Malware Analysis Report

2024-11-15 08:39

Sample ID 220502-d6wd6sbdh8
Target 81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db
SHA256 81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db
Tags
rms discovery evasion rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db

Threat Level: Known bad

The file 81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db was found to be: Known bad.

Malicious Activity Summary

rms discovery evasion rat trojan

RMS

Sets file to hidden

Executes dropped EXE

Stops running service(s)

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Launches sc.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: SetClipboardViewer

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Views/modifies file attributes

Runs .reg file with regedit

Analysis: static1

Detonation Overview

Reported

2022-05-02 03:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-02 03:37

Reported

2022-05-02 03:40

Platform

win7-20220414-en

Max time kernel

141s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db.exe"

Signatures

RMS

trojan rat rms

Sets file to hidden

evasion

Stops running service(s)

evasion

Checks installed software on the system

discovery

Launches sc.exe

Enumerates physical storage devices

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\ProgramData\CardWindows\sysdevices.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\CardWindows\CDevice.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\CardWindows\CDevice.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\CardWindows\CDevice.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\CardWindows\CDevice.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\CardWindows\CDevice.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\ProgramData\CardWindows\CDevice.exe N/A
N/A N/A C:\ProgramData\CardWindows\CDevice.exe N/A
N/A N/A C:\ProgramData\CardWindows\CDevice.exe N/A
N/A N/A C:\ProgramData\CardWindows\CDevice.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1660 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db.exe C:\ProgramData\CardWindows\WinDevInstall.exe
PID 1668 wrote to memory of 672 N/A C:\ProgramData\CardWindows\WinDevInstall.exe C:\ProgramData\CardWindows\start1.exe
PID 672 wrote to memory of 788 N/A C:\ProgramData\CardWindows\start1.exe C:\ProgramData\CardWindows\start.exe
PID 788 wrote to memory of 636 N/A C:\ProgramData\CardWindows\start.exe C:\ProgramData\CardWindows\Builder.exe
PID 788 wrote to memory of 308 N/A C:\ProgramData\CardWindows\start.exe C:\ProgramData\CardWindows\Builder2.exe
PID 788 wrote to memory of 1740 N/A C:\ProgramData\CardWindows\start.exe C:\ProgramData\CardWindows\WinUpdate.exe
PID 1740 wrote to memory of 1252 N/A C:\ProgramData\CardWindows\WinUpdate.exe C:\ProgramData\CardWindows\WinUpdate1.exe
PID 1252 wrote to memory of 1136 N/A C:\ProgramData\CardWindows\WinUpdate1.exe C:\Windows\SysWOW64\cmd.exe
PID 1136 wrote to memory of 1964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1136 wrote to memory of 588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db.exe

"C:\Users\Admin\AppData\Local\Temp\81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db.exe"

C:\ProgramData\CardWindows\WinDevInstall.exe

"C:\ProgramData\CardWindows\WinDevInstall.exe" -p7832489354378589235643543456

C:\ProgramData\CardWindows\start1.exe

"C:\ProgramData\CardWindows\start1.exe"

C:\ProgramData\CardWindows\start.exe

"C:\ProgramData\CardWindows\start.exe"

C:\ProgramData\CardWindows\Builder.exe

"C:\ProgramData\CardWindows\Builder.exe"

C:\ProgramData\CardWindows\Builder2.exe

"C:\ProgramData\CardWindows\Builder2.exe"

C:\ProgramData\CardWindows\WinUpdate.exe

"C:\ProgramData\CardWindows\WinUpdate.exe" -p5387687645378674524512345389721228

C:\ProgramData\CardWindows\WinUpdate1.exe

"C:\ProgramData\CardWindows\WinUpdate1.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\ProgramData\CardWindows\SysInstall.bat" "

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\ProgramData\CardWindows"

C:\Windows\SysWOW64\sc.exe

sc stop RManService

C:\Windows\SysWOW64\sc.exe

sc stop VDeviceCard

C:\Windows\SysWOW64\sc.exe

sc stop NPackStereo

C:\Windows\SysWOW64\sc.exe

sc stop ServiceWork

C:\Windows\SysWOW64\sc.exe

sc stop IntelDriver

C:\Windows\SysWOW64\sc.exe

sc stop AMIHardware

C:\Windows\SysWOW64\sc.exe

sc delete RManService

C:\Windows\SysWOW64\sc.exe

sc delete VDeviceCard

C:\Windows\SysWOW64\sc.exe

sc delete NPackStereo

C:\Windows\SysWOW64\sc.exe

sc delete ServiceWork

C:\Windows\SysWOW64\sc.exe

sc delete IntelDriver

C:\Windows\SysWOW64\sc.exe

sc delete AMIHardware

C:\Windows\SysWOW64\taskkill.exe

taskkill /im rfusclient.exe /f

C:\Windows\SysWOW64\taskkill.exe

taskkill /im rutserv.exe /f

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Nvidia\Toolbar\DeviceCard" /f

