asyncrat | 439096c4077b5a1ad2e2ad232fdaeeece05a72e6a69c16d11a624b665dc428f3

Analysis

max time kernel
12s
max time network
34s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03-09-2024 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RebelCracked.exe
Size

154KB
MD5

76b3ef39824d31fde7ca5d27ae8700fa
SHA1

c03994080a4f1038d4a624499acedcf0fea737f3
SHA256

439096c4077b5a1ad2e2ad232fdaeeece05a72e6a69c16d11a624b665dc428f3
SHA512

3246594017abe3c4e208ce270388feecf23ec3032de73bb380aaebd17030263ff00e8270b2ab901efa993c2e896cd28a091b2b9a49986c98cd974826641f240d
SSDEEP

3072:0OovaAxpeK2dWUi60uu0JpZmTKv03lqUmPT01oSVeT5iu9d7:0OcpeK8lucpUCKlqUP/M

Score

10^/10

asyncrat stormkitty default credential_access discovery rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe	family_stormkitty
behavioral1/memory/924-18-0x0000000000E80000-0x0000000000EB2000-memory.dmp	family_stormkitty

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe	family_asyncrat

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Executes dropped EXE 5 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

pid process

924 RuntimeBroker.exe
1240 RuntimeBroker.exe
3020 RuntimeBroker.exe
2140 RuntimeBroker.exe
3108 RuntimeBroker.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 14 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\412158ca8a1b900098c9af44f1889c6a\Admin@WMCTSIEG_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\412158ca8a1b900098c9af44f1889c6a\Admin@WMCTSIEG_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\412158ca8a1b900098c9af44f1889c6a\Admin@WMCTSIEG_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File opened for modification	C:\Users\Admin\AppData\Local\412158ca8a1b900098c9af44f1889c6a\Admin@WMCTSIEG_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\412158ca8a1b900098c9af44f1889c6a\Admin@WMCTSIEG_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\412158ca8a1b900098c9af44f1889c6a\Admin@WMCTSIEG_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	RuntimeBroker.exe
File created	C:\Users\Admin\AppData\Local\412158ca8a1b900098c9af44f1889c6a\Admin@WMCTSIEG_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	RuntimeBroker.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

5 pastebin.com
8 pastebin.com
14 pastebin.com
20 pastebin.com
26 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
5	pastebin.com
8	pastebin.com
14	pastebin.com
20	pastebin.com
26	pastebin.com

flow	ioc
1	icanhazip.com

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RuntimeBroker.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 14 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

Processes:

netsh.exenetsh.execmd.execmd.execmd.exenetsh.execmd.exenetsh.execmd.exenetsh.execmd.execmd.exenetsh.exenetsh.exe

pid	process
4968	netsh.exe
488	netsh.exe
3012	cmd.exe
3000	cmd.exe
4068	cmd.exe
4956	netsh.exe
3888	cmd.exe
4064	netsh.exe
1212	cmd.exe
3776	netsh.exe
428	cmd.exe
3064	cmd.exe
2932	netsh.exe
5032	netsh.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exe

pid	process
924	RuntimeBroker.exe
924	RuntimeBroker.exe
924	RuntimeBroker.exe
924	RuntimeBroker.exe
924	RuntimeBroker.exe
924	RuntimeBroker.exe
924	RuntimeBroker.exe
924	RuntimeBroker.exe
924	RuntimeBroker.exe
924	RuntimeBroker.exe
1240	RuntimeBroker.exe
1240	RuntimeBroker.exe
1240	RuntimeBroker.exe
1240	RuntimeBroker.exe
1240	RuntimeBroker.exe
1240	RuntimeBroker.exe
1240	RuntimeBroker.exe
1240	RuntimeBroker.exe
924	RuntimeBroker.exe
924	RuntimeBroker.exe
1240	RuntimeBroker.exe
1240	RuntimeBroker.exe
924	RuntimeBroker.exe
924	RuntimeBroker.exe
924	RuntimeBroker.exe
924	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exe

description	pid	process
Token: SeDebugPrivilege	924	RuntimeBroker.exe
Token: SeDebugPrivilege	1240	RuntimeBroker.exe
Token: SeDebugPrivilege	3020	RuntimeBroker.exe
Token: SeDebugPrivilege	2140	RuntimeBroker.exe
Token: SeDebugPrivilege	3108	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

