Analysis Overview
SHA256
81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db
Threat Level: Known bad
The file 81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db was found to be: Known bad.
Malicious Activity Summary
RMS
Sets file to hidden
Executes dropped EXE
Stops running service(s)
Checks computer location settings
Loads dropped DLL
Checks installed software on the system
Launches sc.exe
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: SetClipboardViewer
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Views/modifies file attributes
Runs .reg file with regedit
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-02 03:37
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-02 03:37
Reported
2022-05-02 03:40
Platform
win7-20220414-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\CardWindows\WinDevInstall.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\start1.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\start.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\Builder.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\Builder2.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\WinUpdate.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\WinUpdate1.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\sysdevices.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\sysdevices.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\sysdevices.exe | N/A |
Sets file to hidden
Stops running service(s)
Loads dropped DLL
Checks installed software on the system
Launches sc.exe
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\sysdevices.exe | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\CardWindows\sysdevices.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
| Image | Command Line |
| C:\Users\Admin\AppData\Local\Temp\81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db.exe | "C:\Users\Admin\AppData\Local\Temp\81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db.exe" |
| C:\ProgramData\CardWindows\WinDevInstall.exe | "C:\ProgramData\CardWindows\WinDevInstall.exe" -p7832489354378589235643543456 |
| C:\ProgramData\CardWindows\start1.exe | "C:\ProgramData\CardWindows\start1.exe" |
| C:\ProgramData\CardWindows\start.exe | "C:\ProgramData\CardWindows\start.exe" |
| C:\ProgramData\CardWindows\Builder.exe | "C:\ProgramData\CardWindows\Builder.exe" |
| C:\ProgramData\CardWindows\Builder2.exe | "C:\ProgramData\CardWindows\Builder2.exe" |
| C:\ProgramData\CardWindows\WinUpdate.exe | "C:\ProgramData\CardWindows\WinUpdate.exe" -p5387687645378674524512345389721228 |
| C:\ProgramData\CardWindows\WinUpdate1.exe | "C:\ProgramData\CardWindows\WinUpdate1.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\ProgramData\CardWindows\SysInstall.bat" " |
| C:\Windows\SysWOW64\attrib.exe | attrib +s +h "C:\ProgramData\CardWindows" |
| C:\Windows\SysWOW64\sc.exe | sc stop RManService |
| C:\Windows\SysWOW64\sc.exe | sc stop VDeviceCard |
| C:\Windows\SysWOW64\sc.exe | sc stop NPackStereo |
| C:\Windows\SysWOW64\sc.exe | sc stop ServiceWork |
| C:\Windows\SysWOW64\sc.exe | sc stop IntelDriver |
| C:\Windows\SysWOW64\sc.exe | sc stop AMIHardware |
| C:\Windows\SysWOW64\sc.exe | sc delete RManService |
| C:\Windows\SysWOW64\sc.exe | sc delete VDeviceCard |
| C:\Windows\SysWOW64\sc.exe | sc delete NPackStereo |
| C:\Windows\SysWOW64\sc.exe | sc delete ServiceWork |
| C:\Windows\SysWOW64\sc.exe | sc delete IntelDriver |
| C:\Windows\SysWOW64\sc.exe | sc delete AMIHardware |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /im rfusclient.exe /f |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /im rutserv.exe /f |
| C:\Windows\SysWOW64\reg.exe | reg delete "HKLM\SYSTEM\Nvidia\Toolbar\DeviceCard" /f |
| C:\Windows\SysWOW64\regedit.exe | regedit /s "C:\ProgramData\CardWindows\config_set.reg" |
