Windows Analysis Report
J4zGPhVRV3.exe

Overview

General Information

Sample name: J4zGPhVRV3.exe
renamed because original name is a hash value
Original sample name: 55cb5fa83a98b9d7cc70cad5fe59f44f8d48956b363df2fbf7ad649b9c4970e5.exe
Analysis ID: 1544725
MD5: 3bca758ce1d5c3858ac8e10a2a38b514
SHA1: 0f9de1a1b10f85941f89dbf603cc587323e2c003
SHA256: 55cb5fa83a98b9d7cc70cad5fe59f44f8d48956b363df2fbf7ad649b9c4970e5
Tags: 873901, exe, RemoteManipulator, user-JAMESWT_MHT

Detection

RMSRemoteAdmin
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Changes security center settings (notifications, updates, antivirus, firewall)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
IP address seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Use Short Name Path in Command Line
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected RMS RemoteAdmin tool
Yara signature match

Classification

AV Detection

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe ReversingLabs: Detection: 26%
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe ReversingLabs: Detection: 26%
Source: J4zGPhVRV3.exe ReversingLabs: Detection: 47%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 97.8% probability
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 16_2_6C493760 rmsEncEncryptData, 16_2_6C493760
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 16_2_6C494000 rmsEncRsaPublicDecrypt,memcpy,memcpy,memcpy, 16_2_6C494000
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 16_2_6C493D30 rmsEncRsaPrivateDecrypt,memcpy,memcpy,memcpy, 16_2_6C493D30
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 16_2_6C4938C0 rmsEncDecryptData, 16_2_6C4938C0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 16_2_6C4942D0 rmsEncRsaPrivateEncrypt,memcpy,memcpy,memcpy, 16_2_6C4942D0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 16_2_6C493AE0 rmsEncRsaPublicEncrypt,memcpy, 16_2_6C493AE0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 16_2_6C4945A0 rmsEncInitSimpleEncryption,memcpy,memcpy, 16_2_6C4945A0
Source: rfusclient.exe, 00000010.00000000.1422949051.00000000010D9000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_713197f1-4

Compliance

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Unpacked PE file: 16.2.rfusclient.exe.620000.0.unpack
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\ProgramData\Remote Manipulator System\install.log
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf
Source: J4zGPhVRV3.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: J4zGPhVRV3.exe, 00000004.00000002.1304582479.00007FF69E5B8000.00000002.00000001.01000000.00000004.sdmp, J4zGPhVRV3.exe, 00000004.00000000.1278503492.00007FF69E5B8000.00000002.00000001.01000000.00000004.sdmp
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\svchost.exe File opened: d:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\System32\svchost.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5840BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 4_2_00007FF69E5840BC
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E59B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 4_2_00007FF69E59B190
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5AFCA0 FindFirstFileExA, 4_2_00007FF69E5AFCA0
Source: global traffic TCP traffic: 192.168.2.7:57244 -> 111.90.140.51:8080
Source: global traffic TCP traffic: 192.168.2.7:57245 -> 65.21.245.7:8080
Source: global traffic TCP traffic: 192.168.2.7:57248 -> 111.90.140.34:5651
Source: Joe Sandbox View IP Address: 65.21.245.7 65.21.245.7
Source: global traffic HTTP traffic detected:
GET /onboarding/smskillreader.txt HTTP/1.1
Host: armmf.adobe.com
Connection: keep-alive
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ReaderServices/23.6.20320 Chrome/105.0.0.0 Safari/537.36
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
If-None-Match: "78-5faa31cce96da"
If-Modified-Since: Mon, 01 May 2023 15:02:33 GMT
Source: unknown TCP traffic detected without corresponding DNS query: 96.6.160.189
Source: unknown TCP traffic detected without corresponding DNS query: 111.90.140.51
Source: unknown TCP traffic detected without corresponding DNS query: 65.21.245.7
Source: unknown TCP traffic detected without corresponding DNS query: 111.90.140.34
Source: global traffic DNS traffic detected: DNS query: time.windows.com
Source: global traffic DNS traffic detected: DNS query: x1.i.lencr.org
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2B5000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B303000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B35A000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B277000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B3BF000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1566536646.0000000001FA5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2B5000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B303000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B35A000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B277000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B3BF000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1566536646.0000000001FA5000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1614665709.0000000001FC7000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2204497712.00000000073A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B303000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B35A000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B277000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B3BF000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1566536646.0000000001FA5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: rutserv.exe, 00000015.00000003.2207010706.0000000001FB4000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1614665709.0000000001FAD000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000002.3747982904.0000000001FB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/
Source: rutserv.exe, 00000015.00000002.3747982904.0000000001FB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B303000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B35A000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B277000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B3BF000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1566536646.0000000001FA5000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000002.3755525600.0000000002031000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0V
Source: rutserv.exe, 00000015.00000003.2510641067.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2416091502.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2480577049.0000000002022000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000002.3753492646.000000000201D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crlmF
Source: rutserv.exe, 00000015.00000003.2510641067.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1614665709.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2416091502.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2480577049.0000000002022000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2480577049.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000002.3753492646.000000000201D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl
Source: rutserv.exe, 00000015.00000003.1614665709.000000000201D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl.
Source: rutserv.exe, 00000015.00000003.2510641067.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1614665709.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2416091502.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2480577049.0000000002022000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000002.3753492646.000000000201D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl/
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B303000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B35A000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B277000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B3BF000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2510641067.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1566536646.0000000001FA5000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2206774620.0000000007352000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2416091502.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2480577049.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000002.3816497054.0000000007350000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000002.3753492646.000000000201D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crl0
Source: rutserv.exe, 00000015.00000003.1612834790.00000000073BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/gsgccr45codesignca2020.crltyD
Source: rutserv.exe, 00000015.00000003.2207010706.0000000001FB4000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1614665709.0000000001FAD000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000002.3747982904.0000000001FB4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/p
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B303000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B35A000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B277000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B3BF000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1566536646.0000000001FA5000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2203008371.0000000002031000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: svchost.exe, 0000000A.00000002.2755374124.0000020074212000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.ver)
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B303000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B35A000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B277000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B3BF000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1566536646.0000000001FA5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2B5000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B303000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B35A000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B277000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B3BF000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1566536646.0000000001FA5000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1614665709.0000000001FC7000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2204497712.00000000073A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B303000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B35A000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B277000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B3BF000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1566536646.0000000001FA5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2B5000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2B5000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2B5000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: svchost.exe, 0000000A.00000003.1313129110.0000020074110000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: rfusclient.exe, 00000010.00000000.1420516401.000000000066F000.00000020.00000001.01000000.0000000B.sdmp, rutserv.exe, 00000012.00000000.1464455991.00000000004F1000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000015.00000003.1552738592.000000007B750000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1563013943.000000007CC50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://madExcept.comU
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B303000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B35A000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B277000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B3BF000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1566536646.0000000001FA5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2B5000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B303000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B35A000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B277000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2F2000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B3BF000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1566536646.0000000001FA5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2B5000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B303000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B35A000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B277000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B3BF000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1566536646.0000000001FA5000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1614665709.0000000001FC7000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2204497712.00000000073A7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: rutserv.exe, 00000015.00000003.2206774620.0000000007352000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/
Source: rutserv.exe, 00000015.00000003.2206774620.0000000007352000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/bX
Source: rutserv.exe, 00000015.00000003.1614665709.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2416091502.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2480577049.0000000002022000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000002.3753492646.000000000201D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6N
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B303000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B35A000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B277000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B3BF000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1566536646.0000000001FA5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: rutserv.exe, 00000015.00000003.2203008371.0000000002031000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr45http://crl.globalsign.com/codesigningrootr45.crlOF
Source: rutserv.exe, 00000015.00000003.2206774620.0000000007352000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2206774620.0000000007360000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1612834790.00000000073BD000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000002.3816497054.0000000007360000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBTLuA3ygnKW%2F7xuSx%2
Source: rutserv.exe, 00000015.00000003.2206774620.0000000007360000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000002.3816497054.0000000007360000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCUABBTLuA3ygnKW%2F7xuSx%2F0
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B303000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B35A000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B277000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B3BF000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2510641067.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1566536646.0000000001FA5000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2206774620.0000000007352000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2416091502.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2480577049.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000002.3816497054.0000000007350000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000002.3753492646.000000000201D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca20200V
Source: rutserv.exe, 00000015.00000003.2510641067.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2416091502.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2480577049.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000002.3753492646.000000000201D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/gsgccr45codesignca2020http://crl.globalsign.com/gsgccr45codesignca2020.cr
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B303000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B35A000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B277000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B3BF000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1566536646.0000000001FA5000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2203008371.0000000002031000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: rutserv.exe, 00000015.00000003.2206774620.0000000007352000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com/rootr3http://crl.globalsign.com/root-r3.crlbBby
Source: rutserv.exe, 00000015.00000002.3747982904.0000000001F48000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.globalsign.com:80
Source: rutserv.exe, 00000012.00000000.1478283984.00000000019E5000.00000002.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000015.00000002.3800200492.0000000004225000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 00000015.00000002.3800200492.00000000041C8000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://rmansys.ru/internet-id/
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2B5000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2B5000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: rfusclient.exe, 00000010.00000000.1420516401.000000000066F000.00000020.00000001.01000000.0000000B.sdmp, rutserv.exe, 00000012.00000000.1464455991.00000000004F1000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000015.00000003.1552738592.000000007B750000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1563013943.000000007CC50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B303000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B35A000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B277000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B3BF000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1566536646.0000000001FA5000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000002.3755525600.0000000002031000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B303000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B35A000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B277000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B3BF000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2510641067.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1566536646.0000000001FA5000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2206774620.0000000007352000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2416091502.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2480577049.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000002.3816497054.0000000007350000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000002.3753492646.000000000201D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt0=
Source: rutserv.exe, 00000015.00000003.1614665709.0000000002037000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000002.3755525600.0000000002031000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45codesignca2020.crt1.3.6.1.5.5.7.48.1http://ocsp.globalsi
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B303000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B35A000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B277000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B3BF000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1566536646.0000000001FA5000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2203008371.0000000002031000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: rfusclient.exe, 00000010.00000000.1422949051.00000000010D9000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 00000012.00000000.1478283984.00000000019E5000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd
Source: svchost.exe, 00000002.00000002.3741897939.0000026853318000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.3740763162.0000026852A87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://standards.iso.org/iso/19770/-2/2009/schema.xsd
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2B5000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2B5000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2B5000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: rutserv.exe, 00000012.00000000.1464455991.00000000004F1000.00000020.00000001.01000000.0000000D.sdmp String found in binary or memory: http://update.tektonit.ru/upgrade.ini
Source: rutserv.exe, 00000012.00000000.1464455991.00000000004F1000.00000020.00000001.01000000.0000000D.sdmp String found in binary or memory: http://update.tektonit.ru/upgrade_beta.ini
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2B5000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2B5000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.flexerasoftware.com0
Source: rfusclient.exe, 00000010.00000003.1451319761.0000000003143000.00000004.00001000.00020000.00000000.sdmp, rfusclient.exe, 00000010.00000000.1420516401.0000000000E7D000.00000020.00000001.01000000.0000000B.sdmp, rutserv.exe, 00000012.00000003.1498771327.0000000003713000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 00000012.00000000.1464455991.0000000001471000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000013.00000003.1532539824.0000000003C03000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 00000014.00000003.1578680590.0000000003B53000.00000004.00001000.00020000.00000000.sdmp, rutserv.exe, 00000015.00000002.3759250551.000000000261C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.indyproject.org/
Source: rfusclient.exe, 00000010.00000000.1422949051.00000000010D9000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 00000012.00000000.1478283984.00000000019E5000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: http://www.inkscape.org/namespaces/inkscape
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2B5000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2B5000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: rutserv.exe, 00000012.00000002.1516529381.000000006C9D7000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: rutserv.exe, 00000012.00000002.1516529381.000000006C9D7000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://curl.se/docs/hsts.html
Source: rfusclient.exe, 00000010.00000002.1462099404.000000006C910000.00000002.00000001.01000000.0000000C.sdmp, rutserv.exe, 00000012.00000002.1516529381.000000006C9D7000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2B5000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2B5000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: svchost.exe, 0000000A.00000003.1313129110.0000020074169000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 0000000A.00000003.1313129110.0000020074110000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: rutserv.exe, 00000012.00000002.1516529381.000000006C9EF000.00000002.00000001.01000000.0000000C.sdmp String found in binary or memory: https://gcc.gnu.org/bugsrg/bugs/):
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B25A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rmansys.ru/IS_PREVENT_DOWNGRADE_EXITZ_DOWNGRADE_DETECTED;Z_UPGRADE_DETECTED;COMPANYNAME;INST
Source: rutserv.exe, 00000015.00000002.3759250551.000000000261C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://rmansys.ru/remote-access/
Source: rutserv.exe, 00000015.00000002.3759250551.000000000261C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://rmansys.ru/remote-access//rmansys.ru/remote-access/
Source: rutserv.exe, 00000015.00000002.3759250551.000000000261C000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://rmansys.ru/remote-access//rmansys.ru/remote-access/O
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2B5000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2F2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B303000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B35A000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B277000.00000004.00000020.00020000.00000000.sdmp, J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B3BF000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2510641067.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.1566536646.0000000001FA5000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2206774620.0000000007352000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000002.3755525600.0000000002031000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2416091502.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2203008371.0000000002031000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2480577049.000000000201D000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000002.3816497054.0000000007350000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000002.3753492646.000000000201D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.globalsign.com/repository/0
Source: rfusclient.exe, 00000010.00000000.1422949051.00000000010D9000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 00000012.00000000.1478283984.00000000019E5000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: https://www.remoteutilities.com/about/privacy-policy.php
Source: rfusclient.exe, 00000010.00000000.1422949051.00000000010D9000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 00000012.00000000.1478283984.00000000019E5000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: https://www.remoteutilities.com/buy/money-back-guarantee.php
Source: rfusclient.exe, 00000010.00000000.1422949051.00000000010D9000.00000002.00000001.01000000.0000000B.sdmp, rutserv.exe, 00000012.00000000.1478283984.00000000019E5000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: https://www.remoteutilities.com/support/docs/installing-and-uninstalling/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_E818918BC57803438E0E0146A88425A7 Jump to dropped file
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BD92F95DED26541D3AF7F44DC7914843 Jump to dropped file
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164 Jump to dropped file
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4A62E94087F64223B9812F11186592BA Jump to dropped file
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C Jump to dropped file

System Summary

Source: 16.0.rfusclient.exe.620000.0.unpack, type: UNPACKEDPE Matched rule: RemoteUtilitiesRAT RAT payload Author: ditekSHen
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, type: DROPPED Matched rule: RemoteUtilitiesRAT RAT payload Author: ditekSHen
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, type: DROPPED Matched rule: RemoteUtilitiesRAT RAT payload Author: ditekSHen
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E57C2F0: CreateFileW,CloseHandle,wcscpy,wcscpy,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 4_2_00007FF69E57C2F0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Code function: 21_2_0096E6AC CreateProcessAsUserW,CreateProcessAsUserW,CreateProcessW, 21_2_0096E6AC
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\41737e.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7E5B.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{827D98D4-CA0D-43D0-8133-225659FBBC61} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI8830.tmp Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\417381.msi Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{827D98D4-CA0D-43D0-8133-225659FBBC61} Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{827D98D4-CA0D-43D0-8133-225659FBBC61}\ARPPRODUCTICON.exe Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{827D98D4-CA0D-43D0-8133-225659FBBC61}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{827D98D4-CA0D-43D0-8133-225659FBBC61}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{827D98D4-CA0D-43D0-8133-225659FBBC61}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{827D98D4-CA0D-43D0-8133-225659FBBC61}\server_start_C00864331B9D4391A8A26292A601EBE2.exe Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50385F8EB1F713E33924A830D7A2A41C
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A1D627669EFC8CD4F21BCF387D97F9B5_E818918BC57803438E0E0146A88425A7
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_E818918BC57803438E0E0146A88425A7
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4A62E94087F64223B9812F11186592BA
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4A62E94087F64223B9812F11186592BA
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BD92F95DED26541D3AF7F44DC7914843
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BD92F95DED26541D3AF7F44DC7914843
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSI7E5B.tmp Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E575E24 4_2_00007FF69E575E24
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E59CE88 4_2_00007FF69E59CE88
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E591F20 4_2_00007FF69E591F20
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5A0754 4_2_00007FF69E5A0754
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E584928 4_2_00007FF69E584928
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E57F930 4_2_00007FF69E57F930
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E58A4AC 4_2_00007FF69E58A4AC
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E593484 4_2_00007FF69E593484
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E59B190 4_2_00007FF69E59B190
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5B2080 4_2_00007FF69E5B2080
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E592D58 4_2_00007FF69E592D58
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E598DF4 4_2_00007FF69E598DF4
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E58AF18 4_2_00007FF69E58AF18
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E594B98 4_2_00007FF69E594B98
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E58BB90 4_2_00007FF69E58BB90
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E585B60 4_2_00007FF69E585B60
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5A8C1C 4_2_00007FF69E5A8C1C
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5A89A0 4_2_00007FF69E5A89A0
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E593964 4_2_00007FF69E593964
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E58C96C 4_2_00007FF69E58C96C
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E571AA4 4_2_00007FF69E571AA4
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E592AB0 4_2_00007FF69E592AB0
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5AFA94 4_2_00007FF69E5AFA94
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E581A48 4_2_00007FF69E581A48
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5B5AF8 4_2_00007FF69E5B5AF8
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5AC838 4_2_00007FF69E5AC838
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E574840 4_2_00007FF69E574840
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5B2550 4_2_00007FF69E5B2550
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5776C0 4_2_00007FF69E5776C0
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5953F0 4_2_00007FF69E5953F0
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E58B534 4_2_00007FF69E58B534
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E58F180 4_2_00007FF69E58F180
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5921D0 4_2_00007FF69E5921D0
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E577288 4_2_00007FF69E577288
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E58126C 4_2_00007FF69E58126C
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E57A310 4_2_00007FF69E57A310
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E57C2F0 4_2_00007FF69E57C2F0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 16_2_6C546850 16_2_6C546850
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 16_2_6C8D7080 16_2_6C8D7080
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 16_2_6C845AE0 16_2_6C845AE0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Code function: 16_2_6C845800 16_2_6C845800
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Code function: 21_2_0096E6AC 21_2_0096E6AC
Source: unires_vpd.dll.8.dr Static PE information: Resource name: None type: COM executable for DOS
Source: unires_vpd.dll0.8.dr Static PE information: Resource name: None type: COM executable for DOS
Source: rutserv.exe.8.dr Static PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: rfusclient.exe.8.dr Static PE information: Resource name: RT_STRING type: PDP-11 separate I&D executable not stripped
Source: rfusclient.exe.8.dr Static PE information: Resource name: RT_RCDATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: unidrvui_rppd.dll0.8.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: libasset32.dll.8.dr Static PE information: Number of sections : 19 > 10
Source: libcodec32.dll.8.dr Static PE information: Number of sections : 20 > 10
Source: rutserv.exe.8.dr Static PE information: Number of sections : 11 > 10
Source: rfusclient.exe.8.dr Static PE information: Number of sections : 11 > 10
Source: unires_vpd.dll0.8.dr Static PE information: No import functions for PE file found
Source: unires_vpd.dll.8.dr Static PE information: No import functions for PE file found
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B2B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameISRegSvr.dll vs J4zGPhVRV3.exe
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B303000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_IsIcoRes.exe< vs J4zGPhVRV3.exe
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B35A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_IsIcoRes.exe< vs J4zGPhVRV3.exe
Source: J4zGPhVRV3.exe, 00000004.00000003.1298816778.00000183794B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsiexec.exe.muiX vs J4zGPhVRV3.exe
Source: J4zGPhVRV3.exe, 00000004.00000002.1303027978.00000183794B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsiexec.exe.muiX vs J4zGPhVRV3.exe
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B277000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_IsIcoRes.exe< vs J4zGPhVRV3.exe
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B277000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameSetAllUsers.dll< vs J4zGPhVRV3.exe
Source: J4zGPhVRV3.exe, 00000004.00000003.1291857327.000001837B3BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename_IsIcoRes.exe< vs J4zGPhVRV3.exe
Source: 16.0.rfusclient.exe.620000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RemoteUtilitiesRAT author = ditekSHen, description = RemoteUtilitiesRAT RAT payload, clamav_sig = MALWARE.Win.Trojan.RemoteUtilitiesRAT
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, type: DROPPED Matched rule: MALWARE_Win_RemoteUtilitiesRAT author = ditekSHen, description = RemoteUtilitiesRAT RAT payload, clamav_sig = MALWARE.Win.Trojan.RemoteUtilitiesRAT
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, type: DROPPED Matched rule: MALWARE_Win_RemoteUtilitiesRAT author = ditekSHen, description = RemoteUtilitiesRAT RAT payload, clamav_sig = MALWARE.Win.Trojan.RemoteUtilitiesRAT
Source: unires_vpd.dll0.8.dr Static PE information: Section .rsrc
Source: unires_vpd.dll.8.dr Static PE information: Section .rsrc
Source: classification engine Classification label: mal88.evad.winEXE@48/135@2/5
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E57B6D8 GetLastError,FormatMessageW,LocalFree, 4_2_00007FF69E57B6D8
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E598624 FindResourceExW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 4_2_00007FF69E598624
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Code function: 21_2_00A03498 StartServiceCtrlDispatcherW, 21_2_00A03498
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Code function: 21_2_00A03498 StartServiceCtrlDispatcherW, 21_2_00A03498
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe File created: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents-journal Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$216c
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\RManFUSTray
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$20c0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: NULL
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$213c
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: \Sessions\1\BaseNamedObjects\HookTThread$2218
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5832:120:WilError_03
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Mutant created: \BaseNamedObjects\HookTThread$21b0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$218c
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\RManFUSLocal
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Mutant created: \BaseNamedObjects\madExceptSettingsMtx$21b0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$2218
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$2210
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Mutant created: \BaseNamedObjects\madExceptSettingsMtx$21ec
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: \Sessions\1\BaseNamedObjects\madExceptSettingsMtx$f50
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Mutant created: \Sessions\1\BaseNamedObjects\HookTThread$2210
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_4287359 Jump to behavior
Source: J4zGPhVRV3.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key opened: HKEY_USERS.DEFAULT\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe File read: C:\Windows\win.ini Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: J4zGPhVRV3.exe ReversingLabs: Detection: 47%
Source: rfusclient.exe String found in binary or memory: ENGINESDIR: "E:/dev/vcpkg/installed/x86-mingw-static/lib/engines-3"
Source: rfusclient.exe String found in binary or memory: MODULESDIR: "E:/dev/vcpkg/installed/x86-mingw-static/lib/ossl-modules"
Source: rfusclient.exe String found in binary or memory: E:/dev/vcpkg/installed/x86-mingw-static/lib/engines-3
Source: rfusclient.exe String found in binary or memory: E:/dev/vcpkg/installed/x86-mingw-static/lib/ossl-modules
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe File read: C:\Users\user\Desktop\J4zGPhVRV3.exe Jump to behavior
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown Process created: C:\Users\user\Desktop\J4zGPhVRV3.exe "C:\Users\user\Desktop\J4zGPhVRV3.exe"
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user~1\AppData\Local\Temp\file.pdf"
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user~1\AppData\Local\Temp\winrar.msi" /qn
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2112 --field-trial-handle=1740,i,9168305141304841160,3939740794304371731,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 454D404CF2CD6CFC0CCDA935FCCB9601
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\Users\user~1\AppData\Local\Temp\winrar.msi"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
Source: unknown Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -service
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user~1\AppData\Local\Temp\file.pdf" Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user~1\AppData\Local\Temp\winrar.msi" /qn Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --backgroundcolor=16777215 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 454D404CF2CD6CFC0CCDA935FCCB9601 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" -msi_copy "C:\Users\user~1\AppData\Local\Temp\winrar.msi" Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="ReaderServices/23.6.20320 Chrome/105.0.0.0" --lang=en-US --log-file="C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\debug.log" --mojo-platform-channel-handle=2112 --field-trial-handle=1740,i,9168305141304841160,3939740794304371731,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8 Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe"
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe" /tray
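The process-creation lines above describe the whole installation chain: the submitted executable opens a PDF from Temp in Acrobat while running msiexec silently (/i ... /qn) on an MSI from the same directory, and that installer's custom actions run rutserv.exe with /silentinstall, -firewall and /start, after which rutserv.exe is started again with -service by a parent the sandbox did not trace. The following is an added example, not part of the Joe Sandbox report: the events are transcribed from the lines above as (parent, child, command line) records, and a detector rebuilds the parent/child tree and flags the decoy-plus-silent-install pattern. The heuristics (Temp-directory regex, document extensions, the treatment of an untraced parent as the service control manager) are this example's own assumptions.

```python
import re
from collections import defaultdict

# Added example: process-tree detection for the install chain in the report.
# Records below are transcribed from the report's "Process created" lines;
# the detection heuristics are this example's own, not the sandbox's.

DROPPER = r"C:\Users\user\Desktop\J4zGPhVRV3.exe"
ACROBAT = r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe"
MSIEXEC = r"C:\Windows\System32\msiexec.exe"
RMS_DIR = r"C:\Program Files (x86)\Remote Manipulator System - Host"
RUTSERV = RMS_DIR + r"\rutserv.exe"
RFUSCLI = RMS_DIR + r"\rfusclient.exe"
TEMP_MSI = r"C:\Users\user~1\AppData\Local\Temp\winrar.msi"
TEMP_PDF = r"C:\Users\user~1\AppData\Local\Temp\file.pdf"

# (parent image, child image, command line); "unknown" = parent not traced by the sandbox
PROCESS_EVENTS = [
    ("unknown", DROPPER, '"%s"' % DROPPER),
    (DROPPER, ACROBAT, '"%s" "%s"' % (ACROBAT, TEMP_PDF)),
    (DROPPER, MSIEXEC, '"%s" /i "%s" /qn' % (MSIEXEC, TEMP_MSI)),
    (MSIEXEC, RFUSCLI, '"%s" -msi_copy "%s"' % (RFUSCLI, TEMP_MSI)),
    (MSIEXEC, RUTSERV, '"%s" /silentinstall' % RUTSERV),
    (MSIEXEC, RUTSERV, '"%s" -firewall' % RUTSERV),
    (MSIEXEC, RUTSERV, '"%s" /start' % RUTSERV),
    ("unknown", RUTSERV, '"%s" -service' % RUTSERV),
    (RUTSERV, RUTSERV, '"%s" -firewall' % RUTSERV),
    (RUTSERV, RFUSCLI, '"%s"' % RFUSCLI),
    (RUTSERV, RFUSCLI, '"%s" /tray' % RFUSCLI),
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)   # assumption: staging dir
DOC_EXT = (".pdf", ".doc", ".docx", ".rtf", ".xls", ".xlsx", ".txt")  # assumption: decoy types
RMS_BINARIES = {"rutserv.exe", "rfusclient.exe"}


def tokens(cmdline):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_rms_install(events):
    """Rebuild the parent/child tree and collect the indicators of the install chain."""
    children = defaultdict(list)
    for parent, child, cmdline in events:
        children[parent].append((child, cmdline))

    f = {"dropper": None, "silent_msi_from_temp": [], "decoy_documents": [],
         "rutserv_switches": set(), "rms_spawned_by_installer": set(),
         "rutserv_as_service": False}

    for parent, kids in children.items():
        msis, docs = [], []
        for child, cmdline in kids:
            toks = tokens(cmdline)
            name = basename(child)
            # silent install (/i ... /qn) of a package staged in the user's Temp directory
            if name == "msiexec.exe" and "/i" in toks and "/qn" in toks:
                i = toks.index("/i") + 1
                pkg = toks[i] if i < len(toks) else ""
                if TEMP_RE.search(pkg):
                    msis.append(pkg)
            # any child handed a document from Temp: the decoy the user is meant to see
            docs += [a for a in toks[1:] if TEMP_RE.search(a) and a.lower().endswith(DOC_EXT)]
            if name == "rutserv.exe":
                f["rutserv_switches"].update(t for t in toks[1:] if t[:1] in ("/", "-"))
                if parent == "unknown" and "-service" in toks:
                    f["rutserv_as_service"] = True        # started by the SCM: persistence
            if basename(parent) == "msiexec.exe" and name in RMS_BINARIES:
                f["rms_spawned_by_installer"].add(name)   # MSI custom actions
        if msis and docs:
            f["dropper"] = parent                         # one parent: decoy + silent installer
        f["silent_msi_from_temp"] += msis
        f["decoy_documents"] += docs
    return f


def verdict(f):
    """True when a silently installed Temp package turned out to be the RMS host service."""
    return bool(f["silent_msi_from_temp"]) and bool(f["rms_spawned_by_installer"]) and f["rutserv_as_service"]


if __name__ == "__main__":
    result = detect_rms_install(PROCESS_EVENTS)
    for key, value in result.items():
        print("%-26s %s" % (key, sorted(value) if isinstance(value, set) else value))
    print("verdict:", verdict(result))
```

Fed with Sysmon event ID 1 or EDR process-start records in the same (parent, child, command line) shape, the same function flags the chain on a live host; the `-service` start with no traced parent is the part worth alerting on, since it is the host being started by the service control manager rather than by the installer.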
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: aphostservice.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: networkhelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userdataplatformhelperutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mccspal.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: syncutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: syncutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dmcfgutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dmcmnutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dmxmlhelputils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: inproclogger.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windows.networking.connectivity.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: synccontroller.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: pimstore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: aphostclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: accountaccessor.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dsclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: systemeventsbrokerclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userdatalanguageutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mccsengineshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: pimstore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cemapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userdatatypehelperutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: phoneutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: storsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fltlib.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bcd.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: storageusage.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: dxgidebug.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mpr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: w32time.dll
Source: C:\Windows\System32\svchost.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: oledlg.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: msacm32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: faultrep.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: winsta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: libasset32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: olepro32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: security.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: msftedit.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: idndl.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: faultrep.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winsta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: libasset32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: olepro32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: security.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: oleacc.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_is2022.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_g18030.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_iscii.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: faultrep.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winsta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: libasset32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: olepro32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: security.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: oleacc.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_is2022.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_g18030.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_iscii.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: firewallapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: fwbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: sxs.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: faultrep.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winsta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: libasset32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: olepro32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: security.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: oleacc.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_is2022.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_g18030.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_iscii.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: faultrep.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winsta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: libasset32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: olepro32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: security.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: oleacc.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_is2022.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_g18030.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_iscii.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: idndl.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: msxml6.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: powrprof.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: umpdc.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: cryptnet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: webio.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: faultrep.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: winsta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: libasset32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: olepro32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: security.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: oleacc.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_is2022.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_g18030.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: c_iscii.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: firewallapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: fwbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Section loaded: sxs.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: oledlg.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: shfolder.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: msacm32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: winmmbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: faultrep.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: dbghelp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: dbgcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: winsta.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: libasset32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: olepro32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: security.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: msftedit.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: idndl.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: msxml6.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: oledlg.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Windows\System32\msiexec.exe File written: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppd.ini
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: J4zGPhVRV3.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: J4zGPhVRV3.exe Static file information: File size 25298721 > 1048576
Source: J4zGPhVRV3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: J4zGPhVRV3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: J4zGPhVRV3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: J4zGPhVRV3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: J4zGPhVRV3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: J4zGPhVRV3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: J4zGPhVRV3.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: J4zGPhVRV3.exe, 00000004.00000002.1304582479.00007FF69E5B8000.00000002.00000001.01000000.00000004.sdmp, J4zGPhVRV3.exe, 00000004.00000000.1278503492.00007FF69E5B8000.00000002.00000001.01000000.00000004.sdmp
Source: J4zGPhVRV3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: J4zGPhVRV3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: J4zGPhVRV3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: J4zGPhVRV3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: J4zGPhVRV3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Unpacked PE file: 16.2.rfusclient.exe.620000.0.unpack
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_4287359
Source: J4zGPhVRV3.exe Static PE information: section name: .didat
Source: J4zGPhVRV3.exe Static PE information: section name: _RDATA
Source: eventmsg.dll.8.dr Static PE information: section name: .didata
Source: webmvorbisencoder.dll.8.dr Static PE information: section name: _RDATA
Source: vp8encoder.dll.8.dr Static PE information: section name: .rodata
Source: vp8decoder.dll.8.dr Static PE information: section name: .rodata
Source: webmvorbisdecoder.dll.8.dr Static PE information: section name: _RDATA
Source: libasset32.dll.8.dr Static PE information: section name: /4
Source: libasset32.dll.8.dr Static PE information: section name: /14
Source: libasset32.dll.8.dr Static PE information: section name: /29
Source: libasset32.dll.8.dr Static PE information: section name: /41
Source: libasset32.dll.8.dr Static PE information: section name: /55
Source: libasset32.dll.8.dr Static PE information: section name: /67
Source: libasset32.dll.8.dr Static PE information: section name: /78
Source: libasset32.dll.8.dr Static PE information: section name: /94
Source: libasset32.dll.8.dr Static PE information: section name: /110
Source: libcodec32.dll.8.dr Static PE information: section name: .rodata
Source: libcodec32.dll.8.dr Static PE information: section name: /4
Source: libcodec32.dll.8.dr Static PE information: section name: /14
Source: libcodec32.dll.8.dr Static PE information: section name: /29
Source: libcodec32.dll.8.dr Static PE information: section name: /41
Source: libcodec32.dll.8.dr Static PE information: section name: /55
Source: libcodec32.dll.8.dr Static PE information: section name: /67
Source: libcodec32.dll.8.dr Static PE information: section name: /78
Source: libcodec32.dll.8.dr Static PE information: section name: /94
Source: libcodec32.dll.8.dr Static PE information: section name: /110
Source: vccorlib120.dll.8.dr Static PE information: section name: minATL
Source: rutserv.exe.8.dr Static PE information: section name: .didata
Source: rfusclient.exe.8.dr Static PE information: section name: .didata
Source: vccorlib120.dll0.8.dr Static PE information: section name: minATL
Source: eventmsg.dll.21.dr Static PE information: section name: .didata
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5B5156 push rsi; retf 4_2_00007FF69E5B5157
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5B5166 push rsi; retf 4_2_00007FF69E5B5167
Source: VPDAgent.exe.8.dr Static PE information: section name: .text entropy: 6.812931691200469
Source: msvcr120.dll.8.dr Static PE information: section name: .text entropy: 6.95576372950548
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7E5B.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{827D98D4-CA0D-43D0-8133-225659FBBC61}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\ProgramData\Remote Manipulator System\eventmsg.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{827D98D4-CA0D-43D0-8133-225659FBBC61}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{827D98D4-CA0D-43D0-8133-225659FBBC61}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\libasset32.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\vccorlib120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{827D98D4-CA0D-43D0-8133-225659FBBC61}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{827D98D4-CA0D-43D0-8133-225659FBBC61}\server_start_C00864331B9D4391A8A26292A601EBE2.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\libcodec32.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\eventmsg.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe File created: C:\ProgramData\Remote Manipulator System\install.log
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Remote Manipulator System - Host\EULA.rtf
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Remote Manipulator System - host\Remote Manipulator System - host service
Source: C:\Windows\System32\svchost.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Code function: 21_2_00A03498 StartServiceCtrlDispatcherW, 21_2_00A03498
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\msiexec.exe Key value created or modified: HKEY_LOCAL_MACHINE\SYSTEM\RMS Host Installer Security
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\svchost.exe System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe System information queried: FirmwareTableInformation
Source: rutserv.exe, 00000012.00000000.1464455991.0000000000EF1000.00000020.00000001.01000000.0000000D.sdmp, rutserv.exe, 00000014.00000002.1613537037.0000000002148000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE
Source: rutserv.exe, 00000012.00000002.1504952203.0000000001C28000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000014.00000002.1613537037.0000000002148000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXEE
Source: rutserv.exe, 00000012.00000002.1504952203.0000000001C28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE
Source: rutserv.exe, 00000012.00000002.1504952203.0000000001C28000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OLLYDBG.EXE9
Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Window / User API: threadDelayed 1576
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Window / User API: threadDelayed 1747
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Window / User API: threadDelayed 3038
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Window / User API: threadDelayed 9535
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\VPDAgent.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI7E5B.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrv_rppd.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcr120.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\emf2pdf.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{827D98D4-CA0D-43D0-8133-225659FBBC61}\server_stop_27D7873393984316BEA10FB36BB4D2F9.exe
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Dropped PE file which has not been started: C:\ProgramData\Remote Manipulator System\eventmsg.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\webmmux.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{827D98D4-CA0D-43D0-8133-225659FBBC61}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrvui_rppd.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdpm.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{827D98D4-CA0D-43D0-8133-225659FBBC61}\UNINST_Uninstall_R_3B1E3C8B7D0945898DA82CEEED02F0C7.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unires_vpd.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcr120.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\rppdui.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\setupdrv.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\vccorlib120.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unidrv_rppd.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisencoder.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpd_sdk.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{827D98D4-CA0D-43D0-8133-225659FBBC61}\server_config_C8E9A92497A149D695F92E4E3AE550F0.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\vccorlib120.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\progressbar.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\setupdrv.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdpm.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{827D98D4-CA0D-43D0-8133-225659FBBC61}\server_start_C00864331B9D4391A8A26292A601EBE2.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\fwproc.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\MessageBox.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\msvcp120.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\libcodec32.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\eventmsg.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\properties.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\vp8decoder.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\webmvorbisdecoder.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\vpdisp.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\unidrvui_rppd.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\unires_vpd.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\pdfout.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\common\srvinst.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x64\msvcp120.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\vp8encoder.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Remote Manipulator System - Host\Printer\x86\rppdui.dll
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe API coverage: 1.4 %
Source: C:\Windows\System32\svchost.exe TID: 7640 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 7660 Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 8656 Thread sleep count: 1576 > 30
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 8656 Thread sleep time: -1576000s >= -30000s
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 8680 Thread sleep time: -50000s >= -30000s
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 8752 Thread sleep time: -180000s >= -30000s
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 8772 Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 8736 Thread sleep count: 1747 > 30
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 8904 Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 8628 Thread sleep count: 40 > 30
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 8628 Thread sleep count: 51 > 30
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 8628 Thread sleep count: 40 > 30
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 8656 Thread sleep count: 3038 > 30
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe TID: 8656 Thread sleep time: -3038000s >= -30000s
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe TID: 9036 Thread sleep time: -4767500s >= -30000s
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5840BC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 4_2_00007FF69E5840BC
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E59B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 4_2_00007FF69E59B190
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5AFCA0 FindFirstFileExA, 4_2_00007FF69E5AFCA0
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5A16A4 VirtualQuery,GetSystemInfo, 4_2_00007FF69E5A16A4
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Thread delayed: delay time: 50000
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Thread delayed: delay time: 60000
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Thread delayed: delay time: 60000
Source: svchost.exe, 0000000A.00000002.2747249915.000002006EC2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW l%t
Source: rfusclient.exe, 00000010.00000002.1454050125.000000000178C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllw
Source: svchost.exe, 00000001.00000002.3737049606.0000022CEE24E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Device\HarddiskVolume1\??\Volume{ad6cc5d8-f1a9-4873-be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: svchost.exe, 00000001.00000002.3736668443.0000022CEE238000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: rutserv.exe, 00000012.00000000.1478283984.00000000015A8000.00000002.00000001.01000000.0000000D.sdmp Binary or memory string: +YQEmU0
Source: svchost.exe, 00000001.00000002.3738500353.0000022CEE285000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000001.00000002.3736668443.0000022CEE22B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000001.00000002.3738141196.0000022CEE265000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000g
Source: svchost.exe, 0000000A.00000002.2755702839.0000020074254000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2206774620.0000000007352000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000002.3747982904.0000000001F48000.00000004.00000020.00020000.00000000.sdmp, rutserv.exe, 00000015.00000003.2207010706.0000000001F7A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000001.00000002.3736339596.0000022CEE200000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000001.00000002.3736668443.0000022CEE22B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000001.00000002.3739147823.0000022CEE302000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000001.00000002.3737049606.0000022CEE24E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000C.00000002.3739280742.000002699A431000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5A76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FF69E5A76D8
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5B0D20 GetProcessHeap, 4_2_00007FF69E5B0D20
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /start
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5A76D8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FF69E5A76D8
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5A3354 SetUnhandledExceptionFilter, 4_2_00007FF69E5A3354
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5A2510 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00007FF69E5A2510
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5A3170 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FF69E5A3170
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E59B190 EndDialog,SetDlgItemTextW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,EndDialog,GetDlgItem,SendMessageW,SendMessageW,SetFocus,GetLastError,GetLastError,GetTickCount,GetLastError,GetCommandLineW,CreateFileMappingW,MapViewOfFile,ShellExecuteExW,Sleep,UnmapViewOfFile,CloseHandle,SetDlgItemTextW,SetWindowTextW,SetDlgItemTextW,SetWindowTextW,GetDlgItem,GetWindowLongPtrW,SetWindowLongPtrW,SetDlgItemTextW,SendMessageW,SendDlgItemMessageW,GetDlgItem,SendMessageW,GetDlgItem,SetDlgItemTextW,SetDlgItemTextW,DialogBoxParamW,EndDialog,EnableWindow,SendMessageW,SetDlgItemTextW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SendDlgItemMessageW,FindFirstFileW,FindClose,SendDlgItemMessageW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 4_2_00007FF69E59B190
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Process created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user~1\AppData\Local\Temp\file.pdf"
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user~1\AppData\Local\Temp\winrar.msi" /qn
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" /silentinstall
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe "C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe" -firewall
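The process-creation lines above are the part of this report most worth turning into a hunt: a user-profile executable opens a decoy PDF, runs msiexec silently (/qn) on a package in the user's Temp directory that is named like a WinRAR installer, and that msiexec then starts the Remote Manipulator System host (rutserv.exe) with the /silentinstall, -firewall and /start switches. The following is an added, editor-written detection example, not code from the report or from the RMS vendor. The record format is a constructed, Sysmon-style process-creation list with invented PIDs; only the image paths and command lines are taken from the report.

```python
"""Flag the decoy-dropper -> silent msiexec -> rutserv.exe install chain.

Added example (not from the report). Records are constructed, Sysmon-style
process-creation events with invented PIDs; image paths and command lines
are those shown in the report above.
"""
import re
from typing import Dict, List, Set, Tuple

Event = Dict[str, object]   # keys: pid, ppid, image, cmdline

# Binaries and switches the report shows msiexec handing to the RMS host.
RMS_BINARIES = {"rutserv.exe", "rfusclient.exe"}
RMS_SWITCHES = {"/silentinstall", "-firewall", "/start"}

_SILENT_MSI = re.compile(r"/(qn|quiet)\b", re.IGNORECASE)
_USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

RMS_HOST = r"C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe"

# Constructed sample records modelled on the process tree in this report.
SAMPLE_EVENTS: List[Event] = [
    {"pid": 4, "ppid": 2, "image": r"C:\Users\user\Desktop\J4zGPhVRV3.exe",
     "cmdline": r'"C:\Users\user\Desktop\J4zGPhVRV3.exe"'},
    {"pid": 6, "ppid": 4, "image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
     "cmdline": r'"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe" "C:\Users\user~1\AppData\Local\Temp\file.pdf"'},
    {"pid": 8, "ppid": 4, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\user~1\AppData\Local\Temp\winrar.msi" /qn'},
    {"pid": 18, "ppid": 8, "image": RMS_HOST, "cmdline": f'"{RMS_HOST}" /silentinstall'},
    {"pid": 20, "ppid": 8, "image": RMS_HOST, "cmdline": f'"{RMS_HOST}" -firewall'},
    {"pid": 21, "ppid": 8, "image": RMS_HOST, "cmdline": f'"{RMS_HOST}" /start'},
    # Benign control (constructed): interactive install from a share, no /qn, not from Temp.
    {"pid": 30, "ppid": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'"C:\Windows\System32\msiexec.exe" /i "\\fileserver\software\7zip.msi"'},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def switches(cmdline: str) -> Set[str]:
    """Lower-cased tokens that follow the (possibly quoted) image path."""
    if cmdline.startswith('"'):
        rest = cmdline.split('"', 2)[2]      # text after the closing quote of the image
    else:
        rest = cmdline.partition(" ")[2]
    return {t.lower() for t in rest.split()}


def silent_msi_from_temp(event: Event) -> bool:
    """msiexec installing a package from a user Temp directory with no UI (/qn or /quiet)."""
    cmdline = str(event["cmdline"])
    return (basename(str(event["image"])) == "msiexec.exe"
            and _SILENT_MSI.search(cmdline) is not None
            and _USER_TEMP.search(cmdline) is not None)


def rms_host_switch(event: Event) -> bool:
    """rutserv.exe or rfusclient.exe started with an install, firewall or start switch."""
    if basename(str(event["image"])) not in RMS_BINARIES:
        return False
    return bool(switches(str(event["cmdline"])) & RMS_SWITCHES)


def find_rms_install_chain(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (finding, pid) pairs in event order.

    The chain finding is only raised when the parent of the RMS host process is
    itself the silent Temp-directory msiexec, so a normal packaged deployment of
    the same product from a software share does not trigger it.
    """
    by_pid = {int(e["pid"]): e for e in events}
    findings: List[Tuple[str, int]] = []
    for e in events:
        pid = int(e["pid"])
        if silent_msi_from_temp(e):
            findings.append(("silent_msi_from_temp", pid))
        if rms_host_switch(e):
            findings.append(("rms_host_switch", pid))
            parent = by_pid.get(int(e["ppid"]))
            if parent is not None and silent_msi_from_temp(parent):
                findings.append(("rms_silent_install_chain", pid))
    return findings


if __name__ == "__main__":
    for finding, pid in find_rms_install_chain(SAMPLE_EVENTS):
        print(f"{finding:26s} pid={pid}")
```

The rule deliberately keys on the parent relationship rather than on the RMS file names alone: the same rutserv.exe switches appear whenever the product is deployed legitimately, so the distinguishing signal is a silent MSI run from a user's Temp directory by a process that is not an installer framework.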
Source: rfusclient.exe, 00000010.00000000.1420516401.000000000066F000.00000020.00000001.01000000.0000000B.sdmp Binary or memory string: Shell_TrayWndTrayNotifyWndSV
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E58DC70 cpuid 4_2_00007FF69E58DC70
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: GetLocaleInfoW,GetNumberFormatW, 4_2_00007FF69E59A2CC
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe Code function: 21_2_00CFB958 CreateNamedPipeW,ConnectNamedPipe,ReadFile,DisconnectNamedPipe, 21_2_00CFB958
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E5A0754 GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,MapViewOfFile,UnmapViewOfFile,CloseHandle,SetEnvironmentVariableW,GetLocalTime,swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,OleUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 4_2_00007FF69E5A0754
Source: C:\Users\user\Desktop\J4zGPhVRV3.exe Code function: 4_2_00007FF69E584EB0 GetVersionExW, 4_2_00007FF69E584EB0
Source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE
Source: rutserv.exe, 00000012.00000000.1464455991.0000000000EF1000.00000020.00000001.01000000.0000000D.sdmp Binary or memory string: OLLYDBG.EXE
Source: svchost.exe, 00000003.00000002.3742830304.000001D0D1D02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: rutserv.exe, 00000014.00000002.1613537037.0000000002148000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ollydbg.exe
Source: C:\Windows\System32\msiexec.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD Blob
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: Yara match File source: 16.0.rfusclient.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000000.1422949051.00000000010D9000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3760276212.0000000004DF8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.3745548454.000000000329A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3748231450.000000000325A000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.3745548454.0000000003276000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3800200492.00000000041C8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3748231450.0000000003228000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.3760276212.0000000004E3C000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000003.1568447250.0000000005E6A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.1478283984.00000000019E5000.00000002.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3759250551.00000000026C8000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rfusclient.exe PID: 8384, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rutserv.exe PID: 8508, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rutserv.exe PID: 8624, type: MEMORYSTR
Source: Yara match File source: C:\Program Files (x86)\Remote Manipulator System - Host\rfusclient.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Remote Manipulator System - Host\rutserv.exe, type: DROPPED