RebelCracked.exeRebelCracked.exeRebelCracked.exeRebelCracked.exeRebelCracked.exe

description	pid	process	target process
PID 792 wrote to memory of 4904	792	RebelCracked.exe	RebelCracked.exe
PID 792 wrote to memory of 4904	792	RebelCracked.exe	RebelCracked.exe
PID 792 wrote to memory of 924	792	RebelCracked.exe	RuntimeBroker.exe
PID 792 wrote to memory of 924	792	RebelCracked.exe	RuntimeBroker.exe
PID 792 wrote to memory of 924	792	RebelCracked.exe	RuntimeBroker.exe
PID 4904 wrote to memory of 5076	4904	RebelCracked.exe	RebelCracked.exe
PID 4904 wrote to memory of 5076	4904	RebelCracked.exe	RebelCracked.exe
PID 4904 wrote to memory of 1240	4904	RebelCracked.exe	RuntimeBroker.exe
PID 4904 wrote to memory of 1240	4904	RebelCracked.exe	RuntimeBroker.exe
PID 4904 wrote to memory of 1240	4904	RebelCracked.exe	RuntimeBroker.exe
PID 5076 wrote to memory of 1524	5076	RebelCracked.exe	RebelCracked.exe
PID 5076 wrote to memory of 1524	5076	RebelCracked.exe	RebelCracked.exe
PID 5076 wrote to memory of 3020	5076	RebelCracked.exe	RuntimeBroker.exe
PID 5076 wrote to memory of 3020	5076	RebelCracked.exe	RuntimeBroker.exe
PID 5076 wrote to memory of 3020	5076	RebelCracked.exe	RuntimeBroker.exe
PID 1524 wrote to memory of 2576	1524	RebelCracked.exe	RebelCracked.exe
PID 1524 wrote to memory of 2576	1524	RebelCracked.exe	RebelCracked.exe
PID 1524 wrote to memory of 2140	1524	RebelCracked.exe	RuntimeBroker.exe
PID 1524 wrote to memory of 2140	1524	RebelCracked.exe	RuntimeBroker.exe
PID 1524 wrote to memory of 2140	1524	RebelCracked.exe	RuntimeBroker.exe
PID 2576 wrote to memory of 2376	2576	RebelCracked.exe	RebelCracked.exe
PID 2576 wrote to memory of 2376	2576	RebelCracked.exe	RebelCracked.exe
PID 2576 wrote to memory of 3108	2576	RebelCracked.exe	RuntimeBroker.exe
PID 2576 wrote to memory of 3108	2576	RebelCracked.exe	RuntimeBroker.exe
PID 2576 wrote to memory of 3108	2576	RebelCracked.exe	RuntimeBroker.exe

C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
"C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:792
- C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
  "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
    "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
      "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1524
    - - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2576
      - C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        6⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        7⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        8⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        9⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        10⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        11⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        12⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        13⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        14⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        15⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RebelCracked.exe"
        16⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        16⤵
        
        PID:244
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        15⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        14⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        13⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        12⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        11⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        10⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        11⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        12⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:488
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        12⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        11⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        12⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        9⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        8⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        7⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        8⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4068
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        9⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4064
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        9⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        8⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        9⤵
        
        PID:2428
      - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        8⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4968
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        8⤵
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        7⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        8⤵
        
        PID:836
    - - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3888
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        7⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        7⤵
        
        PID:4064
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        6⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        7⤵
        
        PID:900
  - - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
      "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3020
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3000
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2760
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4956
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        
        PID:2204
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        
        PID:3856
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4568
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        
        PID:2180
- - C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1240
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3012
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1532
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2932
    - - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        5⤵
        
        PID:2440
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      PID:3112
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        5⤵
        
        PID:4144
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        
        PID:4616
- C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
  "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:924
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1212
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:772
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3776
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      PID:2920
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
    3⤵
    PID:2616
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:4064
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show networks mode=bssid
      4⤵
      PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\13956e919736f7085cd339069468d0e2\Admin@WMCTSIEG_en-US\System\Process.txt

Filesize
64B

MD5
3a7471441fca91c0592d1ac18252cf6d

SHA1
8a2c985bd66de28bd0c4ce5c96e4de7143143955

SHA256
b66fd8debaff5719d8f033dd6fc8517c2bcf157c91644b0e94a7968fe7c6fdcd

SHA512
2febfe4497860c98b9097b338b0d132975687300c4f68e68662dee8c45e662ac7baa99ca9ca41a1baa08eb91b69a3594a6b4deb4fa2e42330fa39a02d2334182

Download Submit
C:\Users\Admin\AppData\Local\13956e919736f7085cd339069468d0e2\Admin@WMCTSIEG_en-US\System\Process.txt

