Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    02-05-2022 03:37

General

  • Target

    81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db.exe

  • Size

    5.3MB

  • MD5

    1dcb867334b4730911d6eb729bce78bf

  • SHA1

    5912be93c7427a40634b8fb9895459092e039662

  • SHA256

    81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db

  • SHA512

    f7e7707d9164861a67d0b5b54ada0e4b6876bc516e002dbba4bd7110465e2f6a3a1652d2c6493fa1b59fdc4f758229f170dddc4cf5ee10ae86b68032f583c893

Malware Config

Signatures

  • RMS

    Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.

  • Executes dropped EXE 14 IoCs
  • Sets file to hidden 1 TTPs

    Modifies file attributes to stop it showing in Explorer etc.

  • Stops running service(s) 3 TTPs
  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 2 IoCs
  • Runs .reg file with regedit 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db.exe
    "C:\Users\Admin\AppData\Local\Temp\81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3124
    • C:\ProgramData\CardWindows\WinDevInstall.exe
      "C:\ProgramData\CardWindows\WinDevInstall.exe" -p7832489354378589235643543456
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4072
      • C:\ProgramData\CardWindows\start1.exe
        "C:\ProgramData\CardWindows\start1.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\ProgramData\CardWindows\start.exe
          "C:\ProgramData\CardWindows\start.exe"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2680
          • C:\ProgramData\CardWindows\Builder.exe
            "C:\ProgramData\CardWindows\Builder.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1032
          • C:\ProgramData\CardWindows\Builder2.exe
            "C:\ProgramData\CardWindows\Builder2.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3272
          • C:\ProgramData\CardWindows\WinUpdate.exe
            "C:\ProgramData\CardWindows\WinUpdate.exe" -p5387687645378674524512345389721228
            5⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4344
            • C:\ProgramData\CardWindows\WinUpdate1.exe
              "C:\ProgramData\CardWindows\WinUpdate1.exe"
              6⤵
              • Executes dropped EXE
              • Checks computer location settings
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3448
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ""C:\ProgramData\CardWindows\SysInstall.bat" "
                7⤵
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4724
                • C:\Windows\SysWOW64\attrib.exe
                  attrib +s +h "C:\ProgramData\CardWindows"
                  8⤵
                  • Views/modifies file attributes
                  PID:5096
                • C:\Windows\SysWOW64\sc.exe
                  sc delete NPackStereo
                  8⤵
                    PID:748
                  • C:\Windows\SysWOW64\taskkill.exe
                    taskkill /im rfusclient.exe /f
                    8⤵
                    • Kills process with taskkill
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3120
                  • C:\Windows\SysWOW64\sc.exe
                    sc delete AMIHardware
                    8⤵
                      PID:1144
                    • C:\Windows\SysWOW64\sc.exe
                      sc delete IntelDriver
                      8⤵
                        PID:1828
                      • C:\Windows\SysWOW64\taskkill.exe
                        taskkill /im rutserv.exe /f
                        8⤵
                        • Kills process with taskkill
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4768
                      • C:\Windows\SysWOW64\sc.exe
                        sc delete ServiceWork
                        8⤵
                          PID:4784
                        • C:\Windows\SysWOW64\sc.exe
                          sc delete VDeviceCard
                          8⤵
                            PID:816
                          • C:\Windows\SysWOW64\regedit.exe
                            regedit /s "C:\ProgramData\CardWindows\config_set.reg"
                            8⤵
                            • Runs .reg file with regedit
                            PID:4000
                          • C:\ProgramData\CardWindows\CDevice.exe
                            "C:\ProgramData\CardWindows\CDevice.exe" /silentinstall
                            8⤵
                            • Executes dropped EXE
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of SetWindowsHookEx
                            PID:3172
                          • C:\Windows\SysWOW64\reg.exe
                            reg delete "HKLM\SYSTEM\Nvidia\Toolbar\DeviceCard" /f
                            8⤵
                              PID:3200
                            • C:\Windows\SysWOW64\sc.exe
                              sc delete RManService
                              8⤵
                                PID:4272
                              • C:\Windows\SysWOW64\sc.exe
                                sc stop AMIHardware
                                8⤵
                                  PID:2412
                                • C:\ProgramData\CardWindows\CDevice.exe
                                  "C:\ProgramData\CardWindows\CDevice.exe" /firewall
                                  8⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of SetWindowsHookEx
                                  PID:4496
                                • C:\Windows\SysWOW64\sc.exe
                                  sc stop IntelDriver
                                  8⤵
                                    PID:3328
                                  • C:\Windows\SysWOW64\sc.exe
                                    sc stop ServiceWork
                                    8⤵
                                      PID:1708
                                    • C:\Windows\SysWOW64\sc.exe
                                      sc stop NPackStereo
                                      8⤵
                                        PID:2224
                                      • C:\Windows\SysWOW64\sc.exe
                                        sc stop VDeviceCard
                                        8⤵
                                          PID:2116
                                        • C:\Windows\SysWOW64\sc.exe
                                          sc stop RManService
                                          8⤵
                                            PID:2376
                                          • C:\Windows\SysWOW64\regedit.exe
                                            regedit /s "C:\ProgramData\CardWindows\config_set.reg"
                                            8⤵
                                            • Runs .reg file with regedit
                                            PID:4384
                                          • C:\Windows\SysWOW64\sc.exe
                                            sc failure VDeviceCard reset= 0 actions= restart/500/restart/500/restart/500
                                            8⤵
                                              PID:3776
                                            • C:\ProgramData\CardWindows\CDevice.exe
                                              "C:\ProgramData\CardWindows\CDevice.exe" /start
                                              8⤵
                                              • Executes dropped EXE
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              • Suspicious use of SetWindowsHookEx
                                              PID:3836
                                            • C:\Windows\SysWOW64\sc.exe
                                              sc config VDeviceCard obj= LocalSystem type= interact type= own
                                              8⤵
                                                PID:1932
                                              • C:\Windows\SysWOW64\attrib.exe
                                                attrib +s +h "C:\ProgramData\CardWindows\*.*"
                                                8⤵
                                                • Views/modifies file attributes
                                                PID:3656
                                • C:\ProgramData\CardWindows\CDevice.exe
                                  C:\ProgramData\CardWindows\CDevice.exe
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Suspicious use of SetWindowsHookEx
                                  PID:3848
                                  • C:\ProgramData\CardWindows\sysdevices.exe
                                    C:\ProgramData\CardWindows\sysdevices.exe /tray
                                    2⤵
                                    • Executes dropped EXE
                                    PID:4532
                                  • C:\ProgramData\CardWindows\sysdevices.exe
                                    C:\ProgramData\CardWindows\sysdevices.exe
                                    2⤵
                                    • Executes dropped EXE
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:3132
                                    • C:\ProgramData\CardWindows\sysdevices.exe
                                      C:\ProgramData\CardWindows\sysdevices.exe /tray
                                      3⤵
                                      • Executes dropped EXE
                                      • Suspicious behavior: SetClipboardViewer
                                      PID:372