| C:\ProgramData\CardWindows\CDevice.exe | "C:\ProgramData\CardWindows\CDevice.exe" /silentinstall |
| C:\ProgramData\CardWindows\CDevice.exe | "C:\ProgramData\CardWindows\CDevice.exe" /firewall |
| C:\Windows\SysWOW64\regedit.exe | regedit /s "C:\ProgramData\CardWindows\config_set.reg" |
| C:\Windows\SysWOW64\sc.exe | sc failure VDeviceCard reset= 0 actions= restart/500/restart/500/restart/500 |
| C:\Windows\SysWOW64\sc.exe | sc config VDeviceCard obj= LocalSystem type= interact type= own |
| C:\ProgramData\CardWindows\CDevice.exe | "C:\ProgramData\CardWindows\CDevice.exe" /start |
| C:\ProgramData\CardWindows\CDevice.exe | C:\ProgramData\CardWindows\CDevice.exe |
| C:\ProgramData\CardWindows\sysdevices.exe | C:\ProgramData\CardWindows\sysdevices.exe |
| C:\ProgramData\CardWindows\sysdevices.exe | C:\ProgramData\CardWindows\sysdevices.exe /tray |
| C:\Windows\SysWOW64\attrib.exe | attrib +s +h "C:\ProgramData\CardWindows\*.*" |
| C:\ProgramData\CardWindows\sysdevices.exe | C:\ProgramData\CardWindows\sysdevices.exe /tray |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rmansys.ru | udp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| RU | 31.31.198.18:80 | rmansys.ru | tcp |
| US | 8.8.8.8:53 | rms-server.tektonit.ru | udp |
| RU | 95.213.205.83:5655 | rms-server.tektonit.ru | tcp |
Files
memory/1660-54-0x0000000076781000-0x0000000076783000-memory.dmp
\ProgramData\CardWindows\WinDevInstall.exe
| MD5 | b5c5f94914900ea67536aabfeb7b43d4 |
| SHA1 | c528252e3419dafbe43699455d16f4f73143e0ad |
| SHA256 | accb85af56237053f2a159a7b52f22379609e10033a51e7d69cf106ce3df5962 |
| SHA512 | 541cc5a660199def0c7f69d717ceef36d94b9b640eca7f1516deb0beb67c576a80c2c8227266ed5c3ff774b1e947dbe4ab77fafd5736e6deef79392405e77b6f |
memory/1668-56-0x0000000000000000-mapping.dmp
C:\ProgramData\CardWindows\WinDevInstall.exe
| MD5 | b5c5f94914900ea67536aabfeb7b43d4 |
| SHA1 | c528252e3419dafbe43699455d16f4f73143e0ad |
| SHA256 | accb85af56237053f2a159a7b52f22379609e10033a51e7d69cf106ce3df5962 |
| SHA512 | 541cc5a660199def0c7f69d717ceef36d94b9b640eca7f1516deb0beb67c576a80c2c8227266ed5c3ff774b1e947dbe4ab77fafd5736e6deef79392405e77b6f |
C:\ProgramData\CardWindows\WinDevInstall.exe
| MD5 | b5c5f94914900ea67536aabfeb7b43d4 |
| SHA1 | c528252e3419dafbe43699455d16f4f73143e0ad |
| SHA256 | accb85af56237053f2a159a7b52f22379609e10033a51e7d69cf106ce3df5962 |
| SHA512 | 541cc5a660199def0c7f69d717ceef36d94b9b640eca7f1516deb0beb67c576a80c2c8227266ed5c3ff774b1e947dbe4ab77fafd5736e6deef79392405e77b6f |
\ProgramData\CardWindows\start1.exe
| MD5 | 8c83dc3eb8124dd9cdaa95a0a1ad45d4 |
| SHA1 | 9428c90a79281d5dc84205e435833f0c75f4ae3c |
| SHA256 | 35c5a75bce725f0132ebd59c5c8f090df3f0fb70e8f0f83cad8f9983a58a887b |
| SHA512 | f2a1856ad6189fd189d64922e80201957f19601f05783a1b5543bb62f4e2921074a3dc522bf4b4307ea1ac2f1e2e18de9384d86a721073a332d75ac309c82d5d |
\ProgramData\CardWindows\start1.exe
| MD5 | 8c83dc3eb8124dd9cdaa95a0a1ad45d4 |
| SHA1 | 9428c90a79281d5dc84205e435833f0c75f4ae3c |
| SHA256 | 35c5a75bce725f0132ebd59c5c8f090df3f0fb70e8f0f83cad8f9983a58a887b |
| SHA512 | f2a1856ad6189fd189d64922e80201957f19601f05783a1b5543bb62f4e2921074a3dc522bf4b4307ea1ac2f1e2e18de9384d86a721073a332d75ac309c82d5d |
\ProgramData\CardWindows\start1.exe
| MD5 | 8c83dc3eb8124dd9cdaa95a0a1ad45d4 |
| SHA1 | 9428c90a79281d5dc84205e435833f0c75f4ae3c |
| SHA256 | 35c5a75bce725f0132ebd59c5c8f090df3f0fb70e8f0f83cad8f9983a58a887b |
| SHA512 | f2a1856ad6189fd189d64922e80201957f19601f05783a1b5543bb62f4e2921074a3dc522bf4b4307ea1ac2f1e2e18de9384d86a721073a332d75ac309c82d5d |
memory/672-63-0x0000000000000000-mapping.dmp
C:\ProgramData\CardWindows\start1.exe
| MD5 | 8c83dc3eb8124dd9cdaa95a0a1ad45d4 |
| SHA1 | 9428c90a79281d5dc84205e435833f0c75f4ae3c |
| SHA256 | 35c5a75bce725f0132ebd59c5c8f090df3f0fb70e8f0f83cad8f9983a58a887b |