C:\Windows\SysWOW64\regedit.exe

regedit /s "C:\ProgramData\CardWindows\config_set.reg"

C:\ProgramData\CardWindows\CDevice.exe

"C:\ProgramData\CardWindows\CDevice.exe" /silentinstall

C:\ProgramData\CardWindows\CDevice.exe

"C:\ProgramData\CardWindows\CDevice.exe" /firewall

C:\Windows\SysWOW64\regedit.exe

regedit /s "C:\ProgramData\CardWindows\config_set.reg"

C:\Windows\SysWOW64\sc.exe

sc failure VDeviceCard reset= 0 actions= restart/500/restart/500/restart/500

C:\Windows\SysWOW64\sc.exe

sc config VDeviceCard obj= LocalSystem type= interact type= own

C:\ProgramData\CardWindows\CDevice.exe

"C:\ProgramData\CardWindows\CDevice.exe" /start

C:\ProgramData\CardWindows\CDevice.exe

C:\ProgramData\CardWindows\CDevice.exe

C:\ProgramData\CardWindows\sysdevices.exe

C:\ProgramData\CardWindows\sysdevices.exe

C:\ProgramData\CardWindows\sysdevices.exe

C:\ProgramData\CardWindows\sysdevices.exe /tray

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\ProgramData\CardWindows\*.*"

C:\ProgramData\CardWindows\sysdevices.exe

C:\ProgramData\CardWindows\sysdevices.exe /tray

Network

Country Destination Domain Proto
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp

Files

C:\ProgramData\CardWindows\WinDevInstall.exe

C:\ProgramData\CardWindows\start1.exe

C:\ProgramData\CardWindows\start.exe

C:\ProgramData\CardWindows\Builder.exe

C:\ProgramData\CardWindows\Builder2.exe

C:\ProgramData\CardWindows\WinUpdate.exe

C:\ProgramData\CardWindows\WinUpdate1.exe

C:\ProgramData\CardWindows\SysInstall.bat

C:\ProgramData\CardWindows\config_set.reg

C:\ProgramData\CardWindows\CDevice.exe

C:\ProgramData\CardWindows\Russian.lg

C:\ProgramData\CardWindows\sysdevices.exe

C:\ProgramData\CardWindows\vp8encoder.dll

C:\ProgramData\CardWindows\vp8decoder.dll

C:\ProgramData\CardWindows\SysInstall2.bat

C:\ProgramData\CardWindows\SystemCard.dat

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-02 03:37

Reported

2022-05-02 03:40

Platform

win10v2004-20220414-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db.exe"

Signatures

RMS

trojan rat rms

Sets file to hidden

evasion

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\ProgramData\CardWindows\WinDevInstall.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\ProgramData\CardWindows\start1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\ProgramData\CardWindows\start.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\ProgramData\CardWindows\WinUpdate.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\ProgramData\CardWindows\WinUpdate1.exe N/A

Checks installed software on the system

discovery

Launches sc.exe

Enumerates physical storage devices

Kills process with taskkill

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious behavior: SetClipboardViewer