Filesize
128B

MD5
9d514aa1bdbd79639b8e2f09b3ee530b

SHA1
93ecebc58a8bd369f93c4eb5494e6973bef3fb7e

SHA256
7211a5ed05b518f4baa16898e7e06f77ba5c64c9049bbd1d396519846c10b36b

SHA512
7b197688727a7619cdca2b9fa5416ad2b42c4c81f1e2926ee9848966642375a424296031fbaac4e6611402a50391210c3eff6da4bbab0305e09e52a584292141

Download Submit
C:\Users\Admin\AppData\Local\13956e919736f7085cd339069468d0e2\Admin@WMCTSIEG_en-US\System\Process.txt

Filesize
192B

MD5
ea5d5d6c2069d50244e6817edbc96995

SHA1
4e07b4c03252986cb493cb24ddc966b7d951d318

SHA256
1d8284164d1fa5cee7b639afde41093c3de2da2be2c395e127610ab33850a84b

SHA512
1ac5d3ccc7e783d8e9b5455ac184db7545eed6ab96d2e6d2a534a51ff9ee5248847a8edf54a6e1a9c1a60690efb16e651e6a62ce15131e8d8a98e4c56d227808

Download Submit
C:\Users\Admin\AppData\Local\13956e919736f7085cd339069468d0e2\Admin@WMCTSIEG_en-US\System\Process.txt

Filesize
256B

MD5
67d8f3b32fee72a2d9e730add2f38219

SHA1
9cc9cbea68082fca6de1cbc3c610de3a224cd787

SHA256
8ed349d0283ef91eccf529c5d0f6e9b6875794632996928bd9b1298b46269818

SHA512
5e592bf677289241a2888d57febb0dd239e2a6260674eaaa35025c209bfd42860094094b3f556958e0fde164fc2365c61c172c8e526caf1aa80c4b4b319909c9

Download Submit
C:\Users\Admin\AppData\Local\13956e919736f7085cd339069468d0e2\Admin@WMCTSIEG_en-US\System\Process.txt

Filesize
349B

MD5
cc9644e32ba5b069a8e8368774aaf072

SHA1
d4acb4570a0ffc87205e90a395f86bedabaee7bf

SHA256
5a674e2d24a58f53135d434a407926aa46b847b444d0c034889cab1eea62a0fb

SHA512
a7efd606073959a2e5fc6c9a7866998d11593cf029806d5d0814f864de7b6b23f9bb75ea26bc7a6a1a0c1b593375fe9515c6209f76a5b8965fc2b48e09c35f49

Download Submit
C:\Users\Admin\AppData\Local\13956e919736f7085cd339069468d0e2\Admin@WMCTSIEG_en-US\System\Process.txt

Filesize
4KB

MD5
af8c6183ff9f2cb61cd022b6270f2ad2

SHA1
76213578a50639658e7affe9657c24d3f2594f52

SHA256
41d5d68e44a5cf00f484e27476d2fa7d64ad8ed7da6f5cc6223e12917b15368c

SHA512
ce117aa28aa3bf6e6fb991dbb836f2d9611d7852639852febe07693d88456cdad4515269199cf68f0988568bfe9eb13cad5bc533628e3677e0f14964e8574c60

Download Submit
C:\Users\Admin\AppData\Local\13956e919736f7085cd339069468d0e2\Admin@WMCTSIEG_en-US\System\ScanningNetworks.txt

Filesize
84B

MD5
58cd2334cfc77db470202487d5034610

SHA1
61fa242465f53c9e64b3752fe76b2adcceb1f237

SHA256
59b3120c5ce1a7d1819510272a927e1c8f1c95385213fccbcdd429ff3492040d

SHA512
c8f52d85ec99177c722527c306a64ba61adc3ad3a5fec6d87749fbad12da424ba6b34880ab9da627fb183412875f241e1c1864d723e62130281e44c14ad1481e

Download Submit
C:\Users\Admin\AppData\Local\1df52a31c081152866c603010c6c708c\Admin@WMCTSIEG_en-US\System\Process.txt

Filesize
720B

MD5
797f4ed25a7bbcf1a058b93c0fc3f859

SHA1
e60ab105b642ca6e3b20366aef826348851e4a47

SHA256
118f7fc6b49c7507d2955620af4a1dda4c7eaad04a0529e7ed0f6291a7bad885

SHA512
1856bd85a0bec0d4f9ed4f07e5b6574862f053857e23ee0821a98df89df395fac9452f361bad56e7cb06d061dea4c8c5c375127a3073868f4805c39107b1afed

Download Submit
C:\Users\Admin\AppData\Local\1df52a31c081152866c603010c6c708c\Admin@WMCTSIEG_en-US\System\Process.txt