| SHA512 | f2a1856ad6189fd189d64922e80201957f19601f05783a1b5543bb62f4e2921074a3dc522bf4b4307ea1ac2f1e2e18de9384d86a721073a332d75ac309c82d5d |
C:\ProgramData\CardWindows\start.exe
| MD5 | 483f4c651d50fa46af3cd4b0abb8a480 |
| SHA1 | 1ccdb6d6b274b66cfe2ccfc3458bd9e0cd47151a |
| SHA256 | dd8a5dbd5fa017c4c77966617ca23bf6c1eca9131d8c56a09a3599f4617da24f |
| SHA512 | 7ccb9c432c897c2ec589f73a895b77e89d5e87e9b7dbe718eec64e35c3adafe016b9a58c50b03b8f2519ee6eb77ba4c4513a32f2dcce5e09cab1def0c1930ee0 |
\ProgramData\CardWindows\start1.exe
| MD5 | 8c83dc3eb8124dd9cdaa95a0a1ad45d4 |
| SHA1 | 9428c90a79281d5dc84205e435833f0c75f4ae3c |
| SHA256 | 35c5a75bce725f0132ebd59c5c8f090df3f0fb70e8f0f83cad8f9983a58a887b |
| SHA512 | f2a1856ad6189fd189d64922e80201957f19601f05783a1b5543bb62f4e2921074a3dc522bf4b4307ea1ac2f1e2e18de9384d86a721073a332d75ac309c82d5d |
C:\ProgramData\CardWindows\start1.exe
| MD5 | 8c83dc3eb8124dd9cdaa95a0a1ad45d4 |
| SHA1 | 9428c90a79281d5dc84205e435833f0c75f4ae3c |
| SHA256 | 35c5a75bce725f0132ebd59c5c8f090df3f0fb70e8f0f83cad8f9983a58a887b |
| SHA512 | f2a1856ad6189fd189d64922e80201957f19601f05783a1b5543bb62f4e2921074a3dc522bf4b4307ea1ac2f1e2e18de9384d86a721073a332d75ac309c82d5d |
\ProgramData\CardWindows\start.exe
| MD5 | 483f4c651d50fa46af3cd4b0abb8a480 |
| SHA1 | 1ccdb6d6b274b66cfe2ccfc3458bd9e0cd47151a |
| SHA256 | dd8a5dbd5fa017c4c77966617ca23bf6c1eca9131d8c56a09a3599f4617da24f |
| SHA512 | 7ccb9c432c897c2ec589f73a895b77e89d5e87e9b7dbe718eec64e35c3adafe016b9a58c50b03b8f2519ee6eb77ba4c4513a32f2dcce5e09cab1def0c1930ee0 |
memory/788-70-0x0000000000000000-mapping.dmp
C:\ProgramData\CardWindows\start.exe
| MD5 | 483f4c651d50fa46af3cd4b0abb8a480 |
| SHA1 | 1ccdb6d6b274b66cfe2ccfc3458bd9e0cd47151a |
| SHA256 | dd8a5dbd5fa017c4c77966617ca23bf6c1eca9131d8c56a09a3599f4617da24f |
| SHA512 | 7ccb9c432c897c2ec589f73a895b77e89d5e87e9b7dbe718eec64e35c3adafe016b9a58c50b03b8f2519ee6eb77ba4c4513a32f2dcce5e09cab1def0c1930ee0 |
C:\ProgramData\CardWindows\Builder.exe
| MD5 | 2f92eed4e2061af0961f379e9ded70d6 |
| SHA1 | 8b58dcd428759d3633a14bcfc62a8cb6deb66de5 |
| SHA256 | 52cad2ada36a7a4b8d5e653cfe1854d32210ef198561e4cf53ea1c4e5ebbb84f |
| SHA512 | 909561ad25f5a4af7360004a6b259bdb70dfad4ced7fe0f39a72ed61f421bc943dce9c7215634ed12284811f36d9a5bae8d1f439412a94bbbd4c24cb4f4962ac |
\ProgramData\CardWindows\start.exe
| MD5 | 483f4c651d50fa46af3cd4b0abb8a480 |
| SHA1 | 1ccdb6d6b274b66cfe2ccfc3458bd9e0cd47151a |
| SHA256 | dd8a5dbd5fa017c4c77966617ca23bf6c1eca9131d8c56a09a3599f4617da24f |
| SHA512 | 7ccb9c432c897c2ec589f73a895b77e89d5e87e9b7dbe718eec64e35c3adafe016b9a58c50b03b8f2519ee6eb77ba4c4513a32f2dcce5e09cab1def0c1930ee0 |
\ProgramData\CardWindows\Builder.exe
| MD5 | 2f92eed4e2061af0961f379e9ded70d6 |
| SHA1 | 8b58dcd428759d3633a14bcfc62a8cb6deb66de5 |
| SHA256 | 52cad2ada36a7a4b8d5e653cfe1854d32210ef198561e4cf53ea1c4e5ebbb84f |
| SHA512 | 909561ad25f5a4af7360004a6b259bdb70dfad4ced7fe0f39a72ed61f421bc943dce9c7215634ed12284811f36d9a5bae8d1f439412a94bbbd4c24cb4f4962ac |
\ProgramData\CardWindows\Builder.exe
| MD5 | 2f92eed4e2061af0961f379e9ded70d6 |
| SHA1 | 8b58dcd428759d3633a14bcfc62a8cb6deb66de5 |
| SHA256 | 52cad2ada36a7a4b8d5e653cfe1854d32210ef198561e4cf53ea1c4e5ebbb84f |
| SHA512 | 909561ad25f5a4af7360004a6b259bdb70dfad4ced7fe0f39a72ed61f421bc943dce9c7215634ed12284811f36d9a5bae8d1f439412a94bbbd4c24cb4f4962ac |
memory/636-77-0x0000000000000000-mapping.dmp
C:\ProgramData\CardWindows\Builder.exe
| MD5 | 2f92eed4e2061af0961f379e9ded70d6 |
| SHA1 | 8b58dcd428759d3633a14bcfc62a8cb6deb66de5 |
| SHA256 | 52cad2ada36a7a4b8d5e653cfe1854d32210ef198561e4cf53ea1c4e5ebbb84f |
| SHA512 | 909561ad25f5a4af7360004a6b259bdb70dfad4ced7fe0f39a72ed61f421bc943dce9c7215634ed12284811f36d9a5bae8d1f439412a94bbbd4c24cb4f4962ac |
\ProgramData\CardWindows\Builder2.exe
