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://rmansys.ru/remote-access/
Source: rutserv.exe, 00000010.00000002.3578675457.0000000002A6E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://rmansys.ru/remote-access//rmansys.ru/remote-access/
Source: rutserv.exe, 00000010.00000002.3578675457.0000000002A6E000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://rmansys.ru/remote-access//rmansys.ru/remote-access/O
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB661000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB623000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB730000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB6C9000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB673000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB5E6000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3574164629.00000000024F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: rfusclient.exe, 00000009.00000000.1818406969.0000000000DC5000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000A.00000000.1856486408.0000000001CE1000.00000002.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000010.00000003.1936056705.0000000006601000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.remoteutilities.com/about/privacy-policy.php
Source: rfusclient.exe, 00000009.00000000.1818406969.0000000000DC5000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000A.00000000.1856486408.0000000001CE1000.00000002.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000010.00000003.1936056705.0000000006601000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.remoteutilities.com/buy/money-back-guarantee.php
Source: rfusclient.exe, 00000009.00000000.1818406969.0000000000DC5000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000A.00000000.1856486408.0000000001CE1000.00000002.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000010.00000003.1936056705.0000000006601000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.remoteutilities.com/support/docs/installing-and-uninstalling/

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_E818918BC57803438E0E0146A88425A7	Jump to dropped file
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164	Jump to dropped file
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.0.rfusclient.exe.310000.0.unpack, type: UNPACKEDPE	Matched rule: RemoteUtilitiesRAT RAT payload Author: ditekSHen
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, type: DROPPED	Matched rule: RemoteUtilitiesRAT RAT payload Author: ditekSHen
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, type: DROPPED	Matched rule: RemoteUtilitiesRAT RAT payload Author: ditekSHen

Source: C:\Users\user\Desktop\442.docx.exe

Code function: 0_2_00007FF7ED6AC2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF7ED6AC2F0

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\440b40.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF85.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{77817ADF-D5EC-49C6-B987-6169BBD5345B}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI10DE.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\440b43.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\440b43.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A1D627669EFC8CD4F21BCF387D97F9B5_E818918BC57803438E0E0146A88425A7
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_E818918BC57803438E0E0146A88425A7

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSIF85.tmp

Jump to behavior

Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6CCE88	0_2_00007FF7ED6CCE88
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6A5E24	0_2_00007FF7ED6A5E24
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6C1F20	0_2_00007FF7ED6C1F20
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6AF930	0_2_00007FF7ED6AF930
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6B4928	0_2_00007FF7ED6B4928
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6D0754	0_2_00007FF7ED6D0754
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6CB190	0_2_00007FF7ED6CB190
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6C3484	0_2_00007FF7ED6C3484
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6BA4AC	0_2_00007FF7ED6BA4AC
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6C2D58	0_2_00007FF7ED6C2D58
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6C8DF4	0_2_00007FF7ED6C8DF4
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6D0754	0_2_00007FF7ED6D0754
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6E2080	0_2_00007FF7ED6E2080
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6BAF18	0_2_00007FF7ED6BAF18
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6DFA94	0_2_00007FF7ED6DFA94
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6B1A48	0_2_00007FF7ED6B1A48
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6E5AF8	0_2_00007FF7ED6E5AF8
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6C2AB0	0_2_00007FF7ED6C2AB0
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6A1AA4	0_2_00007FF7ED6A1AA4
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6BC96C	0_2_00007FF7ED6BC96C
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6C3964	0_2_00007FF7ED6C3964
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6D89A0	0_2_00007FF7ED6D89A0
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6D8C1C	0_2_00007FF7ED6D8C1C
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6BBB90	0_2_00007FF7ED6BBB90
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6B5B60	0_2_00007FF7ED6B5B60
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6C4B98	0_2_00007FF7ED6C4B98
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6A76C0	0_2_00007FF7ED6A76C0
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6E2550	0_2_00007FF7ED6E2550
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6BB534	0_2_00007FF7ED6BB534
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6A4840	0_2_00007FF7ED6A4840
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6DC838	0_2_00007FF7ED6DC838
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6A7288	0_2_00007FF7ED6A7288
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6B126C	0_2_00007FF7ED6B126C
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6AA310	0_2_00007FF7ED6AA310
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6AC2F0	0_2_00007FF7ED6AC2F0
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6BF180	0_2_00007FF7ED6BF180
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6C21D0	0_2_00007FF7ED6C21D0
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6C53F0	0_2_00007FF7ED6C53F0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Code function: 9_2_600CDC00	9_2_600CDC00
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Code function: 9_2_600D5800	9_2_600D5800
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Code function: 9_2_600CD620	9_2_600CD620
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Code function: 9_2_6018E260	9_2_6018E260
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Code function: 9_2_60167080	9_2_60167080
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Code function: 9_2_600D5AE0	9_2_600D5AE0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Code function: 9_2_5FDD6850	9_2_5FDD6850
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Code function: 9_2_600CCBD0	9_2_600CCBD0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Code function: 17_2_0076B9AC	17_2_0076B9AC

Source: unires_vpd.dll.2.dr	Static PE information: Resource name: None type: COM executable for DOS
Source: rutserv.exe.2.dr	Static PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: rfusclient.exe.2.dr	Static PE information: Resource name: MAD type: DOS executable (COM, 0x8C-variant)
Source: rfusclient.exe.2.dr	Static PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: unidrvui_rppd.dll0.2.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unires_vpd.dll0.2.dr	Static PE information: Resource name: None type: COM executable for DOS

Source: libasset32.dll.2.dr	Static PE information: Number of sections : 19 > 10
Source: rutserv.exe.2.dr	Static PE information: Number of sections : 11 > 10
Source: rfusclient.exe.2.dr	Static PE information: Number of sections : 11 > 10
Source: libcodec32.dll.2.dr	Static PE information: Number of sections : 20 > 10

Source: unires_vpd.dll0.2.dr	Static PE information: No import functions for PE file found
Source: unires_vpd.dll.2.dr	Static PE information: No import functions for PE file found

Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB730000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 442.docx.exe
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB6C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 442.docx.exe
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB673000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 442.docx.exe
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB623000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameISRegSvr.dll vs 442.docx.exe
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB5E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename_IsIcoRes.exe< vs 442.docx.exe
Source: 442.docx.exe, 00000000.00000003.1722235136.000001E8BB5E6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSetAllUsers.dll< vs 442.docx.exe

Source: 9.0.rfusclient.exe.310000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RemoteUtilitiesRAT author = ditekSHen, description = RemoteUtilitiesRAT RAT payload, clamav_sig = MALWARE.Win.Trojan.RemoteUtilitiesRAT
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, type: DROPPED	Matched rule: MALWARE_Win_RemoteUtilitiesRAT author = ditekSHen, description = RemoteUtilitiesRAT RAT payload, clamav_sig = MALWARE.Win.Trojan.RemoteUtilitiesRAT
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, type: DROPPED	Matched rule: MALWARE_Win_RemoteUtilitiesRAT author = ditekSHen, description = RemoteUtilitiesRAT RAT payload, clamav_sig = MALWARE.Win.Trojan.RemoteUtilitiesRAT