Filesize
783B

MD5
e7a8076335913973825b6af77210254e

SHA1
c136ee74170d60d0a75dc5b87842697074a35130

SHA256
92668a240b582a4bd6682a5e75d125b54e0fa6e8876251976f66bdb3d2307e69

SHA512
4bdcd0efdebc2220bb127881307d468241699f9a5babd2a64418450d36e6366a13b1fd0e2e990b1a359ee746ef1f145e5646720871e3a7b3dc2c1c8f3484d709

Download Submit
C:\Users\Admin\AppData\Local\1df52a31c081152866c603010c6c708c\Admin@WMCTSIEG_en-US\System\Process.txt

Filesize
813B

MD5
f2a5665db7ea9da02b5c4d821cf6e13c

SHA1
15d327dfdf829e87cf9718107be04327210ff10c

SHA256
566627a9ab47be3381bfa199e21281c759a7fcfcc8e0e417aba9472d270c201d

SHA512
a7f30a4760ed37bdf8fc467c6043e4e08fedfb30d55cc4e8a74d43fe389c6b41ae23db8ce84862eefb3a9286c3634ea97028996497d0140a0d792c3c10681d08

Download Submit
C:\Users\Admin\AppData\Local\1df52a31c081152866c603010c6c708c\Admin@WMCTSIEG_en-US\System\Process.txt

Filesize
846B

MD5
dc35266204fb221299fb43088df9e2cb

SHA1
c830ed2d1586aeeb4499f559f72fdafa28842389

SHA256
0105b4ddc0755bdc7247bdf4a256562d64b876061a533238320935e0f43cd912

SHA512
e50d1331930ce8601780ea6966014893a445c1faad93c92f86ab5c19c448718e8e45b5fdd5952ee0f7d76e6c88e81f2a91c29f19efb0c8bb3655c385773a9e66

Download Submit
C:\Users\Admin\AppData\Local\1df52a31c081152866c603010c6c708c\Admin@WMCTSIEG_en-US\System\Process.txt

Filesize
910B

MD5
0a8c2143cf6cbecaf6d923ea7c3ee4f8

SHA1
79f9655135192ebdabcef66964a55471fd5f2f9d

SHA256
f341ac27592dae887d0da4c9dffade7f36ee2bf78b3681a8d16b3cc1c292872f

SHA512
3a5ebf7830c596c8904453f7be870acf969f9b11b8ec62a818160632cda13a2f2824d444f1157d8db779f3ce78de524ea24897fa76925d33c8187b463de75eec

Download Submit
C:\Users\Admin\AppData\Local\1df52a31c081152866c603010c6c708c\Admin@WMCTSIEG_en-US\System\Process.txt

Filesize
974B

MD5
6fc4028a196b515915b4b7e114632040

SHA1
6520bdbd993996e998571f8fbfd4cdeb7b8d8036

SHA256
31de040dc99d61653341330b02f6d088420e439e52247f5d3f731abcd905e431

SHA512
1d420f796672253a58cec4d647be82e6248d478cd78241342a50762cae3131bcb5efc21c4a1a3bd1df5b7a82c4de63406337541faaaff42f71438b5f36bd4d90

Download Submit
C:\Users\Admin\AppData\Local\1df52a31c081152866c603010c6c708c\Admin@WMCTSIEG_en-US\System\Process.txt

Filesize
1006B

MD5
d2c0206d3d74a598ad33ef36d38c27f5

SHA1
d097b7d5c0203909e1fb767f2337a0dd826c4281

SHA256
b4fdf86ad499e4ebaf231fcd431d8574aa85ed52ede398826d171e213bc7ad18

SHA512
1a3ebf8acac29f1cd18fc8de3122322b9b2aa009f865adb48c8a890bfe745d7136074524bfb5b64c4a88619ae54d7caeab6d935bb987a151176881ce35d11d2d

Download Submit
C:\Users\Admin\AppData\Local\1df52a31c081152866c603010c6c708c\Admin@WMCTSIEG_en-US\System\Process.txt

Filesize
4KB

MD5
5f778ad9483f3cb3a9109d7423aad1fd

SHA1
24479c9d6517ee93ad3f61400058981c15d39800

SHA256
ed087f279df508f8a1f0af3ac11d9996666db464804f9a7d31038ea851776adf

SHA512
3424fae50a890f9213a1410c596785d383ec9d0a65180548db6ffe8dedf599f2714e2aff36e2827c20533685d6b8495d1092f911e00b990a961edcb32e59e7a3

Download Submit
C:\Users\Admin\AppData\Local\412158ca8a1b900098c9af44f1889c6a\Admin@WMCTSIEG_en-US\Directories\Temp.txt