| MD5 | 5bc1cdb63ab6345843d7254ee51eb3cd |
| SHA1 | 54b5ec6185bbb3d33c17fd24c6143cf9372168b2 |
| SHA256 | 5e0c07ccca39ab7e0d5a59d7f71b79a6c786a9ef65e3c53f1934016bf490d2ae |
| SHA512 | 6768769a22e4075eb3c2bbe8784e3eea79f0d2b709f43627742adc9b6610ed0f3d4f7327e6d10f898f68e7bf808c540c76ae2098b803ff784a829066151b980d |
C:\ProgramData\CardWindows\Builder2.exe
| MD5 | 5bc1cdb63ab6345843d7254ee51eb3cd |
| SHA1 | 54b5ec6185bbb3d33c17fd24c6143cf9372168b2 |
| SHA256 | 5e0c07ccca39ab7e0d5a59d7f71b79a6c786a9ef65e3c53f1934016bf490d2ae |
| SHA512 | 6768769a22e4075eb3c2bbe8784e3eea79f0d2b709f43627742adc9b6610ed0f3d4f7327e6d10f898f68e7bf808c540c76ae2098b803ff784a829066151b980d |
\ProgramData\CardWindows\Builder2.exe
| MD5 | 5bc1cdb63ab6345843d7254ee51eb3cd |
| SHA1 | 54b5ec6185bbb3d33c17fd24c6143cf9372168b2 |
| SHA256 | 5e0c07ccca39ab7e0d5a59d7f71b79a6c786a9ef65e3c53f1934016bf490d2ae |
| SHA512 | 6768769a22e4075eb3c2bbe8784e3eea79f0d2b709f43627742adc9b6610ed0f3d4f7327e6d10f898f68e7bf808c540c76ae2098b803ff784a829066151b980d |
memory/308-83-0x0000000000000000-mapping.dmp
C:\ProgramData\CardWindows\WinUpdate.exe
| MD5 | 436658cb9c13960ecdb332ec02cc1388 |
| SHA1 | 33c6b18a1a0ef78fbc9496893dd32bbce7fd47ff |
| SHA256 | ba83d27a14161c57f58bed535843fc3cd64b39853e787b01e73517360e9923a7 |
| SHA512 | 231b82bb53ef894b1907a0c644dc9ec7a6267783193310f97200be37beb1805462fa834bc7e46b7e3c03e149602169373549c6e937744e9fdd9e56a34e731ab4 |
C:\ProgramData\CardWindows\Builder2.exe
| MD5 | 5bc1cdb63ab6345843d7254ee51eb3cd |
| SHA1 | 54b5ec6185bbb3d33c17fd24c6143cf9372168b2 |
| SHA256 | 5e0c07ccca39ab7e0d5a59d7f71b79a6c786a9ef65e3c53f1934016bf490d2ae |
| SHA512 | 6768769a22e4075eb3c2bbe8784e3eea79f0d2b709f43627742adc9b6610ed0f3d4f7327e6d10f898f68e7bf808c540c76ae2098b803ff784a829066151b980d |
memory/1740-88-0x0000000000000000-mapping.dmp
\ProgramData\CardWindows\WinUpdate.exe
| MD5 | 436658cb9c13960ecdb332ec02cc1388 |
| SHA1 | 33c6b18a1a0ef78fbc9496893dd32bbce7fd47ff |
| SHA256 | ba83d27a14161c57f58bed535843fc3cd64b39853e787b01e73517360e9923a7 |
| SHA512 | 231b82bb53ef894b1907a0c644dc9ec7a6267783193310f97200be37beb1805462fa834bc7e46b7e3c03e149602169373549c6e937744e9fdd9e56a34e731ab4 |
C:\ProgramData\CardWindows\WinUpdate.exe
| MD5 | 436658cb9c13960ecdb332ec02cc1388 |
| SHA1 | 33c6b18a1a0ef78fbc9496893dd32bbce7fd47ff |
| SHA256 | ba83d27a14161c57f58bed535843fc3cd64b39853e787b01e73517360e9923a7 |
| SHA512 | 231b82bb53ef894b1907a0c644dc9ec7a6267783193310f97200be37beb1805462fa834bc7e46b7e3c03e149602169373549c6e937744e9fdd9e56a34e731ab4 |
\ProgramData\CardWindows\WinUpdate1.exe
| MD5 | a36f89d64e0de0fe14ba911713df29eb |
| SHA1 | 7d700fa255f32aa37b82dc59826cf35300b250d4 |
| SHA256 | d1deecb8f672e32316a71444f1500be8381f64741445f138704876274e131a1c |
| SHA512 | 55ac398815ce5e00e18a839f0d12984488e6ee4e1eb69396a6bc01e12a86bc3256308f164cd52d5b6c733c77cb18f008a03921c831c62fd0d4d0a7b7184a6e57 |
\ProgramData\CardWindows\WinUpdate1.exe
| MD5 | a36f89d64e0de0fe14ba911713df29eb |
| SHA1 | 7d700fa255f32aa37b82dc59826cf35300b250d4 |
| SHA256 | d1deecb8f672e32316a71444f1500be8381f64741445f138704876274e131a1c |
| SHA512 | 55ac398815ce5e00e18a839f0d12984488e6ee4e1eb69396a6bc01e12a86bc3256308f164cd52d5b6c733c77cb18f008a03921c831c62fd0d4d0a7b7184a6e57 |
\ProgramData\CardWindows\WinUpdate1.exe
| MD5 | a36f89d64e0de0fe14ba911713df29eb |
| SHA1 | 7d700fa255f32aa37b82dc59826cf35300b250d4 |
| SHA256 | d1deecb8f672e32316a71444f1500be8381f64741445f138704876274e131a1c |
| SHA512 | 55ac398815ce5e00e18a839f0d12984488e6ee4e1eb69396a6bc01e12a86bc3256308f164cd52d5b6c733c77cb18f008a03921c831c62fd0d4d0a7b7184a6e57 |
C:\ProgramData\CardWindows\WinUpdate1.exe
| MD5 | a36f89d64e0de0fe14ba911713df29eb |
| SHA1 | 7d700fa255f32aa37b82dc59826cf35300b250d4 |
| SHA256 | d1deecb8f672e32316a71444f1500be8381f64741445f138704876274e131a1c |