Source: unires_vpd.dll0.2.dr	Static PE information: Section .rsrc
Source: unires_vpd.dll.2.dr	Static PE information: Section .rsrc

Source: classification engine

Classification label: mal92.troj.evad.winEXE@27/327@1/5

Source: C:\Users\user\Desktop\442.docx.exe

Code function: 0_2_00007FF7ED6AB6D8 GetLastError,FormatMessageW,LocalFree,

0_2_00007FF7ED6AB6D8

Source: C:\Users\user\Desktop\442.docx.exe

Code function: 0_2_00007FF7ED6C8624 FindResourceExW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

0_2_00007FF7ED6C8624

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\Remote Manipulator System - Host

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Roaming\Microsoft\Office

Jump to behavior

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\RManFUSTray
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Mutant created: NULL
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$898
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1d74
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Mutant created: \BaseNamedObjects\madExceptSettingsMtx$1e74
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1c2c
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\RManFUSLocal
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Mutant created: \BaseNamedObjects\HookTThread$1e74
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Mutant created: \BaseNamedObjects\madExceptSettingsMtx$17d8
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Mutant created: \Sessions\1\BaseNamedObjects\HookTThread$1fcc
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1f9c
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1d58
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$1fcc
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$76c
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Mutant created: \Sessions\1\BaseNamedObjects\HookTThread$1f9c

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DFC37BCDF51AD3764F.TMP

Jump to behavior

Source: 442.docx.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\442.docx.exe

File read: C:\Windows\win.ini

Jump to behavior

Source: C:\Users\user\Desktop\442.docx.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rfusclient.exe	String found in binary or memory: ENGINESDIR: "E:/dev/vcpkg/installed/x86-mingw-static/lib/engines-3"
Source: rfusclient.exe	String found in binary or memory: MODULESDIR: "E:/dev/vcpkg/installed/x86-mingw-static/lib/ossl-modules"
Source: rfusclient.exe	String found in binary or memory: E:/dev/vcpkg/installed/x86-mingw-static/lib/ossl-modules
Source: rfusclient.exe	String found in binary or memory: E:/dev/vcpkg/installed/x86-mingw-static/lib/engines-3

Source: C:\Users\user\Desktop\442.docx.exe

File read: C:\Users\user\Desktop\442.docx.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\442.docx.exe "C:\Users\user\Desktop\442.docx.exe"
Source: C:\Users\user\Desktop\442.docx.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\intel\Word.msi" /qn
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Users\user\Desktop\442.docx.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\intel\Doc.docx" /o ""
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3A7D5E944AD6C6FD24895B2767E40451
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\intel\Word.msi"
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
Source: unknown	Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -service
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
Source: C:\Users\user\Desktop\442.docx.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\intel\Word.msi" /qn	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\intel\Doc.docx" /o ""	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 3A7D5E944AD6C6FD24895B2767E40451	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\intel\Word.msi"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray

Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: dxgidebug.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: faultrep.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: dbgcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: libasset32.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: faultrep.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: libasset32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: olepro32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: c_is2022.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: c_g18030.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: c_iscii.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: faultrep.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: libasset32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: olepro32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: c_is2022.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: c_g18030.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: c_iscii.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: firewallapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: fwbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: sxs.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: faultrep.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: libasset32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: olepro32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: c_is2022.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: c_g18030.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: c_iscii.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: faultrep.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: libasset32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: olepro32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: c_is2022.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: c_g18030.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: c_iscii.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: idndl.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: msxml6.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: powrprof.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: umpdc.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: cryptnet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: webio.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: oledlg.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: faultrep.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: libasset32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: olepro32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: msftedit.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: idndl.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: msxml6.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: oledlg.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: faultrep.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: libasset32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: olepro32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: msftedit.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: idndl.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: msxml6.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: textshaping.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: dataexchange.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: d3d11.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: dcomp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: dxgi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: twinapi.appcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: oledlg.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: msacm32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: faultrep.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: libasset32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: olepro32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: msftedit.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: idndl.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: faultrep.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: libasset32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: olepro32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: security.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: oleacc.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: c_is2022.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: c_g18030.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: c_iscii.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: firewallapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: fwbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Section loaded: sxs.dll

Source: C:\Users\user\Desktop\442.docx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32

Jump to behavior

Source: Doc.LNK.3.dr

LNK file: ..\..\..\..\..\..\..\intel\Doc.docx

Source: C:\Windows\System32\msiexec.exe

File written: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppd.ini

Jump to behavior

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: 442.docx.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 442.docx.exe

Static file information: File size 25141051 > 1048576

Source: 442.docx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 442.docx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 442.docx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 442.docx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 442.docx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 442.docx.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 442.docx.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 442.docx.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Source: 442.docx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 442.docx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 442.docx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 442.docx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 442.docx.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Unpacked PE file: 9.2.rfusclient.exe.310000.0.unpack

Source: C:\Users\user\Desktop\442.docx.exe

File created: C:\intel\__tmp_rar_sfx_access_check_4457687

Jump to behavior

Source: 442.docx.exe	Static PE information: section name: .didat
Source: 442.docx.exe	Static PE information: section name: _RDATA
Source: vp8encoder.dll.2.dr	Static PE information: section name: .rodata
Source: vp8decoder.dll.2.dr	Static PE information: section name: .rodata
Source: webmvorbisdecoder.dll.2.dr	Static PE information: section name: _RDATA
Source: libasset32.dll.2.dr	Static PE information: section name: /4
Source: libasset32.dll.2.dr	Static PE information: section name: /14
Source: libasset32.dll.2.dr	Static PE information: section name: /29
Source: libasset32.dll.2.dr	Static PE information: section name: /41
Source: libasset32.dll.2.dr	Static PE information: section name: /55
Source: libasset32.dll.2.dr	Static PE information: section name: /67
Source: libasset32.dll.2.dr	Static PE information: section name: /78
Source: libasset32.dll.2.dr	Static PE information: section name: /94
Source: libasset32.dll.2.dr	Static PE information: section name: /110
Source: libcodec32.dll.2.dr	Static PE information: section name: .rodata
Source: libcodec32.dll.2.dr	Static PE information: section name: /4
Source: libcodec32.dll.2.dr	Static PE information: section name: /14
Source: libcodec32.dll.2.dr	Static PE information: section name: /29
Source: libcodec32.dll.2.dr	Static PE information: section name: /41
Source: libcodec32.dll.2.dr	Static PE information: section name: /55
Source: libcodec32.dll.2.dr	Static PE information: section name: /67
Source: libcodec32.dll.2.dr	Static PE information: section name: /78
Source: libcodec32.dll.2.dr	Static PE information: section name: /94
Source: libcodec32.dll.2.dr	Static PE information: section name: /110
Source: eventmsg.dll.2.dr	Static PE information: section name: .didata
Source: webmvorbisencoder.dll.2.dr	Static PE information: section name: _RDATA
Source: vccorlib120.dll.2.dr	Static PE information: section name: minATL
Source: rutserv.exe.2.dr	Static PE information: section name: .didata
Source: rfusclient.exe.2.dr	Static PE information: section name: .didata
Source: vccorlib120.dll0.2.dr	Static PE information: section name: minATL

Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6E5166 push rsi; retf	0_2_00007FF7ED6E5167
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6E5156 push rsi; retf	0_2_00007FF7ED6E5157
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Code function: 9_2_600E7E30 push eax; mov dword ptr [esp], esi	9_2_600E7ED1
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Code function: 16_2_00D2C34B push ebx; ret	16_2_00D2C354

Source: msvcr120.dll.2.dr	Static PE information: section name: .text entropy: 6.95576372950548
Source: VPDAgent.exe.2.dr	Static PE information: section name: .text entropy: 6.812931691200469

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF85.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\libasset32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\vccorlib120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\libcodec32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\eventmsg.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll	Jump to dropped file

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIF85.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	Jump to dropped file

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

File created: C:\ProgramData\Remote Manipulator System\install.log

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: docx.exe

Static PE information: 442.docx.exe

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes

Source: C:\Windows\System32\msiexec.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\RMS Host Installer Security

Jump to behavior

Source: C:\Users\user\Desktop\442.docx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\442.docx.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Source: C:\Users\user\Desktop\442.docx.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE			Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: rutserv.exe, 0000000A.00000000.1843751400.0000000001221000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 0000000F.00000002.1951137481.0000000002238000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE
Source: rutserv.exe, 0000000F.00000002.1951137481.0000000002238000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXEE
Source: rutserv.exe, 0000000A.00000002.1885182179.00000000022E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXEI
Source: rutserv.exe, 0000000F.00000002.1951137481.0000000002238000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXE<
Source: rutserv.exe, 0000000A.00000002.1885182179.00000000022E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXEA
Source: rutserv.exe, 0000000A.00000002.1885182179.00000000022E8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OLLYDBG.EXEW

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe

Window / User API: threadDelayed 6337

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIF85.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\vccorlib120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\libcodec32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\eventmsg.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll	Jump to dropped file

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_9-6556

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

API coverage: 5.8 %

Source: C:\Windows\System32\svchost.exe TID: 7916	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2132	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 7992	Thread sleep time: -50000s >= -30000s
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 8124	Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 8112	Thread sleep count: 6337 > 30
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 8112	Thread sleep time: -63370s >= -30000s
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 8072	Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 6740	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 8124	Thread sleep time: -60000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6B40BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7ED6B40BC
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6CB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7ED6CB190
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6DFCA0 FindFirstFileExA,	0_2_00007FF7ED6DFCA0

Source: C:\Users\user\Desktop\442.docx.exe

Code function: 0_2_00007FF7ED6D16A4 VirtualQuery,GetSystemInfo,

0_2_00007FF7ED6D16A4

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Thread delayed: delay time: 50000
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Thread delayed: delay time: 60000
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Thread delayed: delay time: 60000
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Thread delayed: delay time: 60000

Source: svchost.exe, 00000005.00000002.3418863473.000001C99802B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: svchost.exe, 00000005.00000002.3419675889.000001C99D457000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3574164629.00000000024C8000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.1965487513.0000000002577000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.2094884831.0000000002577000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.1960578808.0000000002566000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rfusclient.exe, 00000009.00000002.1838575078.000000000145D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\442.docx.exe

Code function: 0_2_00007FF7ED6D76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7ED6D76D8

Source: C:\Users\user\Desktop\442.docx.exe

Code function: 0_2_00007FF7ED6E0D20 GetProcessHeap,

0_2_00007FF7ED6E0D20

Source: C:\Windows\System32\msiexec.exe

Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start

Jump to behavior

Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6D76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7ED6D76D8
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6D3170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7ED6D3170
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6D2510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7ED6D2510
Source: C:\Users\user\Desktop\442.docx.exe	Code function: 0_2_00007FF7ED6D3354 SetUnhandledExceptionFilter,	0_2_00007FF7ED6D3354

Source: C:\Users\user\Desktop\442.docx.exe

Code function: 0_2_00007FF7ED6CB190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF7ED6CB190

Source: C:\Users\user\Desktop\442.docx.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\intel\Word.msi" /qn	Jump to behavior
Source: C:\Users\user\Desktop\442.docx.exe	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\intel\Doc.docx" /o ""	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall	Jump to behavior

Source: rfusclient.exe, 00000009.00000000.1816392501.000000000035F000.00000020.00000001.01000000.0000000B.sdmp

Binary or memory string: Shell_TrayWndTrayNotifyWndSV

Source: C:\Users\user\Desktop\442.docx.exe

Code function: 0_2_00007FF7ED6BDC70 cpuid

0_2_00007FF7ED6BDC70

Source: C:\Users\user\Desktop\442.docx.exe

Code function: GetLocaleInfoW,GetNumberFormatW,

0_2_00007FF7ED6CA2CC

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\442.docx.exe

Code function: 0_2_00007FF7ED6D0754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF7ED6D0754

Source: C:\Users\user\Desktop\442.docx.exe

Code function: 0_2_00007FF7ED6B4EB0 GetVersionExW,

0_2_00007FF7ED6B4EB0

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: rutserv.exe, 0000000A.00000000.1843751400.0000000001221000.00000020.00000001.01000000.0000000D.sdmp	Binary or memory string: OLLYDBG.EXE
Source: rutserv.exe, 0000000F.00000002.1951137481.0000000002238000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ollydbg.exe

Source: C:\Windows\System32\msiexec.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD Blob