Description Indicator Process Target
N/A N/A C:\ProgramData\CardWindows\sysdevices.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\CardWindows\CDevice.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\CardWindows\CDevice.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\CardWindows\CDevice.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\CardWindows\CDevice.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\CardWindows\CDevice.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3124 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db.exe C:\ProgramData\CardWindows\WinDevInstall.exe
PID 3124 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db.exe C:\ProgramData\CardWindows\WinDevInstall.exe
PID 3124 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db.exe C:\ProgramData\CardWindows\WinDevInstall.exe
PID 4072 wrote to memory of 2676 N/A C:\ProgramData\CardWindows\WinDevInstall.exe C:\ProgramData\CardWindows\start1.exe
PID 4072 wrote to memory of 2676 N/A C:\ProgramData\CardWindows\WinDevInstall.exe C:\ProgramData\CardWindows\start1.exe
PID 4072 wrote to memory of 2676 N/A C:\ProgramData\CardWindows\WinDevInstall.exe C:\ProgramData\CardWindows\start1.exe
PID 2676 wrote to memory of 2680 N/A C:\ProgramData\CardWindows\start1.exe C:\ProgramData\CardWindows\start.exe
PID 2676 wrote to memory of 2680 N/A C:\ProgramData\CardWindows\start1.exe C:\ProgramData\CardWindows\start.exe
PID 2676 wrote to memory of 2680 N/A C:\ProgramData\CardWindows\start1.exe C:\ProgramData\CardWindows\start.exe
PID 2680 wrote to memory of 1032 N/A C:\ProgramData\CardWindows\start.exe C:\ProgramData\CardWindows\Builder.exe
PID 2680 wrote to memory of 1032 N/A C:\ProgramData\CardWindows\start.exe C:\ProgramData\CardWindows\Builder.exe
PID 2680 wrote to memory of 1032 N/A C:\ProgramData\CardWindows\start.exe C:\ProgramData\CardWindows\Builder.exe
PID 2680 wrote to memory of 3272 N/A C:\ProgramData\CardWindows\start.exe C:\ProgramData\CardWindows\Builder2.exe
PID 2680 wrote to memory of 3272 N/A C:\ProgramData\CardWindows\start.exe C:\ProgramData\CardWindows\Builder2.exe
PID 2680 wrote to memory of 3272 N/A C:\ProgramData\CardWindows\start.exe C:\ProgramData\CardWindows\Builder2.exe
PID 2680 wrote to memory of 4344 N/A C:\ProgramData\CardWindows\start.exe C:\ProgramData\CardWindows\WinUpdate.exe
PID 2680 wrote to memory of 4344 N/A C:\ProgramData\CardWindows\start.exe C:\ProgramData\CardWindows\WinUpdate.exe
PID 2680 wrote to memory of 4344 N/A C:\ProgramData\CardWindows\start.exe C:\ProgramData\CardWindows\WinUpdate.exe
PID 4344 wrote to memory of 3448 N/A C:\ProgramData\CardWindows\WinUpdate.exe C:\ProgramData\CardWindows\WinUpdate1.exe
PID 4344 wrote to memory of 3448 N/A C:\ProgramData\CardWindows\WinUpdate.exe C:\ProgramData\CardWindows\WinUpdate1.exe
PID 4344 wrote to memory of 3448 N/A C:\ProgramData\CardWindows\WinUpdate.exe C:\ProgramData\CardWindows\WinUpdate1.exe
PID 3448 wrote to memory of 4724 N/A C:\ProgramData\CardWindows\WinUpdate1.exe C:\Windows\SysWOW64\cmd.exe
PID 3448 wrote to memory of 4724 N/A C:\ProgramData\CardWindows\WinUpdate1.exe C:\Windows\SysWOW64\cmd.exe
PID 3448 wrote to memory of 4724 N/A C:\ProgramData\CardWindows\WinUpdate1.exe C:\Windows\SysWOW64\cmd.exe
PID 4724 wrote to memory of 5096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4724 wrote to memory of 5096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4724 wrote to memory of 5096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4724 wrote to memory of 2376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 2376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 2376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 2116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 2116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 2116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 2224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 1708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 3328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 4272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 4272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 4272 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 748 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 4784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 4784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 4784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 1144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 1144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 1144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe
PID 4724 wrote to memory of 3120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db.exe

"C:\Users\Admin\AppData\Local\Temp\81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db.exe"

C:\ProgramData\CardWindows\WinDevInstall.exe

"C:\ProgramData\CardWindows\WinDevInstall.exe" -p7832489354378589235643543456

C:\ProgramData\CardWindows\start1.exe

"C:\ProgramData\CardWindows\start1.exe"

C:\ProgramData\CardWindows\start.exe

"C:\ProgramData\CardWindows\start.exe"

C:\ProgramData\CardWindows\Builder.exe

"C:\ProgramData\CardWindows\Builder.exe"

C:\ProgramData\CardWindows\Builder2.exe

"C:\ProgramData\CardWindows\Builder2.exe"

C:\ProgramData\CardWindows\WinUpdate.exe

"C:\ProgramData\CardWindows\WinUpdate.exe" -p5387687645378674524512345389721228

C:\ProgramData\CardWindows\WinUpdate1.exe

"C:\ProgramData\CardWindows\WinUpdate1.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\CardWindows\SysInstall.bat" "

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\ProgramData\CardWindows"