| SHA512 | 55ac398815ce5e00e18a839f0d12984488e6ee4e1eb69396a6bc01e12a86bc3256308f164cd52d5b6c733c77cb18f008a03921c831c62fd0d4d0a7b7184a6e57 |
memory/1252-94-0x0000000000000000-mapping.dmp
C:\ProgramData\CardWindows\WinUpdate1.exe
| MD5 | a36f89d64e0de0fe14ba911713df29eb |
| SHA1 | 7d700fa255f32aa37b82dc59826cf35300b250d4 |
| SHA256 | d1deecb8f672e32316a71444f1500be8381f64741445f138704876274e131a1c |
| SHA512 | 55ac398815ce5e00e18a839f0d12984488e6ee4e1eb69396a6bc01e12a86bc3256308f164cd52d5b6c733c77cb18f008a03921c831c62fd0d4d0a7b7184a6e57 |
\ProgramData\CardWindows\WinUpdate1.exe
| MD5 | a36f89d64e0de0fe14ba911713df29eb |
| SHA1 | 7d700fa255f32aa37b82dc59826cf35300b250d4 |
| SHA256 | d1deecb8f672e32316a71444f1500be8381f64741445f138704876274e131a1c |
| SHA512 | 55ac398815ce5e00e18a839f0d12984488e6ee4e1eb69396a6bc01e12a86bc3256308f164cd52d5b6c733c77cb18f008a03921c831c62fd0d4d0a7b7184a6e57 |
memory/1136-100-0x0000000000000000-mapping.dmp
C:\ProgramData\CardWindows\SysInstall.bat
| MD5 | a00d1b7d978dcd3728e14c3f0e2386df |
| SHA1 | 596deee85bd6521c9d3fb7ffe3654aa0b386e9ed |
| SHA256 | 00baf3f49d72d9ae56cd5dbfbcd0a3a87b88ae3e768cbfe8a77769fd443a1cd5 |
| SHA512 | fe8a3752ba3bfddeb979f0a3cb8787218525057b873481f24169c6629851f862059ceb1cc52ed03f6b1bea87866833a107226b6a1a5ab969b959de0d56987c80 |
memory/1964-102-0x0000000000000000-mapping.dmp
memory/588-104-0x0000000000000000-mapping.dmp
memory/1244-106-0x0000000000000000-mapping.dmp
memory/1620-108-0x0000000000000000-mapping.dmp
memory/1724-110-0x0000000000000000-mapping.dmp
memory/1560-112-0x0000000000000000-mapping.dmp
memory/1984-113-0x0000000000000000-mapping.dmp
memory/960-115-0x0000000000000000-mapping.dmp
memory/1608-117-0x0000000000000000-mapping.dmp
memory/2016-119-0x0000000000000000-mapping.dmp
memory/1692-121-0x0000000000000000-mapping.dmp
memory/524-123-0x0000000000000000-mapping.dmp
memory/1892-125-0x0000000000000000-mapping.dmp
memory/848-127-0x0000000000000000-mapping.dmp
memory/108-129-0x0000000000000000-mapping.dmp
memory/1464-131-0x0000000000000000-mapping.dmp
memory/1980-133-0x0000000000000000-mapping.dmp
C:\ProgramData\CardWindows\config_set.reg
| MD5 | 864e25c17d596e0baf577189a9cf0295 |
| SHA1 | 94e915da3e683faf54945b86939d2bfb2abd70c5 |
| SHA256 | 79ab503fa5c9a7e128f50c07e0dd1e1c078a0034d01956267f0040edae0295a5 |
| SHA512 | d37489135043adf202be19df80c36c7429e7e00e9f39ec580063cc949390192b1ca494a7bee7b8aef4b0a2d205ea143b4c31ac9a6c9e1fe76d055bf8ddb84da5 |
memory/1648-138-0x0000000000000000-mapping.dmp
C:\ProgramData\CardWindows\CDevice.exe
| MD5 | 60478b65ab22e759c71f1923edb1bbab |
| SHA1 | 4268fc2bf9ff27ec280416b12bb0de96e9ae718d |
| SHA256 | 047274a242de93573a5f83fb152554a68dfa12ac877f5f9919dec5e62b70ada0 |
| SHA512 | 2921917b17de2ef41e10619d86a5a4a34fe9da8d05870135781342a7c6b171827e868f351d9961fa4844bb37a29ab2278d6d38ce231022f820a7310e97669580 |
C:\ProgramData\CardWindows\CDevice.exe
| MD5 | 60478b65ab22e759c71f1923edb1bbab |
| SHA1 | 4268fc2bf9ff27ec280416b12bb0de96e9ae718d |
| SHA256 | 047274a242de93573a5f83fb152554a68dfa12ac877f5f9919dec5e62b70ada0 |
| SHA512 | 2921917b17de2ef41e10619d86a5a4a34fe9da8d05870135781342a7c6b171827e868f351d9961fa4844bb37a29ab2278d6d38ce231022f820a7310e97669580 |
\ProgramData\CardWindows\CDevice.exe
| MD5 | 60478b65ab22e759c71f1923edb1bbab |
| SHA1 | 4268fc2bf9ff27ec280416b12bb0de96e9ae718d |
| SHA256 | 047274a242de93573a5f83fb152554a68dfa12ac877f5f9919dec5e62b70ada0 |
| SHA512 | 2921917b17de2ef41e10619d86a5a4a34fe9da8d05870135781342a7c6b171827e868f351d9961fa4844bb37a29ab2278d6d38ce231022f820a7310e97669580 |
\ProgramData\CardWindows\CDevice.exe
| MD5 | 60478b65ab22e759c71f1923edb1bbab |
| SHA1 | 4268fc2bf9ff27ec280416b12bb0de96e9ae718d |
| SHA256 | 047274a242de93573a5f83fb152554a68dfa12ac877f5f9919dec5e62b70ada0 |