                                Network

                                MITRE ATT&CK Enterprise v6

                                Downloads

                                • C:\ProgramData\CardWindows\Builder.exe

                                  Filesize

                                  997KB

                                  MD5

                                  2f92eed4e2061af0961f379e9ded70d6

                                  SHA1

                                  8b58dcd428759d3633a14bcfc62a8cb6deb66de5

                                  SHA256

                                  52cad2ada36a7a4b8d5e653cfe1854d32210ef198561e4cf53ea1c4e5ebbb84f

                                  SHA512

                                  909561ad25f5a4af7360004a6b259bdb70dfad4ced7fe0f39a72ed61f421bc943dce9c7215634ed12284811f36d9a5bae8d1f439412a94bbbd4c24cb4f4962ac

                                • C:\ProgramData\CardWindows\Builder2.exe

                                  Filesize

                                  368KB

                                  MD5

                                  5bc1cdb63ab6345843d7254ee51eb3cd

                                  SHA1

                                  54b5ec6185bbb3d33c17fd24c6143cf9372168b2

                                  SHA256

                                  5e0c07ccca39ab7e0d5a59d7f71b79a6c786a9ef65e3c53f1934016bf490d2ae

                                  SHA512

                                  6768769a22e4075eb3c2bbe8784e3eea79f0d2b709f43627742adc9b6610ed0f3d4f7327e6d10f898f68e7bf808c540c76ae2098b803ff784a829066151b980d