C:\Windows\SysWOW64\sc.exe

sc delete NPackStereo

C:\Windows\SysWOW64\taskkill.exe

taskkill /im rfusclient.exe /f

C:\Windows\SysWOW64\sc.exe

sc delete AMIHardware

C:\Windows\SysWOW64\sc.exe

sc delete IntelDriver

C:\Windows\SysWOW64\taskkill.exe

taskkill /im rutserv.exe /f

C:\Windows\SysWOW64\sc.exe

sc delete ServiceWork

C:\Windows\SysWOW64\sc.exe

sc delete VDeviceCard

C:\Windows\SysWOW64\regedit.exe

regedit /s "C:\ProgramData\CardWindows\config_set.reg"

C:\ProgramData\CardWindows\CDevice.exe

"C:\ProgramData\CardWindows\CDevice.exe" /silentinstall

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SYSTEM\Nvidia\Toolbar\DeviceCard" /f

C:\Windows\SysWOW64\sc.exe

sc delete RManService

C:\Windows\SysWOW64\sc.exe

sc stop AMIHardware

C:\ProgramData\CardWindows\CDevice.exe

"C:\ProgramData\CardWindows\CDevice.exe" /firewall

C:\Windows\SysWOW64\sc.exe

sc stop IntelDriver

C:\Windows\SysWOW64\sc.exe

sc stop ServiceWork

C:\Windows\SysWOW64\sc.exe

sc stop NPackStereo

C:\Windows\SysWOW64\sc.exe

sc stop VDeviceCard

C:\Windows\SysWOW64\sc.exe

sc stop RManService

C:\Windows\SysWOW64\regedit.exe

regedit /s "C:\ProgramData\CardWindows\config_set.reg"

C:\Windows\SysWOW64\sc.exe

sc failure VDeviceCard reset= 0 actions= restart/500/restart/500/restart/500

C:\ProgramData\CardWindows\CDevice.exe

"C:\ProgramData\CardWindows\CDevice.exe" /start

C:\ProgramData\CardWindows\CDevice.exe

C:\ProgramData\CardWindows\CDevice.exe

C:\Windows\SysWOW64\sc.exe

sc config VDeviceCard obj= LocalSystem type= interact type= own

C:\ProgramData\CardWindows\sysdevices.exe

C:\ProgramData\CardWindows\sysdevices.exe /tray

C:\ProgramData\CardWindows\sysdevices.exe

C:\ProgramData\CardWindows\sysdevices.exe

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\ProgramData\CardWindows\*.*"

C:\ProgramData\CardWindows\sysdevices.exe

C:\ProgramData\CardWindows\sysdevices.exe /tray

Network

Country Destination Domain Proto
US 52.109.8.19:443 tcp
US 8.8.8.8:53 rmansys.ru udp
RU 31.31.198.18:80 rmansys.ru tcp
RU 31.31.198.18:80 rmansys.ru tcp
US 8.8.8.8:53 rms-server.tektonit.ru udp
RU 95.213.205.83:5655 rms-server.tektonit.ru tcp
NL 104.97.14.81:80 tcp
IE 20.54.110.249:443 tcp
NL 104.97.14.80:80 tcp
NL 104.97.14.80:80 tcp
US 20.42.65.89:443 tcp
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
FR 2.18.109.224:443 storesdk.dsx.mp.microsoft.com tcp
US 8.8.8.8:53 store-images.s-microsoft.com udp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
NL 104.123.41.133:80 store-images.s-microsoft.com tcp
US 8.8.8.8:53 tsfe.trafficshaping.dsp.mp.microsoft.com udp
IE 20.54.110.119:443 tsfe.trafficshaping.dsp.mp.microsoft.com tcp
IE 20.54.110.119:443 tsfe.trafficshaping.dsp.mp.microsoft.com tcp
FR 2.18.109.224:443 storesdk.dsx.mp.microsoft.com tcp
US 8.8.8.8:53 dl.delivery.mp.microsoft.com udp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 tlu.dl.delivery.mp.microsoft.com udp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 4.tlu.dl.delivery.mp.microsoft.com udp
NL 87.248.202.1:80 4.tlu.dl.delivery.mp.microsoft.com tcp
NL 87.248.202.1:80 4.tlu.dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 2.tlu.dl.delivery.mp.microsoft.com udp
FR 2.22.147.32:80 2.tlu.dl.delivery.mp.microsoft.com tcp
US 13.107.4.50:80 dl.delivery.mp.microsoft.com tcp
US 209.197.3.8:80 tlu.dl.delivery.mp.microsoft.com tcp
FR 2.22.147.32:80 2.tlu.dl.delivery.mp.microsoft.com tcp