| SHA512 | 2921917b17de2ef41e10619d86a5a4a34fe9da8d05870135781342a7c6b171827e868f351d9961fa4844bb37a29ab2278d6d38ce231022f820a7310e97669580 |
memory/1056-142-0x0000000000000000-mapping.dmp
C:\ProgramData\CardWindows\CDevice.exe
| MD5 | 60478b65ab22e759c71f1923edb1bbab |
| SHA1 | 4268fc2bf9ff27ec280416b12bb0de96e9ae718d |
| SHA256 | 047274a242de93573a5f83fb152554a68dfa12ac877f5f9919dec5e62b70ada0 |
| SHA512 | 2921917b17de2ef41e10619d86a5a4a34fe9da8d05870135781342a7c6b171827e868f351d9961fa4844bb37a29ab2278d6d38ce231022f820a7310e97669580 |
memory/580-145-0x0000000000000000-mapping.dmp
memory/1420-147-0x0000000000000000-mapping.dmp
memory/1380-149-0x0000000000000000-mapping.dmp
\ProgramData\CardWindows\CDevice.exe
| MD5 | 60478b65ab22e759c71f1923edb1bbab |
| SHA1 | 4268fc2bf9ff27ec280416b12bb0de96e9ae718d |
| SHA256 | 047274a242de93573a5f83fb152554a68dfa12ac877f5f9919dec5e62b70ada0 |
| SHA512 | 2921917b17de2ef41e10619d86a5a4a34fe9da8d05870135781342a7c6b171827e868f351d9961fa4844bb37a29ab2278d6d38ce231022f820a7310e97669580 |
memory/1840-152-0x0000000000000000-mapping.dmp
C:\ProgramData\CardWindows\CDevice.exe
| MD5 | 60478b65ab22e759c71f1923edb1bbab |
| SHA1 | 4268fc2bf9ff27ec280416b12bb0de96e9ae718d |
| SHA256 | 047274a242de93573a5f83fb152554a68dfa12ac877f5f9919dec5e62b70ada0 |
| SHA512 | 2921917b17de2ef41e10619d86a5a4a34fe9da8d05870135781342a7c6b171827e868f351d9961fa4844bb37a29ab2278d6d38ce231022f820a7310e97669580 |
C:\ProgramData\CardWindows\CDevice.exe
| MD5 | 60478b65ab22e759c71f1923edb1bbab |
| SHA1 | 4268fc2bf9ff27ec280416b12bb0de96e9ae718d |
| SHA256 | 047274a242de93573a5f83fb152554a68dfa12ac877f5f9919dec5e62b70ada0 |
| SHA512 | 2921917b17de2ef41e10619d86a5a4a34fe9da8d05870135781342a7c6b171827e868f351d9961fa4844bb37a29ab2278d6d38ce231022f820a7310e97669580 |
C:\ProgramData\CardWindows\Russian.lg
| MD5 | e44e34bc285b709f08f967325d9c8be1 |
| SHA1 | e73f05c6a980ec9d006930c5343955f89579b409 |
| SHA256 | 1d99a7b5f7b3daa61fa773972b1e335aa09b92411484f6ddc99d2b2894455a5b |
| SHA512 | 576b292b6e9cf022822443e050994462a6cbd9a3c60063bae9f54c78a84e75e17bb5eddf7e259a22a9d93f757cb6536c503762e2a30e75091e40c2756cde8727 |
C:\ProgramData\CardWindows\sysdevices.exe
| MD5 | 271dc5107c866fd480b1256f0ce0e36c |
| SHA1 | 0d9c7e060b57a8177664233ad99049963b3fd83b |
| SHA256 | dfa101c21fba688512ef911988e1d72199c1ec5c3571f91da214faa0fac7cba4 |
| SHA512 | fb23837f2c69c5f0a938ff3f44a8158321394117c9466a0fa6865fd85914f51970f4afe0873e440e4ad6d502d839cb57c07b502905641dceebeae5eb61143784 |
C:\ProgramData\CardWindows\vp8encoder.dll
| MD5 | dab4646806dfca6d0e0b4d80fa9209d6 |
| SHA1 | 8244dfe22ec2090eee89dad103e6b2002059d16a |
| SHA256 | cb6ef96d3a66ef08ec2c8640b751a52d6d4f4530cf01162a69966f0fd5153587 |
| SHA512 | aa5eb93bf23a10de797d6fb52a55a95d36bc48927c76fedd81e0c48872745cb7f7d1b3f230eaae42fd4e79b6a59ca707e56bd6963b03644cbd5984f11e98d6e7 |
C:\ProgramData\CardWindows\vp8decoder.dll
| MD5 | d43fa82fab5337ce20ad14650085c5d9 |
| SHA1 | 678aa092075ff65b6815ffc2d8fdc23af8425981 |
| SHA256 | c022958429edd94bfe31f2eacfe24ff6b45d6f12747725c449a36116373de03b |
| SHA512 | 103e61a9f58df03316676a074487e50ec518479c11068df3736df139b85c7671048c65bce0ef2c55b3c50c61fde54e9e6c7d1b795aea71263ae94c91d4874e0d |
\ProgramData\CardWindows\sysdevices.exe
| MD5 | 271dc5107c866fd480b1256f0ce0e36c |
| SHA1 | 0d9c7e060b57a8177664233ad99049963b3fd83b |
| SHA256 | dfa101c21fba688512ef911988e1d72199c1ec5c3571f91da214faa0fac7cba4 |
| SHA512 | fb23837f2c69c5f0a938ff3f44a8158321394117c9466a0fa6865fd85914f51970f4afe0873e440e4ad6d502d839cb57c07b502905641dceebeae5eb61143784 |
\ProgramData\CardWindows\sysdevices.exe
| MD5 | 271dc5107c866fd480b1256f0ce0e36c |
| SHA1 | 0d9c7e060b57a8177664233ad99049963b3fd83b |
| SHA256 | dfa101c21fba688512ef911988e1d72199c1ec5c3571f91da214faa0fac7cba4 |