Jump to behavior

Source: Yara match	File source: 9.0.rfusclient.exe.310000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.3573808248.000000000314A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3573808248.0000000003118000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3572801729.00000000017DA000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.3578675457.0000000002B18000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3579027400.0000000004B64000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.1818406969.0000000000DC5000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.3572801729.00000000017B6000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1936056705.0000000006601000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1856486408.0000000001CE1000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.3579027400.0000000004B20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rfusclient.exe PID: 1900, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rutserv.exe PID: 2200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rutserv.exe PID: 7796, type: MEMORYSTR
Source: Yara match	File source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	2 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	13 Obfuscated Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Extra Window Memory Injection	12 Software Packing	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	12 Process Injection	1 DLL Side-Loading	NTDS	67 System Information Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Extra Window Memory Injection	Cached Domain Credentials	241 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	122 Masquerading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	121 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	121 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	12 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe	3%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe	0%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll	3%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe	3%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll	2%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exe	3%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe	3%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe	3%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dll	2%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe	2%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dll	0%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dll	0%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dll	3%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dll	4%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe	3%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dll	3%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dll	3%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll	3%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dll	0%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dll	0%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dll	0%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dll	2%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll	3%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe	3%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dll	3%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dll	3%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll	3%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\vccorlib120.dll	0%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\eventmsg.dll	8%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\libasset32.dll	0%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\libcodec32.dll	0%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe	13%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe	12%	ReversingLabs	Win32.Trojan.Generic
C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll	0%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll	0%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll	0%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll	0%	ReversingLabs
C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll	0%	ReversingLabs
C:\Windows\Installer\MSIF85.tmp	0%	ReversingLabs
C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\ARPPRODUCTICON.exe	0%	ReversingLabs
C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe	0%	ReversingLabs
C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe	0%	ReversingLabs
C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_start_C00864331B9D4391A8A26292A601EBE2.exe	0%	ReversingLabs
C:\Windows\Installer\{77817ADF-D5EC-49C6-B987-6169BBD5345B}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
http://rmansys.ru/rd	0%	Avira URL Cloud	safe
http://rmansys.ru/web-help/eb-help/D	0%	Avira URL Cloud	safe
http://schemas.dm	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
main.internetid.ru	95.213.205.83	true	false	unknown
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	84.201.208.103	true	false	high
id72.internetid.ru	unknown	unknown	false	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.remoteutilities.com/support/docs/installing-and-uninstalling/	rfusclient.exe, 00000009.00000000.1818406969.0000000000DC5000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000A.00000000.1856486408.0000000001CE1000.00000002.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000010.00000003.1936056705.0000000006601000.00000004.00000020.00020000.00000000.sdmp	false		high
http://rmansys.ru///rmansys.ru/	rutserv.exe, 00000010.00000002.3578675457.0000000002B18000.00000004.00001000.00020000.00000000.sdmp	false		high
https://curl.se/docs/http-cookies.html	rfusclient.exe, 00000009.00000002.1841192165.00000000601A0000.00000002.00000001.01000000.0000000C.sdmp, rutserv.exe, 0000000A.00000002.1895252133.0000000060277000.00000002.00000001.01000000.0000000C.sdmp	false		high
http://update.tektonit.ru/upgrade.ini	rutserv.exe, 0000000A.00000000.1843751400.0000000000821000.00000020.00000001.01000000.0000000D.sdmp	false		high
http://update.tektonit.ru/upgrade_beta.ini	rutserv.exe, 0000000A.00000000.1843751400.0000000000821000.00000020.00000001.01000000.0000000D.sdmp	false		high
http://madExcept.comU	rfusclient.exe, 00000009.00000000.1816392501.000000000035F000.00000020.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000A.00000000.1843751400.0000000000821000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000010.00000003.1929061008.000000007B5F0000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.1939132075.000000007CAC0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	rfusclient.exe, 00000009.00000000.1816392501.000000000035F000.00000020.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000A.00000000.1843751400.0000000000821000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000010.00000003.1929061008.000000007B5F0000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 00000010.00000003.1939132075.000000007CAC0000.00000004.00001000.00020000.00000000.sdmp	false		high
http://rmansys.ru/rd	rutserv.exe, 00000010.00000002.3578675457.0000000002B18000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://rmansys.ru/web-help/eb-help/	rutserv.exe, 00000010.00000002.3578675457.0000000002B18000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crl.ver)	svchost.exe, 00000005.00000002.3419566312.000001C99D400000.00000004.00000020.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2.C:	svchost.exe, 00000005.00000003.1765637227.000001C99D6E3000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1765637227.000001C99D728000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1765637227.000001C99D747000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.1765637227.000001C99D734000.00000004.00000800.00020000.00000000.sdmp	false		high
http://rmansys.ru/pf	rutserv.exe, 00000010.00000002.3578675457.0000000002B18000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.indyproject.org/	rfusclient.exe, 00000009.00000003.1836674180.0000000003005000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000009.00000000.1816392501.0000000000B6B000.00000020.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000A.00000000.1843751400.0000000001221000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 0000000A.00000003.1880620859.0000000003F75000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 0000000C.00000003.1911028682.0000000003F85000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 0000000F.00000003.1939737722.0000000003F05000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 00000010.00000002.3578675457.0000000002A6E000.00000004.00001000.00020000.00000000.sdmp	false		high
https://curl.se/docs/alt-svc.html	rutserv.exe, 0000000A.00000002.1895252133.0000000060277000.00000002.00000001.01000000.0000000C.sdmp	false		high
http://www.symauth.com/cps0(	442.docx.exe, 00000000.00000003.1722235136.000001E8BB661000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB623000.00000004.00000020.00020000.00000000.sdmp	false		high
http://rmansys.ru/internet-id/	rutserv.exe, 0000000A.00000000.1856486408.0000000001CE1000.00000002.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000010.00000002.3604652724.000000000482F000.00000004.00001000.00020000.00000000.sdmp	false		high
http://rmansys.ru/web-help/eb-help/D	rutserv.exe, 00000010.00000002.3578675457.0000000002B18000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://curl.se/docs/hsts.html	rutserv.exe, 0000000A.00000002.1895252133.0000000060277000.00000002.00000001.01000000.0000000C.sdmp	false		high
https://g.live.com/odclientsettings/Prod.C:	svchost.exe, 00000005.00000003.1765637227.000001C99D73F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gcc.gnu.org/bugsrg/bugs/):	rutserv.exe, 0000000A.00000002.1895252133.000000006028F000.00000002.00000001.01000000.0000000C.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2	svchost.exe, 00000005.00000003.1765637227.000001C99D702000.00000004.00000800.00020000.00000000.sdmp	false		high
https://g.live.com/odclientsettings/ProdV2?OneDriveUpdate=f359a5df14f97b6802371976c96	svchost.exe, 00000005.00000003.1765637227.000001C99D702000.00000004.00000800.00020000.00000000.sdmp	false		high
http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd	rfusclient.exe, 00000009.00000000.1818406969.0000000000DC5000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000A.00000000.1856486408.0000000001CE1000.00000002.00000001.01000000.0000000D.sdmp	false		high
http://www.symauth.com/rpa00	442.docx.exe, 00000000.00000003.1722235136.000001E8BB661000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB623000.00000004.00000020.00020000.00000000.sdmp	false		high
https://rmansys.ru/remote-access//rmansys.ru/remote-access/	rutserv.exe, 00000010.00000002.3578675457.0000000002A6E000.00000004.00001000.00020000.00000000.sdmp	false		high
https://rmansys.ru/remote-access//rmansys.ru/remote-access/O	rutserv.exe, 00000010.00000002.3578675457.0000000002A6E000.00000004.00001000.00020000.00000000.sdmp	false		high
http://rmansys.ru/	rutserv.exe, 00000010.00000002.3578675457.0000000002B18000.00000004.00001000.00020000.00000000.sdmp	false		high
https://rmansys.ru/remote-access/	rutserv.exe, 00000010.00000002.3578675457.0000000002A6E000.00000004.00001000.00020000.00000000.sdmp	false		high
http://rmansys.ru/nsys.ru/pf	rutserv.exe, 00000010.00000002.3578675457.0000000002B18000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.flexerasoftware.com0	442.docx.exe, 00000000.00000003.1722235136.000001E8BB661000.00000004.00000020.00020000.00000000.sdmp, 442.docx.exe, 00000000.00000003.1722235136.000001E8BB623000.00000004.00000020.00020000.00000000.sdmp	false		high
https://rmansys.ru/IS_PREVENT_DOWNGRADE_EXITZ_DOWNGRADE_DETECTED;Z_UPGRADE_DETECTED;COMPANYNAME;INST	442.docx.exe, 00000000.00000003.1722235136.000001E8BB591000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.inkscape.org/namespaces/inkscape	rfusclient.exe, 00000009.00000000.1818406969.0000000000DC5000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000A.00000000.1856486408.0000000001CE1000.00000002.00000001.01000000.0000000D.sdmp	false		high
https://g.live.com/1rewlive5skydrive/OneDriveProductionV2?OneDriveUpdate=9c123752e31a927b78dc96231b6	svchost.exe, 00000005.00000003.1765637227.000001C99D702000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.remoteutilities.com/buy/money-back-guarantee.php	rfusclient.exe, 00000009.00000000.1818406969.0000000000DC5000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000A.00000000.1856486408.0000000001CE1000.00000002.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000010.00000003.1936056705.0000000006601000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.remoteutilities.com/about/privacy-policy.php	rfusclient.exe, 00000009.00000000.1818406969.0000000000DC5000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 0000000A.00000000.1856486408.0000000001CE1000.00000002.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000010.00000003.1936056705.0000000006601000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.dm	svchost.exe, 00000005.00000003.3118282077.000001C9980B1000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3419150789.000001C9980B1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://rmansys.ru///rmansys.ru/;	rutserv.exe, 00000010.00000002.3578675457.0000000002B18000.00000004.00001000.00020000.00000000.sdmp	false		high
http://rmansys.ru/web-help/	rutserv.exe, 00000010.00000002.3578675457.0000000002B18000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
109.234.156.179	unknown	Russian Federation	49505	SELECTELRU	false
111.90.147.125	unknown	Malaysia	45839	SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	true
78.138.9.142	unknown	United Kingdom	8513	SKYVISIONGB	false
95.213.205.83	main.internetid.ru	Russian Federation	50340	SELECTEL-MSKRU	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1567328
Start date and time:	2024-12-03 12:46:00 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	442.docx.exe renamed because original name is a hash value
Original Sample Name:	.docx.exe
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@27/327@1/5
EGA Information:	Successful, ratio: 83.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 23.218.208.109, 52.109.89.19, 84.201.208.103, 52.111.252.17, 52.111.252.15, 52.111.252.16, 52.111.252.18, 52.182.143.208, 95.101.110.60, 95.101.110.34, 95.101.110.24, 95.101.110.31, 95.101.110.27, 23.32.238.192, 23.32.238.169, 104.18.21.226, 104.18.20.226
Excluded domains from analysis (whitelisted): binaries.templates.cdn.office.net.edgesuite.net, slscr.update.microsoft.com, cdn.globalsigncdn.com.cdn.cloudflare.net, templatesmetadata.office.net.edgekey.net, weu-azsc-000.roaming.officeapps.live.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, eur.roaming1.live.com.akadns.net, ocsp.globalsign.com, a1847.dscg2.akamai.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, onedscolprdcus04.centralus.cloudapp.azure.com, wu-b-net.trafficmanager.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, prod-all.naturallanguageeditorservice.osi.office.net.akadns.net, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, prod-inc-resolver.naturallanguageeditorservice.osi.office.net.akadns.n
Execution Graph export aborted for target rutserv.exe, PID 2200 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 442.docx.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
95.213.205.83	ExeFile (206).exe	Get hash	malicious	RMSRemoteAdmin, Xmrig	Browse
	winserv.exe	Get hash	malicious	RMSRemoteAdmin, xRAT	Browse
	winserv.exe	Get hash	malicious	RMSRemoteAdmin, xRAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
main.internetid.ru	https://bitbucket.org/ziphose/obmen/downloads/Doc.7z	Get hash	malicious	RMSRemoteAdmin	Browse	95.213.205.83
	ExeFile (206).exe	Get hash	malicious	RMSRemoteAdmin, Xmrig	Browse	95.213.205.83
	winserv.exe	Get hash	malicious	RMSRemoteAdmin, xRAT	Browse	95.213.205.83
	winserv.exe	Get hash	malicious	RMSRemoteAdmin, xRAT	Browse	95.213.205.83
	3C77C16EE21FF2F584B1EB5DF4882976A934D50D1D4E0.exe	Get hash	malicious	RMSRemoteAdmin	Browse	95.213.205.83
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	Employee_Important_Message.pdf	Get hash	malicious	Unknown	Browse	84.201.208.99
	SPP_14667098030794_8611971920#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	84.201.208.101
	rAttached_updat.vbs	Get hash	malicious	GuLoader, Remcos	Browse	84.201.211.40
	1d5sraR1S1.exe	Get hash	malicious	AgentTesla	Browse	84.201.211.39
	file.exe	Get hash	malicious	Stealc	Browse	217.20.56.100
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	217.20.56.102
	Employee_Important_Message.pdf	Get hash	malicious	Unknown	Browse	84.201.208.106
	Scan_6090402.pdf	Get hash	malicious	Unknown	Browse	217.20.56.101
	kingsmaker_6.ca.ps1	Get hash	malicious	Ducktail	Browse	84.201.208.102
	Demande de proposition du Regional Development Network .pdf	Get hash	malicious	Unknown	Browse	84.201.208.67