Files

memory/4072-130-0x0000000000000000-mapping.dmp

C:\ProgramData\CardWindows\WinDevInstall.exe

MD5 b5c5f94914900ea67536aabfeb7b43d4
SHA1 c528252e3419dafbe43699455d16f4f73143e0ad
SHA256 accb85af56237053f2a159a7b52f22379609e10033a51e7d69cf106ce3df5962
SHA512 541cc5a660199def0c7f69d717ceef36d94b9b640eca7f1516deb0beb67c576a80c2c8227266ed5c3ff774b1e947dbe4ab77fafd5736e6deef79392405e77b6f

C:\ProgramData\CardWindows\WinDevInstall.exe

MD5 b5c5f94914900ea67536aabfeb7b43d4
SHA1 c528252e3419dafbe43699455d16f4f73143e0ad
SHA256 accb85af56237053f2a159a7b52f22379609e10033a51e7d69cf106ce3df5962
SHA512 541cc5a660199def0c7f69d717ceef36d94b9b640eca7f1516deb0beb67c576a80c2c8227266ed5c3ff774b1e947dbe4ab77fafd5736e6deef79392405e77b6f

memory/2676-133-0x0000000000000000-mapping.dmp

C:\ProgramData\CardWindows\start1.exe

MD5 8c83dc3eb8124dd9cdaa95a0a1ad45d4
SHA1 9428c90a79281d5dc84205e435833f0c75f4ae3c
SHA256 35c5a75bce725f0132ebd59c5c8f090df3f0fb70e8f0f83cad8f9983a58a887b
SHA512 f2a1856ad6189fd189d64922e80201957f19601f05783a1b5543bb62f4e2921074a3dc522bf4b4307ea1ac2f1e2e18de9384d86a721073a332d75ac309c82d5d

C:\ProgramData\CardWindows\start1.exe

MD5 8c83dc3eb8124dd9cdaa95a0a1ad45d4
SHA1 9428c90a79281d5dc84205e435833f0c75f4ae3c
SHA256 35c5a75bce725f0132ebd59c5c8f090df3f0fb70e8f0f83cad8f9983a58a887b
SHA512 f2a1856ad6189fd189d64922e80201957f19601f05783a1b5543bb62f4e2921074a3dc522bf4b4307ea1ac2f1e2e18de9384d86a721073a332d75ac309c82d5d

C:\ProgramData\CardWindows\start.exe

MD5 483f4c651d50fa46af3cd4b0abb8a480
SHA1 1ccdb6d6b274b66cfe2ccfc3458bd9e0cd47151a
SHA256 dd8a5dbd5fa017c4c77966617ca23bf6c1eca9131d8c56a09a3599f4617da24f
SHA512 7ccb9c432c897c2ec589f73a895b77e89d5e87e9b7dbe718eec64e35c3adafe016b9a58c50b03b8f2519ee6eb77ba4c4513a32f2dcce5e09cab1def0c1930ee0

C:\ProgramData\CardWindows\start.exe

MD5 483f4c651d50fa46af3cd4b0abb8a480
SHA1 1ccdb6d6b274b66cfe2ccfc3458bd9e0cd47151a
SHA256 dd8a5dbd5fa017c4c77966617ca23bf6c1eca9131d8c56a09a3599f4617da24f
SHA512 7ccb9c432c897c2ec589f73a895b77e89d5e87e9b7dbe718eec64e35c3adafe016b9a58c50b03b8f2519ee6eb77ba4c4513a32f2dcce5e09cab1def0c1930ee0

memory/2680-137-0x0000000000000000-mapping.dmp

C:\ProgramData\CardWindows\Builder.exe

MD5 2f92eed4e2061af0961f379e9ded70d6
SHA1 8b58dcd428759d3633a14bcfc62a8cb6deb66de5
SHA256 52cad2ada36a7a4b8d5e653cfe1854d32210ef198561e4cf53ea1c4e5ebbb84f
SHA512 909561ad25f5a4af7360004a6b259bdb70dfad4ced7fe0f39a72ed61f421bc943dce9c7215634ed12284811f36d9a5bae8d1f439412a94bbbd4c24cb4f4962ac