| SHA512 | fb23837f2c69c5f0a938ff3f44a8158321394117c9466a0fa6865fd85914f51970f4afe0873e440e4ad6d502d839cb57c07b502905641dceebeae5eb61143784 |
C:\ProgramData\CardWindows\sysdevices.exe
| MD5 | 271dc5107c866fd480b1256f0ce0e36c |
| SHA1 | 0d9c7e060b57a8177664233ad99049963b3fd83b |
| SHA256 | dfa101c21fba688512ef911988e1d72199c1ec5c3571f91da214faa0fac7cba4 |
| SHA512 | fb23837f2c69c5f0a938ff3f44a8158321394117c9466a0fa6865fd85914f51970f4afe0873e440e4ad6d502d839cb57c07b502905641dceebeae5eb61143784 |
C:\ProgramData\CardWindows\sysdevices.exe
| MD5 | 271dc5107c866fd480b1256f0ce0e36c |
| SHA1 | 0d9c7e060b57a8177664233ad99049963b3fd83b |
| SHA256 | dfa101c21fba688512ef911988e1d72199c1ec5c3571f91da214faa0fac7cba4 |
| SHA512 | fb23837f2c69c5f0a938ff3f44a8158321394117c9466a0fa6865fd85914f51970f4afe0873e440e4ad6d502d839cb57c07b502905641dceebeae5eb61143784 |
memory/1760-163-0x0000000000000000-mapping.dmp
memory/2032-164-0x0000000000000000-mapping.dmp
memory/1892-170-0x0000000000000000-mapping.dmp
C:\ProgramData\CardWindows\SysInstall2.bat
| MD5 | ad964d1f40f1ab48e26d9ff0bdc01d06 |
| SHA1 | 073396d19000036396005d9ebf89f40fb481e1e5 |
| SHA256 | 632b75ab4857c964f8cf1f61efeff7a1bc7583fca3e9fbef9bca768ee227b9ff |
| SHA512 | f671e8bcb42f757d5384c8be7bde6abe18a1196834948ded0634152c4ef0608c972be417082035b7640178d26810fe8dc25b128c1e18d1d343e1b9f9c475d255 |
C:\ProgramData\CardWindows\SystemCard.dat
| MD5 | 2db0f5ade581516ccd80880197a007ff |
| SHA1 | 9dd8379da351d1c8361169d0548a25ad13c14973 |
| SHA256 | 9b0e0a3cd2e3694bfa85335d8ec3b59a6e92bd37592604a65e32b310b61458d3 |
| SHA512 | 8fffa0271c81cfd37194e2b405c2b35e949b08eec08e93be5b49d268d9ec4b58aaa9c5038b316589c5ac6444fb969b37a17c71ed8b1665dc3ca56f30b857c103 |
memory/1976-173-0x0000000000000000-mapping.dmp
C:\ProgramData\CardWindows\sysdevices.exe
| MD5 | 271dc5107c866fd480b1256f0ce0e36c |
| SHA1 | 0d9c7e060b57a8177664233ad99049963b3fd83b |
| SHA256 | dfa101c21fba688512ef911988e1d72199c1ec5c3571f91da214faa0fac7cba4 |
| SHA512 | fb23837f2c69c5f0a938ff3f44a8158321394117c9466a0fa6865fd85914f51970f4afe0873e440e4ad6d502d839cb57c07b502905641dceebeae5eb61143784 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-02 03:37
Reported
2022-05-02 03:40
Platform
win10v2004-20220414-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
RMS
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\CardWindows\WinDevInstall.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\start1.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\start.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\Builder.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\Builder2.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\WinUpdate.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\WinUpdate1.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\sysdevices.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\sysdevices.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\sysdevices.exe | N/A |
Sets file to hidden
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\ProgramData\CardWindows\WinDevInstall.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\ProgramData\CardWindows\start1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\ProgramData\CardWindows\start.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\ProgramData\CardWindows\WinUpdate.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\ProgramData\CardWindows\WinUpdate1.exe | N/A |
Checks installed software on the system
Launches sc.exe
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\sysdevices.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\sysdevices.exe | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\CardWindows\sysdevices.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\CardWindows\start1.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\start.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\Builder.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\Builder2.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\WinUpdate.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\WinUpdate1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