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
SKYVISIONGB	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	83.229.59.112
	https://www.google.ml/url?fvg=1YI3fC8whlGPBCiMyiuQ&bhtBf=8EQhXbuMThqowIo0zyCX&sa=t&ndg=afydNw3nDHf9A6uq2MCH&url=amp%2Fiestpcanipaco.edu.pe%2F.r%2Fu1kOgE-SURELILYYWRhcnNoLm1hbGhvdHJhQGphdG8uY29t	Get hash	malicious	HTMLPhisher	Browse	78.138.9.37
	arm4.elf	Get hash	malicious	Mirai	Browse	217.194.146.92
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	217.194.158.58
	shipping documents_pdf.exe	Get hash	malicious	FormBook	Browse	83.229.19.82
	https://bread.nfpt.adfixagency.co.in/	Get hash	malicious	Unknown	Browse	78.138.9.37
	https://bread1.nfpt.adfixagency.co.in/landingv2	Get hash	malicious	Unknown	Browse	78.138.9.37
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	Vendor Agreement Ready for Your Signature November 22 2024 at 084923 PM.msg	Get hash	malicious	HTMLPhisher	Browse	101.99.75.104
	http://amz-account-unlock-dashboard4.duckdns.org	Get hash	malicious	Unknown	Browse	111.90.149.151
	https://texasbarcle.com/CLE/AAGateway.asp?lRefID=19203&sURL=https://famezik.com/#Zi5waWNhc3NvJG1hcmxhdGFua2Vycy5ncg==	Get hash	malicious	Unknown	Browse	111.90.141.53
	Ssc Executed Docs#962297(Revised).docx	Get hash	malicious	Unknown	Browse	111.90.146.230
	amen.m68k.elf	Get hash	malicious	Unknown	Browse	101.99.125.192
	botnet.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	124.217.225.17
	0438.pdf.exe	Get hash	malicious	Unknown	Browse	111.90.140.76
SELECTELRU	nabppc.elf	Get hash	malicious	Unknown	Browse	85.119.147.53
	6X4BIzTTBR.exe	Get hash	malicious	Stealc	Browse	176.113.115.37
	vwkb5DQRAL.exe	Get hash	malicious	Stealc, Vidar	Browse	176.113.115.37
	IeccNv7PP6.exe	Get hash	malicious	Stealc, Vidar	Browse	176.113.115.37
	file.exe	Get hash	malicious	Unknown	Browse	176.113.115.177
	qlI3ReINCV.exe	Get hash	malicious	Stealc, Vidar	Browse	176.113.115.215
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	176.113.115.203
	XOr3Kqyo9n.exe	Get hash	malicious	Stealc	Browse	176.113.115.37
	0r9PL33C8E.exe	Get hash	malicious	Stealc	Browse	176.113.115.37