C:\ProgramData\CardWindows\Builder.exe

MD5 2f92eed4e2061af0961f379e9ded70d6
SHA1 8b58dcd428759d3633a14bcfc62a8cb6deb66de5
SHA256 52cad2ada36a7a4b8d5e653cfe1854d32210ef198561e4cf53ea1c4e5ebbb84f
SHA512 909561ad25f5a4af7360004a6b259bdb70dfad4ced7fe0f39a72ed61f421bc943dce9c7215634ed12284811f36d9a5bae8d1f439412a94bbbd4c24cb4f4962ac

memory/1032-140-0x0000000000000000-mapping.dmp

memory/3272-143-0x0000000000000000-mapping.dmp

C:\ProgramData\CardWindows\WinUpdate.exe

MD5 436658cb9c13960ecdb332ec02cc1388
SHA1 33c6b18a1a0ef78fbc9496893dd32bbce7fd47ff
SHA256 ba83d27a14161c57f58bed535843fc3cd64b39853e787b01e73517360e9923a7
SHA512 231b82bb53ef894b1907a0c644dc9ec7a6267783193310f97200be37beb1805462fa834bc7e46b7e3c03e149602169373549c6e937744e9fdd9e56a34e731ab4

C:\ProgramData\CardWindows\Builder2.exe

MD5 5bc1cdb63ab6345843d7254ee51eb3cd
SHA1 54b5ec6185bbb3d33c17fd24c6143cf9372168b2
SHA256 5e0c07ccca39ab7e0d5a59d7f71b79a6c786a9ef65e3c53f1934016bf490d2ae
SHA512 6768769a22e4075eb3c2bbe8784e3eea79f0d2b709f43627742adc9b6610ed0f3d4f7327e6d10f898f68e7bf808c540c76ae2098b803ff784a829066151b980d

C:\ProgramData\CardWindows\Builder2.exe

MD5 5bc1cdb63ab6345843d7254ee51eb3cd
SHA1 54b5ec6185bbb3d33c17fd24c6143cf9372168b2
SHA256 5e0c07ccca39ab7e0d5a59d7f71b79a6c786a9ef65e3c53f1934016bf490d2ae
SHA512 6768769a22e4075eb3c2bbe8784e3eea79f0d2b709f43627742adc9b6610ed0f3d4f7327e6d10f898f68e7bf808c540c76ae2098b803ff784a829066151b980d

C:\ProgramData\CardWindows\WinUpdate.exe

MD5 436658cb9c13960ecdb332ec02cc1388
SHA1 33c6b18a1a0ef78fbc9496893dd32bbce7fd47ff
SHA256 ba83d27a14161c57f58bed535843fc3cd64b39853e787b01e73517360e9923a7
SHA512 231b82bb53ef894b1907a0c644dc9ec7a6267783193310f97200be37beb1805462fa834bc7e46b7e3c03e149602169373549c6e937744e9fdd9e56a34e731ab4

memory/4344-146-0x0000000000000000-mapping.dmp

memory/3448-148-0x0000000000000000-mapping.dmp

C:\ProgramData\CardWindows\WinUpdate1.exe

MD5 a36f89d64e0de0fe14ba911713df29eb
SHA1 7d700fa255f32aa37b82dc59826cf35300b250d4
SHA256 d1deecb8f672e32316a71444f1500be8381f64741445f138704876274e131a1c
SHA512 55ac398815ce5e00e18a839f0d12984488e6ee4e1eb69396a6bc01e12a86bc3256308f164cd52d5b6c733c77cb18f008a03921c831c62fd0d4d0a7b7184a6e57

C:\ProgramData\CardWindows\WinUpdate1.exe

MD5 a36f89d64e0de0fe14ba911713df29eb
SHA1 7d700fa255f32aa37b82dc59826cf35300b250d4
SHA256 d1deecb8f672e32316a71444f1500be8381f64741445f138704876274e131a1c
SHA512 55ac398815ce5e00e18a839f0d12984488e6ee4e1eb69396a6bc01e12a86bc3256308f164cd52d5b6c733c77cb18f008a03921c831c62fd0d4d0a7b7184a6e57