| N/A | N/A | C:\ProgramData\CardWindows\CDevice.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db.exe
"C:\Users\Admin\AppData\Local\Temp\81b4c8939929fd7098ebbbed373e56da265398a1f42e9da1dfcc239f1e8f77db.exe"
C:\ProgramData\CardWindows\WinDevInstall.exe
"C:\ProgramData\CardWindows\WinDevInstall.exe" -p7832489354378589235643543456
C:\ProgramData\CardWindows\start1.exe
"C:\ProgramData\CardWindows\start1.exe"
C:\ProgramData\CardWindows\start.exe
"C:\ProgramData\CardWindows\start.exe"
C:\ProgramData\CardWindows\Builder.exe
"C:\ProgramData\CardWindows\Builder.exe"
C:\ProgramData\CardWindows\Builder2.exe
"C:\ProgramData\CardWindows\Builder2.exe"
C:\ProgramData\CardWindows\WinUpdate.exe
"C:\ProgramData\CardWindows\WinUpdate.exe" -p5387687645378674524512345389721228
C:\ProgramData\CardWindows\WinUpdate1.exe
"C:\ProgramData\CardWindows\WinUpdate1.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\CardWindows\SysInstall.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\ProgramData\CardWindows"
C:\Windows\SysWOW64\sc.exe
sc delete NPackStereo
C:\Windows\SysWOW64\taskkill.exe
taskkill /im rfusclient.exe /f
C:\Windows\SysWOW64\sc.exe
sc delete AMIHardware
C:\Windows\SysWOW64\sc.exe
sc delete IntelDriver
C:\Windows\SysWOW64\taskkill.exe
taskkill /im rutserv.exe /f
C:\Windows\SysWOW64\sc.exe
sc delete ServiceWork
C:\Windows\SysWOW64\sc.exe
sc delete VDeviceCard
C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\ProgramData\CardWindows\config_set.reg"
C:\ProgramData\CardWindows\CDevice.exe
"C:\ProgramData\CardWindows\CDevice.exe" /silentinstall
C:\Windows\SysWOW64\reg.exe
reg delete "HKLM\SYSTEM\Nvidia\Toolbar\DeviceCard" /f
C:\Windows\SysWOW64\sc.exe
sc delete RManService
C:\Windows\SysWOW64\sc.exe
sc stop AMIHardware
C:\ProgramData\CardWindows\CDevice.exe
"C:\ProgramData\CardWindows\CDevice.exe" /firewall
C:\Windows\SysWOW64\sc.exe
sc stop IntelDriver
C:\Windows\SysWOW64\sc.exe
sc stop ServiceWork
C:\Windows\SysWOW64\sc.exe
sc stop NPackStereo
C:\Windows\SysWOW64\sc.exe
sc stop VDeviceCard
C:\Windows\SysWOW64\sc.exe
sc stop RManService
C:\Windows\SysWOW64\regedit.exe
regedit /s "C:\ProgramData\CardWindows\config_set.reg"
C:\Windows\SysWOW64\sc.exe
sc failure VDeviceCard reset= 0 actions= restart/500/restart/500/restart/500
C:\ProgramData\CardWindows\CDevice.exe
"C:\ProgramData\CardWindows\CDevice.exe" /start
C:\ProgramData\CardWindows\CDevice.exe
C:\ProgramData\CardWindows\CDevice.exe
C:\Windows\SysWOW64\sc.exe
sc config VDeviceCard obj= LocalSystem type= interact type= own
C:\ProgramData\CardWindows\sysdevices.exe
C:\ProgramData\CardWindows\sysdevices.exe /tray
C:\ProgramData\CardWindows\sysdevices.exe
C:\ProgramData\CardWindows\sysdevices.exe
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\ProgramData\CardWindows\*.*"
C:\ProgramData\CardWindows\sysdevices.exe
C:\ProgramData\CardWindows\sysdevices.exe /tray
Network
Files
C:\ProgramData\CardWindows\WinDevInstall.exe
C:\ProgramData\CardWindows\start1.exe
C:\ProgramData\CardWindows\start.exe
C:\ProgramData\CardWindows\Builder.exe
C:\ProgramData\CardWindows\WinUpdate.exe
C:\ProgramData\CardWindows\Builder2.exe
C:\ProgramData\CardWindows\WinUpdate1.exe
C:\ProgramData\CardWindows\SysInstall.bat
C:\ProgramData\CardWindows\config_set.reg
C:\ProgramData\CardWindows\CDevice.exe
C:\ProgramData\CardWindows\sysdevices.exe
C:\ProgramData\CardWindows\vp8encoder.dll
C:\ProgramData\CardWindows\vp8decoder.dll
C:\ProgramData\CardWindows\Russian.lg
C:\ProgramData\CardWindows\SysInstall2.bat
C:\ProgramData\CardWindows\SystemCard.dat