Filesize
2KB

MD5
f9ffd33fdab7c281ef5761cddbb288ce

SHA1
f7c781a3e138d9e02ca0aef27dc2d55a58c05926

SHA256
e5f27e2328180313fd8b29273438edc7fa91c743b885af8799912be4c9658514

SHA512
3170f4fa71d107edae90dfb74fd98bc1145c234f029e5d413e7d01bde169d9a5edf9e22546f4ef72bd1613499afba2a2411f95762ded999f364d50e2cdc08bb7

Download Submit
C:\Users\Admin\AppData\Local\412158ca8a1b900098c9af44f1889c6a\Admin@WMCTSIEG_en-US\System\Process.txt

Filesize
4KB

MD5
d9cb91fe8494e0a736c7b248c0dee9e3

SHA1
fcdb882be82c6b3b173f162b2277bc23132d8aa6

SHA256
5387e8541c98583d762d593e5eb8affe993524c5409f71cc508bd7bc3e78701a

SHA512
3ce1eac68d7bae30cb13ad57b72e4a329007328011f3929a37cb9d4f4cd75d162d4acdd1ae1894538de37ae5ce72c528996a06d1f7e0fbc6af10a4abf9dabcbb

Download Submit
C:\Users\Admin\AppData\Local\412158ca8a1b900098c9af44f1889c6a\Admin@WMCTSIEG_en-US\System\Process.txt

Filesize
5KB

MD5
0584840cd46aabc74871d2112b60f212

SHA1
56e73c183bbc1a10215b5b83e9e469779481a193

SHA256
f81c209bd3fa67c2165cfdfe4025d1d1598b09e1271633b75a0e7e38f86d6eb0

SHA512
fbe1c4d96327688e228f4562bd06766d1021eb9c4495c2ab10b9dd30ccd9716a33dd1079c0715344e3beb3f4ef606eebb7e315d1dfbb6bade4ea5ae85fe8d454

Download Submit
C:\Users\Admin\AppData\Local\412158ca8a1b900098c9af44f1889c6a\Admin@WMCTSIEG_en-US\System\Process.txt

Filesize
4KB

MD5
58c9035a42941a46216fb847da866c43

SHA1
3714749be7e6106ef46e5bcb316a7efc7f77218c

SHA256
e25acdf0f84e3e9b11ce3e03c67d59b29c30483c41ed5d9de7d59ec4dcf9bc26

SHA512
0448814daa71ef97f35b3b52000489c658e3728546eb7150d9b0702ecc8f146a632396c7a5e8e7815c759a7685629c637ac24e0866050c5125705e67ed19d97f

Download Submit
C:\Users\Admin\AppData\Local\412158ca8a1b900098c9af44f1889c6a\Admin@WMCTSIEG_en-US\System\WorldWind.jpg

Filesize
81KB

MD5
01d0e19673888adca03c5ff62f3b1b33

SHA1
7c926a408ad784a9c6631765002b57a89dc112d6

SHA256
51092dd06a27d599a5e019d218572ccc4cdc76e72f40bd65bd7ba16193bc1ba7

SHA512
012bcf1207d6d6d5137b08dfbaa0624464f399e7e5e5bd8b0d12db1fa9996dd27bf1b5507fb6c0bca46181919d6599ebc494b02c4662f4237f0311f04f9b2736

Download Submit
C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\Directories\Desktop.txt

Filesize
557B

MD5
220e60538d1f0642ac34110adb7bd0bb

SHA1
c2c3d0be08742985afd504b1f0697f114b7f6bbf

SHA256
93dd1ede60b63afc5a936549187506a4156c305ccbc353679e1eac49cef4e809

SHA512
e2e1040b40219d5e6a6b0e9c5d66fd586fe3b0c90519f7556ddb1b48c32598626286d8cf0191ce1b863bb13847365422b9119079d672f022f0ab5e926e3130e9

Download Submit
C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\Directories\Documents.txt

Filesize
432B

MD5
4718faedc0dcf0bf8bbed09c7df1569c

SHA1
1e260636877c9d303776e41d7b37947efd11ffab

SHA256
41cde2bfb87b06f01a6c6a726de2bf509a958d967fe76b80d953ff105b73b150

SHA512
9714c6455ee22dc8f93392f4c8405ec7bee50b3d976c804a56395d0b1b20650bfd1bfc221266a2e5f352916c53c962617bff44a69c8e2114517762a022baf432

Download Submit
C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\Directories\Downloads.txt

Filesize
692B

MD5
befef6422c1b4c8fc1e996288cfbfdc7

SHA1
4fa8164a32342fd7305bd612afc796a2dc202b83

SHA256
102a303ddccf487e31293fc8f1d8a40e7f1a9d1ca70ab54f50155870becedcb4

SHA512
d068f32b4f903df4067304a87649c537c8c0d416ef34c0ad438233fcc077e4ae7b131f3b3bf72e088911ca6080e637b63a8dd08c81d6b9e571d4a278754d3499