C:\ProgramData\CardWindows\SysInstall.bat

MD5 a00d1b7d978dcd3728e14c3f0e2386df
SHA1 596deee85bd6521c9d3fb7ffe3654aa0b386e9ed
SHA256 00baf3f49d72d9ae56cd5dbfbcd0a3a87b88ae3e768cbfe8a77769fd443a1cd5
SHA512 fe8a3752ba3bfddeb979f0a3cb8787218525057b873481f24169c6629851f862059ceb1cc52ed03f6b1bea87866833a107226b6a1a5ab969b959de0d56987c80

memory/4724-152-0x0000000000000000-mapping.dmp

memory/5096-153-0x0000000000000000-mapping.dmp

memory/2376-154-0x0000000000000000-mapping.dmp

memory/2224-156-0x0000000000000000-mapping.dmp

memory/1708-157-0x0000000000000000-mapping.dmp

memory/2412-159-0x0000000000000000-mapping.dmp

memory/4272-160-0x0000000000000000-mapping.dmp

memory/816-161-0x0000000000000000-mapping.dmp

memory/748-162-0x0000000000000000-mapping.dmp

memory/1828-164-0x0000000000000000-mapping.dmp

memory/3120-166-0x0000000000000000-mapping.dmp

memory/1144-165-0x0000000000000000-mapping.dmp

memory/4768-167-0x0000000000000000-mapping.dmp

memory/4784-163-0x0000000000000000-mapping.dmp

memory/4000-169-0x0000000000000000-mapping.dmp

C:\ProgramData\CardWindows\config_set.reg

MD5 864e25c17d596e0baf577189a9cf0295
SHA1 94e915da3e683faf54945b86939d2bfb2abd70c5
SHA256 79ab503fa5c9a7e128f50c07e0dd1e1c078a0034d01956267f0040edae0295a5
SHA512 d37489135043adf202be19df80c36c7429e7e00e9f39ec580063cc949390192b1ca494a7bee7b8aef4b0a2d205ea143b4c31ac9a6c9e1fe76d055bf8ddb84da5

C:\ProgramData\CardWindows\CDevice.exe

MD5 60478b65ab22e759c71f1923edb1bbab
SHA1 4268fc2bf9ff27ec280416b12bb0de96e9ae718d
SHA256 047274a242de93573a5f83fb152554a68dfa12ac877f5f9919dec5e62b70ada0
SHA512 2921917b17de2ef41e10619d86a5a4a34fe9da8d05870135781342a7c6b171827e868f351d9961fa4844bb37a29ab2278d6d38ce231022f820a7310e97669580

memory/3172-171-0x0000000000000000-mapping.dmp

C:\ProgramData\CardWindows\CDevice.exe

MD5 60478b65ab22e759c71f1923edb1bbab
SHA1 4268fc2bf9ff27ec280416b12bb0de96e9ae718d
SHA256 047274a242de93573a5f83fb152554a68dfa12ac877f5f9919dec5e62b70ada0
SHA512 2921917b17de2ef41e10619d86a5a4a34fe9da8d05870135781342a7c6b171827e868f351d9961fa4844bb37a29ab2278d6d38ce231022f820a7310e97669580

memory/3200-168-0x0000000000000000-mapping.dmp

C:\ProgramData\CardWindows\CDevice.exe

MD5 60478b65ab22e759c71f1923edb1bbab
SHA1 4268fc2bf9ff27ec280416b12bb0de96e9ae718d
SHA256 047274a242de93573a5f83fb152554a68dfa12ac877f5f9919dec5e62b70ada0
SHA512 2921917b17de2ef41e10619d86a5a4a34fe9da8d05870135781342a7c6b171827e868f351d9961fa4844bb37a29ab2278d6d38ce231022f820a7310e97669580

memory/4496-174-0x0000000000000000-mapping.dmp

memory/3328-158-0x0000000000000000-mapping.dmp

memory/2116-155-0x0000000000000000-mapping.dmp

memory/4384-176-0x0000000000000000-mapping.dmp

memory/3776-177-0x0000000000000000-mapping.dmp

memory/1932-178-0x0000000000000000-mapping.dmp

C:\ProgramData\CardWindows\CDevice.exe

MD5 60478b65ab22e759c71f1923edb1bbab
SHA1 4268fc2bf9ff27ec280416b12bb0de96e9ae718d
SHA256 047274a242de93573a5f83fb152554a68dfa12ac877f5f9919dec5e62b70ada0
SHA512 2921917b17de2ef41e10619d86a5a4a34fe9da8d05870135781342a7c6b171827e868f351d9961fa4844bb37a29ab2278d6d38ce231022f820a7310e97669580

memory/3836-179-0x0000000000000000-mapping.dmp

C:\ProgramData\CardWindows\CDevice.exe

MD5 60478b65ab22e759c71f1923edb1bbab
SHA1 4268fc2bf9ff27ec280416b12bb0de96e9ae718d
SHA256 047274a242de93573a5f83fb152554a68dfa12ac877f5f9919dec5e62b70ada0
SHA512 2921917b17de2ef41e10619d86a5a4a34fe9da8d05870135781342a7c6b171827e868f351d9961fa4844bb37a29ab2278d6d38ce231022f820a7310e97669580