                                • C:\ProgramData\CardWindows\CDevice.exe

                                  Filesize

                                  6.0MB

                                  MD5

                                  60478b65ab22e759c71f1923edb1bbab

                                  SHA1

                                  4268fc2bf9ff27ec280416b12bb0de96e9ae718d

                                  SHA256

                                  047274a242de93573a5f83fb152554a68dfa12ac877f5f9919dec5e62b70ada0

                                  SHA512

                                  2921917b17de2ef41e10619d86a5a4a34fe9da8d05870135781342a7c6b171827e868f351d9961fa4844bb37a29ab2278d6d38ce231022f820a7310e97669580

                                • C:\ProgramData\CardWindows\Russian.lg

                                  Filesize

                                  48KB

                                  MD5

                                  e44e34bc285b709f08f967325d9c8be1

                                  SHA1

                                  e73f05c6a980ec9d006930c5343955f89579b409

                                  SHA256

                                  1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b

                                  SHA512

                                  576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

                                • C:\ProgramData\CardWindows\SysInstall.bat

                                  Filesize

                                  1KB

                                  MD5

                                  a00d1b7d978dcd3728e14c3f0e2386df

                                  SHA1

                                  596deee85bd6521c9d3fb7ffe3654aa0b386e9ed

                                  SHA256

                                  00baf3f49d72d9ae56cd5dbfbcd0a3a87b88ae3e768cbfe8a77769fd443a1cd5

                                  SHA512

                                  fe8a3752ba3bfddeb979f0a3cb8787218525057b873481f24169c6629851f862059ceb1cc52ed03f6b1bea87866833a107226b6a1a5ab969b959de0d56987c80

                                • C:\ProgramData\CardWindows\SysInstall2.bat

                                  Filesize

                                  269B

                                  MD5

                                  ad964d1f40f1ab48e26d9ff0bdc01d06

                                  SHA1

                                  073396d19000036396005d9ebf89f40fb481e1e5

                                  SHA256

                                  632b75ab4857c964f8cf1f61efeff7a1bc7583fca3e9fbef9bca768ee227b9ff

                                  SHA512

                                  f671e8bcb42f757d5384c8be7bde6abe18a1196834948ded0634152c4ef0608c972be417082035b7640178d26810fe8dc25b128c1e18d1d343e1b9f9c475d255

                                • C:\ProgramData\CardWindows\SystemCard.dat

                                  Filesize

                                  647B

                                  MD5

                                  2db0f5ade581516ccd80880197a007ff

                                  SHA1

                                  9dd8379da351d1c8361169d0548a25ad13c14973

                                  SHA256

                                  9b0e0a3cd2e3694bfa85335d8ec3b59a6e92bd37592604a65e32b310b61458d3

                                  SHA512

                                  8fffa0271c81cfd37194e2b405c2b35e949b08eec08e93be5b49d268d9ec4b58aaa9c5038b316589c5ac6444fb969b37a17c71ed8b1665dc3ca56f30b857c103

                                • C:\ProgramData\CardWindows\WinDevInstall.exe

                                  Filesize

                                  4.8MB

                                  MD5

                                  b5c5f94914900ea67536aabfeb7b43d4

                                  SHA1

                                  c528252e3419dafbe43699455d16f4f73143e0ad

                                  SHA256

                                  accb85af56237053f2a159a7b52f22379609e10033a51e7d69cf106ce3df5962

                                  SHA512

                                  541cc5a660199def0c7f69d717ceef36d94b9b640eca7f1516deb0beb67c576a80c2c8227266ed5c3ff774b1e947dbe4ab77fafd5736e6deef79392405e77b6f

                                • C:\ProgramData\CardWindows\WinUpdate.exe

                                  Filesize

                                  4.3MB

                                  MD5

                                  436658cb9c13960ecdb332ec02cc1388

                                  SHA1

                                  33c6b18a1a0ef78fbc9496893dd32bbce7fd47ff

                                  SHA256

                                  ba83d27a14161c57f58bed535843fc3cd64b39853e787b01e73517360e9923a7

                                  SHA512

                                  231b82bb53ef894b1907a0c644dc9ec7a6267783193310f97200be37beb1805462fa834bc7e46b7e3c03e149602169373549c6e937744e9fdd9e56a34e731ab4