Download Submit
C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\Directories\OneDrive.txt

Filesize
25B

MD5
966247eb3ee749e21597d73c4176bd52

SHA1
1e9e63c2872cef8f015d4b888eb9f81b00a35c79

SHA256
8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

SHA512
bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

Download Submit
C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\Directories\Pictures.txt

Filesize
774B

MD5
b01364d4a98dd2069fa91aa4e76f4778

SHA1
929bb5514be0a459a27b40d406677e81871f5cff

SHA256
697f3a8cafbf27b1b682dbb493a048b915ce3138617a074114468a6d07b99c2f

SHA512
4b82152108077cd1112c0e8bb78f87f4d00a50264404586b29c948a6a69fbb2b720efd1af3d43b33fdfd8704c4c011d3b651db048b3069502427cf79105f0a06

Download Submit
C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\Directories\Startup.txt

Filesize
24B

MD5
68c93da4981d591704cea7b71cebfb97

SHA1
fd0f8d97463cd33892cc828b4ad04e03fc014fa6

SHA256
889ed51f9c16a4b989bda57957d3e132b1a9c117ee84e208207f2fa208a59483

SHA512
63455c726b55f2d4de87147a75ff04f2daa35278183969ccf185d23707840dd84363bec20d4e8c56252196ce555001ca0e61b3f4887d27577081fdef9e946402

Download Submit
C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\Directories\Temp.txt

Filesize
2KB

MD5
9eaf57e1756815c0e95b350cef7fb979

SHA1
cb20cf7438d80737f80ed84f77e891a179aae310

SHA256
23490bf78f9204d5e6b0f82ee2c85cce1c7d50ddfaf14b2c55ec531b2414757f

SHA512
2df57b879dded449c75db9741d6b684d275509493e533da9f31d37cec2803024440b9b151b61c8ecdcc3780fe7e8d9f7fa8acabe804cb85995124cc56be40cee

Download Submit
C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\Directories\Temp.txt

Filesize
2KB

MD5
06fc1549ac1352ccdafca35070d93de8

SHA1
c80bcb919d0e4d74f46f317189bea168950bd2a8

SHA256
8d9bc0c25889273669029e0bbef9f83de104eeba91ff01cdd5efcf77f75fd988

SHA512
082b12849aa0e074530d3f35bd40ca20aece65494561350bc84da7586cfd3d9681704fdebfee5ff31b1cc11efd2f7c2f945378028fe07f817271730708a9db5e

Download Submit
C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\Directories\Videos.txt

Filesize
23B

MD5
1fddbf1169b6c75898b86e7e24bc7c1f

SHA1
d2091060cb5191ff70eb99c0088c182e80c20f8c

SHA256
a67aa329b7d878de61671e18cd2f4b011d11cbac67ea779818c6dafad2d70733

SHA512
20bfeafde7fec1753fef59de467bd4a3dd7fe627e8c44e95fe62b065a5768c4508e886ec5d898e911a28cf6365f455c9ab1ebe2386d17a76f53037f99061fd4d

Download Submit
C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini

Filesize
190B

MD5
d48fce44e0f298e5db52fd5894502727

SHA1
fce1e65756138a3ca4eaaf8f7642867205b44897

SHA256
231a08caba1f9ba9f14bd3e46834288f3c351079fcedda15e391b724ac0c7ea8

SHA512
a1c0378db4e6dac9a8638586f6797bad877769d76334b976779cd90324029d755fb466260ef27bd1e7f9fdf97696cd8cd1318377970a1b5bf340efb12a4feb4a

Download Submit
C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini

Filesize
190B

MD5
87a524a2f34307c674dba10708585a5e

SHA1
e0508c3f1496073b9f6f9ecb2fb01cb91f9e8201

SHA256
d01a7ef6233ef4ab3ea7210c0f2837931d334a20ae4d2a05ed03291e59e576c9

SHA512
7cfa6d47190075e1209fb081e36ed7e50e735c9682bfb482dbf5a36746abdad0dccfdb8803ef5042e155e8c1f326770f3c8f7aa32ce66cf3b47cd13781884c38

Download Submit
C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\System\Process.txt

Filesize
3KB

MD5
71f5e04341a9b7a6af7916b992f00e2f

SHA1
fe0088c684b84daaa0120e3cc840457b82d4f024

SHA256
ae5f887d6455cbdb66aed6c138f6dac305ced2434a76d18c3028012838366579

SHA512
253585b0d9d6ff2f081d154f1a7caf249af01fe0daa6b8f5681535680ad8df7295f695eecb94156ce58a83289bd27247afea4a24ccaa0e8b65e041a47f34f87c