C:\ProgramData\CardWindows\sysdevices.exe

MD5 271dc5107c866fd480b1256f0ce0e36c
SHA1 0d9c7e060b57a8177664233ad99049963b3fd83b
SHA256 dfa101c21fba688512ef911988e1d72199c1ec5c3571f91da214faa0fac7cba4
SHA512 fb23837f2c69c5f0a938ff3f44a8158321394117c9466a0fa6865fd85914f51970f4afe0873e440e4ad6d502d839cb57c07b502905641dceebeae5eb61143784

C:\ProgramData\CardWindows\vp8encoder.dll

MD5 dab4646806dfca6d0e0b4d80fa9209d6
SHA1 8244dfe22ec2090eee89dad103e6b2002059d16a
SHA256 cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587
SHA512 aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7

C:\ProgramData\CardWindows\vp8decoder.dll

MD5 d43fa82fab5337ce20ad14650085c5d9
SHA1 678aa092075ff65b6815ffc2d8fdc23af8425981
SHA256 c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b
SHA512 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d

C:\ProgramData\CardWindows\Russian.lg

MD5 e44e34bc285b709f08f967325d9c8be1
SHA1 e73f05c6a980ec9d006930c5343955f89579b409
SHA256 1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b
SHA512 576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727

memory/3132-187-0x0000000000000000-mapping.dmp

C:\ProgramData\CardWindows\sysdevices.exe

MD5 271dc5107c866fd480b1256f0ce0e36c
SHA1 0d9c7e060b57a8177664233ad99049963b3fd83b
SHA256 dfa101c21fba688512ef911988e1d72199c1ec5c3571f91da214faa0fac7cba4
SHA512 fb23837f2c69c5f0a938ff3f44a8158321394117c9466a0fa6865fd85914f51970f4afe0873e440e4ad6d502d839cb57c07b502905641dceebeae5eb61143784

C:\ProgramData\CardWindows\sysdevices.exe

MD5 271dc5107c866fd480b1256f0ce0e36c
SHA1 0d9c7e060b57a8177664233ad99049963b3fd83b
SHA256 dfa101c21fba688512ef911988e1d72199c1ec5c3571f91da214faa0fac7cba4
SHA512 fb23837f2c69c5f0a938ff3f44a8158321394117c9466a0fa6865fd85914f51970f4afe0873e440e4ad6d502d839cb57c07b502905641dceebeae5eb61143784

memory/4532-186-0x0000000000000000-mapping.dmp

memory/3656-191-0x0000000000000000-mapping.dmp

C:\ProgramData\CardWindows\SysInstall2.bat

MD5 ad964d1f40f1ab48e26d9ff0bdc01d06
SHA1 073396d19000036396005d9ebf89f40fb481e1e5
SHA256 632b75ab4857c964f8cf1f61efeff7a1bc7583fca3e9fbef9bca768ee227b9ff
SHA512 f671e8bcb42f757d5384c8be7bde6abe18a1196834948ded0634152c4ef0608c972be417082035b7640178d26810fe8dc25b128c1e18d1d343e1b9f9c475d255

C:\ProgramData\CardWindows\SystemCard.dat

MD5 2db0f5ade581516ccd80880197a007ff
SHA1 9dd8379da351d1c8361169d0548a25ad13c14973
SHA256 9b0e0a3cd2e3694bfa85335d8ec3b59a6e92bd37592604a65e32b310b61458d3
SHA512 8fffa0271c81cfd37194e2b405c2b35e949b08eec08e93be5b49d268d9ec4b58aaa9c5038b316589c5ac6444fb969b37a17c71ed8b1665dc3ca56f30b857c103

C:\ProgramData\CardWindows\sysdevices.exe

MD5 271dc5107c866fd480b1256f0ce0e36c
SHA1 0d9c7e060b57a8177664233ad99049963b3fd83b
SHA256 dfa101c21fba688512ef911988e1d72199c1ec5c3571f91da214faa0fac7cba4
SHA512 fb23837f2c69c5f0a938ff3f44a8158321394117c9466a0fa6865fd85914f51970f4afe0873e440e4ad6d502d839cb57c07b502905641dceebeae5eb61143784

memory/372-193-0x0000000000000000-mapping.dmp