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe	https://bitbucket.org/ziphose/obmen/downloads/Doc.7z	Get hash	malicious	RMSRemoteAdmin	Browse
	J4zGPhVRV3.exe	Get hash	malicious	RMSRemoteAdmin	Browse
	J4zGPhVRV3.exe	Get hash	malicious	RMSRemoteAdmin	Browse
	SecuriteInfo.com.PUA.Tool.RemoteControl.20.28594.18180.exe	Get hash	malicious	RMSRemoteAdmin	Browse
	SecuriteInfo.com.PUA.Tool.RemoteControl.20.28594.18180.exe	Get hash	malicious	RMSRemoteAdmin	Browse
	044f.pdf.scr	Get hash	malicious	RMSRemoteAdmin	Browse
	3e#U043c.scr	Get hash	malicious	RMSRemoteAdmin	Browse

Input	Output
URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": " , \" \"", "prominent_button_name": "Got it", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": " , \" \"", "prominent_button_name": "Got it", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false, "contains_chinese_text": false }

URL: Screenshot id: 4 Model: Joe Sandbox AI	{ "brands": [ "Microsoft Office" ] }
	{ "brands": [ "Microsoft Office" ] }
URL: Screenshot id: 5 Model: Joe Sandbox AI	{ "brands": [ "Microsoft Office" ] }
	{ "brands": [ "Microsoft Office" ] }

Process:	C:\Windows\System32\msiexec.exe
File Type:	data
Category:	modified
Size (bytes):	33259
Entropy (8bit):	5.289166899208134
Encrypted:	false
SSDEEP:	768:n5t4t4t+ZXTWBwp1KwUXciM01HuECHgCg4gcgblFljY3TY3s8:qCBwpswUXceHuECHgCg4gcgblFlE3U3j
MD5:	22641644251074FE8A4B2152864D3A5A
SHA1:	5D06BEE490179007C4E4E626080AC3E5E3747FCF
SHA-256:	E061FEF209F79109F2B24C96C3517946F1EFCD24252678AAB6A00EB2442F16E1
SHA-512:	D1F495B16EE2E775F39985EB4FBA4AFEC8D4094339D6EF2B13353CF5151A97436280835A80F6FC3D241782E6FC94064A9B7D0B0D2E01D291987FF2A1C1EB185C
Malicious:	false
Preview:	...@IXOS.@.....@.5.Y.@.....@.....@.....@.....@.....@......&.{77817ADF-D5EC-49C6-B987-6169BBD5345B} .Remote Manipulator System - Host..Word.msi.@.....@.....@.....@......ARPPRODUCTICON.exe..&.{134AA6F2-2A49-44F2-A7A5-B7B9233956FA}.....@.....@.....@.....@.......@.....@.....@.......@.... .Remote Manipulator System - Host......Rollback....B.:.0.B. .4.5.9.A.B.2.8.O.:...[1]..RollbackCleanup..#.4.0.;.5.=.8.5. .2.@.5.<.5.=.=.K.E. .D.0.9.;.>.2...$.0.9.;.:. .[.1.].....ProcessComponents"...1.=.>.2.;.5.=.8.5. .@.5.3.8.A.B.@.0.F.8.8. .:.>.<.?.>.=.5.=.B.>.2...&.{74F2505E-B20A-4AED-968F-AE5B278DB38A}&.{77817ADF-D5EC-49C6-B987-6169BBD5345B}.@......&.{26EAB54E-4659-47E8-86F9-4CB74F7E03BE}&.{77817ADF-D5EC-49C6-B987-6169BBD5345B}.@......&.{596F4636-5D51-49F5-B3B4-F3C366E9DC23}&.{77817ADF-D5EC-49C6-B987-6169BBD5345B}.@......&.{596F4636-5D51-49F5-B3B4-F3C366E9DC23}&.{00000000-0000-0000-0000-000000000000}.@......&.{182310A2-CD9E-4171-ACD1-3AEDD260A15F}&.{77817ADF-D5EC-49C6-B987-6169BBD5345B}.@......&.{3244CD

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	118
Entropy (8bit):	3.5700810731231707
Encrypted:	false
SSDEEP:	3:QaklTlAlXMLLmHlIlFLlmIK/5lTn84vlJlhlXlDHlA6l3l6Als:QFulcLk04/5p8GVz6QRq
MD5:	573220372DA4ED487441611079B623CD
SHA1:	8F9D967AC6EF34640F1F0845214FBC6994C0CB80
SHA-256:	BE84B842025E4241BFE0C9F7B8F86A322E4396D893EF87EA1E29C74F47B6A22D
SHA-512:	F19FA3583668C3AF92A9CEF7010BD6ECEC7285F9C8665F2E9528DBA606F105D9AF9B1DB0CF6E7F77EF2E395943DC0D5CB37149E773319078688979E4024F9DD7
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.H.e.a.r.t.b.e.a.t.C.a.c.h.e./.>.

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.363788168458258
Encrypted:	false
SSDEEP:	6:6xPoaaD0JOCEfMuaaD0JOCEfMKQmDNOxPoaaD0JOCEfMuaaD0JOCEfMKQmDN:1aaD0JcaaD0JwQQbaaD0JcaaD0JwQQ
MD5:	0E72F896C84F1457C62C0E20338FAC0D
SHA1:	9C071CC3D15E5BD8BF603391AE447202BD9F8537
SHA-256:	686DC879EA8690C42D3D5D10D0148AE7110FA4D8DCCBF957FB8E41EE3D4A42B3
SHA-512:	AAA5BE088708DABC2EC9A7A6632BDF5700BE719D3F72B732BD2DFD1A3CFDD5C8884BFA4951DB0C499AF423EC30B14A49A30FBB831D1B0A880FE10053043A4251
Malicious:	false
Preview:	*.>...........&.....D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@......................................................&.............................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Desktop\442.docx.exe
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	230038
Entropy (8bit):	7.636957641054668
Encrypted:	false
SSDEEP:	3072:nzyKKhARKP6+FeRJhaigk8Ukyhxv8vyNrwyJN2EiXo4EaCNSltkprZvyYqZtGVVu:nzyKKhEKBSf/vv8vyNjz9oltkyYzcZ
MD5:	773D2787D661474A840B907C8A22D4E9
SHA1:	A6A0E3C4AB4063BC74C65D6EC0CB43B67F1D767F
SHA-256:	BA82FE356B21118D92B04A74EF8466A59F4802FD9B061F6E9A28E16CF7A5A8B3
SHA-512:	7EC868F9B7B47A757BBB5ABF5639F97C47D79AC55DD07954F3EEE93384B555F7C4C817B687C8C486DC97F4174A8CC04DEED342E8ADD6EA2EDB5EE381FC612BEA
Malicious:	false
Preview:	PK..........!..A..f...T.......[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................n.0.E........tQUUH.},.HM?...../....;@..(..I6H0s.=.xF..V..\|...d..H..[!M....[.H....LY.9.B ....h.u..T...E......Y.....z."...:..X..~0x...&... ....l.b.......$.Mc....+..@.j<.p.a.).Y.:].q@..2T.=a!].........}...R@2e>.3.]tm....Fev....-...Wn.[.!.w.*k+.I.....q. \.....Qp...s/...W..c..R`...\....xj.....mNEb..[.p.....?..:...(O.um"Z.=.T.@.8.M.8........PK..........!.........N......._rels/.rels ...(...........................