Download Submit
C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\System\Process.txt

Filesize
503B

MD5
9ccfddf803352bdc534d3f7e819e7270

SHA1
5e376bffd507745ea6642b977f54796c3476dff7

SHA256
287c1d88ae1bd3eac89824a0d8bcda6a975bf290c0240a44bd16b274297e225d

SHA512
f098f31b2e9dbce9b938228dfb0103b7960bc60ca75b09fbee6c0a0009d0cd27f30f673c0d8bb1837e70c7f8a81f56c667e522009f108d48a9965f5689693916

Download Submit
C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\System\Process.txt

Filesize
656B

MD5
f08cdc1b842ad22c72f21187d3863744

SHA1
620c52d3510bea0ddade3c8a23d3d8f3137a8b08

SHA256
0f1b7efefdea809fe258381cace8418a2eed0e6faf15fa7851142a15cc469123

SHA512
1b8a491d0d40a9ddc910890c7f32d077b88989898ce3cff9c7699bef1ff5b5913dd8a08d804d1f8297cee644acb2c97decd4942aa28bfa9402b215de6dc29bed

Download Submit
C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\System\Process.txt

Filesize
4KB

MD5
74c643a903c474de852cac51e68701a4

SHA1
8c200d2daa55c132858eaf45fd825f67d263f36f

SHA256
60eb9071c0307ee259e9b361ef49a485d3b133330aba2333cbc38454bf5d8b6d

SHA512
fb7ed554f725cb439b2f374d8110df3fc394234bf5f9a73f66c7876291b362f0a6afbb47495c4f3593e6613484a684450f8994eaae74d926c8d8c15c73f10789

Download Submit
C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\System\ProductKey.txt

Filesize
29B

MD5
71eb5479298c7afc6d126fa04d2a9bde

SHA1
a9b3d5505cf9f84bb6c2be2acece53cb40075113

SHA256
f6cadfd4e4c25ff3b8cffe54a2af24a757a349abbf4e1142ec4c9789347fe8b3

SHA512
7c6687e21d31ec1d6d2eff04b07b465f875fd80df26677f1506b14158444cf55044eb6674880bd5bd44f04ff73023b26cb19b8837427a1d6655c96df52f140bd

Download Submit
C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\System\ScanningNetworks.txt

Filesize
168B

MD5
9f11565dd11db9fb676140e888f22313

SHA1
35ae1ce345de569db59b52ed9aee5d83fea37635

SHA256
bd652c6bfa16a30133dd622f065e53aee489e9066e81ecb883af1c3892af727d

SHA512
d70edbd84693afbdb90424b9f72a4bd4a51bd27c719506e17a58b171c251046aea23ca7228ccd8b98b47cd8eb1227bc2d90a07c4f50e8b080f9a41d253935ace

Download Submit
C:\Users\Admin\AppData\Local\44b60dea5a25ad66ecbd67d8926d524a\Admin@WMCTSIEG_en-US\System\WorldWind.jpg

Filesize
82KB

MD5
eb530d482aeaa3d47e475538b9daf313

SHA1
210d052f11d4a8603e4412e905389cabee79de7c

SHA256
2fc370f4da28aad836fbff13fbbcc9297ddef9fe018724aaba1d261e1ebce018

SHA512
ea497a6f1295dcde35f9029f42d9d5506eade6bb71fdf5f3dbb37762c53122801df35f5212f7be77e0776cb86cf187796910479c65d85ba228d0e2c1c40e3b17

Download Submit
C:\Users\Admin\AppData\Local\6a29c0c575e07a3793f9f21e10716c65\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\89b1d1e8ed2833621f1a4ce2e6ced577\Admin@WMCTSIEG_en-US\System\Process.txt

Filesize
1KB

MD5
fd1216ea301cbf42bb4e75d37be85bb7

SHA1
1c0d65141a922e1609eb40adc1f15711838c9f2a

SHA256
1493aefbd719b05a7e782b1170274f16da1542808e1d9675388ad5ce0f1e63d4

SHA512
6a69e937e65d71e07258183f838053f011946f3fea4d87b2085ad1b86345795844ce4d70391759ead9d7428e0ac471d847d7835cb2f5a36c167cd3e7087be459

Download Submit
C:\Users\Admin\AppData\Local\94c6e5929a0ea52129762d59880a55ed\Admin@WMCTSIEG_en-US\System\Process.txt