                                • C:\ProgramData\CardWindows\WinUpdate1.exe

                                  Filesize

                                  379KB

                                  MD5

                                  a36f89d64e0de0fe14ba911713df29eb

                                  SHA1

                                  7d700fa255f32aa37b82dc59826cf35300b250d4

                                  SHA256

                                  d1deecb8f672e32316a71444f1500be8381f64741445f138704876274e131a1c

                                  SHA512

                                  55ac398815ce5e00e18a839f0d12984488e6ee4e1eb69396a6bc01e12a86bc3256308f164cd52d5b6c733c77cb18f008a03921c831c62fd0d4d0a7b7184a6e57

                                • C:\ProgramData\CardWindows\config_set.reg

                                  Filesize

                                  11KB

                                  MD5

                                  864e25c17d596e0baf577189a9cf0295

                                  SHA1

                                  94e915da3e683faf54945b86939d2bfb2abd70c5

                                  SHA256

                                  79ab503fa5c9a7e128f50c07e0dd1e1c078a0034d01956267f0040edae0295a5

                                  SHA512

                                  d37489135043adf202be19df80c36c7429e7e00e9f39ec580063cc949390192b1ca494a7bee7b8aef4b0a2d205ea143b4c31ac9a6c9e1fe76d055bf8ddb84da5

                                • C:\ProgramData\CardWindows\start.exe

                                  Filesize

                                  394KB

                                  MD5

                                  483f4c651d50fa46af3cd4b0abb8a480

                                  SHA1

                                  1ccdb6d6b274b66cfe2ccfc3458bd9e0cd47151a

                                  SHA256

                                  dd8a5dbd5fa017c4c77966617ca23bf6c1eca9131d8c56a09a3599f4617da24f

                                  SHA512

                                  7ccb9c432c897c2ec589f73a895b77e89d5e87e9b7dbe718eec64e35c3adafe016b9a58c50b03b8f2519ee6eb77ba4c4513a32f2dcce5e09cab1def0c1930ee0

                                • C:\ProgramData\CardWindows\start1.exe

                                  Filesize

                                  394KB

                                  MD5

                                  8c83dc3eb8124dd9cdaa95a0a1ad45d4

                                  SHA1

                                  9428c90a79281d5dc84205e435833f0c75f4ae3c

                                  SHA256

                                  35c5a75bce725f0132ebd59c5c8f090df3f0fb70e8f0f83cad8f9983a58a887b

                                  SHA512

                                  f2a1856ad6189fd189d64922e80201957f19601f05783a1b5543bb62f4e2921074a3dc522bf4b4307ea1ac2f1e2e18de9384d86a721073a332d75ac309c82d5d

                                • C:\ProgramData\CardWindows\sysdevices.exe

                                  Filesize

                                  5.1MB

                                  MD5

                                  271dc5107c866fd480b1256f0ce0e36c

                                  SHA1

                                  0d9c7e060b57a8177664233ad99049963b3fd83b

                                  SHA256

                                  dfa101c21fba688512ef911988e1d72199c1ec5c3571f91da214faa0fac7cba4

                                  SHA512

                                  fb23837f2c69c5f0a938ff3f44a8158321394117c9466a0fa6865fd85914f51970f4afe0873e440e4ad6d502d839cb57c07b502905641dceebeae5eb61143784

                                • C:\ProgramData\CardWindows\vp8decoder.dll
                                  Filesize: 378KB
                                  MD5: d43fa82fab5337ce20ad14650085c5d9
                                  SHA1: 678aa092075ff65b6815ffc2d8fdc23af8425981
                                  SHA256: c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
                                  SHA512: 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

                                • C:\ProgramData\CardWindows\vp8encoder.dll
                                  Filesize: 1.6MB
                                  MD5: dab4646806dfca6d0e0b4d80fa9209d6
                                  SHA1: 8244dfe22ec2090eee89dad103e6b2002059d16a
                                  SHA256: cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
                                  SHA512: aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7