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	7.998140922332344
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	442.docx.exe
File size:	25'141'051 bytes
MD5:	fb8117b1a3f0924100fbc209dbbb1bb1
SHA1:	9d18c954eae8e8f8437d4e32d0b685f3f51b982b
SHA256:	beaa1498a67bab02bc4c08f00bde36489aaa86ad8b01ee70b477452a08d360ec
SHA512:	fcaba4304f26eefa476202e17ca85c3f994d2086f78fa86f1d73f7d6c926825a4ac3b02ceae2d8cde3583f02fdbf87139741035368f6d4b77c4f8c790df330fd
SSDEEP:	393216:bnD8YsCFVxnq/mIhNAl2543UCCCQrTTNi5NRmclImNm/U29ieL:bgYlFV8/1AbOrXNihH29LL
TLSH:	14473325EE400AB1E2FAD47098159413D63C3C5DC228B2A722F997287FF7B755B67388
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$.2.`.\.`.\.`.\..y..h.\..y....\..y..m.\.....b.\...X.r.\..._.j.\...Y.Y.\.i...i.\.i...b.\.i...g.\.`.].C.\...Y.R.\...\.a.\.....a.\

Entrypoint:	0x140032ee0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x66409723 [Sun May 12 10:17:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	b1c5b1beabd90d9fdabd1df0779ea832

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x597a0	0x34	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x597d4	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x70000	0x1558c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x6a000	0x306c	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x86000	0x970	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x536c0	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x53780	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4b3f0	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x48000	0x508	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x588bc	0x120	.rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4676e	0x46800	f06bb06e02377ae8b223122e53be35c2	False	0.5372340425531915	data	6.47079645411382	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x48000	0x128c4	0x12a00	2de06d4a6920a6911e64ff20000ea72f	False	0.4499003775167785	data	5.273999097784603	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5b000	0xe75c	0x1a00	0dbdb901a7d477980097e42e511a94fb	False	0.28275240384615385	data	3.2571023907881185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x6a000	0x306c	0x3200	b0ce0f057741ad2a4ef4717079fa34e9	False	0.483359375	data	5.501810413666288	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat	0x6e000	0x360	0x400	1fcc7b1d7a02443319f8fcc2be4ca936	False	0.2578125	data	3.0459938492946015	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA	0x6f000	0x15c	0x200	3f331ec50f09ba861beaf955b33712d5	False	0.408203125	data	3.3356393424384843	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x70000	0x1558c	0x15600	50f0a4d841d0856138dbb9d7187108bf	False	0.1905953033625731	data	5.443581422941128	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x86000	0x970	0xa00	77a9ddfc47a5650d6eebbcc823e39532	False	0.52421875	data	5.336289720085303	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	ZLIB Complexity
PNG	0x70554	0xb45	PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced	1.0027729636048528
PNG	0x7109c	0x15a9	PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced	0.9363390441839495
RT_ICON	0x72648	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 15118 x 15118 px/m	0.06374955637051934
RT_DIALOG	0x82e70	0x2ba	data	0.5286532951289399
RT_DIALOG	0x8312c	0x13a	data	0.6560509554140127
RT_DIALOG	0x83268	0xf2	data	0.71900826446281
RT_DIALOG	0x8335c	0x14a	data	0.6
RT_DIALOG	0x834a8	0x314	data	0.47588832487309646
RT_DIALOG	0x837bc	0x24a	data	0.6279863481228669
RT_STRING	0x83a08	0x1fc	data	0.421259842519685
RT_STRING	0x83c04	0x246	data	0.41924398625429554
RT_STRING	0x83e4c	0x1a6	data	0.514218009478673
RT_STRING	0x83ff4	0xdc	data	0.65
RT_STRING	0x840d0	0x470	data	0.3873239436619718
RT_STRING	0x84540	0x164	data	0.5056179775280899
RT_STRING	0x846a4	0x110	data	0.5772058823529411
RT_STRING	0x847b4	0x158	data	0.4563953488372093
RT_STRING	0x8490c	0xe8	data	0.5948275862068966
RT_STRING	0x849f4	0x1c6	data	0.5242290748898678
RT_STRING	0x84bbc	0x268	data	0.4837662337662338
RT_GROUP_ICON	0x84e24	0x14	data	1.15
RT_MANIFEST	0x84e38	0x753	XML 1.0 document, ASCII text, with CRLF line terminators	0.39786666666666665

DLL	Import
KERNEL32.dll	LocalFree, GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, GetCurrentProcessId, CreateDirectoryW, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, GetVersionExW, GetModuleFileNameW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, ExpandEnvironmentStringsW, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, GlobalMemoryStatusEx, LoadResource, SizeofResource, GetTimeFormatW, GetDateFormatW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetNumberFormatW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindNextFileA, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, InitializeCriticalSectionAndSpinCount, WaitForSingleObjectEx, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, RtlPcToFileHeader, RtlUnwindEx, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, GetStringTypeW, HeapReAlloc, LCMapStringW, FindFirstFileExA
OLEAUT32.dll	SysAllocString, SysFreeString, VariantClear
gdiplus.dll	GdipCloneImage, GdipFree, GdipDisposeImage, GdipCreateBitmapFromStream, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipAlloc

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 3, 2024 12:47:24.735080004 CET	53809	53	192.168.2.4	1.1.1.1
Dec 3, 2024 12:47:25.149568081 CET	53	53809	1.1.1.1	192.168.2.4