Filesize
4KB

MD5
e7b5da1d9b1aff84fedf44f23f25e10f

SHA1
a8c849867bcc77e881cd4900d810e398c120d76b

SHA256
d92051cfc7df877faa48e14502cb6d79f536b81e7515e8edad556511bfe760ca

SHA512
8c9e0bec7d77b544672c22303a057c9111806b426fb3b14899beaaa5c5a2a523d28b8a032435495b3a565d46e9ca0388656e72761129c8a9c43c14cdb1795c34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RebelCracked.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe

Filesize
175KB

MD5
59d9f02a7c904f21a175944dbeed3b13

SHA1
aa718c47c9cf57d16b7d3f4d8743a739fc05123b

SHA256
b8d40aee28967859278556d66452e861691ce10f41a4ace97fe87265294f6524

SHA512
1ecb75b6e334d3d0695ac50561eaa1ef9e87e8aeb370e053ded4d17dfff825e4b3d33b17a3728b5bda9008a7b85b33aa48a79821d286c99ae2c767a76908b36e

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
b11baf554aa38036dcf761f1bd7cc9d5

SHA1
1070dbd3ac639dc3662946e3496f37c0a36c9061

SHA256
87d7b081ca0e24da7c073657a545d985c28fae04da401013f1fd13a5ab1f0ddc

SHA512
daa70fb5669f8e3a5ee31a3a9a25113309a896701f6f100eb0d79568ab6785cba95929baa95445584967aee2dff35153bce2fd76703cdb04623b08a96f1f003e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB323.tmp.dat

Filesize
114KB

MD5
16525940d4d53252d2b47a961435749e

SHA1
aae20adb5acb17d80ab1f038d6efb4428ea59d3a

SHA256
d6d3dbb0f235b410c2443422b08a758ca08c24cf74a078fe62ba7708c735f3d5

SHA512
f97537d3280d1e28c4344a0a0fbb62bf4167deaef7d4022e242cb097befcfb5790195b46f4051b23f57d8f069db4b8e532daef46cd1c3d6d6d95ad4174a23d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB325.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB338.tmp.dat

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC5C.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC62.tmp.dat

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC63.tmp.dat

Filesize
20KB

MD5
22be08f683bcc01d7a9799bbd2c10041

SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de

SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457

SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC64.tmp.dat

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC74.tmp.dat

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Local\bcfbc24d3b4903707e485fc27c024035\Admin@WMCTSIEG_en-US\System\Process.txt

Filesize
4KB

MD5
67b6f7c349d70aff5ba91d6aa5b82609

SHA1
83f59fe7aa030074be0b96a564b3d9c1449a3c50

SHA256
e5b018060946c1b4b040f1e5d1d1564b4374ae19d2b78c26284dcb2cec26205a

SHA512
7c290df330ee85e3b609c415b3a58b6c328711735e58a2fac8fc15244df2629f26b7244ce224c02815fcbc03370af7eb2e222b8658a94aade8cbdc433455c5c4

Download Submit
memory/792-16-0x00007FF9480D0000-0x00007FF948B92000-memory.dmp

Filesize
10.8MB

Download
memory/792-0-0x00007FF9480D3000-0x00007FF9480D5000-memory.dmp

Filesize
8KB

Download
memory/792-1-0x0000000000040000-0x000000000006C000-memory.dmp

Filesize
176KB

Download
memory/792-10-0x00007FF9480D0000-0x00007FF948B92000-memory.dmp

Filesize
10.8MB

Download
memory/924-305-0x0000000006F40000-0x00000000074E6000-memory.dmp

Filesize
5.6MB

Download
memory/924-18-0x0000000000E80000-0x0000000000EB2000-memory.dmp

Filesize
200KB

Download
memory/924-17-0x000000007485E000-0x000000007485F000-memory.dmp

Filesize
4KB

Download
memory/924-879-0x0000000007930000-0x0000000007942000-memory.dmp

Filesize
72KB

Download
memory/924-208-0x000000007485E000-0x000000007485F000-memory.dmp

Filesize
4KB

Download
memory/924-608-0x00000000068E0000-0x00000000068EA000-memory.dmp

Filesize
40KB

Download
memory/924-297-0x00000000068F0000-0x0000000006982000-memory.dmp

Filesize
584KB

Download
memory/924-22-0x0000000005D10000-0x0000000005D76000-memory.dmp

Filesize
408KB

Download
memory/4904-15-0x00007FF9480D0000-0x00007FF948B92000-memory.dmp

Filesize
10.8MB

Download
memory/4904-21-0x00007FF9480D0000-0x00007FF948B92000-memory.dmp

Filesize
10.8MB

Download