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 3, 2024 12:47:07.237148046 CET	1.1.1.1	192.168.2.4	0xb7f5	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 3, 2024 12:47:07.237148046 CET	1.1.1.1	192.168.2.4	0xb7f5	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.208.103	A (IP address)	IN (0x0001)	false
Dec 3, 2024 12:47:07.237148046 CET	1.1.1.1	192.168.2.4	0xb7f5	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.208.71	A (IP address)	IN (0x0001)	false
Dec 3, 2024 12:47:07.237148046 CET	1.1.1.1	192.168.2.4	0xb7f5	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.208.99	A (IP address)	IN (0x0001)	false
Dec 3, 2024 12:47:07.237148046 CET	1.1.1.1	192.168.2.4	0xb7f5	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.211.37	A (IP address)	IN (0x0001)	false
Dec 3, 2024 12:47:07.237148046 CET	1.1.1.1	192.168.2.4	0xb7f5	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.59.37	A (IP address)	IN (0x0001)	false
Dec 3, 2024 12:47:07.237148046 CET	1.1.1.1	192.168.2.4	0xb7f5	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.211.39	A (IP address)	IN (0x0001)	false
Dec 3, 2024 12:47:07.237148046 CET	1.1.1.1	192.168.2.4	0xb7f5	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.211.35	A (IP address)	IN (0x0001)	false
Dec 3, 2024 12:47:07.237148046 CET	1.1.1.1	192.168.2.4	0xb7f5	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.56.102	A (IP address)	IN (0x0001)	false
Dec 3, 2024 12:47:17.780982971 CET	1.1.1.1	192.168.2.4	0x6f02	No error (0)	templatesmetadata.office.net	templatesmetadata.office.net.edgekey.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 3, 2024 12:47:25.149568081 CET	1.1.1.1	192.168.2.4	0xd074	No error (0)	id72.internetid.ru	main.internetid.ru		CNAME (Canonical name)	IN (0x0001)	false
Dec 3, 2024 12:47:25.149568081 CET	1.1.1.1	192.168.2.4	0xd074	No error (0)	main.internetid.ru		95.213.205.83	A (IP address)	IN (0x0001)	false

Timestamp	Bytes transferred	Direction	Data
Dec 3, 2024 12:48:18.986464024 CET	6	OUT	Data Raw: 00 00 00 07 Data Ascii:
Dec 3, 2024 12:48:18.986479044 CET	6	OUT	Data Raw: 00 00 00 03 Data Ascii:
Dec 3, 2024 12:48:20.628106117 CET	4	IN	Data Raw: 00 01 12 7e Data Ascii: ~
Dec 3, 2024 12:48:20.628274918 CET	6	OUT	Data Raw: 00 01 12 7e Data Ascii: ~
Dec 3, 2024 12:48:20.628309965 CET	6	OUT	Data Raw: 00 00 00 01 Data Ascii:
Dec 3, 2024 12:48:20.628328085 CET	6	OUT	Data Raw: 2d 2d 0d 0a Data Ascii: --
Dec 3, 2024 12:48:20.628346920 CET	6	OUT	Data Raw: 00 00 00 2e Data Ascii: .
Dec 3, 2024 12:48:20.628367901 CET	46	OUT	Data Raw: 22 00 43 00 6f 00 6d 00 70 00 75 00 74 00 65 00 72 00 20 00 6e 00 61 00 6d 00 65 00 3a 00 20 00 39 00 39 00 32 00 35 00 34 00 37 00 22 00 Data Ascii: "Computer name: 992547"
Dec 3, 2024 12:48:21.465563059 CET	4	IN	Data Raw: 00 00 00 00 Data Ascii:
Dec 3, 2024 12:48:22.469597101 CET	4	IN	Data Raw: 00 00 00 00 Data Ascii:

Target ID:	0
Start time:	06:46:56
Start date:	03/12/2024
Path:	C:\Users\user\Desktop\442.docx.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\442.docx.exe"
Imagebase:	0x7ff7ed6a0000
File size:	25'141'051 bytes
MD5 hash:	FB8117B1A3F0924100FBC209DBBB1BB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	06:46:57
Start date:	03/12/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\intel\Word.msi" /qn
Imagebase:	0x7ff6b6330000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	06:46:59
Start date:	03/12/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding 3A7D5E944AD6C6FD24895B2767E40451
Imagebase:	0xe60000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	06:47:01
Start date:	03/12/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:	0x7ff6eef20000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	06:47:06
Start date:	03/12/2024
Path:	C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\intel\Word.msi"
Imagebase:	0x310000
File size:	11'132'168 bytes
MD5 hash:	CB9BE257064162076EBD4869CD97E166
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000009.00000000.1818406969.0000000000DC5000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Author: Joe Security Rule: MALWARE_Win_RemoteUtilitiesRAT, Description: RemoteUtilitiesRAT RAT payload, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, Author: ditekSHen
Antivirus matches:	Detection: 13%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	10
Start time:	06:47:09
Start date:	03/12/2024
Path:	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
Imagebase:	0x820000
File size:	21'764'872 bytes
MD5 hash:	D563A4D6BFCFE6884D1AC88824CB5C2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 0000000A.00000000.1856486408.0000000001CE1000.00000002.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Author: Joe Security Rule: MALWARE_Win_RemoteUtilitiesRAT, Description: RemoteUtilitiesRAT RAT payload, Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, Author: ditekSHen
Antivirus matches:	Detection: 12%, ReversingLabs
Reputation:	low
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 442.docx.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Config.Msi\440b42.rbs

C:\Program Files (x86)\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\HeartbeatCache.xml

C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf

C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe

C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe

C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll

C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe

C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll

C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\printer.ico

C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exe

C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe

C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\rppd.lng

Windows Analysis Report
442.docx.exe

Target ID:	12
Start time:	06:47:14
Start date:	03/12/2024
Path:	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
Imagebase:	0x820000
File size:	21'764'872 bytes
MD5 hash:	D563A4D6BFCFE6884D1AC88824CB5C2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Target ID:	15
Start time:	06:47:16
Start date:	03/12/2024
Path:	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
Imagebase:	0x820000
File size:	21'764'872 bytes
MD5 hash:	D563A4D6BFCFE6884D1AC88824CB5C2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Target ID:	16
Start time:	06:47:17
Start date:	03/12/2024
Path:	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -service
Imagebase:	0x820000
File size:	21'764'872 bytes
MD5 hash:	D563A4D6BFCFE6884D1AC88824CB5C2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000010.00000002.3578675457.0000000002B18000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000010.00000003.1936056705.0000000006601000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Target ID:	17
Start time:	06:47:18
Start date:	03/12/2024
Path:	C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
Imagebase:	0x310000
File size:	11'132'168 bytes
MD5 hash:	CB9BE257064162076EBD4869CD97E166
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000011.00000002.3572801729.00000000017DA000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RMSRemoteAdmin, Description: Yara detected RMS RemoteAdmin tool, Source: 00000011.00000002.3572801729.00000000017B6000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Target ID:	19
Start time:	06:47:26
Start date:	03/12/2024
Path:	C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
Imagebase:	0x310000
File size:	11'132'168 bytes
MD5 hash:	CB9BE257064162076EBD4869CD97E166
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Has exited:	true

Target ID:	20
Start time:	06:48:08
Start date:	03/12/2024
Path:	C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
Imagebase:	0x820000
File size:	21'764'872 bytes
MD5 hash:	D563A4D6BFCFE6884D1AC88824CB5C2A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Has exited:	true

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	26

Execution Coverage:	6.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	82
Total number of Limit Nodes:	7

Execution Coverage:	5.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	32
Total number of Limit Nodes:	2

Execution Coverage:	8.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	23
Total number of Limit Nodes:	1